authorClaire <claire.github-309c@sitedethib.com>2022-12-15 16:40:32 +0100
committerGitHub <noreply@github.com>2022-12-15 16:40:32 +0100
commit623d3d2e32ac8ec2819f2cd99e6565d06c9b0023 (patch)
tree44ee39ab408dd2f892d009a32971f3b381b22892
parent19f78ea8fadc4626f7b2db5dbe37accbde6a968c (diff)
Change CSP directives on API to be tight and concise (#20960)
-rw-r--r--app/controllers/api/base_controller.rb20
1 files changed, 20 insertions, 0 deletions
diff --git a/app/controllers/api/base_controller.rb b/app/controllers/api/base_controller.rb
index defef0656..41f3ce2ee 100644
--- a/app/controllers/api/base_controller.rb
+++ b/app/controllers/api/base_controller.rb
@@ -16,6 +16,26 @@ class Api::BaseController < ApplicationController
protect_from_forgery with: :null_session
+ content_security_policy do |p|
+ # Set every directive that does not have a fallback
+ p.default_src :none
+ p.frame_ancestors :none
+ p.form_action :none
+
+ # Disable every directive with a fallback to cut on response size
+ p.base_uri false
+ p.font_src false
+ p.img_src false
+ p.style_src false
+ p.media_src false
+ p.frame_src false
+ p.manifest_src false
+ p.connect_src false
+ p.script_src false
+ p.child_src false
+ p.worker_src false
+ end
+
rescue_from ActiveRecord::RecordInvalid, Mastodon::ValidationError do |e|
render json: { error: e.to_s }, status: 422
end
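Review bot: The `p.base_uri false` line sits under the comment "Disable every directive with a fallback", but base-uri is one of the directives that does not fall back to default-src, so dropping it leaves base-uri unrestricted instead of inheriting 'none'. form-action and frame-ancestors, the other two no-fallback directives, are already set explicitly in the first group, so base-uri is the only one out of step with the stated intent. The practical exposure is small because this controller's visible responses are JSON rather than HTML, but the invariant the comments describe should hold; move the line into the first group as `p.base_uri :none`. The enclosing class Api::BaseController begins outside the hunk.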