Fix countdown CSP.

stefansundin · stefansundin · commit bd824cef1c4d · 2018-09-28T20:31:53.000-07:00
diff --git a/app.rb b/app.rb
@@ -18,7 +18,13 @@
 get "/live" do
   content_type :html
   SecureHeaders.use_secure_headers_override(request, :live)
-  send_file File.join(settings.public_folder, 'live.html')
+  send_file File.join(settings.public_folder, "live.html")
+end
+
+get "/countdown" do
+  content_type :html
+  SecureHeaders.use_secure_headers_override(request, :countdown)
+  send_file File.join(settings.public_folder, "countdown.html")
 end
 
 get "/go" do
diff --git a/config/application.rb b/config/application.rb
@@ -11,6 +11,7 @@
 configure do
   use Rack::SslEnforcer, only_hosts: (ENV["SSL_ENFORCER_HOST"] || /\.herokuapp\.com$/)
   use SecureHeaders::Middleware
+  set :protection, :except => [:frame_options] # Disable things that secure_headers handles
   set :erb, trim: "-"
   # Look up Rack::Mime::MIME_TYPES to see rack defaults
   mime_type :opensearch, "application/opensearchdescription+xml"
diff --git a/config/initializers/10-secure_headers.rb b/config/initializers/10-secure_headers.rb
@@ -57,7 +57,6 @@
   end
 end
 
-# Live page
 SecureHeaders::Configuration.override(:live) do |config|
   config.csp.merge!({
     # "meta" values. these will shape the header, but the values are not included in the header.
@@ -72,3 +71,16 @@
     connect_src: %w(graph.facebook.com www.googleapis.com api.twitch.tv),
   })
 end
+
+SecureHeaders::Configuration.override(:countdown) do |config|
+  config.x_frame_options = SecureHeaders::OPT_OUT
+  config.csp.merge!({
+    # "meta" values. these will shape the header, but the values are not included in the header.
+    report_only: false,
+    preserve_schemes: true,
+    # directive values: these values will directly translate into source directives
+    default_src: %w('none'),
+    style_src: %w('unsafe-inline'),
+    script_src: %w('unsafe-inline'),
+  })
+end
diff --git a/public/countdown.html b/public/countdown.html
@@ -29,7 +29,7 @@
 }
 
 function init() {
-  // Parse query string, e.g: countdown.html?date=2018-09-27T03:30:00Z
+  // Parse query string, e.g: /countdown?date=2018-09-27T03:30:00Z
   var params = {};
   window.location.search.substr(1).split("&").forEach(function(param) {
     param = param.split("=");
diff --git a/public/img/icon512.png b/public/img/icon512.png
diff --git a/views/youtube_feed.erb b/views/youtube_feed.erb
@@ -27,7 +27,7 @@
       title += " (scheduled for #{updated.readable(@tz)})"
       content_extra = <<~EOF
         <p>Live broadcast scheduled to start at: #{updated.readable(@tz)}.</p>
-        <iframe width="640" height="50" src="#{request.root_url}/countdown.html?date=#{updated}" frameborder="0" scrolling="yes" referrerpolicy="no-referrer"></iframe>
+        <iframe width="640" height="50" src="#{request.root_url}/countdown?date=#{updated}" frameborder="0" scrolling="yes" referrerpolicy="no-referrer"></iframe>
       EOF
     end
   end

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@`
`29`	`29`	`}`
`30`	`30`
`31`	`31`	`function init() {`
`32`		`- // Parse query string, e.g: countdown.html?date=2018-09-27T03:30:00Z`
	`32`	`+ // Parse query string, e.g: /countdown?date=2018-09-27T03:30:00Z`
`33`	`33`	`var params = {};`
`34`	`34`	`window.location.search.substr(1).split("&").forEach(function(param) {`
`35`	`35`	`param = param.split("=");`