[WIP] Adds secure_headers & Content-Security-Policy to Classroom

Gemfile

@@ -27,7 +27,7 @@ gem "flipper-ui",         "~> 0.10.2"
 
 gem "geo_pattern", "~> 1.4"
 
-gem "jquery-datetimepicker-rails", "~> 2.4", ">= 2.4.1.0"
+gem "jquery-datetimepicker-rails", git: "git://github.com/anglinb/jquery-datetimepicker-rails.git", tag: "v2.5.4.0"
 gem "jquery-turbolinks",           "~> 2.1"
 
 gem "kaminari", "~> 1.0", ">= 1.0.1"
@@ -57,9 +57,10 @@ gem "rails-i18n",          "~> 5.0", ">= 5.0.1"
 gem "redis-namespace",     "~> 1.5", ">= 1.5.3"
 gem "ruby-progressbar",    "~> 1.8", ">= 1.8.1", require: false
 
-gem "sass-rails", "~> 5.0", ">= 5.0.6"
-gem "sidekiq",    "~> 5.0", ">= 5.0.4"
-gem "sprockets",  "~> 3.7", ">= 3.7.1"
+gem "sass-rails",     "~> 5.0", ">= 5.0.6"
+gem "secure_headers", "~> 4.0", ">= 4.0.0"
+gem "sidekiq",        "~> 5.0", ">= 5.0.4"
+gem "sprockets",      "~> 3.7", ">= 3.7.1"
 
 gem "turbolinks", github: "turbolinks/turbolinks-classic", ref: "37a7c296232d20a61bd1946f600da7f2009189db"
 gem "typhoeus",   "~> 1.3"

Gemfile.lock

@@ -1,3 +1,10 @@
+GIT
+  remote: git://github.com/anglinb/jquery-datetimepicker-rails.git
+  revision: 535e81708a45ef077b408b6e5a5c47196cbf911f
+  tag: v2.5.4.0
+  specs:
+    jquery-datetimepicker-rails (2.5.4.0)
+
 GIT
   remote: https://github.com/Soliah/peek-sidekiq.git
   revision: 261c857578ae6dc189506a35194785a4db51e54c
@@ -187,7 +194,6 @@ GEM
     hashdiff (0.3.6)
     hashie (3.5.6)
     i18n (0.8.6)
-    jquery-datetimepicker-rails (2.4.1.0)
     jquery-turbolinks (2.1.0)
       railties (>= 3.1.0)
       turbolinks
@@ -390,6 +396,8 @@ GEM
     scss_lint (0.54.0)
       rake (>= 0.9, < 13)
       sass (~> 3.4.20)
+    secure_headers (4.0.0)
+      useragent (>= 0.15.0)
     shellany (0.0.1)
     sidekiq (5.0.4)
       concurrent-ruby (~> 1.0)
@@ -427,6 +435,7 @@ GEM
       execjs (>= 0.3.0, < 3)
     unicode-display_width (1.3.0)
     uniform_notifier (1.10.0)
+    useragent (0.16.8)
     vcr (3.0.3)
     web-console (3.5.1)
       actionview (>= 5.0)
@@ -466,7 +475,7 @@ DEPENDENCIES
   foreman (~> 0.84.0)
   geo_pattern (~> 1.4)
   guard-rspec (~> 4.7, >= 4.7.3)
-  jquery-datetimepicker-rails (~> 2.4, >= 2.4.1.0)
+  jquery-datetimepicker-rails!
   jquery-turbolinks (~> 2.1)
   kaminari (~> 1.0, >= 1.0.1)
   knapsack (~> 1.14, >= 1.14.1)
@@ -502,6 +511,7 @@ DEPENDENCIES
   ruby-progressbar (~> 1.8, >= 1.8.1)
   sass-rails (~> 5.0, >= 5.0.6)
   scss_lint (~> 0.54.0)
+  secure_headers (~> 4.0, >= 4.0.0)
   sidekiq (~> 5.0, >= 5.0.4)
   simplecov (~> 0.15.0)
   spring (~> 2.0, >= 2.0.2)

app/controllers/pages_controller.rb

@@ -6,6 +6,10 @@ class PagesController < ApplicationController
   skip_before_action :authenticate_user!
 
   def home
-    redirect_to organizations_path if logged_in?
+    if logged_in?
+      redirect_to organizations_path
+    else
+      use_content_security_policy_named_append(:unauthed_video)
+    end
   end
 end

config/initializers/secure_headers.rb

@@ -0,0 +1,20 @@
+# Setup Secure Headers with default values
+# rubocop:disable Lint/PercentStringArray
+SecureHeaders::Configuration.default do |config|
+  config.csp = {
+    default_src: %w[https: 'self'],
+    style_src: %w['self' 'unsafe-inline'],
+    script_src: %w['self'],
+    img_src: %w['self' data: *.githubusercontent.com]
+  }
+end
+
+# Provide additional permissions on home page for video
+# `unauthed_video`
+SecureHeaders::Configuration.named_append(:unauthed_video) do
+  {
+    script_src: %w[https://www.youtube.com https://s.ytimg.com],
+    child_src: %w[https://www.youtube.com/ https://s.ytimg.com]
+  }
+end
+# rubocop:enable Lint/PercentStringArray