From af14feb8fca4d159b9a13dc349f13e70b8a2c571 Mon Sep 17 00:00:00 2001 From: Jeremy Daer Date: Fri, 5 Dec 2025 20:49:41 -0800 Subject: [PATCH] CSP gives env config precedence (#1976) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bit clearer, and simpler config wrangling: presence of ENV → use it. --- config/initializers/content_security_policy.rb | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb index 7a5b85df7..fe37a5cde 100644 --- a/config/initializers/content_security_policy.rb +++ b/config/initializers/content_security_policy.rb @@ -4,9 +4,14 @@ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy Rails.application.configure do - # Configure from environment variables (fizzy-saas can override by setting config.x values first) - config.x.content_security_policy.report_uri ||= ENV["CSP_REPORT_URI"] - config.x.content_security_policy.report_only ||= ENV["CSP_REPORT_ONLY"] == "true" + # Configure with environment variables with fallback to config.x values (via fizzy-sass) + report_uri = ENV.fetch("CSP_REPORT_URI") { config.x.content_security_policy.report_uri } + report_only = + if ENV.key?("CSP_REPORT_ONLY") + ENV["CSP_REPORT_ONLY"] == "true" + else + config.x.content_security_policy.report_only + end # Generate nonces for importmap and inline scripts config.content_security_policy_nonce_generator = ->(request) { SecureRandom.base64(16) } @@ -32,11 +37,9 @@ Rails.application.configure do policy.frame_ancestors :self # Specify URI for violation reports (e.g., Sentry CSP endpoint) - if report_uri = config.x.content_security_policy.report_uri - policy.report_uri report_uri - end + policy.report_uri report_uri if report_uri end # Report violations without enforcing the policy. - config.content_security_policy_report_only = config.x.content_security_policy.report_only + config.content_security_policy_report_only = report_only end unless ENV["DISABLE_CSP"]