
  1. # frozen_string_literal: true
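class RemoteInteractionHelperController < ApplicationController
  # Serves the small helper page that is embedded in an <iframe> for the
  # remote-interaction flow. The page carries no per-user state, so the usual
  # functional-check, locale and sign-in hooks are skipped and the response is
  # marked publicly cacheable.
  #
  # NOTE(review): `vary_by ''` is a project macro; presumably it empties the
  # Vary header so shared caches key on the URL alone — confirm against its
  # definition in ApplicationController.
  vary_by ''

  skip_before_action :require_functional!
  skip_around_action :set_locale
  skip_before_action :update_user_sign_in

  content_security_policy do |p|
    # We inherit the normal `script-src`

    # Set every directive that does NOT fall back to `default-src`.
    # `base-uri` is one of them: with no `base-uri` directive an injected
    # <base href> could rewrite every relative URL (including script URLs),
    # so it must be explicitly locked to 'none'.
    p.default_src :none
    p.form_action :none
    p.base_uri :none

    # Disable every directive that DOES fall back to `default-src 'none'`,
    # to cut on response size. Passing `false` deletes the directive from the
    # policy, which is why `base-uri` must not appear here: the original
    # `p.base_uri false` silently removed the `base-uri 'none'` set above and
    # left base-uri unrestricted.
    p.font_src false
    p.img_src false
    p.style_src false
    p.media_src false
    p.frame_src false
    p.manifest_src false
    p.connect_src false
    p.child_src false
    p.worker_src false

    # Widen the directives that we do need: the frame may only be embedded by
    # our own origin, and connect-src is opened to any HTTPS origin
    # (presumably so the frame can reach remote instances — confirm against
    # the frame's JavaScript).
    p.frame_ancestors :self
    p.connect_src :https
  end

  # Renders the helper frame with the `helper_frame` layout.
  #
  # The response is cached publicly for 5 minutes (30s stale-while-revalidate,
  # 1 day stale-if-error), so nothing user-specific may ever be rendered here.
  # X-Frame-Options mirrors the CSP `frame-ancestors 'self'` directive as a
  # fallback for user agents that ignore CSP, and Referrer-Policy ensures
  # requests issued from inside the frame carry no Referer header.
  def index
    expires_in(5.minutes, public: true, stale_while_revalidate: 30.seconds, stale_if_error: 1.day)

    response.headers['X-Frame-Options'] = 'SAMEORIGIN'
    response.headers['Referrer-Policy'] = 'no-referrer'

    render layout: 'helper_frame'
  end
end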