mirror of https://github.com/tootsuite/mastodon
44 lines
1.1 KiB
Ruby
44 lines
1.1 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
class RemoteInteractionHelperController < ApplicationController
|
|
vary_by ''
|
|
|
|
skip_before_action :require_functional!
|
|
skip_around_action :set_locale
|
|
skip_before_action :update_user_sign_in
|
|
|
|
content_security_policy do |p|
|
|
# We inherit the normal `script-src`
|
|
|
|
# Set every directive that does not have a fallback
|
|
p.default_src :none
|
|
p.form_action :none
|
|
p.base_uri :none
|
|
|
|
# Disable every directive with a fallback to cut on response size
|
|
p.base_uri false
|
|
p.font_src false
|
|
p.img_src false
|
|
p.style_src false
|
|
p.media_src false
|
|
p.frame_src false
|
|
p.manifest_src false
|
|
p.connect_src false
|
|
p.child_src false
|
|
p.worker_src false
|
|
|
|
# Widen the directives that we do need
|
|
p.frame_ancestors :self
|
|
p.connect_src :https
|
|
end
|
|
|
|
def index
|
|
expires_in(5.minutes, public: true, stale_while_revalidate: 30.seconds, stale_if_error: 1.day)
|
|
|
|
response.headers['X-Frame-Options'] = 'SAMEORIGIN'
|
|
response.headers['Referrer-Policy'] = 'no-referrer'
|
|
|
|
render layout: 'helper_frame'
|
|
end
|
|
end
|