Move secure_headers into reloader

config/initializers/secure_headers.rb

@@ -1,75 +1,77 @@
-SecureHeaders::Configuration.default do |config|
-  config.cookies = {
-    secure: true,
-    httponly: true
-  }
-  # Add "; preload" and submit the site to hstspreload.org for best protection.
-  config.hsts = "max-age=#{20.years.to_i}; includeSubdomains"
-  config.x_frame_options = "SAMEORIGIN"
-  config.x_content_type_options = "nosniff"
-  config.x_xss_protection = "1; mode=block"
-  config.x_permitted_cross_domain_policies = "none"
-  config.referrer_policy = "origin-when-cross-origin"
+Rails.application.reloader.to_prepare do
+  SecureHeaders::Configuration.default do |config|
+    config.cookies = {
+      secure: true,
+      httponly: true
+    }
+    # Add "; preload" and submit the site to hstspreload.org for best protection.
+    config.hsts = "max-age=#{20.years.to_i}; includeSubdomains"
+    config.x_frame_options = "SAMEORIGIN"
+    config.x_content_type_options = "nosniff"
+    config.x_xss_protection = "1; mode=block"
+    config.x_permitted_cross_domain_policies = "none"
+    config.referrer_policy = "origin-when-cross-origin"
 
-  # Valid for assets
-  assets_src = ["'self'"]
-  asset_host = OpenProject::Configuration.rails_asset_host
-  assets_src << asset_host if asset_host.present?
+    # Valid for assets
+    assets_src = ["'self'"]
+    asset_host = OpenProject::Configuration.rails_asset_host
+    assets_src << asset_host if asset_host.present?
 
-  # Valid for iframes
-  frame_src = %w['self' https://player.vimeo.com]
-  frame_src << OpenProject::Configuration[:security_badge_url]
+    # Valid for iframes
+    frame_src = %w['self' https://player.vimeo.com]
+    frame_src << OpenProject::Configuration[:security_badge_url]
 
-  # Default src
-  default_src = %w('self') + OpenProject::Configuration.remote_storage_hosts
+    # Default src
+    default_src = %w('self') + OpenProject::Configuration.remote_storage_hosts
 
-  # Allow requests to CLI in dev mode
-  connect_src = default_src + [OpenProject::Configuration.enterprise_trial_creation_host]
+    # Allow requests to CLI in dev mode
+    connect_src = default_src + [OpenProject::Configuration.enterprise_trial_creation_host]
 
-  if OpenProject::Configuration.sentry_frontend_dsn.present?
-    connect_src += [OpenProject::Configuration.sentry_host]
-  end
+    if OpenProject::Configuration.sentry_frontend_dsn.present?
+      connect_src += [OpenProject::Configuration.sentry_host]
+    end
 
-  # Add proxy configuration for Angular CLI to csp
-  if FrontendAssetHelper.assets_proxied?
-    proxied = ['ws://localhost:*', 'http://localhost:*', FrontendAssetHelper.cli_proxy]
-    connect_src += proxied
-    assets_src += proxied
-  end
+    # Add proxy configuration for Angular CLI to csp
+    if FrontendAssetHelper.assets_proxied?
+      proxied = ['ws://localhost:*', 'http://localhost:*', FrontendAssetHelper.cli_proxy]
+      connect_src += proxied
+      assets_src += proxied
+    end
 
-  # Allow to extend the script-src in specific situations
-  script_src = assets_src
+    # Allow to extend the script-src in specific situations
+    script_src = assets_src
 
-  # Allow unsafe-eval for rack-mini-profiler
-  if Rails.env.development? && ENV['OPENPROJECT_RACK_PROFILER_ENABLED']
-    script_src += %w('unsafe-eval')
-  end
+    # Allow unsafe-eval for rack-mini-profiler
+    if Rails.env.development? && ENV['OPENPROJECT_RACK_PROFILER_ENABLED']
+      script_src += %w('unsafe-eval')
+    end
 
-  config.csp = {
-    preserve_schemes: true,
+    config.csp = {
+      preserve_schemes: true,
 
-    # Fallback when no value is defined
-    default_src: default_src,
-    # Allowed uri in <base> tag
-    base_uri: %w('self'),
+      # Fallback when no value is defined
+      default_src: default_src,
+      # Allowed uri in <base> tag
+      base_uri: %w('self'),
 
-    # Allow fonts from self, asset host, or DATA uri
-    font_src: assets_src + %w(data:),
-    # Form targets can only be self
-    form_action: default_src,
-    # Allow iframe from vimeo (welcome video)
-    frame_src: frame_src + %w('self'),
-    frame_ancestors: %w('self'),
-    # Allow images from anywhere including data urls and blobs (used in resizing)
-    img_src: %w(* data: blob:),
-    # Allow scripts from self
-    script_src: script_src,
-    # Allow unsafe-inline styles
-    style_src: assets_src + %w('unsafe-inline'),
-    # Allow object-src from Release API
-    object_src: [OpenProject::Configuration[:security_badge_url]],
+      # Allow fonts from self, asset host, or DATA uri
+      font_src: assets_src + %w(data:),
+      # Form targets can only be self
+      form_action: default_src,
+      # Allow iframe from vimeo (welcome video)
+      frame_src: frame_src + %w('self'),
+      frame_ancestors: %w('self'),
+      # Allow images from anywhere including data urls and blobs (used in resizing)
+      img_src: %w(* data: blob:),
+      # Allow scripts from self
+      script_src: script_src,
+      # Allow unsafe-inline styles
+      style_src: assets_src + %w('unsafe-inline'),
+      # Allow object-src from Release API
+      object_src: [OpenProject::Configuration[:security_badge_url]],
 
-    # Connect sources for CLI in dev mode
-    connect_src: connect_src
-  }
+      # Connect sources for CLI in dev mode
+      connect_src: connect_src
+    }
+  end
 end