Allow crowdin in-context with CSP, but add opt-out

Since the crowdin iframe adds all sorts of assets, we will want to disabled that.
7 years ago · e2d7c7b070
parent 5954896b90
commit e2d7c7b070
3 changed files with 19 additions and 7 deletions
--- a/app/views/layouts/base.html.erb
+++ b/app/views/layouts/base.html.erb
@ -67,12 +67,12 @@ See docs/COPYRIGHT.rdoc for more details.
        <% end %>
      <% end %>
    <% end %>
-    <% if ::I18n.locale == :lol #the in-context translation pseudo-language %>
-      <script type="text/javascript">
+    <% if OpenProject::Configuration.crowdin_in_context_translations? && ::I18n.locale == :lol #the in-context translation pseudo-language %>
+      <%= nonced_javascript_tag do %>
        var _jipt = [];
            _jipt.push(['project', 'openproject']);
-      </script>
-      <script type="text/javascript" src="//cdn.crowdin.com/jipt/jipt.js"></script>
+      <% end %>
+      <script type="text/javascript" src="https://cdn.crowdin.com/jipt/jipt.js"></script>
    <% end %>
  </head>
  <body class="<%= body_css_classes %>" data-relative_url_root="<%= root_path %>" ng-init="projectIdentifier = '<%= (@project.identifier rescue '') %>'">
--- a/config/initializers/secure_headers.rb
+++ b/config/initializers/secure_headers.rb
@ -16,6 +16,15 @@ SecureHeaders::Configuration.default do |config|
  asset_host = OpenProject::Configuration.rails_asset_host
  assets_src << asset_host if asset_host.present?

+  # Valid for iframes
+  frame_src = ["'self'"]
+
+  # Allow in-context translations iframe and sources if enabled
+  if OpenProject::Configuration.crowdin_in_context_translations?
+    assets_src += %w[https://cdn.crowdin.com https://crowdin.com]
+    frame_src << 'https://crowdin.com'
+  end
+
  config.csp = {
    preserve_schemes: true,

@ -29,13 +38,13 @@ SecureHeaders::Configuration.default do |config|
    # Form targets can only be self
    form_action: %w('self'),
    # Allow iframe from vimeo (welcome video)
-    frame_src: %w(https://*.vimeo.com 'self'),
+    frame_src: frame_src + %w('self'),
    frame_ancestors: %w('self'),
    # Allow images from anywhere
    img_src: %w(* data:),
    # Allow scripts from self (not inline, but)
    # for now require unsafe-eval for Angular JIT
-    script_src: %w('self' 'unsafe-eval'),
+    script_src: assets_src + %w('unsafe-eval'),
    # Allow unsafe-inline styles
    style_src: assets_src + %w('unsafe-inline'),
  }
--- a/lib/open_project/configuration.rb
+++ b/lib/open_project/configuration.rb
@ -113,7 +113,10 @@ module OpenProject
      'after_login_default_redirect_url' => nil,
      'after_first_login_redirect_url' => nil,

-      'main_content_language' => 'english'
+      'main_content_language' => 'english',
+
+      # Allow in-context translations to be loaded with CSP
+      'crowdin_in_context_translations' => true
    }

    @config = nil