diff options
author | David Yip <yipdw@member.fsf.org> | 2018-04-13 16:36:46 -0500 |
---|---|---|
committer | David Yip <yipdw@member.fsf.org> | 2018-04-13 16:36:46 -0500 |
commit | ed490b781f9347b77eb2305e33ba6dd83f3539b0 (patch) | |
tree | 4f958ce8da072e35ef654cf5ae0a152f613f3ad8 /config | |
parent | a817f084eafaf5527445c29ab1d68f42b1a2872f (diff) | |
parent | 50529cbceb84e611bca497624a7a4c38113e5135 (diff) |
Merge remote-tracking branch 'origin/master' into gs-master
Conflicts: Gemfile.lock config/application.rb
Diffstat (limited to 'config')
-rw-r--r-- | config/application.rb | 16 | ||||
-rw-r--r-- | config/boot.rb | 2 | ||||
-rw-r--r-- | config/deploy.rb | 2 | ||||
-rw-r--r-- | config/environments/development.rb | 3 | ||||
-rw-r--r-- | config/environments/production.rb | 4 | ||||
-rw-r--r-- | config/environments/test.rb | 2 | ||||
-rw-r--r-- | config/initializers/content_security_policy.rb | 20 | ||||
-rw-r--r-- | config/initializers/cors.rb | 30 |
8 files changed, 60 insertions, 19 deletions
diff --git a/config/application.rb b/config/application.rb index c0899ad70..fdb534343 100644 --- a/config/application.rb +++ b/config/application.rb @@ -24,7 +24,7 @@ require_relative '../lib/mastodon/redis_config' module Mastodon class Application < Rails::Application # Initialize configuration defaults for originally generated Rails version. - config.load_defaults 5.1 + config.load_defaults 5.2 # Settings in config/environments/* take precedence over those specified here. # Application configuration should go into files in config/initializers @@ -86,20 +86,6 @@ module Mastodon config.active_job.queue_adapter = :sidekiq - #config.middleware.insert_before 0, Rack::Cors, debug: true, logger: (-> { Rails.logger }) do - config.middleware.insert_before 0, Rack::Cors do - allow do - origins '*' - resource '/@:username', headers: :any, methods: [:get], credentials: false - resource '/api/*', headers: :any, methods: [:post, :put, :delete, :get, :patch, :options], credentials: false, expose: ['Link', 'X-RateLimit-Reset', 'X-RateLimit-Limit', 'X-RateLimit-Remaining', 'X-Request-Id'] - resource '/oauth/token', headers: :any, methods: [:post], credentials: false - resource '/assets/*', headers: :any, methods: [:get, :head, :options] - resource '/stylesheets/*', headers: :any, methods: [:get, :head, :options] - resource '/javascripts/*', headers: :any, methods: [:get, :head, :options] - resource '/packs/*', headers: :any, methods: [:get, :head, :options] - end - end - config.middleware.use Rack::Attack config.middleware.use Rack::Deflater diff --git a/config/boot.rb b/config/boot.rb index 703738b76..0a3cd4ebe 100644 --- a/config/boot.rb +++ b/config/boot.rb @@ -1,7 +1,7 @@ ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__) require 'bundler/setup' # Set up gems listed in the Gemfile. -require 'bootsnap' +require 'bootsnap' # Speed up boot time by caching expensive operations. Bootsnap.setup( cache_dir: 'tmp/cache', diff --git a/config/deploy.rb b/config/deploy.rb index 3fd149f21..180dd1c2a 100644 --- a/config/deploy.rb +++ b/config/deploy.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -lock '3.10.0' +lock '3.10.1' set :repo_url, ENV.fetch('REPO', 'https://github.com/tootsuite/mastodon.git') set :branch, ENV.fetch('BRANCH', 'master') diff --git a/config/environments/development.rb b/config/environments/development.rb index 285fea8b8..b6478f16e 100644 --- a/config/environments/development.rb +++ b/config/environments/development.rb @@ -13,13 +13,14 @@ Rails.application.configure do config.consider_all_requests_local = true # Enable/disable caching. By default caching is disabled. + # Run rails dev:cache to toggle caching. if Rails.root.join('tmp/caching-dev.txt').exist? config.action_controller.perform_caching = true config.cache_store = :redis_store, ENV['REDIS_URL'], REDIS_CACHE_PARAMS config.public_file_server.headers = { - 'Cache-Control' => "public, max-age=#{2.days.seconds.to_i}", + 'Cache-Control' => "public, max-age=#{2.days.to_i}", } else config.action_controller.perform_caching = false diff --git a/config/environments/production.rb b/config/environments/production.rb index 7a800db19..2c8471ddd 100644 --- a/config/environments/production.rb +++ b/config/environments/production.rb @@ -15,6 +15,10 @@ Rails.application.configure do config.action_controller.perform_caching = true config.action_controller.asset_host = ENV['CDN_HOST'] if ENV.key?('CDN_HOST') + # Ensures that a master key has been made available in either ENV["RAILS_MASTER_KEY"] + # or in config/master.key. This key is used to decrypt credentials (and other encrypted files). + # config.require_master_key = true + # Disable serving static files from the `/public` folder by default since # Apache or NGINX already handles this. config.public_file_server.enabled = ENV['RAILS_SERVE_STATIC_FILES'].present? diff --git a/config/environments/test.rb b/config/environments/test.rb index 122634d5b..1c1891561 100644 --- a/config/environments/test.rb +++ b/config/environments/test.rb @@ -15,7 +15,7 @@ Rails.application.configure do # Configure public file server for tests with Cache-Control for performance. config.public_file_server.enabled = true config.public_file_server.headers = { - 'Cache-Control' => "public, max-age=#{1.hour.seconds.to_i}" + 'Cache-Control' => "public, max-age=#{1.hour.to_i}" } config.assets.digest = false diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb new file mode 100644 index 000000000..37f2c0d45 --- /dev/null +++ b/config/initializers/content_security_policy.rb @@ -0,0 +1,20 @@ +# Define an application-wide content security policy +# For further information see the following documentation +# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy + +# Rails.application.config.content_security_policy do |p| +# p.default_src :self, :https +# p.font_src :self, :https, :data +# p.img_src :self, :https, :data +# p.object_src :none +# p.script_src :self, :https +# p.style_src :self, :https, :unsafe_inline +# +# # Specify URI for violation reports +# # p.report_uri "/csp-violation-report-endpoint" +# end + +# Report CSP violations to a specified URI +# For further information see the following documentation: +# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only +# Rails.application.config.content_security_policy_report_only = true diff --git a/config/initializers/cors.rb b/config/initializers/cors.rb new file mode 100644 index 000000000..36e2694e3 --- /dev/null +++ b/config/initializers/cors.rb @@ -0,0 +1,30 @@ +# Be sure to restart your server when you modify this file. + +# Avoid CORS issues when API is called from the frontend app. +# Handle Cross-Origin Resource Sharing (CORS) in order to accept cross-origin AJAX requests. + +# Read more: https://github.com/cyu/rack-cors + +Rails.application.config.middleware.insert_before 0, Rack::Cors do + allow do + origins '*' + + resource '/@:username', + headers: :any, + methods: [:get], + credentials: false + resource '/api/*', + headers: :any, + methods: [:post, :put, :delete, :get, :patch, :options], + credentials: false, + expose: ['Link', 'X-RateLimit-Reset', 'X-RateLimit-Limit', 'X-RateLimit-Remaining', 'X-Request-Id'] + resource '/oauth/token', + headers: :any, + methods: [:post], + credentials: false + resource '/assets/*', headers: :any, methods: [:get, :head, :options] + resource '/stylesheets/*', headers: :any, methods: [:get, :head, :options] + resource '/javascripts/*', headers: :any, methods: [:get, :head, :options] + resource '/packs/*', headers: :any, methods: [:get, :head, :options] + end +end |