about summary refs log tree commit diff
path: root/config
diff options
context:
space:
mode:
Diffstat (limited to 'config')
-rw-r--r--config/application.rb16
-rw-r--r--config/boot.rb2
-rw-r--r--config/deploy.rb2
-rw-r--r--config/environments/development.rb3
-rw-r--r--config/environments/production.rb4
-rw-r--r--config/environments/test.rb2
-rw-r--r--config/initializers/content_security_policy.rb20
-rw-r--r--config/initializers/cors.rb30
8 files changed, 60 insertions, 19 deletions
diff --git a/config/application.rb b/config/application.rb
index c0899ad70..fdb534343 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -24,7 +24,7 @@ require_relative '../lib/mastodon/redis_config'
 module Mastodon
   class Application < Rails::Application
     # Initialize configuration defaults for originally generated Rails version.
-    config.load_defaults 5.1
+    config.load_defaults 5.2
 
     # Settings in config/environments/* take precedence over those specified here.
     # Application configuration should go into files in config/initializers
@@ -86,20 +86,6 @@ module Mastodon
 
     config.active_job.queue_adapter = :sidekiq
 
-    #config.middleware.insert_before 0, Rack::Cors, debug: true, logger: (-> { Rails.logger }) do
-    config.middleware.insert_before 0, Rack::Cors do
-      allow do
-        origins  '*'
-        resource '/@:username',  headers: :any, methods: [:get], credentials: false
-        resource '/api/*',       headers: :any, methods: [:post, :put, :delete, :get, :patch, :options], credentials: false, expose: ['Link', 'X-RateLimit-Reset', 'X-RateLimit-Limit', 'X-RateLimit-Remaining', 'X-Request-Id']
-        resource '/oauth/token', headers: :any, methods: [:post], credentials: false
-        resource '/assets/*', headers: :any, methods: [:get, :head, :options]
-        resource '/stylesheets/*', headers: :any, methods: [:get, :head, :options]
-        resource '/javascripts/*', headers: :any, methods: [:get, :head, :options]
-        resource '/packs/*', headers: :any, methods: [:get, :head, :options]
-      end
-    end
-
     config.middleware.use Rack::Attack
     config.middleware.use Rack::Deflater
 
diff --git a/config/boot.rb b/config/boot.rb
index 703738b76..0a3cd4ebe 100644
--- a/config/boot.rb
+++ b/config/boot.rb
@@ -1,7 +1,7 @@
 ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__)
 
 require 'bundler/setup' # Set up gems listed in the Gemfile.
-require 'bootsnap'
+require 'bootsnap' # Speed up boot time by caching expensive operations.
 
 Bootsnap.setup(
   cache_dir:            'tmp/cache',
diff --git a/config/deploy.rb b/config/deploy.rb
index 3fd149f21..180dd1c2a 100644
--- a/config/deploy.rb
+++ b/config/deploy.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-lock '3.10.0'
+lock '3.10.1'
 
 set :repo_url, ENV.fetch('REPO', 'https://github.com/tootsuite/mastodon.git')
 set :branch, ENV.fetch('BRANCH', 'master')
diff --git a/config/environments/development.rb b/config/environments/development.rb
index 285fea8b8..b6478f16e 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -13,13 +13,14 @@ Rails.application.configure do
   config.consider_all_requests_local = true
 
   # Enable/disable caching. By default caching is disabled.
+  # Run rails dev:cache to toggle caching.
   if Rails.root.join('tmp/caching-dev.txt').exist?
     config.action_controller.perform_caching = true
 
     config.cache_store = :redis_store, ENV['REDIS_URL'], REDIS_CACHE_PARAMS
 
     config.public_file_server.headers = {
-      'Cache-Control' => "public, max-age=#{2.days.seconds.to_i}",
+      'Cache-Control' => "public, max-age=#{2.days.to_i}",
     }
   else
     config.action_controller.perform_caching = false
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 7a800db19..2c8471ddd 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -15,6 +15,10 @@ Rails.application.configure do
   config.action_controller.perform_caching = true
   config.action_controller.asset_host      = ENV['CDN_HOST'] if ENV.key?('CDN_HOST')
 
+  # Ensures that a master key has been made available in either ENV["RAILS_MASTER_KEY"]
+  # or in config/master.key. This key is used to decrypt credentials (and other encrypted files).
+  # config.require_master_key = true
+
   # Disable serving static files from the `/public` folder by default since
   # Apache or NGINX already handles this.
   config.public_file_server.enabled = ENV['RAILS_SERVE_STATIC_FILES'].present?
diff --git a/config/environments/test.rb b/config/environments/test.rb
index 122634d5b..1c1891561 100644
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -15,7 +15,7 @@ Rails.application.configure do
   # Configure public file server for tests with Cache-Control for performance.
   config.public_file_server.enabled = true
   config.public_file_server.headers = {
-    'Cache-Control' => "public, max-age=#{1.hour.seconds.to_i}"
+    'Cache-Control' => "public, max-age=#{1.hour.to_i}"
   }
   config.assets.digest = false
 
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
new file mode 100644
index 000000000..37f2c0d45
--- /dev/null
+++ b/config/initializers/content_security_policy.rb
@@ -0,0 +1,20 @@
+# Define an application-wide content security policy
+# For further information see the following documentation
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+
+# Rails.application.config.content_security_policy do |p|
+#   p.default_src :self, :https
+#   p.font_src    :self, :https, :data
+#   p.img_src     :self, :https, :data
+#   p.object_src  :none
+#   p.script_src  :self, :https
+#   p.style_src   :self, :https, :unsafe_inline
+#
+#   # Specify URI for violation reports
+#   # p.report_uri "/csp-violation-report-endpoint"
+# end
+
+# Report CSP violations to a specified URI
+# For further information see the following documentation:
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
+# Rails.application.config.content_security_policy_report_only = true
diff --git a/config/initializers/cors.rb b/config/initializers/cors.rb
new file mode 100644
index 000000000..36e2694e3
--- /dev/null
+++ b/config/initializers/cors.rb
@@ -0,0 +1,30 @@
+# Be sure to restart your server when you modify this file.
+
+# Avoid CORS issues when API is called from the frontend app.
+# Handle Cross-Origin Resource Sharing (CORS) in order to accept cross-origin AJAX requests.
+
+# Read more: https://github.com/cyu/rack-cors
+
+Rails.application.config.middleware.insert_before 0, Rack::Cors do
+  allow do
+    origins '*'
+
+    resource '/@:username',
+      headers: :any,
+      methods: [:get],
+      credentials: false
+    resource '/api/*',
+      headers: :any,
+      methods: [:post, :put, :delete, :get, :patch, :options],
+      credentials: false,
+      expose: ['Link', 'X-RateLimit-Reset', 'X-RateLimit-Limit', 'X-RateLimit-Remaining', 'X-Request-Id']
+    resource '/oauth/token',
+      headers: :any,
+      methods: [:post],
+      credentials: false
+    resource '/assets/*', headers: :any, methods: [:get, :head, :options]
+    resource '/stylesheets/*', headers: :any, methods: [:get, :head, :options]
+    resource '/javascripts/*', headers: :any, methods: [:get, :head, :options]
+    resource '/packs/*', headers: :any, methods: [:get, :head, :options]
+  end
+end