csp + error

Author: gildesmarais

app.rb

@@ -91,16 +91,22 @@ def development? = self.class.development?
 
       plugin :content_security_policy do |csp|
         csp.default_src :none
-        csp.style_src :self
-        csp.script_src :self
+        csp.style_src :self, "'unsafe-inline'" # Allow inline styles for Starlight
+        csp.script_src :self, "'unsafe-inline'" # Allow inline scripts for progressive enhancement
         csp.connect_src :self
-        csp.img_src :self
+        csp.img_src :self, 'data:', 'blob:'
         csp.font_src :self, 'data:'
         csp.form_action :self
         csp.base_uri :none
-        csp.frame_ancestors :self
-        csp.frame_src :self
+        csp.frame_ancestors :none # More restrictive than :self
+        csp.frame_src :none # More restrictive than :self
+        csp.object_src :none # Prevent object/embed/applet
+        csp.media_src :none # Prevent media sources
+        csp.manifest_src :none # Prevent manifest
+        csp.worker_src :none # Prevent workers
+        csp.child_src :none # Prevent child contexts
         csp.block_all_mixed_content
+        csp.upgrade_insecure_requests # Upgrade HTTP to HTTPS
       end
 
       plugin :default_headers,
@@ -110,7 +116,11 @@ def development? = self.class.development?
              'X-Frame-Options' => 'DENY',
              'X-Permitted-Cross-Domain-Policies' => 'none',
              'Referrer-Policy' => 'strict-origin-when-cross-origin',
-             'Permissions-Policy' => 'geolocation=(), microphone=(), camera=()'
+             'Permissions-Policy' => 'geolocation=(), microphone=(), camera=()',
+             'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains; preload',
+             'Cross-Origin-Embedder-Policy' => 'require-corp',
+             'Cross-Origin-Opener-Policy' => 'same-origin',
+             'Cross-Origin-Resource-Policy' => 'same-origin'
 
       plugin :exception_page
       plugin :error_handler do |error|

app/auto_source_routes.rb

@@ -85,48 +85,33 @@ def handle_auto_source_error(router, error)
         XmlBuilder.build_error_feed(message: error.message)
       end
 
-      # Helper methods that need to be implemented by the main app
+      # Delegate to centralized ResponseHelpers methods
       def bad_request_response(router, message)
-        router.response.status = 400
-        router.response['Content-Type'] = 'application/xml'
-        XmlBuilder.build_access_denied_feed(message)
+        ResponseHelpers.bad_request_response_with_router(router, message)
       end
 
       def unauthorized_response(router)
-        router.response.status = 401
-        router.response['Content-Type'] = 'application/xml'
-        XmlBuilder.build_error_feed(message: 'Unauthorized')
+        ResponseHelpers.unauthorized_response_with_router(router)
       end
 
       def access_denied_response(router, url)
-        router.response.status = 403
-        router.response['Content-Type'] = 'application/xml'
-        XmlBuilder.build_access_denied_feed(url)
+        ResponseHelpers.access_denied_response_with_router(router, url)
       end
 
       def method_not_allowed_response(router)
-        router.response.status = 405
-        router.response['Content-Type'] = 'application/xml'
-        XmlBuilder.build_error_feed(message: 'Method Not Allowed')
+        ResponseHelpers.method_not_allowed_response_with_router(router)
       end
 
       def internal_error_response(router)
-        router.response.status = 500
-        router.response['Content-Type'] = 'application/xml'
-        XmlBuilder.build_error_feed(message: 'Internal Server Error')
+        ResponseHelpers.internal_error_response_with_router(router)
       end
 
       def forbidden_origin_response(router)
-        router.response.status = 403
-        router.response['Content-Type'] = 'application/xml'
-        XmlBuilder.build_error_feed(message: 'Forbidden Origin')
+        ResponseHelpers.forbidden_origin_response_with_router(router)
       end
 
       def configure_auto_source_headers(router)
-        router.response['Content-Type'] = 'application/xml'
-        router.response['Cache-Control'] = 'public, max-age=3600'
-        router.response['X-Content-Type-Options'] = 'nosniff'
-        router.response['X-XSS-Protection'] = '1; mode=block'
+        ResponseHelpers.configure_auto_source_headers_with_router(router)
       end
 
       def validate_and_decode_base64(encoded_url)

app/response_helpers.rb

@@ -9,6 +9,7 @@ module Web
     module ResponseHelpers
       module_function
 
+      # Methods that work with response object directly (for main app)
       def unauthorized_response
         response.status = 401
         response['Content-Type'] = 'application/xml'
@@ -58,6 +59,57 @@ def configure_auto_source_headers
         response['X-Content-Type-Options'] = 'nosniff'
         response['X-XSS-Protection'] = '1; mode=block'
       end
+
+      # Methods that work with router objects (for route modules)
+      def unauthorized_response_with_router(router)
+        router.response.status = 401
+        router.response['Content-Type'] = 'application/xml'
+        router.response['WWW-Authenticate'] = 'Basic realm="Auto Source"'
+        XmlBuilder.build_error_feed(message: 'Unauthorized')
+      end
+
+      def forbidden_origin_response_with_router(router)
+        router.response.status = 403
+        router.response['Content-Type'] = 'application/xml'
+        XmlBuilder.build_error_feed(message: 'Origin is not allowed.')
+      end
+
+      def access_denied_response_with_router(router, url)
+        router.response.status = 403
+        router.response['Content-Type'] = 'application/xml'
+        XmlBuilder.build_access_denied_feed(url)
+      end
+
+      def not_found_response_with_router(router)
+        router.response.status = 404
+        router.response['Content-Type'] = 'application/xml'
+        XmlBuilder.build_error_feed(message: 'Feed not found', title: 'Not Found')
+      end
+
+      def bad_request_response_with_router(router, message)
+        router.response.status = 400
+        router.response['Content-Type'] = 'application/xml'
+        XmlBuilder.build_error_feed(message: message, title: 'Bad Request')
+      end
+
+      def method_not_allowed_response_with_router(router)
+        router.response.status = 405
+        router.response['Content-Type'] = 'application/xml'
+        XmlBuilder.build_error_feed(message: 'Method Not Allowed')
+      end
+
+      def internal_error_response_with_router(router)
+        router.response.status = 500
+        router.response['Content-Type'] = 'application/xml'
+        XmlBuilder.build_error_feed(message: 'Internal Server Error')
+      end
+
+      def configure_auto_source_headers_with_router(router)
+        router.response['Content-Type'] = 'application/xml'
+        router.response['Cache-Control'] = 'public, max-age=3600'
+        router.response['X-Content-Type-Options'] = 'nosniff'
+        router.response['X-XSS-Protection'] = '1; mode=block'
+      end
     end
   end
 end

app/static_file_helpers.rb

@@ -61,23 +61,6 @@ def serve_astro_file(file_path)
         response['Content-Type'] = 'text/html'
         File.read(file_path)
       end
-
-      ##
-      # Validate and decode Base64 string safely
-      # @param encoded_string [String] Base64 encoded string
-      # @return [String, nil] decoded string if valid, nil if invalid
-      def validate_and_decode_base64(encoded_string)
-        return nil unless encoded_string.is_a?(String)
-        return nil if encoded_string.empty?
-
-        # Check if string contains only valid Base64 characters
-        return nil unless encoded_string.match?(%r{\A[A-Za-z0-9+/]*={0,2}\z})
-
-        # Attempt to decode
-        Base64.decode64(encoded_string)
-      rescue ArgumentError
-        nil
-      end
     end
   end
 end