
Add content security policy

Thibaut Courouble %!s(int64=9) %!d(string=hai) anos
pai
achega
4468f65dd8
Modificáronse 6 ficheiros con 23 adicións e 17 borrados
  1. 1 1
      assets/javascripts/views/pages/jquery.coffee
  2. 6 0
      lib/app.rb
  3. 2 2
      public/opensearch.xml
  4. 2 2
      views/app.erb
  5. 10 10
      views/index.erb
  6. 2 2
      views/other.erb

+ 1 - 1
assets/javascripts/views/pages/jquery.coffee

@@ -44,7 +44,7 @@ class app.views.JqueryPage extends app.views.BasePage
     return
 
   fixIframeSource: (source) ->
-    source = source.replace '"/resources/', '"http://api.jquery.com/resources/' # attr(), keydown()
+    source = source.replace '"/resources/', '"https://api.jquery.com/resources/' # attr(), keydown()
     source.replace '</head>', """
       <style>
         html, body { border: 0; margin: 0; padding: 0; }
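Review bot: The changed `source.replace` call passes a string pattern, and in JavaScript that rewrites only the first `"/resources/` occurrence; any later reference in the same iframe source keeps the root-relative path and resolves against the host page's origin rather than api.jquery.com. If the jQuery pages named in the trailing comment can contain more than one such reference, a global regex is the safer form: `source = source.replace /"\/resources\//g, '"https://api.jquery.com/resources/'`. fixIframeSource continues past the end of the hunk.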

+ 6 - 0
lib/app.rb

@@ -40,6 +40,8 @@ class App < Sinatra::Application
     set :news_path, -> { File.join(root, assets_prefix, 'javascripts', 'news.json') }
     set :news, -> { JSON.parse(File.read(news_path)) }
 
+    set :csp, false
+
     Dir[docs_path, root.join(assets_prefix, '*/')].each do |path|
       sprockets.append_path(path)
     end
@@ -69,6 +71,7 @@ class App < Sinatra::Application
   configure :production do
     set :static, false
     set :docs_host, '//docs.devdocs.io'
+    set :csp, "default-src 'self' *; script-src 'self' 'unsafe-inline' https://cdn.devdocs.io https://www.google-analytics.com https://secure.gaug.es http://*.jquery.com https://*.jquery.com; font-src data:; style-src 'self' 'unsafe-inline' *; img-src 'self' * data:;"
 
     use Rack::ConditionalGet
     use Rack::ETag
@@ -88,6 +91,7 @@ class App < Sinatra::Application
     Sprockets::Helpers.configure do |config|
       config.digest = true
       config.asset_host = 'cdn.devdocs.io'
+      config.protocol = 'https://'
       config.manifest = Sprockets::Manifest.new(sprockets, assets_manifest_path)
     end
   end
@@ -216,6 +220,7 @@ class App < Sinatra::Application
 
   get '/' do
     return redirect '/' unless request.query_string.empty? # courtesy of HTML5 App Cache
+    response.headers['Content-Security-Policy'] = settings.csp if settings.csp
     erb :index
   end
 
@@ -289,6 +294,7 @@ class App < Sinatra::Application
     elsif user_has_docs?(doc) && supports_js_redirection?
       redirect_via_js(request.path)
     else
+      response.headers['Content-Security-Policy'] = settings.csp if settings.csp
       erb :other
     end
   end
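Review bot: The production policy on the `set :csp` line has no `object-src` directive, so plugin content falls back to `default-src 'self' *` and may be loaded from any origin; nothing in these pages appears to need plugins, so `object-src 'none'` should be added. The same `script-src` also allows `http://*.jquery.com`, which permits script loads over plaintext from that domain even though the rest of this commit moves the iframe, CDN and analytics URLs to HTTPS; dropping the http entry keeps script loading HTTPS-only: `set :csp, "default-src 'self' *; script-src 'self' 'unsafe-inline' https://cdn.devdocs.io https://www.google-analytics.com https://secure.gaug.es https://*.jquery.com; object-src 'none'; font-src data:; style-src 'self' 'unsafe-inline' *; img-src 'self' * data:;"`. Note too that `font-src data:` omits `'self'` and the CDN host, so any web font referenced by the stylesheets would be blocked — worth confirming against the asset bundle before this ships. The header is attached only in the `/` route and the doc-page branch, whose enclosing route bodies extend outside the hunks.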

+ 2 - 2
public/opensearch.xml

@@ -4,8 +4,8 @@
   <Description>Search API documentation</Description>
   <Tags>devdocs</Tags>
   <Url type="text/html" method="get" template="http://devdocs.io/#q={searchTerms}"/>
-  <Image height="16" width="16" type="image/vnd.microsoft.icon">http://cdn.devdocs.io/favicon.ico</Image>
-  <Image height="64" width="64" type="image/x-icon">http://cdn.devdocs.io/images/icon-64.png</Image>
+  <Image height="16" width="16" type="image/vnd.microsoft.icon">https://cdn.devdocs.io/favicon.ico</Image>
+  <Image height="64" width="64" type="image/x-icon">https://cdn.devdocs.io/images/icon-64.png</Image>
   <InputEncoding>UTF-8</InputEncoding>
   <moz:SearchForm>http://devdocs.io</moz:SearchForm>
   <Url type="application/opensearchdescription+xml" rel="self" template="http://devdocs.io/opensearch.xml"/>
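Review bot: The `template`, `moz:SearchForm` and `rel="self"` URLs in this same block still use `http://devdocs.io` while the two image URLs directly above were moved to HTTPS, so a search launched from the browser's search box starts with a plaintext request that can be intercepted before any redirect to HTTPS takes effect. If devdocs.io itself is served over HTTPS, as the CDN and analytics changes in this commit suggest, change those three to `https://devdocs.io/#q={searchTerms}`, `https://devdocs.io` and `https://devdocs.io/opensearch.xml`. The search terms live in the URL fragment and are not sent to the server, so the exposure is the initial navigation itself rather than the query text.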

+ 2 - 2
views/app.erb

@@ -34,14 +34,14 @@
   (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
   (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
   m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
-  })(window,document,'script','//www.google-analytics.com/analytics.js','ga');
+  })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
   ga('create', 'UA-5544833-12', 'devdocs.io');
   ga('send', 'pageview');
 </script><script>
   var _gauges=_gauges||[];!function(){var a=document.createElement("script");
   a.type="text/javascript",a.async=!0,a.id="gauges-tracker",
   a.setAttribute("data-site-id","51c15f82613f5d7819000067"),
-  a.src="//secure.gaug.es/track.js";var b=document.getElementsByTagName("script")[0];
+  a.src="https://secure.gaug.es/track.js";var b=document.getElementsByTagName("script")[0];
   b.parentNode.insertBefore(a,b)}();
 </script><% end %>
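Review bot: The two inline `<script>` blocks here (the analytics loaders) are what forces `'unsafe-inline'` into the script-src of the policy this commit adds, and that keyword lets any injected inline script run, which removes most of the XSS protection a CSP provides. Both snippets are static literals, so they could be moved into the bundled `application` asset, or whitelisted by hash (`'sha256-…'` of each block's exact contents) or by a per-request nonce, after which `'unsafe-inline'` can be dropped from script-src. The `<% end %>` closes a conditional that opens before the hunk.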
 <style data-size="<%= app_size %>" data-resizer>

+ 10 - 10
views/index.erb

@@ -8,7 +8,7 @@
   <meta property="og:description" content="DevDocs is an API documentation browser that combines 80+ docs in a single UI with offline mode, instant search, keyboard shortcuts, and more.">
   <meta property="og:type" content="website">
   <meta property="og:url" content="http://devdocs.io">
-  <meta property="og:image" content="http://cdn.devdocs.io/images/icon-128.png">
+  <meta property="og:image" content="https://cdn.devdocs.io/images/icon-128.png">
   <meta name="apple-mobile-web-app-capable" content="yes">
   <meta name="apple-mobile-web-app-status-bar-style" content="black">
   <meta name="format-detection" content="telephone=no">
@@ -17,15 +17,15 @@
   <link rel="canonical" href="http://devdocs.io">
   <link rel="search" type="application/opensearchdescription+xml" href="/opensearch.xml" title="DevDocs Search">
   <link rel="alternate" href="http://devdocs.io/feed" title="DevDocs" type="application/atom+xml">
-  <link rel="icon" type="image/x-icon" href="//cdn.devdocs.io/favicon.ico">
-  <link rel="fluid-icon" href="http://cdn.devdocs.io/images/fluid-icon.png" title="DevDocs">
-  <link rel="apple-touch-icon" sizes="72x72" href="http://cdn.devdocs.io/images/apple-icon-72.png">
-  <link rel="apple-touch-icon" sizes="76x76" href="http://cdn.devdocs.io/images/apple-icon-76.png">
-  <link rel="apple-touch-icon" sizes="114x114" href="http://cdn.devdocs.io/images/apple-icon-114.png">
-  <link rel="apple-touch-icon" sizes="120x120" href="http://cdn.devdocs.io/images/apple-icon-120.png">
-  <link rel="apple-touch-icon" sizes="144x144" href="http://cdn.devdocs.io/images/apple-icon-144.png">
-  <link rel="apple-touch-icon" sizes="152x152" href="http://cdn.devdocs.io/images/apple-icon-152.png">
-  <link rel="apple-touch-icon" sizes="160x160" href="http://cdn.devdocs.io/images/apple-icon-160.png">
+  <link rel="icon" type="image/x-icon" href="https://cdn.devdocs.io/favicon.ico">
+  <link rel="fluid-icon" href="https://cdn.devdocs.io/images/fluid-icon.png" title="DevDocs">
+  <link rel="apple-touch-icon" sizes="72x72" href="https://cdn.devdocs.io/images/apple-icon-72.png">
+  <link rel="apple-touch-icon" sizes="76x76" href="https://cdn.devdocs.io/images/apple-icon-76.png">
+  <link rel="apple-touch-icon" sizes="114x114" href="https://cdn.devdocs.io/images/apple-icon-114.png">
+  <link rel="apple-touch-icon" sizes="120x120" href="https://cdn.devdocs.io/images/apple-icon-120.png">
+  <link rel="apple-touch-icon" sizes="144x144" href="https://cdn.devdocs.io/images/apple-icon-144.png">
+  <link rel="apple-touch-icon" sizes="152x152" href="https://cdn.devdocs.io/images/apple-icon-152.png">
+  <link rel="apple-touch-icon" sizes="160x160" href="https://cdn.devdocs.io/images/apple-icon-160.png">
   <link rel="stylesheet" href="<%= main_stylesheet_path %>" data-alt="<%= alternate_stylesheet_path %>">
   <%= javascript_tag 'application', asset_host: false %>
   <%= javascript_tag 'docs' %><% unless App.production? %>
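Review bot: The `og:url`, `rel="canonical"` and `rel="alternate"` feed links at the top of this section still point at `http://devdocs.io` while every CDN URL in the same head was switched to HTTPS; if the site is served over HTTPS, as this commit implies, search engines and social previews will keep the plaintext URL as the canonical one. Change them to `https://devdocs.io` and `https://devdocs.io/feed` alongside the icon URLs. This is a consistency point rather than a runtime defect.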

+ 2 - 2
views/other.erb

@@ -5,10 +5,10 @@
   <meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=no">
   <% if doc_index_page? %><meta name="description" content="<%= @doc['full_name'] %> API documentation with instant search, offline mode, keyboard shortcuts, mobile version, and more."><% else %><meta name="robots" content="noindex"><% end %>
   <meta name="format-detection" content="telephone=no">
-  <meta property="og:image" content="http://cdn.devdocs.io/images/icon-128.png">
+  <meta property="og:image" content="https://cdn.devdocs.io/images/icon-128.png">
   <title>DevDocs<%= " - #{@doc['full_name']} documentation" if doc_index_page? %></title>
   <link rel="canonical" href="http://devdocs.io<%= request.path %>">
-  <link rel="icon" type="image/x-icon" href="//cdn.devdocs.io/favicon.ico">
+  <link rel="icon" type="image/x-icon" href="https://cdn.devdocs.io/favicon.ico">
   <link rel="search" type="application/opensearchdescription+xml" href="/opensearch.xml" title="Search DevDocs">
   <link rel="stylesheet" href="<%= main_stylesheet_path %>" data-alt="<%= alternate_stylesheet_path %>">
   <%= javascript_tag 'application', asset_host: false %><% unless App.production? %>
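Review bot: The `rel="canonical"` link between the two changed lines still emits `http://devdocs.io<%= request.path %>`, so this template advertises a plaintext canonical URL while its icon and og:image now use HTTPS; if the site is served over HTTPS, change it to `https://devdocs.io<%= request.path %>`. The `<% unless App.production? %>` at the end opens a conditional that closes outside the hunk.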