Use the new CSP configuration (#249)

Author: marcospereira

app/views/clipboard.scala.html

@@ -1,5 +1,7 @@
+@()(implicit request: RequestHeader)
+
 <script type="text/javascript" charset="utf-8" src="@routes.Assets.versioned("lib/clipboard.js/clipboard.js")"></script>
-<script type="text/javascript">
+@views.html.helper.script('type -> "text/javascript") {
 (function(){
     var pre = document.getElementsByClassName('prettyprint');
     for (var i = 0; i < pre.length; i++) {
@@ -36,4 +38,4 @@
     });
 
 })();
-</script>
+}

app/views/documentation/algolia.scala.html

@@ -1,7 +1,8 @@
-@(context: models.documentation.TranslationContext)
+@(context: models.documentation.TranslationContext)(implicit request: RequestHeader)
 
 <script type="text/javascript" src="https://cdn.jsdelivr.net/docsearch.js/1/docsearch.min.js"></script>
-<script type="text/javascript"> docsearch({
+@views.html.helper.script('type -> "text/javascript") {
+docsearch({
     apiKey: 'a0b34e68c804cf96e76adcb02d47159b',
     indexName: 'playframework',
     inputSelector: '#search-input',
@@ -14,4 +15,4 @@
         ]
     }
 });
-</script>
+}

app/views/documentation/header.scala.html

@@ -16,10 +16,10 @@ <h1>Documentation</h1>
 
         <hr class="clear"/>
 
-        <script type="text/javascript">
+        @views.html.helper.script('type -> "text/javascript") {
             // On start, check if flex mod is enabled
             if (localStorage && localStorage['flex'] == "true" ) document.body.className += " flex"
-        </script>
+        }
 
         @maybeContext.map { context =>
           @algolia(context)

app/views/main.scala.html

@@ -21,27 +21,28 @@
 
         <!-- OneTrust Cookies Consent Notice (Production Standard, playframework.com, en-GB) start -->
         <script src="https://optanon.blob.core.windows.net/consent/cf9a6823-fec0-455d-b6c6-5f386804e808.js" type="text/javascript" charset="UTF-8"></script>
-        <script type="text/javascript">
+        @views.html.helper.script('type -> "text/javascript") {
             function OptanonWrapper() {
                 //one trust inserts here
             }
-        </script>
+        }
         <!-- OneTrust Cookies Consent Notice (Production Standard, playframework.com, en-GB) end -->
 
         <!--[if lt IE 9]>
         <script src="@routes.Assets.versioned("lib/html5shiv/html5shiv.js")"></script>
         <![endif]-->
         <script src="@routes.Assets.versioned("lib/jquery/jquery.js")"></script>
         <script src="@routes.Assets.versioned("javascripts/main.js")"></script>
-        <script type="application/ld+json">
-        {
-          "@@context" : "http://schema.org",
-          "@@type" : "WebSite",
-          "name" : "Play Framework",
-          "alternateName" : "The High Velocity Web Framework for Java and Scala",
-          "url" : "https://playframework.com"
+        @views.html.helper.script('type -> "application/ld+json") {
+            {
+                "@@context" : "http://schema.org",
+                "@@type" : "WebSite",
+                "name" : "Play Framework",
+                "alternateName" : "The High Velocity Web Framework for Java and Scala",
+                "url" : "https://playframework.com"
+            }
         }
-        </script>
+
     </head>
     <body class="@scope">
         <!--[if lt IE 7]>

app/views/prettify.scala.html

@@ -1,8 +1,9 @@
+@()(implicit request: RequestHeader)
 <script type="text/javascript" charset="utf-8" src="@routes.Assets.versioned("lib/prettify/prettify.js")"></script>
 <script type="text/javascript" charset="utf-8" src="@routes.Assets.versioned("lib/prettify/lang-scala.js")"></script>
-<script type="text/javascript">
-$(function(){
-window.prettyPrint && prettyPrint()
-});
-</script>
+@views.html.helper.script('type -> "text/javascript") {
+    $(function(){
+       window.prettyPrint && prettyPrint()
+    });
+}
 @clipboard()

conf/application.conf

@@ -19,12 +19,25 @@ play {
   server.netty.option.child.SO_KEEPALIVE = true
 
   filters {
+    enabled += play.filters.csp.CSPFilter
+    csp {
+      nonce {
+        enabled = true
+      }
+      directives {
+        default-src = "'self'"
+        img-src = "'self' *.githubusercontent.com *.google-analytics.com d379ifj7s9wntv.cloudfront.net"
+        font-src = "'self' data: fonts.gstatic.com"
+        script-src = ${play.filters.csp.nonce.pattern} "'self' 'unsafe-eval' *.algolia.net *.algolianet.com www.google-analytics.com *.googleapis.com cdn.jsdelivr.net munchkin.marketo.net *.mktoresp.com optanon.blob.core.windows.net"
+        style-src = "'self' fonts.googleapis.com cdn.jsdelivr.net optanon.blob.core.windows.net"
+        connect-src = "'self' *.mktoresp.com *.algolia.net *.algolianet.com"
+      }
+    }
     headers {
       frameOptions = "sameorigin"
-      contentSecurityPolicy="default-src 'self'; img-src 'self' *.githubusercontent.com *.google-analytics.com d379ifj7s9wntv.cloudfront.net; font-src 'self' data: fonts.gstatic.com; script-src 'self' 'unsafe-eval' *.algolia.net *.algolianet.com www.google-analytics.com *.googleapis.com cdn.jsdelivr.net munchkin.marketo.net *.mktoresp.com optanon.blob.core.windows.net 'sha256-Mz1BSEhQ2FXaHzVWxucxc0+PCwT6oyt/5UPqDVlUugs=' 'sha256-1IG7kxxg7+f1m8Iu+Dk44NMBBV2ZjAkq7dalJrzDJMM=' 'sha256-n73RBf/LVzJGkBNoNFYhY2JnwJDTOX/xUOK5XYVcFOI=' 'sha256-DScy2dpFEzZofKeEv/orAZJj/q21B49aHew7suEpfFs=' 'sha256-17TcZWrBMS5XH+2P8hJM6WdgJNdvHZC6w6nhVdCKQoA='; style-src 'self' fonts.googleapis.com cdn.jsdelivr.net optanon.blob.core.windows.net 'sha256-HNYzPTRt75YR/Yjz4EVJvRKMVMBbL6CMpl655m4gDcw=' 'sha256-DBEW4pxWYTcPK7CjJPI+BiO8HUcAwfzMzbFusCyqWWQ=' 'sha256-wYq1X7cBoJbqNegyYiUCSuwas5okdICKhCGXkQLi/EM=' 'sha256-9DTrbcAci4RgTNhuuPqjM9Fs+58Ek/5sYa0HpsNACE4='; connect-src 'self' *.mktoresp.com *.algolia.net *.algolianet.com"
     }
     hosts {
-      allowed = [".playframework.com", "localhost", "playframework-com-app"] # playframework-com-app is the upstream host configured in nginx
+      allowed = [".playframework.com", "localhost", "playframework-com-app", ".playframework1.com"] # playframework-com-app is the upstream host configured in nginx
     }
   }
 }