external domains

app/controllers/admin/communication/websites_controller.rb

@@ -20,6 +20,11 @@ class Admin::Communication::WebsitesController < Admin::Communication::Websites:
     add_breadcrumb t('communication.website.analytics')
   end
 
+  def security
+    breadcrumb
+    add_breadcrumb t('communication.website.security')
+  end
+
   def new
     breadcrumb
   end

app/models/communication/website.rb

@@ -50,6 +50,7 @@ class Communication::Website < ApplicationRecord
   include WithReferences
   include WithSpecialPages
   include WithMenus # Menus must be created after special pages, so we can fill legal menu
+  include WithSecurity
   include WithStyle
   include WithTheme
   include WithUniversity

app/models/communication/website/with_security.rb

+module Communication::Website::WithSecurity
+  extend ActiveSupport::Concern
+
+  def external_domains
+    list = external_domains_default
+    list.concat external_domains_plausible
+    list.concat external_domains_from_blocks_video
+    list.concat external_domains_from_blocks_embed
+    list.uniq.compact
+  end
+
+  protected
+
+  def external_domains_default
+    [
+      'osuny-1b4da.kxcdn.com', # KeyCDN for assets resize
+      'demo.osuny.org', # Osuny for assets resize
+      'osuny.s3.fr-par.scw.cloud' # Scaleway for direct assets
+    ]
+  end
+
+  def external_domains_plausible
+    list = []
+    list << URI.parse(plausible_url).host if plausible_url.present?
+    list
+  end
+
+  def external_domains_from_blocks_video
+    list = []
+    blocks.where(template_kind: :video).each do |block|
+      video_url = block.template.url
+      list << URI.parse(video_url).host if url.present?
+    end
+    list
+  end
+
+  def external_domains_from_blocks_embed
+    list = []
+    blocks.where(template_kind: :embed).each do |block|
+      code = block.template.code
+      # https://stackoverflow.com/questions/25095176/extracting-all-urls-from-a-page-using-ruby
+      code.scan(/[[:lower:]]+:\/\/[^\s"]+/).each do |url|
+        list << URI.parse(url).host
+      end
+    end
+    list
+  end
+end
\ No newline at end of file

app/views/admin/communication/websites/security.html.erb

+<% content_for :title, t('communication.website.security') %>
+
+<%= osuny_panel "CSP" do %>
+  <ul>
+    <% @website.external_domains.each do |domain| %>
+      <li><%= domain %></li>
+    <% end %>
+  </ul>
+<% end %>
\ No newline at end of file

config/locales/communication/en.yml

@@ -785,6 +785,7 @@ en:
         published: Published
         successful_batch_update: Posts have been updated succesfully
         unpublished: Unpublished
+      security: Security
       see_all: See the full list (%{number} elements)
   enums:
     communication:

config/locales/communication/fr.yml

@@ -782,6 +782,7 @@ fr:
         published: Publiée
         successful_batch_update: Les actualités ont bien été mises à jour
         unpublished: Non publiée
+      security: Sécurité
       see_all: Voir la liste complète (%{number} éléments)
   enums:
     communication:

config/routes/admin/communication.rb

@@ -8,6 +8,7 @@ namespace :communication do
       get :import
       post :import
       get :analytics
+      get :security
     end
     get 'style' => 'websites/preview#style', as: :style
     get 'assets/*path' => 'websites/preview#assets'