Problem with CSP reverting to report-only mode #183
Comments
That's very strange and I can't say I have a clue as to what is going on. Are you overriding the global settings at all? Overrides are stored as class instance variables so I could see a path where one request can affect others, but you'd have to be using secure_headers in an unsupported fashion which isn't exactly easy to stumble upon.
Thanks for your reply. I don't think I'm doing anything particularly exotic. I can reproduce this in a newly-created Rails application, as follows.
```ruby
::SecureHeaders::Configuration.configure do |config|
  config.csp = {
    enforce: true,
    default_src: [
      "*",
      "'unsafe-inline'",
      "'unsafe-eval'",
    ]
  }
end
```

So far, so good. This next part is what causes the problem.
```erb
<%= javascript_include_tag "//#{my_domain_name_here}.groovehq.com/widgets/#{my_groove_app_id_here}/ticket.js", async: true %>
```
Thanks, I can reproduce this. Ugh, this is a nasty regression. I'll have a fix shortly and release a new gem when I figure out how far back this goes.
OK this is only an issue with 2.4.1
I just pushed 2.4.2. Thanks for reporting this!
Wow, that's great. Thanks very much. Tested with version 2.4.2, and the problem is indeed resolved.
Strange problem, which I probably don't understand well enough to explain...

CSP configured with `enforce: true`; works well until I pull in a third-party JavaScript that injects an iframe into the page. With the JavaScript in place, the first request after an app restart correctly enforces CSP; all subsequent requests, however, return a `Content-Security-Policy-Report-Only:` header.

I'm struggling to understand how injecting an iframe into the page can be causing `secure_headers` apparently to ignore my configured `enforce: true` for the CSP. Any help greatly appreciated.
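The mechanism the maintainer sketches above (an override kept in shared class-level state leaking into later requests) and the reported symptom (first response enforced, later ones report-only), modelled as an added Ruby example that is not secure_headers' own code. `CspConfig`, `run_requests` and `unenforced_indices` are constructed names, and the override path is a simplification of that mechanism, not the regression's actual root cause.

```ruby
# Constructed illustration, not secure_headers' code: a toy CSP config object,
# a request loop that either shares one config object across requests or
# hands each request its own copy, and a check over consecutive responses.
ENFORCE_HEADER     = "Content-Security-Policy"
REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only"

class CspConfig
  attr_accessor :enforce, :default_src

  def initialize(enforce:, default_src:)
    @enforce     = enforce
    @default_src = default_src
  end

  # Which header name is emitted depends only on +enforce+.
  def header
    name = @enforce ? ENFORCE_HEADER : REPORT_ONLY_HEADER
    { name => "default-src #{@default_src.join(' ')}" }
  end
end

# Same values as the configure block in the report (constructed copy).
def global_config
  CspConfig.new(enforce: true, default_src: ["*", "'unsafe-inline'", "'unsafe-eval'"])
end

# Serves one request per entry in +overrides+ ({ enforce: false } stands for a
# request that asked for a per-request report-only override) and returns each
# response's headers. With scoped: false the override is written onto the one
# shared config, so it survives into every later request; with scoped: true
# each request works on a copy and the override dies with the request.
def run_requests(global, overrides, scoped:)
  overrides.map do |override|
    cfg = scoped ? global.dup : global
    cfg.enforce = override[:enforce] if override.key?(:enforce)
    cfg.header
  end
end

# Indices of responses that carry the report-only header or lack the enforcing
# one. An empty array means every response enforced the policy.
def unenforced_indices(responses)
  responses.each_index.select do |i|
    h = responses[i]
    h.key?(REPORT_ONLY_HEADER) || !h.key?(ENFORCE_HEADER)
  end
end

requests = [{}, { enforce: false }, {}]
p unenforced_indices(run_requests(global_config, requests, scoped: false)) # => [1, 2]
p unenforced_indices(run_requests(global_config, requests, scoped: true))  # => [1]
```

The same `unenforced_indices` check can be run over `response.headers` collected from two consecutive requests in a Rails integration test to catch this kind of regression before an upgrade ships.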