Permalink
Browse files

Disable CSP by default

Before this patch, to be able to use webpacker and webconsole we were
defining an used default in the script-src policy. White we don't
implement the automatic nonce approach defined in
#31689 it is better to not have any
default configuration in Rails 5.2.
  • Loading branch information...
rafaelfranca committed Jan 30, 2018
1 parent 889eb91 commit 39c4a5c40b3abde1d3dee76a3ccdd326f77f60b0
@@ -4,17 +4,17 @@
# For further information see the following documentation
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
Rails.application.config.content_security_policy do |policy|
policy.default_src :self, :https
policy.font_src :self, :https, :data
policy.img_src :self, :https, :data
policy.object_src :none
policy.script_src :self, :https, :unsafe_inline
policy.style_src :self, :https, :unsafe_inline
# Rails.application.config.content_security_policy do |policy|
# policy.default_src :self, :https
# policy.font_src :self, :https, :data
# policy.img_src :self, :https, :data
# policy.object_src :none
# policy.script_src :self, :https
# policy.style_src :self, :https, :unsafe_inline
# Specify URI for violation reports
# policy.report_uri "/csp-violation-report-endpoint"
end
# # Specify URI for violation reports
# # policy.report_uri "/csp-violation-report-endpoint"
# end
# Report CSP violations to a specified URI
# For further information see the following documentation:

0 comments on commit 39c4a5c

Please sign in to comment.