Configure Content Security Policy for Action Cable #31309
Steps to reproduce
Generate a new app (5.2.0.beta2) with Action Cable.
When generating a fresh application, the content security policy should add a directive to
Should skip if action_cable is ignored when generating a new app.
Content security policy has no instructions for
For instance I added the following in
but it does not work.
Rails version: 5.2.0.beta2
Ruby version: 3.3.1
If the aforementioned configuration is not possible, not sure how people use Action Cable with a security policy in development.
Thanks @jeremy for the link. The issue is quite old so I doubt this will change anytime soon.
@pixeltrix Turned out that the eval issue comes from
@guilleiguaran is right, this seems to work though when you set
At the end I guess it's a matter of documenting this in ActionCable docs. Will open a PR separately. Thank you all.
This was referenced
Dec 2, 2017
Where does this leave system tests? For use with Webpacker (Vue) and ActionCable, my CSP includes this:
However, this doesn't work in the test environment, since the port changes each time. As a workaround, I've included this:
    if Rails.env.test?
      p.connect_src :self, '*'
    else
      p.connect_src :self, :https, 'http://localhost:3035', 'ws://localhost:3035', 'ws://localhost:3000'
    end

Is this a Rails CSP concern (is this even a problem?), or should I move this to StackOverflow?
@guilleiguaran yes. This was confirmed by accessing the browser during a system test and checking the value of
Without my workaround above, the console would repeatedly error that it could not connect to the WS.
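
The system-test workaround in this thread opens `connect-src` to `'*'` because the server port changes on every run. As an added example (not code from the thread or from Rails), the test policy can stay scoped to one WebSocket origin if the Capybara server is pinned to a fixed port. Assumptions: port 3001 and the host names are constructed values, and `connect_sources` and `render_connect_src` are hypothetical helper names.

```ruby
# Added example. Assumption: the test setup pins the system-test server,
# e.g. `Capybara.server_port = 3001`, so the port no longer changes per run.
TEST_PORT = 3001 # constructed value, pick any free port

# Rails' CSP DSL turns these symbols into the quoted/scheme source forms.
KEYWORDS = { self: "'self'", https: "https:" }.freeze

# Returns the connect-src source list for an environment.
# Non-test environments keep the list posted in the thread.
def connect_sources(env, test_port: TEST_PORT)
  if env.to_s == "test"
    # Explicit WebSocket origins for the pinned test server instead of '*'.
    [:self, "ws://127.0.0.1:#{test_port}", "ws://localhost:#{test_port}"]
  else
    [:self, :https, "http://localhost:3035",
     "ws://localhost:3035", "ws://localhost:3000"]
  end
end

# Serializes the list the way it appears in the response header,
# which is useful for asserting on the policy in a test.
def render_connect_src(sources)
  rendered = sources.map { |s| s.is_a?(Symbol) ? KEYWORDS.fetch(s) : s }
  "connect-src #{rendered.join(' ')}"
end

# True when the list contains the catch-all source.
def wildcard?(sources)
  sources.include?("*")
end

# Inside a Rails app (config/initializers/content_security_policy.rb) the
# list feeds the existing DSL; skipped when this file runs as plain Ruby.
if defined?(Rails) && Rails.respond_to?(:application) && Rails.application
  Rails.application.config.content_security_policy do |p|
    p.connect_src(*connect_sources(Rails.env))
  end
end

puts render_connect_src(connect_sources("test"))
puts render_connect_src(connect_sources("development"))
```
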