allow eval only development env

`rack-mini-profiler` uses eval.
y-yagi · Mar 18, 2018 · 1fc04c0 · 1fc04c0
1 parent f809f7c
commit 1fc04c0
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
@@ -4,12 +4,15 @@
 # For further information see the following documentation
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
 
+script_srcs = [:self, "www.dropbox.com", "maps.googleapis.com", "www.google-analytics.com", "cdnjs.cloudflare.com", :unsafe_inline]
+script_srcs << :unsafe_eval if Rails.env.development?
+
 Rails.application.config.content_security_policy do |policy|
   policy.default_src :self
   policy.font_src    :self, :data, "fonts.gstatic.com", "netdna.bootstrapcdn.com"
   policy.img_src     :self, :data, "www.google-analytics.com", "maps.googleapis.com"
   policy.object_src  :none
-  policy.script_src  :self, "www.dropbox.com", "maps.googleapis.com", "www.google-analytics.com", "cdnjs.cloudflare.com", :unsafe_inline
+  policy.script_src  *script_srcs
   policy.style_src   :self, "netdna.bootstrapcdn.com", "fonts.googleapis.com", :unsafe_inline
 
   # Specify URI for violation reports