diff options
Diffstat (limited to 'config/initializers/content_security_policy.rb')
| -rw-r--r-- | config/initializers/content_security_policy.rb | 49 |
1 files changed, 26 insertions, 23 deletions
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb index d51d713..1569942 100644 --- a/config/initializers/content_security_policy.rb +++ b/config/initializers/content_security_policy.rb | |||
| @@ -4,26 +4,29 @@ | |||
| 4 | # See the Securing Rails Applications Guide for more information: | 4 | # See the Securing Rails Applications Guide for more information: |
| 5 | # https://guides.rubyonrails.org/security.html#content-security-policy-header | 5 | # https://guides.rubyonrails.org/security.html#content-security-policy-header |
| 6 | 6 | ||
| 7 | # Rails.application.configure do | 7 | Rails.application.configure do |
| 8 | # config.content_security_policy do |policy| | 8 | config.content_security_policy do |policy| |
| 9 | # policy.default_src :self, :https | 9 | policy.default_src :self |
| 10 | # policy.font_src :self, :https, :data | 10 | policy.script_src :self |
| 11 | # policy.img_src :self, :https, :data | 11 | policy.style_src :self, :unsafe_inline |
| 12 | # policy.object_src :none | 12 | policy.img_src :self, :data |
| 13 | # policy.script_src :self, :https | 13 | policy.font_src :self |
| 14 | # policy.style_src :self, :https | 14 | policy.object_src :none |
| 15 | # # Specify URI for violation reports | 15 | policy.frame_ancestors :none |
| 16 | # # policy.report_uri "/csp-violation-report-endpoint" | 16 | policy.base_uri :self |
| 17 | # end | 17 | policy.form_action :self |
| 18 | # | 18 | policy.report_uri "/csp_reports" |
| 19 | # # Generate session nonces for permitted importmap, inline scripts, and inline styles. | 19 | end |
| 20 | # config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s } | 20 | |
| 21 | # config.content_security_policy_nonce_directives = %w(script-src style-src) | 21 | # Per-request nonce; script-src only. style-src keeps unsafe_inline |
| 22 | # | 22 | # deliberately: TinyMCE emits img[style] in body content and the |
| 23 | # # Automatically add `nonce` to `javascript_tag`, `javascript_include_tag`, and `stylesheet_link_tag` | 23 | # public layout carries style attributes -- CSS injection is a |
| 24 | # # if the corresponding directives are specified in `content_security_policy_nonce_directives`. | 24 | # low-yield channel, script-src is where the protection lives. |
| 25 | # # config.content_security_policy_nonce_auto = true | 25 | config.content_security_policy_nonce_generator = ->(request) { SecureRandom.base64(16) } |
| 26 | # | 26 | config.content_security_policy_nonce_directives = %w[script-src] |
| 27 | # # Report violations without enforcing the policy. | 27 | |
| 28 | # # config.content_security_policy_report_only = true | 28 | # Report-only: nothing blocks. Enforcement is a later, deliberate |
| 29 | # end | 29 | # flip once the reports have mapped reality (admin inline scripts, |
| 30 | # legacy hotlinked images in old bodies, embeds). | ||
| 31 | config.content_security_policy_report_only = true | ||
| 32 | end | ||
