comparison config/initializers/content_security_policy.rb @ 254:89f6c0016bab default tip

Update to latest rails
author nanaya <me@nanaya.net>
date Tue, 03 Sep 2024 19:21:25 +0900
parents ad6264cca788
children
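--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -1,10 +1,10 @@
 # Be sure to restart your server when you modify this file.
 
-# Define an application-wide content security policy
-# For further information see the following documentation
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+# Define an application-wide content security policy.
+# See the Securing Rails Applications Guide for more information:
+# https://guides.rubyonrails.org/security.html#content-security-policy-header
 
 # Rails.application.configure do
 # config.content_security_policy do |policy|
 # policy.default_src :self, :https
 # policy.font_src :self, :https, :data
@@ -14,13 +14,12 @@
 # policy.style_src :self, :https
 # # Specify URI for violation reports
 # # policy.report_uri "/csp-violation-report-endpoint"
 # end
 #
-# # Generate session nonces for permitted importmap and inline scripts
+# # Generate session nonces for permitted importmap, inline scripts, and inline styles.
 # config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
-# config.content_security_policy_nonce_directives = %w(script-src)
+# config.content_security_policy_nonce_directives = %w(script-src style-src)
 #
-# # Report CSP violations to a specified URI. See:
-# # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
+# # Report violations without enforcing the policy.
 # # config.content_security_policy_report_only = true
 # end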
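Review bot: Every line of this initializer shown in the comparison is still commented out, from `# Rails.application.configure do` at line 7 through `# end` at line 25, so the refreshed template changes no runtime behavior and the application keeps sending no Content-Security-Policy header; if a policy is intended, the low-risk path is to uncomment the block together with `config.content_security_policy_report_only = true` and review the violation reports before switching to enforcement. Should the block be enabled as written, the nonce generator `->(request) { request.session.id.to_s }` reuses the session id as the nonce, which keeps the nonce constant for the whole session and places the session id in every response body; a per-request value such as `->(request) { SecureRandom.base64(16) }` avoids both issues. File lines 11–13 are not shown in this comparison, so the claim that the entire block is commented out is inferred from the surrounding context.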