diff config/initializers/content_security_policy.rb @ 254:89f6c0016bab default tip

Update to latest rails
author nanaya <me@nanaya.net>
date Tue, 03 Sep 2024 19:21:25 +0900
parents ad6264cca788
children
line wrap: on
line diff
--- a/config/initializers/content_security_policy.rb	Mon Mar 25 02:49:50 2024 +0900
+++ b/config/initializers/content_security_policy.rb	Tue Sep 03 19:21:25 2024 +0900
@@ -1,8 +1,8 @@
 # Be sure to restart your server when you modify this file.
 
-# Define an application-wide content security policy
-# For further information see the following documentation
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+# Define an application-wide content security policy.
+# See the Securing Rails Applications Guide for more information:
+# https://guides.rubyonrails.org/security.html#content-security-policy-header
 
 # Rails.application.configure do
 #   config.content_security_policy do |policy|
@@ -16,11 +16,10 @@
 #     # policy.report_uri "/csp-violation-report-endpoint"
 #   end
 #
-#   # Generate session nonces for permitted importmap and inline scripts
+#   # Generate session nonces for permitted importmap, inline scripts, and inline styles.
 #   config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
-#   config.content_security_policy_nonce_directives = %w(script-src)
+#   config.content_security_policy_nonce_directives = %w(script-src style-src)
 #
-#   # Report CSP violations to a specified URI. See:
-#   # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
+#   # Report violations without enforcing the policy.
 #   # config.content_security_policy_report_only = true
 # end