author | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2018-01-30 17:50:32 -0500 |
---|---|---|
committer | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2018-01-30 17:50:32 -0500 |
commit | 39c4a5c40b3abde1d3dee76a3ccdd326f77f60b0 (patch) | |
tree | 29cb5fec4fad1e1b348655fcf16a7741cc3367ac | |
parent | 889eb91d5f439eab647fbbef47886c61dc98e4e8 (diff) | |
Disable CSP by default
Before this patch, to be able to use webpacker and webconsole we were
defining an unsafe default in the script-src policy. While we don't
implement the automatic nonce approach defined in
https://github.com/rails/rails/issues/31689 it is better to not have any
default configuration in Rails 5.2.
-rw-r--r-- | railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt | 20 |
1 files changed, 10 insertions, 10 deletions
diff --git a/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt index c82324ae4d..edde7f42b8 100644 --- a/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt +++ b/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt @@ -4,17 +4,17 @@ # For further information see the following documentation # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy -Rails.application.config.content_security_policy do |policy| - policy.default_src :self, :https - policy.font_src :self, :https, :data - policy.img_src :self, :https, :data - policy.object_src :none - policy.script_src :self, :https, :unsafe_inline - policy.style_src :self, :https, :unsafe_inline +# Rails.application.config.content_security_policy do |policy| +# policy.default_src :self, :https +# policy.font_src :self, :https, :data +# policy.img_src :self, :https, :data +# policy.object_src :none +# policy.script_src :self, :https +# policy.style_src :self, :https, :unsafe_inline - # Specify URI for violation reports - # policy.report_uri "/csp-violation-report-endpoint" -end +# # Specify URI for violation reports +# # policy.report_uri "/csp-violation-report-endpoint" +# end # Report CSP violations to a specified URI # For further information see the following documentation: |
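Review bot: With the whole `content_security_policy` block commented out, a freshly generated app sends no Content-Security-Policy header at all, and nothing in the template says so; add a comment above `# Rails.application.config.content_security_policy do |policy|` stating that the policy is disabled by default and must be uncommented and tuned per application, so that the tightened example `# policy.script_src :self, :https` (now without `:unsafe_inline`) is not mistaken for an active setting. The doubly commented `# # policy.report_uri "/csp-violation-report-endpoint"` also reads awkwardly once a user uncomments the block; consider keeping a single `#` on the lines that are meant to remain comments after uncommenting.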