author: bogdanvlviv <bogdanvlviv@gmail.com> 2018-03-18 23:07:12 +0200
committer: bogdanvlviv <bogdanvlviv@gmail.com> 2018-03-18 23:25:19 +0200
commit: 8b26de85e84ab5acfed087b4b2b1b31a6f6b96a7 (patch)
tree: fcca3d8bef11156102c8e88674682ef4aa158d2f /guides/source/5_2_release_notes.md
parent: d9736e50d8d6fc9fad32e16ebdc8dcd0a0a3ec61 (diff)
Move CSP info from 5.2 release notes to guide [ci skip]
- Add mention about "nonce". Related to https://github.com/rails/rails/pull/32222#issuecomment-372268157
Diffstat (limited to 'guides/source/5_2_release_notes.md')
-rw-r--r--  guides/source/5_2_release_notes.md  66
1 file changed, 3 insertions, 63 deletions
diff --git a/guides/source/5_2_release_notes.md b/guides/source/5_2_release_notes.md
index 8086c8cb55..541c025fac 100644
--- a/guides/source/5_2_release_notes.md
+++ b/guides/source/5_2_release_notes.md
@@ -85,69 +85,9 @@ Rails 5.2 ships with a new DSL that allows you to configure a
for your application. You can configure a global default policy and then
override it on a per-resource basis and even use lambdas to inject per-request
values into the header such as account subdomains in a multi-tenant application.
-
-Example global policy:
-
-```ruby
-# config/initializers/content_security_policy.rb
-Rails.application.config.content_security_policy do |policy|
- policy.default_src :self, :https
- policy.font_src :self, :https, :data
- policy.img_src :self, :https, :data
- policy.object_src :none
- policy.script_src :self, :https
- policy.style_src :self, :https
-
- # Specify URI for violation reports
- policy.report_uri "/csp-violation-report-endpoint"
-end
-```
-
-Example controller overrides:
-
-```ruby
-# Override policy inline
-class PostsController < ApplicationController
- content_security_policy do |p|
- p.upgrade_insecure_requests true
- end
-end
-
-# Using literal values
-class PostsController < ApplicationController
- content_security_policy do |p|
- p.base_uri "https://www.example.com"
- end
-end
-
-# Using mixed static and dynamic values
-class PostsController < ApplicationController
- content_security_policy do |p|
- p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
- end
-end
-
-# Disabling the global CSP
-class LegacyPagesController < ApplicationController
- content_security_policy false, only: :index
-end
-```
-
-To report only content violations for migrating
-legacy content using the `content_security_policy_report_only`
-configuration attribute:
-
-```ruby
-# config/initializers/content_security_policy.rb
-Rails.application.config.content_security_policy_report_only = true
-```
-
-```ruby
-# Controller override
-class PostsController < ApplicationController
- content_security_policy_report_only only: :index
-end
-```
+You can read more about this in the
+[Securing Rails Applications](security.html#content-security-policy)
+guide.
Railties
--------
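Review bot: the three added lines at the end of this hunk replace the whole CSP example set with a link to `security.html#content-security-policy`, but the target of that link (the Content Security Policy section of guides/source/security.md) is not part of this diffstat view, so the anchor cannot be verified from this change alone; confirm the heading slug in the security guide matches exactly, otherwise the release notes ship a dead link. Since the commit message says the guide also gained a mention of `nonce`, it is worth checking that the material deleted here (the global policy with `report_uri`, the per-controller overrides including the lambda form and `content_security_policy false, only: :index`, and the `content_security_policy_report_only` initializer and controller variants) all survived the move rather than only the global policy, because after this hunk the release notes contain no example at all for the new DSL.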