diff options
author | yuuji.yaginuma <yuuji.yaginuma@gmail.com> | 2019-02-03 11:33:44 +0900 |
---|---|---|
committer | yuuji.yaginuma <yuuji.yaginuma@gmail.com> | 2019-06-22 12:44:37 +0900 |
commit | 09d55b302266cf002a4b307f8d37a105d2838a18 (patch) | |
tree | a85cf250ab0171a780f34dd1c0edae56bea20e6d /railties/lib/rails/generators | |
parent | a2a515d9de4ef0ddf4d78b05fcb0b838d2e1b5e3 (diff) | |
download | rails-09d55b302266cf002a4b307f8d37a105d2838a18.tar.gz rails-09d55b302266cf002a4b307f8d37a105d2838a18.tar.bz2 rails-09d55b302266cf002a4b307f8d37a105d2838a18.zip |
Add the ability to set the CSP nonce only to the specified directives
I changed to set CSP nonce to `style-src` directive in #32932.
But this causes an issue when `unsafe-inline` is specified to `style-src`
(If a nonce is present, a nonce takes precedence over `unsafe-inline`).
So, I fixed to nonce directives configurable. By configure this, users
can make CSP as before.
Fixes #35137.
Diffstat (limited to 'railties/lib/rails/generators')
-rw-r--r-- | railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt index c517b0f96b..3d468f7633 100644 --- a/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt +++ b/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt @@ -23,6 +23,9 @@ # If you are using UJS then enable automatic nonce generation # Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) } +# Set the nonce only to specific directives +# Rails.application.config.content_security_policy_nonce_directives = %w(script-src) + # Report CSP violations to a specified URI # For further information see the following documentation: # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only |