diff options
author | Andrew White <andrew.white@unboxed.co> | 2017-11-15 21:07:28 +0000 |
---|---|---|
committer | Andrew White <andrew.white@unboxed.co> | 2017-11-27 05:59:26 +0000 |
commit | 456c3ffdbe37d430c12ad269514674cc89f38c11 (patch) | |
tree | daf49d80a963ce77e13594c2e9c159c73ad6b1ca /railties/lib/rails/generators | |
parent | 28333d62ee15ec95cc4270c880c90f395e075b3b (diff) | |
download | rails-456c3ffdbe37d430c12ad269514674cc89f38c11.tar.gz rails-456c3ffdbe37d430c12ad269514674cc89f38c11.tar.bz2 rails-456c3ffdbe37d430c12ad269514674cc89f38c11.zip |
Add DSL for configuring Content-Security-Policy header
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
Diffstat (limited to 'railties/lib/rails/generators')
-rw-r--r-- | railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt new file mode 100644 index 0000000000..656ded4069 --- /dev/null +++ b/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt @@ -0,0 +1,20 @@ +# Define an application-wide content security policy +# For further information see the following documentation +# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy + +Rails.application.config.content_security_policy do |p| + p.default_src :self, :https + p.font_src :self, :https, :data + p.img_src :self, :https, :data + p.object_src :none + p.script_src :self, :https + p.style_src :self, :https, :unsafe_inline + + # Specify URI for violation reports + # p.report_uri "/csp-violation-report-endpoint" +end + +# Report CSP violations to a specified URI +# For further information see the following documentation: +# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only +# Rails.application.config.content_security_policy_report_only = true |