diff options
author | Andrew White <pixeltrix@users.noreply.github.com> | 2017-11-27 08:15:46 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-11-27 08:15:46 +0000 |
commit | afc2b424e27fe48f83d5d1be73a8fadc38499c0c (patch) | |
tree | b62113aebad00db0899fccdbd36c28c23a6be264 /railties/lib/rails/generators | |
parent | 7ce8a6af1b8fdbc9ee553bda3fd725bea169c2f3 (diff) | |
parent | 456c3ffdbe37d430c12ad269514674cc89f38c11 (diff) | |
download | rails-afc2b424e27fe48f83d5d1be73a8fadc38499c0c.tar.gz rails-afc2b424e27fe48f83d5d1be73a8fadc38499c0c.tar.bz2 rails-afc2b424e27fe48f83d5d1be73a8fadc38499c0c.zip |
Merge pull request #31162 from rails/add-csp-config
Add DSL for configuring Content-Security-Policy header
Diffstat (limited to 'railties/lib/rails/generators')
-rw-r--r-- | railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt new file mode 100644 index 0000000000..656ded4069 --- /dev/null +++ b/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt @@ -0,0 +1,20 @@ +# Define an application-wide content security policy +# For further information see the following documentation +# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy + +Rails.application.config.content_security_policy do |p| + p.default_src :self, :https + p.font_src :self, :https, :data + p.img_src :self, :https, :data + p.object_src :none + p.script_src :self, :https + p.style_src :self, :https, :unsafe_inline + + # Specify URI for violation reports + # p.report_uri "/csp-violation-report-endpoint" +end + +# Report CSP violations to a specified URI +# For further information see the following documentation: +# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only +# Rails.application.config.content_security_policy_report_only = true |