| field | value | |
|---|---|---|
| author | David Heinemeier Hansson <david@loudthinking.com> | 2018-01-12 15:35:22 +0100 |
| committer | David Heinemeier Hansson <david@loudthinking.com> | 2018-01-12 15:35:22 +0100 |
| commit | 0f7d3b612cc9264a90a1da6820d442099d8641f8 | (patch) |
| tree | 3ed1863622df48772cb2cf66543671f13faa2fc9 | /railties/lib/rails |
| parent | 9a023c83caa2aa94e624659944a9e1539ca465d2 | (diff) |
| download | rails-0f7d3b612cc9264a90a1da6820d442099d8641f8.tar.gz, rails-0f7d3b612cc9264a90a1da6820d442099d8641f8.tar.bz2, rails-0f7d3b612cc9264a90a1da6820d442099d8641f8.zip | |
Use unsafe_inline as the default for script_src CSP until we get a nonce alternative
Closes #31273 but we will still want to upgrade this to the
nonce-approach when it’s ready.
Diffstat (limited to 'railties/lib/rails')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt | 2 |

1 file changed, 1 insertion, 1 deletion
diff --git a/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt index ae6dac8c32..c82324ae4d 100644 --- a/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt +++ b/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt @@ -9,7 +9,7 @@ Rails.application.config.content_security_policy do |policy| policy.font_src :self, :https, :data policy.img_src :self, :https, :data policy.object_src :none - policy.script_src :self, :https + policy.script_src :self, :https, :unsafe_inline policy.style_src :self, :https, :unsafe_inline # Specify URI for violation reports |
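Review bot: the new `policy.script_src :self, :https, :unsafe_inline` line carries no comment marking it as temporary, even though the commit message says it should be replaced by the nonce approach once that is ready; since this template is copied into every freshly generated app's `config/initializers/content_security_policy.rb`, a one-line comment above it such as `# TODO: remove :unsafe_inline once nonce support lands` would stop the relaxation from outliving its purpose. The security cost is worth stating in that comment too: with `'unsafe-inline'` present in `script-src`, the browser no longer blocks injected inline `<script>` blocks or inline event handlers, so the generated default no longer mitigates reflected or stored XSS for scripts and only restricts external script loads to `:self` and any https origin (which `:https` already permits broadly). Note that when a nonce or hash source is later added, CSP-conformant browsers ignore `'unsafe-inline'` in that directive, so the eventual nonce change must also delete this token rather than merely add to the list.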