author: David Heinemeier Hansson <david@loudthinking.com> 2018-01-12 15:35:22 +0100
committer: David Heinemeier Hansson <david@loudthinking.com> 2018-01-12 15:35:22 +0100
commit: 0f7d3b612cc9264a90a1da6820d442099d8641f8 (patch)
tree: 3ed1863622df48772cb2cf66543671f13faa2fc9 /railties
parent: 9a023c83caa2aa94e624659944a9e1539ca465d2 (diff)
Use unsafe_inline as the default for script_src CSP until we get a nonce alternative
Closes #31273 but we will still want to upgrade this to the nonce-approach when it’s ready.
Diffstat (limited to 'railties')
-rw-r--r-- railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt | 2
1 files changed, 1 insertions, 1 deletions
diff --git a/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt
index ae6dac8c32..c82324ae4d 100644
--- a/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt
+++ b/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt
@@ -9,7 +9,7 @@ Rails.application.config.content_security_policy do |policy|
policy.font_src :self, :https, :data
policy.img_src :self, :https, :data
policy.object_src :none
- policy.script_src :self, :https
+ policy.script_src :self, :https, :unsafe_inline
policy.style_src :self, :https, :unsafe_inline
# Specify URI for violation reports
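Review bot: the `+ policy.script_src :self, :https, :unsafe_inline` line gives up the main protection a Content Security Policy offers against injected markup, because any inline script that reaches the page is now permitted to execute; combined with the existing `:self, :https` source list, the generated `script-src` no longer blocks much beyond plain-http and data: URLs. The commit message explains this is a stopgap until a nonce-based alternative exists, but that rationale does not reach the generated file, so every new app will ship the weakened default without knowing it is meant to be temporary. Suggest carrying the caveat into the template itself, e.g. a comment directly above the line such as `# TODO: replace :unsafe_inline with nonces once supported; inline scripts are otherwise unrestricted`, or keeping the stricter default and documenting `:unsafe_inline` as an explicit opt-in. The neighbouring `policy.style_src :self, :https, :unsafe_inline` line already has the same weakening, so the same note applies there.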