Diffstat (limited to 'actionpack/CHANGELOG.md')
-rw-r--r-- | actionpack/CHANGELOG.md | 20 |
1 files changed, 10 insertions, 10 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index d48aa1081f..1843f058e0 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -5,11 +5,11 @@ about the Content-Security-Policy header see MDN: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy - + Example global policy: - + # config/initializers/content_security_policy.rb - Rails.application.config.content_security_policy do + Rails.application.config.content_security_policy do |p| p.default_src :self, :https p.font_src :self, :https, :data p.img_src :self, :https, :data @@ -17,9 +17,9 @@ p.script_src :self, :https p.style_src :self, :https, :unsafe_inline end - + Example controller overrides: - + # Override policy inline class PostsController < ApplicationController content_security_policy do |p| @@ -40,22 +40,22 @@ p.base_uri :self, -> { "https://#{current_user.domain}.example.com" } end end - + Allows you to also only report content violations for migrating legacy content using the `content_security_policy_report_only` configuration attribute, e.g; - + # config/initializers/content_security_policy.rb Rails.application.config.content_security_policy_report_only = true - + # controller override class PostsController < ApplicationController self.content_security_policy_report_only = true end - + Note that this feature does not validate the header for performance reasons since the header is calculated at runtime. - + *Andrew White* * Make `assert_recognizes` to traverse mounted engines |
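Review bot: the first hunk's change from `Rails.application.config.content_security_policy do` to `Rails.application.config.content_security_policy do |p|` is the substantive fix here, since the example body calls `p.default_src`, `p.font_src` and `p.img_src` and would raise a NameError for `p` as previously written; the other `-`/`+` pairs in this hunk are blank lines that only lose trailing whitespace, so the commit message would benefit from saying that the change is a doc fix plus whitespace cleanup.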
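Review bot: in the third hunk, the context line ending `configuration attribute, e.g;` keeps a stray semicolon after "e.g" while the hunk is already touching the surrounding blank lines; since this is the entry documenting `content_security_policy_report_only`, it would be worth fixing it to `e.g.` in the same pass so the CHANGELOG reads cleanly, and the note that the header is not validated because it is calculated at runtime is a useful caveat to keep.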