aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/CHANGELOG.md
diff options
context:
space:
mode:
Diffstat (limited to 'actionpack/CHANGELOG.md')
-rw-r--r--actionpack/CHANGELOG.md20
1 files changed, 10 insertions, 10 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index d48aa1081f..1843f058e0 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -5,11 +5,11 @@
about the Content-Security-Policy header see MDN:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
-
+
Example global policy:
-
+
# config/initializers/content_security_policy.rb
- Rails.application.config.content_security_policy do
+ Rails.application.config.content_security_policy do |p|
p.default_src :self, :https
p.font_src :self, :https, :data
p.img_src :self, :https, :data
@@ -17,9 +17,9 @@
p.script_src :self, :https
p.style_src :self, :https, :unsafe_inline
end
-
+
Example controller overrides:
-
+
# Override policy inline
class PostsController < ApplicationController
content_security_policy do |p|
@@ -40,22 +40,22 @@
p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
end
end
-
+
Allows you to also only report content violations for migrating
legacy content using the `content_security_policy_report_only`
configuration attribute, e.g;
-
+
# config/initializers/content_security_policy.rb
Rails.application.config.content_security_policy_report_only = true
-
+
# controller override
class PostsController < ApplicationController
self.content_security_policy_report_only = true
end
-
+
Note that this feature does not validate the header for performance
reasons since the header is calculated at runtime.
-
+
*Andrew White*
* Make `assert_recognizes` to traverse mounted engines