From 0f7d3b612cc9264a90a1da6820d442099d8641f8 Mon Sep 17 00:00:00 2001
From: David Heinemeier Hansson
Date: Fri, 12 Jan 2018 15:35:22 +0100
Subject: Use unsafe_inline as the default for script_src CSP until we get a nonce alternative
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes #31273 but we will still want to upgrade this to the nonce-approach when it’s ready.
---
 .../app/templates/config/initializers/content_security_policy.rb.tt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'railties')

diff --git a/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt
index ae6dac8c32..c82324ae4d 100644
--- a/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt
+++ b/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt
@@ -9,7 +9,7 @@ Rails.application.config.content_security_policy do |policy|
   policy.font_src :self, :https, :data
   policy.img_src :self, :https, :data
   policy.object_src :none
-  policy.script_src :self, :https
+  policy.script_src :self, :https, :unsafe_inline
   policy.style_src :self, :https, :unsafe_inline
 
   # Specify URI for violation reports
-- 
cgit v1.2.3
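Review bot: The new `policy.script_src :self, :https, :unsafe_inline` line in the generated initializer ships a default that no longer restricts inline script, which is the part of script-src that mitigates reflected and stored XSS; nothing in the template tells a new app why this is there or that it is meant to be temporary. The commit message says a nonce-based approach is the intended replacement, but that intent lives only in the commit, not in the file every new application copies, so it will be forgotten. I would add a comment directly above the changed line, `# :unsafe_inline disables script-src protection against injected inline scripts; replace it with a nonce- or hash-based source once supported.`, so generated apps carry the caveat and the upgrade path. It is also worth noting in that comment that `:https` on its own allows any HTTPS origin, so the line as written is a permissive starting point rather than a hardened policy. The enclosing `content_security_policy do |policy|` block starts and ends outside this hunk.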