From 5cbbbb8d3ed482e0d6af9128994e0160224b1d87 Mon Sep 17 00:00:00 2001 From: clemkeirua Date: Mon, 20 May 2019 09:52:44 +0200 Subject: [PATCH 1/2] more whitelist for the common domains we use --- config/initializers/content_security_policy.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb index a812e0e9e..d06d5d578 100644 --- a/config/initializers/content_security_policy.rb +++ b/config/initializers/content_security_policy.rb @@ -9,12 +9,12 @@ Rails.application.config.content_security_policy do |policy| policy.img_src :self, "*.openstreetmap.org", "static.demarches-simplifiees.fr", "*.cloud.ovh.net", "stats.data.gouv.fr" # Whitelist JS: nous, sendinblue et matomo # miniprofiler et nous avons quelques boutons inline :( - policy.script_src :self, "*.sibautomation.com", "stats.data.gouv.fr", "*.sendinblue.com", :unsafe_eval, :unsafe_inline + policy.script_src :self, "*.sibautomation.com", "sibautomation.com", "stats.data.gouv.fr", "*.sendinblue.com", :unsafe_eval, :unsafe_inline # Pour les CSS, on a beaucoup de style inline et quelques balises