From d3c6021ef4bfd5b70da83e19d69e8cbd9f301179 Mon Sep 17 00:00:00 2001 From: clemkeirua Date: Thu, 20 Jun 2019 09:53:27 +0200 Subject: [PATCH] add duplicate rules as fallback --- config/initializers/content_security_policy.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb index f105b9eaa..9d46a3874 100644 --- a/config/initializers/content_security_policy.rb +++ b/config/initializers/content_security_policy.rb @@ -6,10 +6,10 @@ Rails.application.config.content_security_policy do |policy| policy.report_uri "http://#{ENV['APP_HOST']}/csp/" # ne pas notifier report-uri en dev/test end # Whitelist image - policy.img_src :self, "*.openstreetmap.org", "static.demarches-simplifiees.fr", "*.cloud.ovh.net", "stats.data.gouv.fr", "*" + policy.img_src :self, "*.openstreetmap.org", "static.demarches-simplifiees.fr", "*.cloud.ovh.net", "stats.data.gouv.fr", "*", :data # Whitelist JS: nous, sendinblue et matomo # miniprofiler et nous avons quelques boutons inline :( - policy.script_src :self, "stats.data.gouv.fr", "*.sendinblue.com", :unsafe_eval, :unsafe_inline + policy.script_src :self, "stats.data.gouv.fr", "*.sendinblue.com", "*.crisp.chat", "crisp.chat", "*.sibautomation.com", "sibautomation.com", :unsafe_eval, :unsafe_inline, :blob # Pour les CSS, on a beaucoup de style inline et quelques balises