# frozen_string_literal: true # Be sure to restart your server when you modify this file. # Define an application-wide content security policy # For further information see the following documentation # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy Rails.application.config.content_security_policy do |policy| images_whitelist = ["*.openstreetmap.org", "*.cloud.ovh.net", "*"] images_whitelist << URI(DS_PROXY_URL).host if DS_PROXY_URL.present? images_whitelist << URI(MATOMO_IFRAME_URL).host if MATOMO_IFRAME_URL.present? policy.img_src(:self, :data, :blob, *images_whitelist) # Javascript: allow us, SendInBlue and Matomo. # We need unsafe_inline because miniprofiler and us have some inline buttons :( scripts_whitelist = ["*.crisp.chat", "crisp.chat", "cdn.jsdelivr.net", "maxcdn.bootstrapcdn.com", "code.jquery.com", "unpkg.com"] scripts_whitelist << URI(MATOMO_IFRAME_URL).host if MATOMO_IFRAME_URL.present? policy.script_src(:self, :unsafe_eval, :unsafe_inline, :blob, *scripts_whitelist) # CSS: We have a lot of inline style, and some