Rails.application.config.content_security_policy do |policy| # Whitelist image policy.img_src :self, "*.openstreetmap.org", "static.demarches-simplifiees.fr", "*.cloud.ovh.net", "stats.data.gouv.fr", "*", :data, :blob # Whitelist JS: nous, sendinblue et matomo # miniprofiler et nous avons quelques boutons inline :( policy.script_src :self, "stats.data.gouv.fr", "*.sendinblue.com", "*.crisp.chat", "crisp.chat", "*.sibautomation.com", "sibautomation.com", :unsafe_eval, :unsafe_inline, :blob # Pour les CSS, on a beaucoup de style inline et quelques balises