Relax cookie security policy

This commit is contained in:
Tom Hughes 2017-11-01 17:44:22 +00:00
parent 2f7072b82d
commit 18d3392ede


@ -1,5 +1,5 @@
if defined?(CSP_REPORT_URL)
policy = {
csp_policy = {
:default_src => %w['self'],
:child_src => %w['self'],
:connect_src => %w['self'],
@ -15,13 +15,19 @@ if defined?(CSP_REPORT_URL)
:report_uri => [CSP_REPORT_URL]
}
policy[:script_src] << PIWIK["location"] if defined?(PIWIK)
csp_policy[:script_src] << PIWIK["location"] if defined?(PIWIK)
else
policy = SecureHeaders::OPT_OUT
csp_policy = SecureHeaders::OPT_OUT
end
cookie_policy = {
:secure => SecureHeaders::OPT_OUT,
:httponly => SecureHeaders::OPT_OUT
}
SecureHeaders::Configuration.default do |config|
config.hsts = "max-age=0"
config.csp = SecureHeaders::OPT_OUT
config.csp_report_only = policy
config.csp_report_only = csp_policy
config.cookies = cookie_policy
end
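Review bot: The new `cookie_policy` hash opts out of both the `secure` and `httponly` flags for every cookie the application sets, and nothing in the hunk records why that is acceptable or which cookie needs it. With both keys set to `SecureHeaders::OPT_OUT` at the configuration level, any cookie that relied on secure_headers for these flags — the session cookie included, if it does — can now be sent over plain HTTP and read from JavaScript; whether the session store sets its own flags is not visible in this hunk. A short comment above `cookie_policy = {` would spare the next reader a guess, e.g. `# Secure/HttpOnly are opted out here because <reason — fill in>; cookies that still need these flags must set them explicitly.` If only one of the two flags actually needs relaxing, opting out of just that key and leaving the other at its default would narrow the exposure to what the change requires.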