cst1/openstreetmap-website
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Improve the content security policy

Browse source
This commit is contained in:
Tom Hughes 2017-03-01 22:38:24 +00:00
parent d7b4f88d5e
commit c5ef6404f5
4 changed files with 8 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

4
config/initializers/secure_headers.rb
View file

@ -10,7 +10,7 @@ policy = if defined?(CSP_REPORT_URL)
:media_src => %w('none'),
:object_src => %w('self'),
:plugin_types => %w('none'),
:script_src => %w('self' 'unsafe-inline'),
:script_src => %w('self'),
:style_src => %w('self' 'unsafe-inline'),
:report_uri => [CSP_REPORT_URL]
}
@ -18,6 +18,8 @@ policy = if defined?(CSP_REPORT_URL)
SecureHeaders::OPT_OUT
end
policy[:script_src] << PIWIK["location"] if defined?(PIWIK)
SecureHeaders::Configuration.default do |config|
config.csp = SecureHeaders::OPT_OUT
config.csp_report_only = policy