Remove custom setting of Content-Security-Policy

* proxy側で設定することに
Nyoho · Aug 31, 2024 · 5f3b5cf · 5f3b5cf
1 parent e7ba535
commit 5f3b5cf
Showing 1 changed file with 9 additions and 12 deletions.
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
@@ -20,31 +20,28 @@ def host_to_url(str)
 media_host ||= host_to_url(ENV['S3_HOSTNAME']) if ENV['S3_ENABLED'] == 'true'
 media_host ||= assets_host
 
-cloudflarecdn = 'https://cdnjs.cloudflare.com'
-mathjax = 'https://cdn.mathjax.org'
-
 Rails.application.config.content_security_policy do |p|
   p.base_uri        :none
   p.default_src     :none
   p.frame_ancestors :none
-  p.font_src        :self, assets_host, cloudflarecdn
-  p.img_src         :self, :https, :data, :blob, assets_host, cloudflarecdn, mathjax
-  p.style_src       :self, :unsafe_inline, assets_host, cloudflarecdn, mathjax
-  p.media_src       :self, :https, :data, assets_host, cloudflarecdn, mathjax
+  p.font_src        :self, assets_host
+  p.img_src         :self, :https, :data, :blob, assets_host
+  p.style_src       :self, assets_host
+  p.media_src       :self, :https, :data, assets_host
   p.frame_src       :self, :https
   p.manifest_src    :self, assets_host
   p.form_action     :self
 
   if Rails.env.development?
     webpacker_urls = %w(ws http).map { |protocol| "#{protocol}#{Webpacker.dev_server.https? ? 's' : ''}://#{Webpacker.dev_server.host_with_port}" }
 
-    p.connect_src :self, :data, :blob, assets_host, media_host, Rails.configuration.x.streaming_api_base_url, *webpacker_urls, cloudflarecdn, mathjax
-    p.script_src  :self, :unsafe_inline, :unsafe_eval, assets_host, cloudflarecdn, mathjax
+    p.connect_src :self, :data, :blob, assets_host, media_host, Rails.configuration.x.streaming_api_base_url, *webpacker_urls
+    p.script_src  :self, :unsafe_inline, :unsafe_eval, assets_host
     p.child_src   :self, :blob, assets_host
     p.worker_src  :self, :blob, assets_host
   else
-    p.connect_src :self, :data, :blob, assets_host, media_host, Rails.configuration.x.streaming_api_base_url, cloudflarecdn, mathjax
-    p.script_src  :self, :unsafe_inline, assets_host, "'wasm-unsafe-eval'", cloudflarecdn, mathjax
+    p.connect_src :self, :data, :blob, assets_host, media_host, Rails.configuration.x.streaming_api_base_url
+    p.script_src  :self, assets_host, "'wasm-unsafe-eval'"
     p.child_src   :self, :blob, assets_host
     p.worker_src  :self, :blob, assets_host
   end
@@ -57,7 +54,7 @@ def host_to_url(str)
 
 Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
 
-Rails.application.config.content_security_policy_nonce_directives = []
+Rails.application.config.content_security_policy_nonce_directives = %w(style-src)
 
 Rails.application.reloader.to_prepare do
   PgHero::HomeController.content_security_policy do |p|