From 424a607a264d2e0d7083e4f3f93616e0b860ff0a Mon Sep 17 00:00:00 2001
From: Utkarsh Shukla
Date: Mon, 8 Jul 2024 15:56:23 -0400
Subject: [PATCH] defines content security policy (#2719)

Co-authored-by: Sri Harsha
---
 .../initializers/content_security_policy.rb | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)

diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index 497f5667ce7..002e01374c5 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -5,17 +5,14 @@
 # For further information see the following documentation
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
 
-# Rails.application.config.content_security_policy do |policy|
-# policy.default_src :self, :https
-# policy.font_src :self, :https, :data
-# policy.img_src :self, :https, :data
-# policy.object_src :none
-# policy.script_src :self, :https
-# policy.style_src :self, :https
-# # Specify URI for violation reports
-# # policy.report_uri "/csp-violation-report-endpoint"
-# end
+Rails.application.config.content_security_policy do |policy|
+ policy.default_src :self, :https
+ policy.font_src :self, :https, :data, "*.gstatic.com *.fontawesome.com"
+ policy.img_src :self, :https, :data, "*.google-analytics.com *.gstatic.com *.googletagmanager.com"
+ policy.script_src :self, :https, :unsafe_inline, :unsafe_eval, "https://tagmanager.google.com https://www.googletagmanager.com https://apps.usw2.pure.cloud *.fontawesome.com *.google-analytics.com"
+ policy.style_src :self, :https, :unsafe_inline, "https://tagmanager.google.com https://www.googletagmanager.com https://fonts.googleapis.com *.fontawesome.com"
+ policy.media_src :self, :https, :data
+end
 
 # If you are using UJS then enable automatic nonce generation
 # Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
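Review bot: The new `policy.script_src :self, :https, :unsafe_inline, :unsafe_eval, "..."` line gives up most of what a CSP buys against XSS — `:unsafe_inline` lets any injected inline `<script>` run, `:unsafe_eval` allows string-to-code, and the bare `:https` scheme source already permits scripts from every HTTPS origin, so the quoted host list after it adds no restriction at all. The commented-out `content_security_policy_nonce_generator` line just below the hunk is the intended replacement: enable it and tighten the directive to `policy.script_src :self, "https://www.googletagmanager.com", "https://tagmanager.google.com", ...` with one host per argument and no `:unsafe_*` or bare `:https`, which tag-manager style loaders are generally able to honour via nonce propagation (worth confirming for the loaders listed here). The rewrite also drops `policy.object_src :none` from the old template, so `default_src :self, :https` now governs `<object>`/`<embed>` and allows plugin content from any HTTPS origin; restoring that one line fixes it. Finally, `policy.report_uri` was removed along with the template — keeping a report endpoint, or rolling out with `config.content_security_policy_report_only = true` first, lets violations surface before enforcement, and passing each host as its own argument rather than a single space-separated string (which Rails appears to emit verbatim) makes typos in the allowlist visible.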