author | Thibaut Girka <thib@sitedethib.com> | 2020-07-07 15:34:00 +0200 |
---|---|---|
committer | Thibaut Girka <thib@sitedethib.com> | 2020-07-07 15:58:45 +0200 |
commit | e9ad99bc93b6f65277956d997792ec40f08165cb (patch) | |
tree | ce71714d2d0d680adecf070cb4e698f3a6984b56 /config/initializers/content_security_policy.rb | |
parent | 94e09d309cb068ea92919767e40e655260ac43cb (diff) | |
parent | 6e25574ce599cbc37b7215ded03c7d07208af6bb (diff) |
Merge branch 'master' into glitch-soc/merge-upstream
Conflicts: - `package.json`: Not really a conflict, just some glitch-soc-specific dependency too close to an upstream-updated one.
Diffstat (limited to 'config/initializers/content_security_policy.rb')
-rw-r--r-- | config/initializers/content_security_policy.rb | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index a76db6fe5..68d3751fc 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -49,7 +49,25 @@ end
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
 # Rails.application.config.content_security_policy_report_only = true
+Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
+
+# Monkey-patching Rails 5
+module ActionDispatch
+  class ContentSecurityPolicy
+    def nonce_directive?(directive)
+      directive == 'style-src'
+    end
+  end
+end
+
+# Rails 6 would require the following instead:
+# Rails.application.config.content_security_policy_nonce_directives = %w(style-src)
+
 PgHero::HomeController.content_security_policy do |p|
   p.script_src :self, :unsafe_inline, assets_host
   p.style_src :self, :unsafe_inline, assets_host
 end
+
+PgHero::HomeController.after_action do
+  request.content_security_policy_nonce_generator = nil
+end
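Review bot: The override of `ActionDispatch::ContentSecurityPolicy#nonce_directive?` is applied unconditionally, although the hunk's own comment anticipates a Rails 6 upgrade where the framework reads `content_security_policy_nonce_directives` instead and, as far as I recall, changes the method's signature; an unguarded patch would then either raise on arity or silently shadow the configured directive list, so wrap the module in `if Rails::VERSION::MAJOR < 6 … end` (or guard on `Rails.application.config.respond_to?(:content_security_policy_nonce_directives)`) so the upgrade cannot leave the nonce applied to the wrong directives. The `after_action` that sets the nonce generator to `nil` is what keeps PgHero's `'unsafe-inline'` style-src effective, since browsers ignore `'unsafe-inline'` once a nonce source is present in that directive; that intent is not obvious and deserves a comment such as `# Drop the nonce for PgHero so its 'unsafe-inline' style-src is honoured`. Note also that `after_action` callbacks are skipped when the action raises, so an error response from this controller would presumably still carry the nonce and have its inline styles blocked; if that matters, a `before_action` that disables the generator up front avoids the gap.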