about summary refs log tree commit diff
path: root/config/initializers/content_security_policy.rb
diff options
context:
space:
mode:
authorThibG <thib@sitedethib.com>2020-07-07 16:21:42 +0200
committerGitHub <noreply@github.com>2020-07-07 16:21:42 +0200
commitc4e1b82caf5c932a3c19bc77726c9e3ab3d2c46a (patch)
tree432bd5bc0c7ec19aac3175150e397b5336c71a4d /config/initializers/content_security_policy.rb
parent94e09d309cb068ea92919767e40e655260ac43cb (diff)
parent6c7ac1b48f7d4c6d0a1e0cf7f663c3188421d7c7 (diff)
Merge pull request #1373 from ThibG/glitch-soc/merge-upstream
Merge upstream changes
Diffstat (limited to 'config/initializers/content_security_policy.rb')
-rw-r--r--config/initializers/content_security_policy.rb18
1 files changed, 18 insertions, 0 deletions
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index a76db6fe5..68d3751fc 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -49,7 +49,25 @@ end
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
 # Rails.application.config.content_security_policy_report_only = true
 
+Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
+
+# Monkey-patching Rails 5
+module ActionDispatch
+  class ContentSecurityPolicy
+    def nonce_directive?(directive)
+      directive == 'style-src'
+    end
+  end
+end
+
+# Rails 6 would require the following instead:
+# Rails.application.config.content_security_policy_nonce_directives = %w(style-src)
+
 PgHero::HomeController.content_security_policy do |p|
   p.script_src :self, :unsafe_inline, assets_host
   p.style_src  :self, :unsafe_inline, assets_host
 end
+
+PgHero::HomeController.after_action do
+  request.content_security_policy_nonce_generator = nil
+end
generated by cgit-pink (git 2.37.1) at 2024-07-17 01:45:06 +0000