Fix LetterOpennerWeb CSP (#17770)

author: Yamagishi Kazutoshi <ykzts@desire.sh> 2022-03-15 03:20:40 +0900
committer: GitHub <noreply@github.com> 2022-03-14 19:20:40 +0100
commit: eb9a7e36260c99aec980d097ee819c17ebb93631 (patch)
tree: 3a2f667c56b842ad39e06ce5d443b0458aa32637 /config/initializers
parent: d182470c9db1595321e1def76ab31f92cf5dd69f (diff)
1 files changed, 16 insertions, 0 deletions
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index b377b7b4d..c113b0f8b 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -60,4 +60,20 @@ Rails.application.reloader.to_prepare do
   PgHero::HomeController.after_action do
     request.content_security_policy_nonce_generator = nil
   end
+
+  if Rails.env.development?
+    LetterOpenerWeb::LettersController.content_security_policy do |p|
+      p.child_src       :self
+      p.connect_src     :none
+      p.frame_ancestors :self
+      p.frame_src       :self
+      p.script_src      :unsafe_inline
+      p.style_src       :unsafe_inline
+      p.worker_src      :none
+    end
+
+    LetterOpenerWeb::LettersController.after_action do |p|
+      request.content_security_policy_nonce_directives = %w(script-src)
+    end
+  end
 end
author	Yamagishi Kazutoshi <ykzts@desire.sh>	2022-03-15 03:20:40 +0900
committer	GitHub <noreply@github.com>	2022-03-14 19:20:40 +0100
commit	eb9a7e36260c99aec980d097ee819c17ebb93631 (patch)
tree	3a2f667c56b842ad39e06ce5d443b0458aa32637 /config/initializers
parent	d182470c9db1595321e1def76ab31f92cf5dd69f (diff)