diff options
| author | beatrix-bitrot <beatrix.bitrot@gmail.com> | 2017-05-14 20:56:30 +0000 |
|---|---|---|
| committer | beatrix-bitrot <beatrix.bitrot@gmail.com> | 2017-06-23 21:45:14 +0000 |
| commit | 9bc593d6753922d995867b632477d4d3b9e86e20 (patch) | |
| tree | 55bbe055b7831d06aa62080bf6ede001119db0d1 /config | |
| parent | 09f7ad361467d93c2f23aa0c18797f9451fa2dae (diff) | |
update local modifications for cors and cp
Diffstat (limited to 'config')
| -rw-r--r-- | config/application.rb | 5 | ||||
| -rw-r--r-- | config/environments/production.rb | 11 |
2 files changed, 11 insertions, 5 deletions
diff --git a/config/application.rb b/config/application.rb index ac63e0e94..dd63017b3 100644 --- a/config/application.rb +++ b/config/application.rb @@ -71,10 +71,13 @@ module Mastodon config.middleware.insert_before 0, Rack::Cors do allow do origins '*' - resource '/assets/*', headers: :any, methods: [:get, :head, :options] resource '/@:username', headers: :any, methods: [:get], credentials: false resource '/api/*', headers: :any, methods: [:post, :put, :delete, :get, :patch, :options], credentials: false, expose: ['Link', 'X-RateLimit-Reset', 'X-RateLimit-Limit', 'X-RateLimit-Remaining', 'X-Request-Id'] resource '/oauth/token', headers: :any, methods: [:post], credentials: false + resource '/assets/*', headers: :any, methods: [:get, :head, :options] + resource '/stylesheets/*', headers: :any, methods: [:get, :head, :options] + resource '/javascripts/*', headers: :any, methods: [:get, :head, :options] + resource '/packs/*', headers: :any, methods: [:get, :head, :options] end end diff --git a/config/environments/production.rb b/config/environments/production.rb index bd87d79a7..68229531d 100644 --- a/config/environments/production.rb +++ b/config/environments/production.rb @@ -93,9 +93,12 @@ Rails.application.configure do end config.action_dispatch.default_headers = { - 'Server' => 'Mastodon', - 'X-Frame-Options' => 'DENY', - 'X-Content-Type-Options' => 'nosniff', - 'X-XSS-Protection' => '1; mode=block', + 'Server' => 'Mastodon', + 'X-Frame-Options' => 'DENY', + 'X-Content-Type-Options' => 'nosniff', + 'X-XSS-Protection' => '1; mode=block', + 'Content-Security-Policy' => "frame-ancestors 'none'; object-src 'none'; script-src 'self' https://dev-static.glitch.social 'unsafe-inline'; base-uri 'none';" , + 'Referrer-Policy' => 'no-referrer, strict-origin-when-cross-origin', + 'Strict-Transport-Security' => 'max-age=63072000; includeSubDomains; preload' } end |