Move CSP headers to the appropriate Rails configuration

Also drop dev-static.glitch.social reference.
signup-info-prompt
Thibaut Girka 2018-08-22 17:22:34 +02:00 committed by ThibG
parent f34616eec1
commit e7a72439f1
2 changed files with 12 additions and 11 deletions

View File

@ -99,7 +99,6 @@ Rails.application.configure do
'X-Frame-Options' => 'DENY', 'X-Frame-Options' => 'DENY',
'X-Content-Type-Options' => 'nosniff', 'X-Content-Type-Options' => 'nosniff',
'X-XSS-Protection' => '1; mode=block', 'X-XSS-Protection' => '1; mode=block',
'Content-Security-Policy' => "frame-ancestors 'none'; object-src 'none'; script-src 'self' https://dev-static.glitch.social ; base-uri 'none';" ,
'Referrer-Policy' => 'same-origin', 'Referrer-Policy' => 'same-origin',
'Strict-Transport-Security' => 'max-age=63072000; includeSubDomains; preload', 'Strict-Transport-Security' => 'max-age=63072000; includeSubDomains; preload',
'X-Clacks-Overhead' => 'GNU Natalie Nguyen' 'X-Clacks-Overhead' => 'GNU Natalie Nguyen'

View File

@ -2,17 +2,19 @@
# For further information see the following documentation # For further information see the following documentation
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
# Rails.application.config.content_security_policy do |p| Rails.application.config.content_security_policy do |p|
p.frame_ancestors :none
p.object_src :none
p.script_src :self
p.base_uri :none
# p.default_src :self, :https # p.default_src :self, :https
# p.font_src :self, :https, :data # p.font_src :self, :https, :data
# p.img_src :self, :https, :data # p.img_src :self, :https, :data
# p.object_src :none
# p.script_src :self, :https
# p.style_src :self, :https, :unsafe_inline # p.style_src :self, :https, :unsafe_inline
# #
# # Specify URI for violation reports # # Specify URI for violation reports
# # p.report_uri "/csp-violation-report-endpoint" # # p.report_uri "/csp-violation-report-endpoint"
# end end
# Report CSP violations to a specified URI # Report CSP violations to a specified URI
# For further information see the following documentation: # For further information see the following documentation: