Move CSP headers to the appropriate Rails configuration

Also drop dev-static.glitch.social reference.
lolsob-rspec
Thibaut Girka 2018-08-22 17:22:34 +02:00 committed by ThibG
parent 3209b431f2
commit 563a09d81a
2 changed files with 12 additions and 11 deletions

View File

@ -99,7 +99,6 @@ Rails.application.configure do
'X-Frame-Options' => 'DENY',
'X-Content-Type-Options' => 'nosniff',
'X-XSS-Protection' => '1; mode=block',
'Content-Security-Policy' => "frame-ancestors 'none'; object-src 'none'; script-src 'self' https://dev-static.glitch.social ; base-uri 'none';" ,
'Referrer-Policy' => 'same-origin',
'Strict-Transport-Security' => 'max-age=63072000; includeSubDomains; preload',
'X-Clacks-Overhead' => 'GNU Natalie Nguyen'

View File

@ -2,17 +2,19 @@
# For further information see the following documentation
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
# Rails.application.config.content_security_policy do |p|
# p.default_src :self, :https
# p.font_src :self, :https, :data
# p.img_src :self, :https, :data
# p.object_src :none
# p.script_src :self, :https
# p.style_src :self, :https, :unsafe_inline
Rails.application.config.content_security_policy do |p|
p.frame_ancestors :none
p.object_src :none
p.script_src :self
p.base_uri :none
# p.default_src :self, :https
# p.font_src :self, :https, :data
# p.img_src :self, :https, :data
# p.style_src :self, :https, :unsafe_inline
#
# # Specify URI for violation reports
# # p.report_uri "/csp-violation-report-endpoint"
# end
# # Specify URI for violation reports
# # p.report_uri "/csp-violation-report-endpoint"
end
# Report CSP violations to a specified URI
# For further information see the following documentation: