closed-social
/
mastodon
3
0
Fork 2
Code Issues 5 Pull Requests 0 Projects 0 Releases 3 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6131 Commits
4 Branches
567 MiB
Tree: 2d27c11061
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '2d27c11061'
${ noResults }
mastodon/config/initializers/content_security_policy.rb

23 lines
1.0 KiB
Raw Normal View History

Upgrade Rails to version 5.2.0 (#5898)
6 years ago
Set Content-Security-Policy rules through RoR's config (#8957) * Set CSP rules in RoR's configuration * Override CSP setting in the embed controller to allow frames
5 years ago
Upgrade Rails to version 5.2.0 (#5898)
6 years ago
 
  1. # Define an application-wide content security policy
  2. # For further information see the following documentation
  3. # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
  4. 

  5. assets_host = Rails.configuration.action_controller.asset_host || "https://#{ENV['WEB_DOMAIN'] || ENV['LOCAL_DOMAIN']}"
  6. 

  7. Rails.application.config.content_security_policy do |p|
  8.   p.base_uri        :none
  9.   p.default_src     :none
  10.   p.frame_ancestors :none
  11.   p.script_src      :self, assets_host
  12.   p.font_src        :self, assets_host
  13.   p.img_src         :self, :https, :data, :blob
  14.   p.style_src       :self, :unsafe_inline, assets_host
  15.   p.media_src       :self, :data, assets_host
  16.   p.frame_src       :self, :https
  17.   p.connect_src     :self, assets_host, Rails.configuration.x.streaming_api_base_url
  18. end
  19. 

  20. # Report CSP violations to a specified URI
  21. # For further information see the following documentation:
  22. # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
  23. # Rails.application.config.content_security_policy_report_only = true