Don't use nonce in CSP in development mode

This commit is contained in:
Jérémy Lecour 2020-09-03 22:46:37 +02:00
parent fec2c8ba0b
commit 959c1ad610
1 changed files with 7 additions and 3 deletions


@ -11,19 +11,23 @@ Rails.application.config.content_security_policy do |policy|
policy.object_src :none
policy.script_src :self, :https
if Rails.env.development?
policy.style_src :self, :https, :blob
policy.style_src :self, :https, :blob, :unsafe_inline
else
policy.style_src :self, :https
end
# If you are using webpack-dev-server then specify webpack-dev-server host
policy.connect_src :self, :https, "http://localhost:3035", "ws://localhost:3035" if Rails.env.development?
if Rails.env.development?
policy.connect_src :self, :https, "http://localhost:3035", "ws://localhost:3035"
end
# Specify URI for violation reports
# policy.report_uri "/csp-violation-report-endpoint"
end
# If you are using UJS then enable automatic nonce generation
Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
unless Rails.env.development?
Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
end
# Set the nonce only to specific directives
# Rails.application.config.content_security_policy_nonce_directives = %w(script-src)
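Review bot: The comment "If you are using UJS then enable automatic nonce generation" above the new `unless Rails.env.development?` guard no longer matches the code, which now leaves development with no nonce while `script_src` stays `:self, :https` with no `:unsafe_inline`, so inline scripts that pick up a nonce via `nonce: true` or `csp_meta_tag` would be blocked in development yet pass in production, and the policy is weaker in the environment where breakage is noticed first. The motivation is presumably that once a nonce is present in a directive browsers ignore `'unsafe-inline'`, which would defeat the `:unsafe_inline` added to the development `style_src`; that reasoning should be written down, e.g. `# Skip the nonce in development: a nonce in style-src makes browsers ignore 'unsafe-inline'`. An alternative that keeps development and production closer is to leave the generator enabled in every environment and restrict the nonce to scripts via the commented-out `content_security_policy_nonce_directives = %w(script-src)` line, so `:unsafe_inline` on `style_src` stays effective without dropping the script nonce. Whichever is chosen, the dev/prod divergence (nonce vs no nonce, `:unsafe_inline` vs none) is worth a one-line note at the top of the `content_security_policy` block, which begins outside this hunk.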