
Don't use nonce in CSP in development mode

master
Jérémy Lecour 5 months ago
parent
commit
959c1ad610
1 changed files with 7 additions and 3 deletions
  1. +7
    -3
      config/initializers/content_security_policy.rb

+ 7
- 3
config/initializers/content_security_policy.rb

@ -11,19 +11,23 @@ Rails.application.config.content_security_policy do |policy|
policy.object_src :none
policy.script_src :self, :https
if Rails.env.development?
policy.style_src :self, :https, :blob
policy.style_src :self, :https, :blob, :unsafe_inline
else
policy.style_src :self, :https
end
# If you are using webpack-dev-server then specify webpack-dev-server host
policy.connect_src :self, :https, "http://localhost:3035", "ws://localhost:3035" if Rails.env.development?
if Rails.env.development?
policy.connect_src :self, :https, "http://localhost:3035", "ws://localhost:3035"
end
# Specify URI for violation reports
# policy.report_uri "/csp-violation-report-endpoint"
end
# If you are using UJS then enable automatic nonce generation
Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
unless Rails.env.development?
Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
end
# Set the nonce only to specific directives
# Rails.application.config.content_security_policy_nonce_directives = %w(script-src)
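Review bot: Loosening style_src with :unsafe_inline and dropping the nonce generator only in development (the new style_src line and the new unless-block around the nonce generator) means the policy enforced in production is never exercised locally, so inline-style and inline-script violations surface only after deployment. A way to keep the environments aligned while still unblocking local work is to leave the directives and the nonce generator identical in every environment and set `Rails.application.config.content_security_policy_report_only = true if Rails.env.development?`, so violations are reported in the browser console instead of blocked. If the looser development policy is intentional, a comment next to the branch such as `# Development only: inline styles allowed and no nonce is issued; production enforces the stricter policy, so check the console for violations before deploying` would make the trade-off explicit for the next reader. The `Rails.env.development?` check is now repeated four times in this initializer; evaluating it once into a local would make the environment split easier to audit. The content_security_policy block that encloses the style_src and connect_src branches starts outside the hunk.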

