panel/config/initializers/content_security_policy.rb

# frozen_string_literal: true

# Be sure to restart your server when you modify this file.

# Define an application-wide content security policy
# For further information see the following documentation
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

Rails.application.config.content_security_policy do |policy|
  policy.default_src :self
  # XXX: Varios scripts generan estilos en línea
  policy.style_src   :self, :unsafe_inline
  # Repetimos la default para poder saber cuál es la política en falta
  policy.script_src  :self
  policy.font_src    :self
  # XXX: Los íconos de Trix se cargan vía data:
  policy.img_src     :self, :data, :https
  # Ya no usamos applets!
  policy.object_src  :none
  if Rails.env.development?
    policy.connect_src :self,
                       'http://localhost:3035',
                       'ws://localhost:3035'
  end

  # Specify URI for violation reports
  policy.report_uri "https://api.#{ENV.fetch('SUTTY_WITH_PORT', 'sutty.nl')}/v1/csp_reports.json"
end

# If you are using UJS then enable automatic nonce generation
# Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }

# Set the nonce only to specific directives
# Rails.application.config.content_security_policy_nonce_directives = %w(script-src)

# Report CSP violations to a specified URI
# For further information see the following documentation:
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
Rails.application.config.content_security_policy_report_only = false
actualizar a rails 6 y jekyll 4 2019-08-29 17:54:19 +00:00			`# frozen_string_literal: true`

			`# Be sure to restart your server when you modify this file.`

			`# Define an application-wide content security policy`
			`# For further information see the following documentation`
			`# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy`

Content Security Policy 2020-02-06 16:11:17 +00:00			`Rails.application.config.content_security_policy do \|policy\|`
			`policy.default_src :self`
			`# XXX: Varios scripts generan estilos en línea`
			`policy.style_src :self, :unsafe_inline`
			`# Repetimos la default para poder saber cuál es la política en falta`
			`policy.script_src :self`
			`policy.font_src :self`
cargar los iconos de trix 2020-02-07 23:38:56 +00:00			`# XXX: Los íconos de Trix se cargan vía data:`
permitir carga remota de imágenes 2020-10-19 15:46:25 +00:00			`policy.img_src :self, :data, :https`
Content Security Policy 2020-02-06 16:11:17 +00:00			`# Ya no usamos applets!`
			`policy.object_src :none`
			`if Rails.env.development?`
			`policy.connect_src :self,`
			`'http://localhost:3035',`
			`'ws://localhost:3035'`
			`end`
actualizar a rails 6 y jekyll 4 2019-08-29 17:54:19 +00:00
Content Security Policy 2020-02-06 16:11:17 +00:00			`# Specify URI for violation reports`
			`policy.report_uri "https://api.#{ENV.fetch('SUTTY_WITH_PORT', 'sutty.nl')}/v1/csp_reports.json"`
			`end`
actualizar a rails 6 y jekyll 4 2019-08-29 17:54:19 +00:00
			`# If you are using UJS then enable automatic nonce generation`
Content Security Policy 2020-02-06 16:11:17 +00:00			`# Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }`
actualizar a rails 6 y jekyll 4 2019-08-29 17:54:19 +00:00
			`# Set the nonce only to specific directives`
Content Security Policy 2020-02-06 16:11:17 +00:00			`# Rails.application.config.content_security_policy_nonce_directives = %w(script-src)`
actualizar a rails 6 y jekyll 4 2019-08-29 17:54:19 +00:00
			`# Report CSP violations to a specified URI`
			`# For further information see the following documentation:`
			`# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only`
Content Security Policy 2020-02-06 16:11:17 +00:00			`Rails.application.config.content_security_policy_report_only = false`