Improve the content security policy
[rails.git] / config / initializers / secure_headers.rb
1 policy = if defined?(CSP_REPORT_URL)
2            {
3              :default_src => %w('self'),
4              :child_src => %w('self'),
5              :connect_src => %w('self'),
6              :font_src => %w('none'),
7              :form_action => %w('self'),
8              :frame_ancestors => %w('self'),
9              :img_src => %w('self' data: www.gravatar.com *.wp.com *.tile.openstreetmap.org *.tile.thunderforest.com *.openstreetmap.fr),
10              :media_src => %w('none'),
11              :object_src => %w('self'),
12              :plugin_types => %w('none'),
13              :script_src => %w('self'),
14              :style_src => %w('self' 'unsafe-inline'),
15              :report_uri => [CSP_REPORT_URL]
16            }
17          else
18            SecureHeaders::OPT_OUT
19          end
20
21 policy[:script_src] << PIWIK["location"] if defined?(PIWIK)
22
23 SecureHeaders::Configuration.default do |config|
24   config.csp = SecureHeaders::OPT_OUT
25   config.csp_report_only = policy
26 end