config/initializers/secure_headers.rb

   1 policy = if defined?(CSP_REPORT_URL)
   2            {
   3              :default_src => %w('self'),
   4              :child_src => %w('self'),
   5              :connect_src => %w('self'),
   6              :font_src => %w('none'),
   7              :form_action => %w('self'),
   8              :frame_ancestors => %w('self'),
   9              :img_src => %w('self' data: www.gravatar.com *.wp.com *.tile.openstreetmap.org *.tile.thunderforest.com *.openstreetmap.fr),
  10              :media_src => %w('none'),
  11              :object_src => %w('self'),
  12              :plugin_types => %w('none'),
  13              :script_src => %w('self'),
  14              :style_src => %w('self' 'unsafe-inline'),
  15              :report_uri => [CSP_REPORT_URL]
  16            }
  17          else
  18            SecureHeaders::OPT_OUT
  19          end
  20
  21 policy[:script_src] << PIWIK["location"] if defined?(PIWIK)
  22
  23 SecureHeaders::Configuration.default do |config|
  24   config.csp = SecureHeaders::OPT_OUT
  25   config.csp_report_only = policy
  26 end