1 # frozen_string_literal: true
3 # Be sure to restart your server when you modify this file.
5 # Define an application-wide content security policy.
6 # See the Securing Rails Applications Guide for more information:
7 # https://guides.rubyonrails.org/security.html#content-security-policy-header
9 Rails.application.configure do
11 img_src = [:self, :data, "www.gravatar.com", "*.wp.com", "tile.openstreetmap.org", "gps.tile.openstreetmap.org", "*.tile.thunderforest.com", "tile.tracestrack.com", "*.openstreetmap.fr"]
14 connect_src << Settings.matomo["location"] if defined?(Settings.matomo)
15 img_src << Settings.matomo["location"] if defined?(Settings.matomo)
16 script_src << Settings.matomo["location"] if defined?(Settings.matomo)
18 img_src << Settings.avatar_storage_url if Settings.key?(:avatar_storage_url)
19 img_src << Settings.trace_image_storage_url if Settings.key?(:trace_image_storage_url)
21 config.content_security_policy do |policy|
22 policy.default_src :self
23 policy.child_src(:self)
24 policy.connect_src(*connect_src)
25 policy.font_src(:none)
26 policy.form_action(:self)
27 policy.frame_ancestors(:self)
28 policy.frame_src(:self)
29 policy.img_src(*img_src)
30 policy.manifest_src(:self)
31 policy.media_src(:none)
32 policy.object_src(:self)
34 policy.script_src(*script_src)
35 policy.style_src(:self)
36 policy.worker_src(:blob)
37 policy.manifest_src(:self)
38 policy.report_uri(Settings.csp_report_url) if Settings.key?(:csp_report_url)
41 # Generate session nonces for permitted importmap, inline scripts, and inline styles.
42 config.content_security_policy_nonce_generator = ->(_request) { SecureRandom.base64(24) }
43 config.content_security_policy_nonce_directives = %w[script-src style-src]
45 # Report violations without enforcing the policy.
46 config.content_security_policy_report_only = true unless Settings.csp_enforce
projects / rails.git / blob