X-Git-Url: https://git.openstreetmap.org/rails.git/blobdiff_plain/550c4a3a45814fde5c809334c85f1ebc47659a82..0a10ac2e9be4246987951eea86ae201f14c65fc1:/config/initializers/content_security_policy.rb

diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index 3621f97f8..b3076b38f 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -1,8 +1,8 @@
 # Be sure to restart your server when you modify this file.
 
-# Define an application-wide content security policy
-# For further information see the following documentation
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+# Define an application-wide content security policy.
+# See the Securing Rails Applications Guide for more information:
+# https://guides.rubyonrails.org/security.html#content-security-policy-header
 
 # Rails.application.configure do
 #   config.content_security_policy do |policy|
@@ -16,11 +16,10 @@
 #     # policy.report_uri "/csp-violation-report-endpoint"
 #   end
 #
-#   # Generate session nonces for permitted importmap and inline scripts
+#   # Generate session nonces for permitted importmap, inline scripts, and inline styles.
 #   config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
-#   config.content_security_policy_nonce_directives = %w(script-src)
+#   config.content_security_policy_nonce_directives = %w(script-src style-src)
 #
-#   # Report CSP violations to a specified URI. See:
-#   # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
+#   # Report violations without enforcing the policy.
 #   # config.content_security_policy_report_only = true
 # end