Configure manifest-src and worker-src in security policy
authorTom Hughes <tom@compton.nu>
Thu, 17 May 2018 18:10:39 +0000 (19:10 +0100)
committerTom Hughes <tom@compton.nu>
Thu, 17 May 2018 18:10:39 +0000 (19:10 +0100)
config/initializers/secure_headers.rb

index ba9aa496f4468601293db2a7bd13abed81e404a5..cd6979bee26bf8e9c83e1dc31ae23d65d78b00fd 100644 (file)
@@ -9,11 +9,13 @@ if defined?(CSP_REPORT_URL)
     :frame_ancestors => %w['self'],
     :frame_src => %w['self'],
     :img_src => %w['self' data: www.gravatar.com *.wp.com *.tile.openstreetmap.org *.tile.thunderforest.com *.openstreetmap.fr],
+    :manifest_src => %w['none'],
     :media_src => %w['none'],
     :object_src => %w['self'],
     :plugin_types => %w[],
     :script_src => %w['self'],
     :style_src => %w['self'],
+    :worker_src => %w['none'],
     :report_uri => [CSP_REPORT_URL]
   }