scinote-eln/scinote-web
1
1
Fork 0
mirror of https://github.com/scinote-eln/scinote-web.git synced 2024-12-31 04:32:06 +08:00
Code Issues Projects Releases Packages Wiki Activity

Disallow scripts loading over https [SCI-8634] (#5713)

Browse source 
Co-authored-by: Sboursen <dev.sboursen@gmail.com>
This commit is contained in:
Soufiane 2023-07-05 13:19:16 +02:00 committed by GitHub
parent 85ad167998
commit ea6a714dac
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
app/views/layouts/application.html.erb
View file

@ -1,6 +1,7 @@
<!DOCTYPE html> <!DOCTYPE html>
<html> <html>
<head> <head>
<%= csp_meta_tag %>
<meta data-hook="head-js"> <meta data-hook="head-js">
<title><%=t "head.title", title: (yield :head_title) %></title> <title><%=t "head.title", title: (yield :head_title) %></title>
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"> <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no">
@ -12,7 +13,6 @@
<% end %> <% end %>
<%= stylesheet_link_tag "tailwind", "data-turbo-track": "reload" %> <%= stylesheet_link_tag "tailwind", "data-turbo-track": "reload" %>
<%= stylesheet_link_tag 'application', media: 'all' %> <%= stylesheet_link_tag 'application', media: 'all' %>
<%= csp_meta_tag %>
<% if ::NewRelic::Agent.instance.started? %> <% if ::NewRelic::Agent.instance.started? %>
<%= ::NewRelic::Agent.browser_timing_header(controller.request.content_security_policy_nonce) %> <%= ::NewRelic::Agent.browser_timing_header(controller.request.content_security_policy_nonce) %>
<% end %> <% end %>

2
config/initializers/security_policy.rb
View file

@ -10,7 +10,7 @@ Rails.application.config.content_security_policy do |policy|
policy.font_src :self, :https, :data policy.font_src :self, :https, :data
policy.img_src :self, :https, :data, :blob policy.img_src :self, :https, :data, :blob
policy.object_src :none policy.object_src :none
policy.script_src :self, :https, :unsafe_eval policy.script_src :self, :unsafe_eval
policy.style_src :self, :https, :unsafe_inline, :data policy.style_src :self, :https, :unsafe_inline, :data
policy.connect_src :self, :data, *Extends::EXTERNAL_SERVICES policy.connect_src :self, :data, *Extends::EXTERNAL_SERVICES