Disallow scripts loading over https [SCI-8634] (#5713)
Co-authored-by: Sboursen <dev.sboursen@gmail.com>
This commit is contained in:
parent
85ad167998
commit
ea6a714dac
2 changed files with 2 additions and 2 deletions
|
@ -1,6 +1,7 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<%= csp_meta_tag %>
|
||||
<meta data-hook="head-js">
|
||||
<title><%=t "head.title", title: (yield :head_title) %></title>
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no">
|
||||
|
@ -12,7 +13,6 @@
|
|||
<% end %>
|
||||
<%= stylesheet_link_tag "tailwind", "data-turbo-track": "reload" %>
|
||||
<%= stylesheet_link_tag 'application', media: 'all' %>
|
||||
<%= csp_meta_tag %>
|
||||
<% if ::NewRelic::Agent.instance.started? %>
|
||||
<%= ::NewRelic::Agent.browser_timing_header(controller.request.content_security_policy_nonce) %>
|
||||
<% end %>
|
||||
|
|
|
@ -10,7 +10,7 @@ Rails.application.config.content_security_policy do |policy|
|
|||
policy.font_src :self, :https, :data
|
||||
policy.img_src :self, :https, :data, :blob
|
||||
policy.object_src :none
|
||||
policy.script_src :self, :https, :unsafe_eval
|
||||
policy.script_src :self, :unsafe_eval
|
||||
policy.style_src :self, :https, :unsafe_inline, :data
|
||||
policy.connect_src :self, :data, *Extends::EXTERNAL_SERVICES
|
||||
|
||||
|
|
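Review bot: The new `policy.script_src :self, :unsafe_eval` line still carries `:unsafe_eval`, so dropping `:https` closes third-party script origins but any script that does load may still call `eval`/`new Function`, which is much of what script-src is meant to contain; a comment naming why it is kept and what must change before it can go would help the next reader, e.g. `# :unsafe_eval still required by <component — TODO name it>; remove once that code path is replaced`. The sibling `policy.style_src :self, :https, :unsafe_inline, :data` line keeps the same `:https` wildcard this commit removes from script_src, so either document why styles stay open or tighten them in the same pass. The layout in the first file passes `controller.request.content_security_policy_nonce` to NewRelic's `browser_timing_header`, but no nonce generator or nonce directive is visible in this hunk; presumably it is configured elsewhere in the initializer, which is worth confirming since that inline snippet depends on it (a pre-existing condition, not introduced here). The enclosing `Rails.application.config.content_security_policy do |policy|` block starts and ends outside the hunk.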