Upgrade to rails 7.0

2026-01-27 02:28:50 +01:00 · 2022-01-30 15:07:40 +01:00
parent eab04b9404
commit bfe8ce7b59
12 changed files with 196 additions and 191 deletions
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -4,26 +4,24 @@
 # For further information see the following documentation
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

-Rails.application.config.content_security_policy do |policy|
-  policy.default_src :none
-  policy.font_src    :self, 'https://cdnjs.cloudflare.com'
-  policy.img_src     :self, 'https://cdnjs.cloudflare.com', 'https://projecteuler.net'
-  policy.object_src  :none
-  policy.script_src  :self, 'https://cdnjs.cloudflare.com'
-  policy.style_src   :self, :unsafe_inline
-  policy.connect_src :self
+Rails.application.configure do
+  config.content_security_policy do |policy|
+    policy.default_src :none
+    policy.font_src    :self, "https://cdnjs.cloudflare.com"
+    policy.img_src     :self, "https://cdnjs.cloudflare.com", "https://projecteuler.net"
+    policy.object_src  :none
+    policy.script_src  :self, "https://cdnjs.cloudflare.com"
+    policy.style_src   :self, :unsafe_inline
+    policy.connect_src :self
+    # Specify URI for violation reports
+    # policy.report_uri "/csp-violation-report-endpoint"
+  end

-  # Specify URI for violation reports
-  # policy.report_uri "/csp-violation-report-endpoint"
+  # Generate session nonces for permitted importmap and inline scripts
+  config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
+  config.content_security_policy_nonce_directives = %w(script-src)
+
+  # Report CSP violations to a specified URI. See:
+  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
+  # config.content_security_policy_report_only = true
 end
-
-# If you are using UJS then enable automatic nonce generation
-# Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
-
-# Set the nonce only to specific directives
-# Rails.application.config.content_security_policy_nonce_directives = %w(script-src)
-
-# Report CSP violations to a specified URI
-# For further information see the following documentation:
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
-# Rails.application.config.content_security_policy_report_only = true