Commit 3390ca52 authored by Axel García's avatar Axel García

Update Content Security Policy headers

Add the default-src values to the policies
so they work as usual in tests, or in other
environments without an explicit CSP config.
parent 7029aa51
...@@ -18,10 +18,12 @@ class RegistrationsController < Devise::RegistrationsController ...@@ -18,10 +18,12 @@ class RegistrationsController < Devise::RegistrationsController
content_security_policy do |policy| content_security_policy do |policy|
next if policy.directives.blank? next if policy.directives.blank?
script_src_values = Array.wrap(policy.directives['script-src']) | ['https://cdn.cookielaw.org https://*.onetrust.com'] default_script_src = policy.directives['script-src'] || policy.directives['default-src']
script_src_values = Array.wrap(default_script_src) | ["'self'", "'unsafe-eval'", 'https://cdn.cookielaw.org https://*.onetrust.com']
policy.script_src(*script_src_values) policy.script_src(*script_src_values)
connect_src_values = Array.wrap(policy.directives['connect-src']) | ['https://cdn.cookielaw.org'] default_connect_src = policy.directives['connect-src'] || policy.directives['default-src']
connect_src_values = Array.wrap(default_connect_src) | ["'self'", 'https://cdn.cookielaw.org']
policy.connect_src(*connect_src_values) policy.connect_src(*connect_src_values)
end end
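Review bot: The new `script_src_values` line adds `'unsafe-eval'` to script-src, which the commit description (default-src fallback) does not mention or justify; this directive re-enables eval(), new Function() and string-based setTimeout/setInterval in every page served by this controller, which removes a substantial part of the XSS mitigation the policy is meant to provide. If the OneTrust cookie-consent script genuinely needs it, that should be confirmed against its documentation and recorded inline, e.g. `# 'unsafe-eval' needed by the OneTrust consent script (TODO: confirm; drop if a nonce/hash covers it)`; if it was only added to keep tests passing, it belongs in the test environment's CSP config rather than in production code. The same two rewritten lines appear in the SessionsController and TrialRegistrationsController hunks below, and since TrialRegistrationsController already inherits from RegistrationsController, the three verbatim copies of this block could become one shared concern so a future tightening happens in one place. The enclosing class bodies start and end outside the hunk.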
...@@ -58,10 +58,12 @@ class SessionsController < Devise::SessionsController ...@@ -58,10 +58,12 @@ class SessionsController < Devise::SessionsController
content_security_policy do |policy| content_security_policy do |policy|
next if policy.directives.blank? next if policy.directives.blank?
script_src_values = Array.wrap(policy.directives['script-src']) | ['https://cdn.cookielaw.org https://*.onetrust.com'] default_script_src = policy.directives['script-src'] || policy.directives['default-src']
script_src_values = Array.wrap(default_script_src) | ["'self'", "'unsafe-eval'", 'https://cdn.cookielaw.org https://*.onetrust.com']
policy.script_src(*script_src_values) policy.script_src(*script_src_values)
connect_src_values = Array.wrap(policy.directives['connect-src']) | ['https://cdn.cookielaw.org'] default_connect_src = policy.directives['connect-src'] || policy.directives['default-src']
connect_src_values = Array.wrap(default_connect_src) | ["'self'", 'https://cdn.cookielaw.org']
policy.connect_src(*connect_src_values) policy.connect_src(*connect_src_values)
end end
...@@ -15,10 +15,12 @@ class TrialRegistrationsController < RegistrationsController ...@@ -15,10 +15,12 @@ class TrialRegistrationsController < RegistrationsController
content_security_policy do |policy| content_security_policy do |policy|
next if policy.directives.blank? next if policy.directives.blank?
script_src_values = Array.wrap(policy.directives['script-src']) | ['https://cdn.cookielaw.org https://*.onetrust.com'] default_script_src = policy.directives['script-src'] || policy.directives['default-src']
script_src_values = Array.wrap(default_script_src) | ["'self'", "'unsafe-eval'", 'https://cdn.cookielaw.org https://*.onetrust.com']
policy.script_src(*script_src_values) policy.script_src(*script_src_values)
connect_src_values = Array.wrap(policy.directives['connect-src']) | ['https://cdn.cookielaw.org'] default_connect_src = policy.directives['connect-src'] || policy.directives['default-src']
connect_src_values = Array.wrap(default_connect_src) | ["'self'", 'https://cdn.cookielaw.org']
policy.connect_src(*connect_src_values) policy.connect_src(*connect_src_values)
end end