Fix LetterOpennerWeb CSP (#17770)

author Yamagishi Kazutoshi <ykzts@desire.sh>

Mon, 14 Mar 2022 18:20:40 +0000 (03:20 +0900)

committer GitHub <noreply@github.com>

Mon, 14 Mar 2022 18:20:40 +0000 (19:20 +0100)
author Yamagishi Kazutoshi <ykzts@desire.sh>
Mon, 14 Mar 2022 18:20:40 +0000 (03:20 +0900)
committer GitHub <noreply@github.com>
Mon, 14 Mar 2022 18:20:40 +0000 (19:20 +0100)
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb

index b377b7b4d187c3d65fe0aaf5bc69e7caa55a4ed0..c113b0f8b980608f7f1616362a756f15c561bc08 100644 (file)
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -60,4 +60,20 @@ Rails.application.reloader.to_prepare do
    PgHero::HomeController.after_action do
      request.content_security_policy_nonce_generator = nil
    end
+
+  if Rails.env.development?
+    LetterOpenerWeb::LettersController.content_security_policy do |p|
+      p.child_src       :self
+      p.connect_src     :none
+      p.frame_ancestors :self
+      p.frame_src       :self
+      p.script_src      :unsafe_inline
+      p.style_src       :unsafe_inline
+      p.worker_src      :none
+    end
+
+    LetterOpenerWeb::LettersController.after_action do |p|
+      request.content_security_policy_nonce_directives = %w(script-src)
+    end
+  end
  end
author	Yamagishi Kazutoshi <ykzts@desire.sh>
	Mon, 14 Mar 2022 18:20:40 +0000 (03:20 +0900)
committer	GitHub <noreply@github.com>
	Mon, 14 Mar 2022 18:20:40 +0000 (19:20 +0100)