1 # Be sure to restart your server when you modify this file.
3 # Define an application-wide content security policy.
4 # See the Securing Rails Applications Guide for more information:
5 # https://guides.rubyonrails.org/security.html#content-security-policy-header
7 Rails.application.configure do
9 img_src = [:self, :data, "www.gravatar.com", "*.wp.com", "tile.openstreetmap.org", "*.tile.thunderforest.com", "tile.tracestrack.com", "*.openstreetmap.fr"]
12 connect_src << Settings.matomo["location"] if defined?(Settings.matomo)
13 img_src << Settings.matomo["location"] if defined?(Settings.matomo)
14 script_src << Settings.matomo["location"] if defined?(Settings.matomo)
16 img_src << Settings.avatar_storage_url if Settings.key?(:avatar_storage_url)
17 img_src << Settings.trace_image_storage_url if Settings.key?(:trace_image_storage_url)
19 config.content_security_policy do |policy|
20 policy.default_src :self
21 policy.child_src(:self)
22 policy.connect_src(*connect_src)
23 policy.font_src(:none)
24 policy.form_action(:self)
25 policy.frame_ancestors(:self)
26 policy.frame_src(:self)
27 policy.img_src(*img_src)
28 policy.manifest_src(:self)
29 policy.media_src(:none)
30 policy.object_src(:self)
32 policy.script_src(*script_src)
33 policy.style_src(:self)
34 policy.worker_src(:none)
35 policy.manifest_src(:self)
36 policy.report_uri(Settings.csp_report_url) if Settings.key?(:csp_report_url)
39 # Generate session nonces for permitted importmap and inline scripts
40 config.content_security_policy_nonce_generator = ->(_request) { SecureRandom.base64(24) }
41 config.content_security_policy_nonce_directives = %w[style-src]
43 # Report violations without enforcing the policy.
44 config.content_security_policy_report_only = true unless Settings.csp_enforce