Improve the content security policy
index 13db365099a9eeacd1fa0dc1aa4376196728a5e0..cd428d7dd2a9084de15f367c45d7ac512540e175 100644 (file)
@@ -10,7 +10,7 @@ policy = if defined?(CSP_REPORT_URL)
              :media_src => %w('none'),
              :object_src => %w('self'),
              :plugin_types => %w('none'),
-             :script_src => %w('self' 'unsafe-inline'),
+             :script_src => %w('self'),
              :style_src => %w('self' 'unsafe-inline'),
              :report_uri => [CSP_REPORT_URL]
            }
@@ -18,6 +18,8 @@ policy = if defined?(CSP_REPORT_URL)
            SecureHeaders::OPT_OUT
          end
 
+policy[:script_src] << PIWIK["location"] if defined?(PIWIK)
+
 SecureHeaders::Configuration.default do |config|
   config.csp = SecureHeaders::OPT_OUT
   config.csp_report_only = policy
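Review bot: The added line `policy[:script_src] << PIWIK["location"] if defined?(PIWIK)` only guards on PIWIK, but `policy` is assigned from an `if defined?(CSP_REPORT_URL)` branch whose `else` yields `SecureHeaders::OPT_OUT` (visible in the hunk context), so on a deployment with PIWIK configured but no CSP_REPORT_URL the line indexes a non-Hash with `[:script_src]` and will presumably raise at boot rather than silently skip. Mirroring the existing condition avoids that: `policy[:script_src] << PIWIK["location"] if defined?(PIWIK) && defined?(CSP_REPORT_URL)`. Since this widens the report-only script-src to a host taken from configuration, a one-line why-comment such as `# allow the Piwik tracker script now that 'unsafe-inline' is gone from script_src` would help the next reader; note that the `policy = if ...` expression begins above this hunk.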