X-Git-Url: https://git.openstreetmap.org./rails.git/blobdiff_plain/cb87f02642d0097ebc067ca1f9371dde274a41e3..c77c7d015f224db8c383932c3745e1cbd48eb519:/config/initializers/secure_headers.rb diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb index f4633d72f..9af170623 100644 --- a/config/initializers/secure_headers.rb +++ b/config/initializers/secure_headers.rb @@ -6,6 +6,7 @@ if defined?(CSP_REPORT_URL) :font_src => %w['none'], :form_action => %w['self'], :frame_ancestors => %w['self'], + :frame_src => %w['self'], :img_src => %w['self' data: www.gravatar.com *.wp.com *.tile.openstreetmap.org *.tile.thunderforest.com *.openstreetmap.fr], :media_src => %w['none'], :object_src => %w['self'], @@ -15,6 +16,7 @@ if defined?(CSP_REPORT_URL) :report_uri => [CSP_REPORT_URL] } + csp_policy[:img_src] << PIWIK["location"] if defined?(PIWIK) csp_policy[:script_src] << PIWIK["location"] if defined?(PIWIK) else csp_policy = SecureHeaders::OPT_OUT @@ -26,7 +28,7 @@ cookie_policy = { } SecureHeaders::Configuration.default do |config| - config.hsts = "max-age=0" + config.hsts = SecureHeaders::OPT_OUT config.csp = SecureHeaders::OPT_OUT config.csp_report_only = csp_policy config.cookies = cookie_policy