Use unsafe_inline as the default for script_src CSP until we get a nonce alternative

Closes #31273 but we will still want to upgrade this to the nonce-approach when it’s ready.

Use unsafe_inline as the default for script_src CSP until we get a nonce alternative
Closes #31273 but we will still want to upgrade this to the nonce-approach when it’s ready.
0f7d3b61 · David Heinemeier Hansson · 9a023c83 · 0f7d3b61
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt ...mplates/config/initializers/content_security_policy.rb.tt +1 -1

未找到文件。
--- a/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt
+++ b/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt
@@ -9,7 +9,7 @@ Rails.application.config.content_security_policy do |policy|
  policy.font_src    :self, :https, :data
  policy.img_src     :self, :https, :data
  policy.object_src  :none
-  policy.script_src  :self, :https
+  policy.script_src  :self, :https, :unsafe_inline
  policy.style_src   :self, :https, :unsafe_inline

  # Specify URI for violation reports