| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647 |
- # Be sure to restart your server when you modify this file.
- # Define an application-wide content security policy
- # For further information see the following documentation
- # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
- # Rails.application.config.content_security_policy do |policy|
- # policy.default_src :self, :https
- # policy.font_src :self, :https, :data
- # policy.img_src :self, :https, :data
- # policy.object_src :none
- # policy.script_src :self, :https
- # policy.style_src :self, :https
- # # Specify URI for violation reports
- # # policy.report_uri "/csp-violation-report-endpoint"
- # end
- Rails.application.config.content_security_policy do |policy|
- base_uri = proc do
- next if !Rails.env.production?
- next if !Setting.get('system_init_done')
- http_type = Setting.get('http_type')
- fqdn = Setting.get('fqdn')
- "#{http_type}://#{fqdn}"
- end
- policy.base_uri :self, base_uri
- policy.default_src :self, :ws, :wss, 'https://log.zammad.com', 'https://images.zammad.com'
- policy.font_src :self, :data
- policy.img_src '*', :data
- policy.object_src :none
- policy.script_src :self, :unsafe_eval, :unsafe_inline, :strict_dynamic
- policy.style_src :self, :unsafe_inline
- policy.frame_src 'www.youtube.com', 'player.vimeo.com'
- end
- # If you are using UJS then enable automatic nonce generation
- Rails.application.config.content_security_policy_nonce_generator = ->(_request) { SecureRandom.base64(16) }
- # Report CSP violations to a specified URI
- # For further information see the following documentation:
- # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
- # Rails.application.config.content_security_policy_report_only = true
|
