Feature #29405
Support header Content Security Policy
Status:
New
Priority:
Normal
Assignee:
-
Category:
Security
Target version:
-
Start date:
Due date:
% Done:
0%
Estimated time:
Resolution:
Description
Hi,
According to Google, this is a basic Content Security Policy.
Content-Security-Policy: default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'
Redmine crashes with it because there are some calls to eval in JavaScript on some pages.
Regards,
Ludovic
Updated by cam lafit almost 4 years ago
Hello
A workaround is to enable everything via a config/initializers/csp.rb
Rails.application.config.content_security_policy do |policy|
  # Every directive below allows any origin, data: and blob: URLs, inline
  # scripts/styles and eval(), so the header is sent but restricts nothing.
  policy.default_src "*", :data, :blob, "'unsafe-inline'", "'unsafe-eval'"
  policy.font_src    "*", :data, :blob, "'unsafe-inline'", "'unsafe-eval'"
  policy.img_src     "*", :data, :blob, "'unsafe-inline'", "'unsafe-eval'"
  policy.object_src  "*", :data, :blob, "'unsafe-inline'", "'unsafe-eval'"
  policy.script_src  "*", :data, :blob, "'unsafe-inline'", "'unsafe-eval'"
  policy.style_src   "*", :data, :blob, "'unsafe-inline'", "'unsafe-eval'"
  # Specify URI for violation reports
  # policy.report_uri "/csp-violation-report-endpoint"
end
# Uncomment to send Content-Security-Policy-Report-Only instead of
# Content-Security-Policy, so violations are reported but not enforced.
#Rails.application.config.content_security_policy_report_only = true
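To see why the policy quoted in the description blocks Redmine's eval() calls while the workaround above does not, here is a small CSP source-list checker that applies the default-src fallback browsers use. This is an added example, not code from the Redmine issue or the workaround; the two header values it checks are copied from this thread, and the directive list it falls back on is an assumption covering the common fetch directives.

```ruby
# Parses a Content-Security-Policy header value and answers whether a given
# fetch directive permits a source expression, applying the default-src
# fallback that browsers use when the directive is absent.

# Fetch directives assumed to fall back to default-src when not listed.
FALLBACK_TO_DEFAULT = %w[script-src style-src img-src font-src connect-src
                         object-src media-src frame-src].freeze

# "default-src https:; script-src https: 'unsafe-inline'" becomes
# { "default-src" => ["https:"], "script-src" => ["https:", "'unsafe-inline'"] }
def parse_csp(header)
  header.split(";").each_with_object({}) do |raw, acc|
    tokens = raw.strip.split(/\s+/)
    next if tokens.empty?
    name = tokens.shift.downcase
    acc[name] = tokens unless acc.key?(name) # browsers ignore repeated directives
  end
end

# Source list governing +directive+: its own list if present, otherwise
# default-src for directives that fall back, otherwise nil (unrestricted).
def effective_sources(policy, directive)
  return policy[directive] if policy.key?(directive)
  return policy["default-src"] if FALLBACK_TO_DEFAULT.include?(directive)
  nil
end

# True when +directive+ allows +expression+ (e.g. "'unsafe-eval'" or "https:").
# "*" matches URL sources only; keywords in quotes must be listed explicitly.
def csp_allows?(header, directive, expression)
  sources = effective_sources(parse_csp(header), directive)
  return true if sources.nil?
  sources.include?(expression) ||
    (sources.include?("*") && !expression.start_with?("'"))
end

# Header from the issue description (the "basic" policy from Google).
GOOGLE_BASIC = "default-src https:; script-src https: 'unsafe-inline'; " \
               "style-src https: 'unsafe-inline'"
# Header the csp.rb workaround emits for default-src and script-src.
WORKAROUND = "default-src * data: blob: 'unsafe-inline' 'unsafe-eval'; " \
             "script-src * data: blob: 'unsafe-inline' 'unsafe-eval'"

if __FILE__ == $0
  puts csp_allows?(GOOGLE_BASIC, "script-src", "'unsafe-eval'") # false: eval() blocked
  puts csp_allows?(WORKAROUND, "script-src", "'unsafe-eval'")   # true
end
```

The false result for the first header is the violation Redmine's eval() calls trigger; the fix the issue asks for is to make those pages work without needing 'unsafe-eval' rather than to widen the policy.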