Merge pull request #34375 from y-yagi/add_connect_src_to_default_csp_initializer

Add `connect_src` example to content security policy initializer

railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt

@@ -11,6 +11,10 @@
 #   policy.object_src  :none
 #   policy.script_src  :self, :https
 #   policy.style_src   :self, :https
+<%- unless options[:skip_javascript] -%>
+#   # If you are using webpack-dev-server then specify webpack-dev-server host
+#   policy.connect_src :self, :https, "http://localhost:3035", "ws://localhost:3035" if Rails.env.development?
+<%- end -%>
 
 #   # Specify URI for violation reports
 #   # policy.report_uri "/csp-violation-report-endpoint"

railties/test/generators/app_generator_test.rb

@@ -230,6 +230,14 @@ def test_new_application_load_defaults
     assert_equal "false\n", output
   end
 
+  def test_csp_initializer_include_connect_src_example
+    run_generator
+
+    assert_file "config/initializers/content_security_policy.rb" do |content|
+      assert_match(/#   policy\.connect_src/, content)
+    end
+  end
+
   def test_app_update_keep_the_cookie_serializer_if_it_is_already_configured
     app_root = File.join(destination_root, "myapp")
     run_generator [app_root]
@@ -807,6 +815,9 @@ def test_skip_javascript_option
     end
 
     assert_no_gem "webpacker"
+    assert_file "config/initializers/content_security_policy.rb" do |content|
+      assert_no_match(/policy\.connect_src/, content)
+    end
   end
 
   def test_webpack_option_with_js_framework