Improve CSP initializer copy
The `content_security_policy_report_only` config does not enable violation reporting. It makes sure the policy isn't enforced, only reported. Also link to the guide instead of external documentation.
This commit is contained in:
Petrik
parent
ce1806d945
commit
ba3ff2def8
7
railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt
7
railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt
@ -1,8 +1,8 @@
|
||||
# Be sure to restart your server when you modify this file.
|
||||
|
||||
# Define an application-wide content security policy.
|
||||
# For further information see the following documentation:
|
||||
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
|
||||
# See the Securing Rails Applications Guide for more information:
|
||||
# https://guides.rubyonrails.org/security.html#content-security-policy-header
|
||||
|
||||
# Rails.application.configure do
|
||||
# config.content_security_policy do |policy|
|
||||
@ -20,7 +20,6 @@
|
||||
# config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
|
||||
# config.content_security_policy_nonce_directives = %w(script-src)
|
||||
#
|
||||
# # Report CSP violations to a specified URI. See:
|
||||
# # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
|
||||
# # Report violations without enforcing the policy.
|
||||
# # config.content_security_policy_report_only = true
|
||||
# end
|
||||
|
||||
Loading…
Reference in New Issue
Block a user