0

I can obviously change the Content-Security-Policy in views/application.rb. I can also add a different Content-Security-Policy for development mode.

How can I use a different Content-Security-Policy for a specific action or actions?

Simone Carletti
John La Rooy

1 Answer

4

Content-Security-Policy is an HTTP header, so it's related to actions, not views.

You can set a global value in apps/web/application.rb like this:

security.content_security_policy '...'

You can set a global value on a per-environment basis in apps/web/application.rb:

configure :development do
  security.content_security_policy '...'
end

You can set a different value for a given action:

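module Web::Controllers::Home
  # An action is a class inside the controller module; Index is an example name
  class Index
    include Web::Action

    def call(params)
      # Overrides the globally configured header for this action only
      headers.merge!('Content-Security-Policy' => '...')
    end
  end
end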

If you have many actions that need that same exception you can do:

# apps/web/controllers/csp_rule.rb
module Web::Controllers::CSPRule
  def self.included(action)
    action.class_eval do
      before :set_content_security_policy
    end
  end

  private

  def set_content_security_policy
    headers.merge!('Content-Security-Policy' => '...')
  end
end

And you can include it where needed.

John La Rooy
Luca Guidi
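
Added example, not part of the answer above and not Hanami code: because `headers.merge!` replaces the whole header value, a hand-written per-action policy can silently drop directives the global policy enforces. This sketch derives the per-action value from the global string and changes only the named directives; `CSPOverride`, `GLOBAL_CSP`, `ACTION_CSP` and the host `cdn.example.test` are hypothetical names and constructed sample values.

```ruby
# Constructed sample; in a Hanami app this would be the string passed to
# security.content_security_policy in apps/web/application.rb.
GLOBAL_CSP = "default-src 'none'; script-src 'self'; " \
             "img-src 'self' https:; frame-ancestors 'none'"

module CSPOverride # hypothetical helper, not part of Hanami
  module_function

  # "a b c; d e" -> { "a" => ["b", "c"], "d" => ["e"] }
  def parse(policy)
    policy.split(';').each_with_object({}) do |chunk, out|
      name, *sources = chunk.strip.split(/\s+/)
      next if name.nil?           # skip empty segments
      name = name.downcase        # directive names are case-insensitive
      out[name] ||= sources       # browsers use only the first occurrence
    end
  end

  def serialize(directives)
    directives.map { |name, sources| ([name] + sources).join(' ') }.join('; ')
  end

  # Returns the base policy with only the named directives replaced or added.
  def derive(base, overrides)
    directives = parse(base)
    overrides.each do |name, sources|
      directives[name.to_s.downcase] = Array(sources)
    end
    serialize(directives)
  end
end

# Per-action value: allow one extra script origin, keep every other directive.
ACTION_CSP = CSPOverride.derive(
  GLOBAL_CSP,
  'script-src' => ["'self'", 'https://cdn.example.test']
)

# In the action or in the CSPRule module this would be used as:
#   headers.merge!('Content-Security-Policy' => ACTION_CSP)
puts ACTION_CSP if __FILE__ == $PROGRAM_NAME
```
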