I am trying to create a very basic .rb plugin (based on discourse-allowall, which is now obsolete in Chrome) which will merge the CSP header into the default ones, but I can't get it to work.

The below does not seem to do it.

Rails.application.config.action_dispatch.default_headers.merge!({'Content-Security-Policy' => "frame-ancestors 'http://mylocal.com.localhost'"})

I literally have 0 experience with Ruby so need to know:

  1. If that's possible
  2. The correct syntax for defining the above header and merging it with the default ones

NOTE: End goal is to allow for the application to be frameable by 2 specific domains.

mixkat

1 Answer

My syntax was off and this is working fine now. Correct syntax is like:

Rails.application.config.action_dispatch.default_headers.merge!({'Content-Security-Policy' => "frame-ancestors *"})

Put it up on GitHub in case someone wants to use it as a plugin: https://github.com/mkatrantzis/testDiscourseCSP

mixkat
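For the end goal stated in the question (framing allowed from two specific domains rather than `*`), here is an added example that is not part of the original post or the linked plugin: it builds a `frame-ancestors` directive from an allowlist and merges it into an existing policy string instead of replacing the whole header. The helper names, the two placeholder origins and the sample header hash are assumptions, and the code has not been run inside Discourse.

```ruby
# Added example; helper names and origins are hypothetical, not from the plugin.
ORIGIN_RE = %r{\Ahttps?://[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?(?::\d+)?\z}i

# Build the directive from an allowlist. Host sources are written bare:
# in CSP, single quotes are for keyword sources such as 'self' and 'none'.
def frame_ancestors(origins)
  raise ArgumentError, 'allowlist is empty' if origins.empty?

  origins.each do |origin|
    next if origin.match?(ORIGIN_RE)

    raise ArgumentError, "not a bare http(s) origin: #{origin.inspect}"
  end
  "frame-ancestors #{origins.uniq.join(' ')}"
end

# Replace any existing frame-ancestors directive and keep the others.
# Hash#merge! with a 'Content-Security-Policy' key would instead overwrite
# the whole existing value stored under that key.
def merge_frame_ancestors(existing_policy, origins)
  kept = existing_policy.to_s.split(';').map(&:strip).reject do |directive|
    directive.empty? || directive.split(/\s+/).first.casecmp?('frame-ancestors')
  end
  (kept + [frame_ancestors(origins)]).join('; ')
end

# Constructed sample data: placeholder origins and a stand-in for
# Rails.application.config.action_dispatch.default_headers.
ALLOWED_FRAMERS = %w[https://one.example https://two.example].freeze
headers = { 'Content-Security-Policy' => "script-src 'self'; frame-ancestors 'none'" }

headers['Content-Security-Policy'] =
  merge_frame_ancestors(headers['Content-Security-Policy'], ALLOWED_FRAMERS)
puts headers['Content-Security-Policy']

begin
  # Quoted host source, written the way the question's header value has it.
  frame_ancestors(["'http://mylocal.com.localhost'"])
rescue ArgumentError => e
  puts "rejected: #{e.message}"
end
```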