@aviat aviat/csp-github.rb Secret
Last active Jul 11, 2016

SecureHeaders::Configuration.default do |config|
  config.csp = {
    script_src: %w(assets-cdn.github.com),
    img_src: %w('self' *.wp.com *.gravatar.com collector.githubapp.com www.google-analytics.com data: identicons.github.com assets-cdn.github.com *.githubusercontent.com),
    # Refuse to be framed anywhere (clickjacking defence).
    frame_ancestors: %w('none'),
    # Deny every fetch type that is not explicitly allowed by a directive below.
    default_src: %w('none'),
    frame_src: %w(render.githubusercontent.com),
    object_src: %w(assets-cdn.github.com),
    style_src: %w('unsafe-inline' assets-cdn.github.com),
    connect_src: %w(github-cloud.s3.amazonaws.com status.github.com 'self' www.google-analytics.com wss://live.github.com uploads.github.com api.github.com),
    plugin_types: %w(application/x-shockwave-flash),
    child_src: %w(render.githubusercontent.com),
    media_src: %w('none'),
    font_src: %w(assets-cdn.github.com),
    # block-all-mixed-content is a valueless directive, so secure_headers
    # expects a boolean here rather than a source list (%w() is rejected).
    block_all_mixed_content: true,
    form_action: %w(github.com gist.github.com 'self'),
    base_uri: %w('self')
  }
end
@oreoshake

commented Jul 10, 2016

preload: %w(),

preload is not a part of CSP config

includeSubdomains: %w(),

includeSubdomains is not a part of CSP config

block_all_mixed_content: %w(),

block_all_mixed_content requires a boolean value

Maybe add upgrade_insecure_requests: true for some visibility into the feature?

@aviat

Owner Author

commented Jul 11, 2016

Thanks for the typos @oreoshake, that's fixed!
Yet for block_all_mixed_content the spec doesn't specify this boolean parameter:
https://www.w3.org/TR/mixed-content/
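The exchange above turns on why block_all_mixed_content (and the suggested upgrade_insecure_requests) take true/false while every other key takes a list of sources: in the header a browser receives, block-all-mixed-content and upgrade-insecure-requests are directive names with no value, so there is nothing for an array to hold. The following is an added example, not the secure_headers gem's code and not part of the gist: a small stand-alone serializer that applies that rule to a hash shaped like the gist's config, rejects the three keys flagged in the comments (preload, includeSubdomains, block_all_mixed_content: %w()), and renders the resulting Content-Security-Policy value. BOOLEAN_DIRECTIVES, LIST_DIRECTIVES, validate_csp, build_csp_header and the two sample hashes are constructed for this example; the gem's real validation and output format may differ in detail.

```ruby
# Added example (not secure_headers' implementation): serialize a
# secure_headers-style CSP hash into the header value a browser would see.

# Valueless directives: present or absent, hence true/false in the config.
BOOLEAN_DIRECTIVES = %i[block_all_mixed_content upgrade_insecure_requests].freeze

# Directives that take a space-separated source list, hence an Array.
LIST_DIRECTIVES = %i[
  default_src script_src style_src img_src font_src connect_src media_src
  object_src frame_src child_src frame_ancestors form_action base_uri plugin_types
].freeze

# Return a list of problems, or [] when the hash is well-typed. This mirrors the
# three points raised in the thread: unknown keys and an array for a boolean.
def validate_csp(config)
  config.each_with_object([]) do |(name, value), errors|
    if BOOLEAN_DIRECTIVES.include?(name)
      errors << "#{name} requires a boolean value, got #{value.inspect}" unless [true, false].include?(value)
    elsif LIST_DIRECTIVES.include?(name)
      errors << "#{name} requires a non-empty array of sources, got #{value.inspect}" unless value.is_a?(Array) && !value.empty?
    else
      errors << "#{name} is not a part of CSP config"
    end
  end
end

# Build the Content-Security-Policy header value. Symbol keys become hyphenated
# directive names; boolean directives are emitted bare when true and dropped
# when false. Raises ArgumentError on a mistyped config instead of emitting
# a header the browser would silently ignore.
def build_csp_header(config)
  errors = validate_csp(config)
  raise ArgumentError, errors.join("; ") unless errors.empty?

  config.map do |name, value|
    directive = name.to_s.tr("_", "-")
    if BOOLEAN_DIRECTIVES.include?(name)
      value ? directive : nil
    else
      "#{directive} #{value.join(' ')}"
    end
  end.compact.join("; ")
end

# Constructed sample modelled on the gist, with the boolean fix applied and the
# upgrade_insecure_requests addition suggested in the thread.
GIST_CSP = {
  default_src: %w('none'),
  script_src: %w(assets-cdn.github.com),
  style_src: %w('unsafe-inline' assets-cdn.github.com),
  img_src: %w('self' *.gravatar.com data: assets-cdn.github.com *.githubusercontent.com),
  connect_src: %w('self' api.github.com wss://live.github.com),
  frame_src: %w(render.githubusercontent.com),
  child_src: %w(render.githubusercontent.com),
  frame_ancestors: %w('none'),
  object_src: %w(assets-cdn.github.com),
  plugin_types: %w(application/x-shockwave-flash),
  media_src: %w('none'),
  font_src: %w(assets-cdn.github.com),
  form_action: %w('self' github.com gist.github.com),
  base_uri: %w('self'),
  block_all_mixed_content: true,     # valueless directive: boolean, not %w()
  upgrade_insecure_requests: true    # also valueless
}.freeze

# Constructed sample reproducing the three mistakes the reviewer pointed out.
BROKEN_CSP = {
  default_src: %w('none'),
  preload: %w(),                     # HSTS option, not a CSP directive
  includeSubdomains: %w(),           # HSTS option, not a CSP directive
  block_all_mixed_content: %w()      # boolean directive given an array
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts build_csp_header(GIST_CSP)
  validate_csp(BROKEN_CSP).each { |problem| warn "config error: #{problem}" }
end
```

Running the file prints a single header line ending in "block-all-mixed-content; upgrade-insecure-requests", with no value after either directive, which is the concrete reason the config key is a boolean. Feeding it BROKEN_CSP yields one error per flagged key; build_csp_header refuses such a hash rather than producing a header in which the browser would discard the malformed directive.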
