@aviat
Last active July 11, 2016 16:31
require 'secure_headers'

# Content-Security-Policy for the site, as a secure_headers CSP hash.
# Keys are the snake_case form of the CSP directive names; values are source
# lists, with CSP keywords such as 'self' and 'none' kept in single quotes
# inside %w() so they reach the header quoted, as the spec requires.
SecureHeaders::Configuration.default do |config|
  config.csp = {
    script_src: %w(assets-cdn.github.com),
    img_src: %w('self' *.wp.com *.gravatar.com collector.githubapp.com www.google-analytics.com data: identicons.github.com assets-cdn.github.com *.githubusercontent.com),
    frame_ancestors: %w('none'),             # nobody may frame these pages (clickjacking defence)
    default_src: %w('none'),                 # deny every fetch type not explicitly listed below
    frame_src: %w(render.githubusercontent.com),
    object_src: %w(assets-cdn.github.com),
    style_src: %w('unsafe-inline' assets-cdn.github.com),
    connect_src: %w(github-cloud.s3.amazonaws.com status.github.com 'self' www.google-analytics.com wss://live.github.com uploads.github.com api.github.com),
    plugin_types: %w(application/x-shockwave-flash),
    child_src: %w(render.githubusercontent.com),   # CSP2 counterpart of frame_src, kept in sync
    media_src: %w('none'),
    font_src: %w(assets-cdn.github.com),
    # block-all-mixed-content carries no source list: secure_headers takes a
    # boolean here (see the maintainer's note below), not an empty %w().
    block_all_mixed_content: true,
    form_action: %w(github.com gist.github.com 'self'),
    base_uri: %w('self')
  }
end
@oreoshake
preload: %w(),

preload is not a part of CSP config

includeSubdomains: %w(),

includeSubdomains is not a part of CSP config

block_all_mixed_content: %w(),

block_all_mixed_content requires a boolean value

Maybe add upgrade_insecure_requests: true for some visibility into the feature?

@aviat (Author) commented Jul 11, 2016

Thanks for the typos @oreoshake, that's fixed!
Yet for block_all_mixed_content the spec doesn't specify this boolean parameter:
https://www.w3.org/TR/mixed-content/
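The exchange above turns on two kinds of config key: CSP directives that take a source list, and the valueless directives (block-all-mixed-content, upgrade-insecure-requests) whose mere presence in the header is the instruction, so the Ruby side has nothing to give them but a boolean. The following is an added example, not code from this gist or from the secure_headers gem: a small serializer that renders a SecureHeaders-style CSP hash into the header value a browser would receive, emits the valueless directives as bare names, and rejects the two mistakes raised in the thread (an empty %w() for block_all_mixed_content, and the HSTS options preload/includeSubdomains appearing as CSP keys). The directive lists and the rejection rules are this example's own assumptions about CSP Level 2 and the Mixed Content spec, not the gem's implementation.

```ruby
# Added example (not from the gist or the secure_headers gem): serialise a
# SecureHeaders-style CSP hash into a Content-Security-Policy header value.
# Directive lists below are this example's assumptions about CSP Level 2.

# Directives that take a source list.
CSP_DIRECTIVES = %i[
  default_src script_src style_src img_src font_src connect_src media_src
  object_src frame_src child_src frame_ancestors form_action base_uri
  plugin_types
].freeze

# Directives whose presence alone is the instruction; they carry no value,
# which is why the config can only express them as true/false.
BOOLEAN_DIRECTIVES = %i[block_all_mixed_content upgrade_insecure_requests].freeze

class CspConfigError < StandardError; end

# snake_case config key -> hyphenated directive name as written in the header.
def csp_directive_name(key)
  key.to_s.tr('_', '-')
end

# Build the header value; raises CspConfigError on the mistakes from the thread.
def build_csp(config)
  parts = config.map do |key, value|
    if BOOLEAN_DIRECTIVES.include?(key)
      unless [true, false].include?(value)
        raise CspConfigError, "#{key} requires a boolean, got #{value.inspect}"
      end
      value ? csp_directive_name(key) : nil          # false: directive omitted
    elsif CSP_DIRECTIVES.include?(key)
      unless value.is_a?(Array) && !value.empty?
        raise CspConfigError, "#{key} requires a non-empty source list, got #{value.inspect}"
      end
      "#{csp_directive_name(key)} #{value.join(' ')}"
    else
      raise CspConfigError, "#{key} is not a CSP directive (preload/includeSubdomains belong to HSTS)"
    end
  end
  parts.compact.join('; ')
end

# The gist's policy with the maintainer's correction applied (boolean
# block_all_mixed_content) and upgrade_insecure_requests added as suggested.
GIST_CSP = {
  default_src: %w('none'),
  script_src: %w(assets-cdn.github.com),
  style_src: %w('unsafe-inline' assets-cdn.github.com),
  img_src: %w('self' *.wp.com *.gravatar.com collector.githubapp.com www.google-analytics.com data: identicons.github.com assets-cdn.github.com *.githubusercontent.com),
  font_src: %w(assets-cdn.github.com),
  connect_src: %w(github-cloud.s3.amazonaws.com status.github.com 'self' www.google-analytics.com wss://live.github.com uploads.github.com api.github.com),
  media_src: %w('none'),
  object_src: %w(assets-cdn.github.com),
  plugin_types: %w(application/x-shockwave-flash),
  frame_src: %w(render.githubusercontent.com),
  child_src: %w(render.githubusercontent.com),
  frame_ancestors: %w('none'),
  form_action: %w(github.com gist.github.com 'self'),
  base_uri: %w('self'),
  block_all_mixed_content: true,
  upgrade_insecure_requests: true
}.freeze

def gist_header
  build_csp(GIST_CSP)
end

# Returns the error message for a rejected config, or nil if it was accepted.
def config_error(config)
  build_csp(config)
  nil
rescue CspConfigError => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  puts gist_header
  puts config_error(block_all_mixed_content: %w())   # the gist's original mistake
  puts config_error(preload: %w())                    # HSTS option, not CSP
end
```

Running it prints the full policy ending in `block-all-mixed-content; upgrade-insecure-requests`, with no value after either name, which is exactly why an empty %w() has nothing to contribute and a boolean is the only sensible config type; the two error lines show the misplaced keys being refused rather than silently serialised into a header the browser would ignore.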
