aviat/csp-github.rb Secret

Last active Jul 11, 2016
SecureHeaders::Configuration.default do |config|
  config.csp = {
    # Several source lists lost their host entries when this page was extracted;
    # those are marked below rather than reconstructed.
    script_src: %w(),                    # host list not recoverable from this page
    img_src: %w('self' * * data: *),     # wildcard hosts as shown on this page
    frame_ancestors: %w('none'),
    default_src: %w('none'),
    frame_src: %w(),                     # host list not recoverable from this page
    object_src: %w(),                    # host list not recoverable from this page
    style_src: %w('unsafe-inline'),      # host entries after 'unsafe-inline' not recoverable
    connect_src: %w('self' wss://),      # host after wss:// not recoverable from this page
    plugin_types: %w(application/x-shockwave-flash),
    child_src: %w(),                     # host list not recoverable from this page
    media_src: %w('none'),
    font_src: %w(),                      # host list not recoverable from this page
    block_all_mixed_content: true,       # secure_headers takes a boolean here, not a source list
    form_action: %w('self'),
    base_uri: %w('self')
  }
end

@oreoshake oreoshake commented Jul 10, 2016

preload: %w(),

preload is not a part of CSP config

includeSubdomains: %w(),

includeSubdomains is not a part of CSP config

block_all_mixed_content: %w(),

block_all_mixed_content requires a boolean value

Maybe add upgrade_insecure_requests: true for some visibility into the feature?
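The point behind the boolean: in the CSP header, block-all-mixed-content and upgrade-insecure-requests are flag directives that carry no value, so a config library has to model them as "emit it or not" rather than as a source list. The renderer below is an added illustration, not code from this gist or from the secure_headers gem; the render_csp helper, the CspConfigError class and the SAMPLE_CSP hash are all constructed for the example. It turns a secure_headers-style hash into a header value and rejects a source list such as %w() where a boolean belongs, which is the mistake flagged above.

```ruby
# Added example (not from the gist or the secure_headers gem): render a
# secure_headers-style CSP hash into a Content-Security-Policy header value.
# Source-list directives take an array of source expressions; flag directives
# (block-all-mixed-content, upgrade-insecure-requests) take no value in the
# header and are therefore modelled as booleans meaning "emit the directive".

FLAG_DIRECTIVES = %i[block_all_mixed_content upgrade_insecure_requests].freeze

# Constructed error class for this example.
class CspConfigError < StandardError; end

# Returns the header value, e.g. "default-src 'none'; block-all-mixed-content".
# Raises CspConfigError when a flag directive is given a non-boolean (such as
# %w()) or a source-list directive is given something other than an array.
def render_csp(csp)
  csp.map do |key, value|
    name = key.to_s.tr("_", "-")          # script_src -> script-src
    if FLAG_DIRECTIVES.include?(key)
      unless [true, false].include?(value)
        raise CspConfigError, "#{name} takes true/false, got #{value.inspect}"
      end
      value ? name : nil                  # false: directive is simply omitted
    else
      unless value.is_a?(Array)
        raise CspConfigError, "#{name} takes an array of source expressions"
      end
      "#{name} #{value.join(' ')}"
    end
  end.compact.join("; ")
end

# Constructed sample config in the same key style as the gist above.
SAMPLE_CSP = {
  default_src: %w('none'),
  script_src: %w('self'),
  block_all_mixed_content: true,
  upgrade_insecure_requests: true
}.freeze

puts render_csp(SAMPLE_CSP) if $PROGRAM_NAME == __FILE__
```

Running the file prints the header value for SAMPLE_CSP; passing block_all_mixed_content: %w() instead of true raises CspConfigError at configuration time, which is the same class of failure the gem's validation is there to surface before the header ever reaches a browser.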


Owner Author
@aviat aviat commented Jul 11, 2016

Thanks for the typos @oreoshake, that's fixed!
Yet for block_all_mixed_content the spec doesn't specify this boolean parameter:
