fix content security policy issue

Should remove 'script-src' 'unsafe-eval' in future for better security. It's required by modenizr.
2015-01-16 16:38:47 +01:00 · 2015-01-16 16:38:47 +01:00 · 4b2f287e8f
commit 4b2f287e8f
parent 48e76cf45b
2 changed files with 13 additions and 3 deletions
--- a/config/environment.js
+++ b/config/environment.js
@ -14,6 +14,16 @@ module.exports = function(environment) {
    APP: {
      // Here you can pass flags/options to your application instance
      // when it is created
+    },
+    
+    contentSecurityPolicy: {
+      'default-src': "'none'",
+      'script-src': "'self' 'unsafe-eval'",
+      'font-src': "'self'",
+      'connect-src': "'self'",
+      'img-src': "'self'",
+      'style-src': "'self' 'unsafe-inline'",
+      'media-src': "'self'"
    }
  };

--- a/public/.htaccess
+++ b/public/.htaccess
@ -1,5 +1,5 @@
 # Content Security Policy-Headers
 # you have to enable apache module headers to get them working
-#Header set Content-Security-Policy "default-src 'self'"
-#Header set X-Content-Security-Policy "default-src 'self'"
-#Header set X-Webkit-CSP "default-src 'self'"
+#Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"
+#Header set X-Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"
+#Header set X-Webkit-CSP "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"