fix content security policy issue
'unsafe-eval' should be removed from 'script-src' in the future for better security. It is currently required by Modernizr.
parent
48e76cf45b
commit
4b2f287e8f
2 changed files with 13 additions and 3 deletions
|
@ -14,6 +14,16 @@ module.exports = function(environment) {
|
||||||
APP: {
|
APP: {
|
||||||
// Here you can pass flags/options to your application instance
|
// Here you can pass flags/options to your application instance
|
||||||
// when it is created
|
// when it is created
|
||||||
|
},
|
||||||
|
|
||||||
|
contentSecurityPolicy: {
|
||||||
|
'default-src': "'none'",
|
||||||
|
'script-src': "'self' 'unsafe-eval'",
|
||||||
|
'font-src': "'self'",
|
||||||
|
'connect-src': "'self'",
|
||||||
|
'img-src': "'self'",
|
||||||
|
'style-src': "'self' 'unsafe-inline'",
|
||||||
|
'media-src': "'self'"
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
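Review bot: The `'unsafe-eval'` in `script-src` and the `'unsafe-inline'` in `style-src` of the new `contentSecurityPolicy` block have no in-code explanation, so a later maintainer cannot tell which dependency each exception serves or when it can be dropped. The reason for the first is recorded only in the commit message, and nothing visible explains the second. I would put a comment above each directive, for example `// 'unsafe-eval' is required by Modernizr; remove once it no longer needs it` above `'script-src'`, and a matching one above `'style-src'` naming whatever needs inline styles. The enclosing `module.exports = function(environment)` starts and ends outside this hunk, so I cannot see whether the policy applies to every environment or only some.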
|
@ -1,5 +1,5 @@
|
||||||
# Content Security Policy-Headers
|
# Content Security Policy-Headers
|
||||||
# you have to enable apache module headers to get them working
|
# you have to enable apache module headers to get them working
|
||||||
#Header set Content-Security-Policy "default-src 'self'"
|
#Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"
|
||||||
#Header set X-Content-Security-Policy "default-src 'self'"
|
#Header set X-Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"
|
||||||
#Header set X-Webkit-CSP "default-src 'self'"
|
#Header set X-Webkit-CSP "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"
|
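Review bot: The example policy in these three `Header set` lines diverges from the one this commit adds to the application config: it keeps `default-src 'self'` where the other uses `default-src 'none'` with explicit `font-src`, `connect-src`, `img-src` and `media-src` entries. Any directive not listed therefore falls back to `'self'` here but to `'none'` there, so a resource type can be allowed under one policy and blocked under the other. I would align the value, e.g. `"default-src 'none'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self'; img-src 'self'; media-src 'self'"`. All three lines are still commented out, so Apache sends no policy until someone enables them; a comment saying so next to the existing note about the headers module would help.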