Not setting a `script_src` value means your policy falls back to whatever `default_src` (also required) is set to, so script execution is governed by a directive that was written to cover images, styles, fonts and everything else. This can be very dangerous and indicates the policy is too loose.
However, sometimes you really don't need a `script-src`, e.g. API responses (`default-src 'none'`), so you can set `script_src: SecureHeaders::OPT_OUT` to work around this.
The default CSP has changed to be more universal without sacrificing too much security.
- Flash/Java disabled by default
- `img-src` allows `data:` images and favicons (among others)
- `style-src` allows inline CSS by default (most find it impossible/impractical to remove inline content today)
- `form-action` (not governed by `default-src`, practically treated as `*` when unset) is set to `'self'`
Previously, the default CSP was:
```
Content-Security-Policy: default-src 'self'
```
The new default policy is:
```
Content-Security-Policy: default-src https:; form-action 'self'; img-src https: data: 'self'; object-src 'none'; script-src https:; style-src 'self' 'unsafe-inline' https:
```
- Setting `report_only: true` in a CSP config will raise an error. Instead, set `csp_report_only`.
- Setting `frame_src` and `child_src` when the values don't match will raise an error. Just use `frame_src`.
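The three warnings above (an unset `script-src` inheriting `default-src`, `form-action` not inheriting at all, and mismatched `frame-src`/`child-src`) all come down to CSP's fallback rules. The following is an added example, not code from the secure_headers gem: a small stand-alone Ruby model that parses a `Content-Security-Policy` header, resolves which source list actually governs a directive (fetch directives fall back to `default-src`; `frame-src` falls back to `child-src` first, per CSP3; `form-action` never falls back), and lints a policy for the problems described on this page. The directive lists and lint messages are the example's own choices, not the gem's.

```ruby
# Added example (not part of the secure_headers gem): model CSP directive
# fallback to show why omitting script-src is dangerous and why form-action
# must be set explicitly.

# Fetch directives that fall back to default-src when they are not set.
FETCH_DIRECTIVES = %w[
  script-src style-src img-src font-src connect-src media-src object-src
  child-src frame-src worker-src manifest-src
].freeze

# "default-src 'self'; img-src https:" => {"default-src"=>["'self'"], "img-src"=>["https:"]}
def parse_csp(header)
  header.split(";").each_with_object({}) do |directive, policy|
    name, *sources = directive.strip.split(/\s+/)
    policy[name] = sources if name
  end
end

def serialize_csp(policy)
  policy.map { |name, sources| [name, *sources].join(" ") }.join("; ")
end

# Returns [sources, governing_directive]. Directives outside FETCH_DIRECTIVES
# (form-action, frame-ancestors, base-uri, ...) do not inherit from default-src;
# when absent they are unrestricted, modelled here as ["*"] with no governor.
def effective_sources(policy, directive)
  chain = [directive]
  chain << "child-src" if directive == "frame-src" # CSP3: frame-src -> child-src -> default-src
  chain << "default-src" if FETCH_DIRECTIVES.include?(directive)
  governing = chain.find { |d| policy.key?(d) }
  governing ? [policy[governing], governing] : [["*"], nil]
end

# Lint for the three issues the upgrade guide calls out. A policy whose
# script-src falls back to default-src 'none' is accepted, matching the
# API-response case where script_src is opted out.
def lint_csp(policy)
  problems = []
  script, via = effective_sources(policy, "script-src")
  if via != "script-src" && script != ["'none'"]
    problems << "script-src not set; scripts governed by #{via || 'nothing'} (#{script.join(' ')})"
  end
  problems << "form-action not set; effectively *" unless policy.key?("form-action")
  if policy.key?("frame-src") && policy.key?("child-src") && policy["frame-src"] != policy["child-src"]
    problems << "frame-src and child-src differ; use frame-src only"
  end
  problems
end

# Constructed inputs: the old and new default policies from this page, plus a
# bare API policy.
OLD_DEFAULT = "default-src 'self'"
NEW_DEFAULT = "default-src https:; form-action 'self'; img-src https: data: 'self'; " \
              "object-src 'none'; script-src https:; style-src 'self' 'unsafe-inline' https:"
API_POLICY  = "default-src 'none'"

if $PROGRAM_NAME == __FILE__
  [OLD_DEFAULT, NEW_DEFAULT, API_POLICY].each do |header|
    puts header
    lint_csp(parse_csp(header)).each { |problem| puts "  ! #{problem}" }
  end
end
```

Run against the old default, the linter reports that scripts are governed by `default-src 'self'` and that `form-action` is unrestricted; the new default lints clean, and the API policy passes the script check only because the fallback target is `'none'`.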
`config.secure_cookies` has been removed. Use `config.cookies` instead.
We've dropped support for ruby versions <= 2.2. Sorry.