
committed by
Sebastian Serth

parent
b37e1b19c3
commit
545dcd0b92
@ -60,6 +60,7 @@ Rails.application.configure do
|
||||
# Currently, these include turbolinks, and vis.js.
|
||||
policy.style_src_elem :self, :unsafe_inline, :report_sample
|
||||
# We still use some inline styles within the application, and indirectly through d3.js.
|
||||
# Further, the ToastUi markdown editor currently requires inline styles, too.
|
||||
policy.style_src_attr :unsafe_inline, :report_sample
|
||||
# The `style_src` directive is only a fallback for browsers not supporting `style_src_elem` and `style_src_attr`.
|
||||
policy.style_src :self, :unsafe_inline, :report_sample
|
||||
|
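Review bot: The comments in this hunk record why `:unsafe_inline` is needed on `style_src_elem` and `style_src_attr`, but not what has to change before it can be dropped, so the allowance has no visible exit condition; since the new line appears to be the ToastUi remark (the page does not preserve which line was added), I would extend it with `# TODO: drop :unsafe_inline from style_src_elem/style_src once turbolinks, vis.js and ToastUi no longer inject inline styles, and mirror the change in the style_src fallback below.` `:unsafe_inline` on `style_src_elem :self` means any injected `<style>` element is accepted, which is the CSS-injection exposure the directive is meant to close, so a tracked exit condition is worth having. The `Rails.application.configure` block starts and ends outside the hunk.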
@ -35,6 +35,16 @@ const envConfig = module.exports = {
|
||||
filename: 'icons/[hash].svg'
|
||||
},
|
||||
},
|
||||
// Extract ToastUi's inline PNGs to actual resources, similar to Bootstrap's SVGs.
|
||||
// This removes the requirement for `data:` URLs in our CSP
|
||||
{
|
||||
mimetype: 'image/png',
|
||||
scheme: 'data',
|
||||
type: 'asset/resource',
|
||||
generator: {
|
||||
filename: 'icons/[hash].png'
|
||||
},
|
||||
},
|
||||
erb
|
||||
]
|
||||
},
|
||||
|
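Review bot: The new asset rule is keyed only on `mimetype: 'image/png'` and `scheme: 'data'`, so it applies to every `data:` PNG in the bundle, not just ToastUi's, and all of them are emitted under `icons/[hash].png`; if that is intended, the comment should say so rather than naming ToastUi alone, e.g. `// Extract all inline data: PNGs (currently ToastUi's) to real resources, like Bootstrap's SVGs above.` If it is not intended, an `issuer` restriction on the rule would scope it to the editor package. The second comment line `// This removes the requirement for `data:` URLs in our CSP` is unterminated and presumably refers to the image source directive of the policy in the first hunk; stating which directive is affected would make the cross-file dependency explicit. The `envConfig` object starts and ends outside the hunk.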