
committed by
Sebastian Serth

parent
b37e1b19c3
commit
545dcd0b92
@ -60,6 +60,7 @@ Rails.application.configure do
|
|||||||
# Currently, these include turbolinks, and vis.js.
|
# Currently, these include turbolinks, and vis.js.
|
||||||
policy.style_src_elem :self, :unsafe_inline, :report_sample
|
policy.style_src_elem :self, :unsafe_inline, :report_sample
|
||||||
# We still use some inline styles within the application, and indirectly through d3.js.
|
# We still use some inline styles within the application, and indirectly through d3.js.
|
||||||
|
# Further, the ToastUi markdown editor currently requires inline styles, too.
|
||||||
policy.style_src_attr :unsafe_inline, :report_sample
|
policy.style_src_attr :unsafe_inline, :report_sample
|
||||||
# The `style_src` directive is only a fallback for browsers not supporting `style_src_elem` and `style_src_attr`.
|
# The `style_src` directive is only a fallback for browsers not supporting `style_src_elem` and `style_src_attr`.
|
||||||
policy.style_src :self, :unsafe_inline, :report_sample
|
policy.style_src :self, :unsafe_inline, :report_sample
|
||||||
|
@ -35,6 +35,16 @@ const envConfig = module.exports = {
|
|||||||
filename: 'icons/[hash].svg'
|
filename: 'icons/[hash].svg'
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
// Extract ToastUi's inline PNGs to actual resources, similar to Bootstrap's SVGs.
|
||||||
|
// This removes the requirement for `data:` URLs in our CSP
|
||||||
|
{
|
||||||
|
mimetype: 'image/png',
|
||||||
|
scheme: 'data',
|
||||||
|
type: 'asset/resource',
|
||||||
|
generator: {
|
||||||
|
filename: 'icons/[hash].png'
|
||||||
|
},
|
||||||
|
},
|
||||||
erb
|
erb
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
|
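Review bot: The added rule matches only `mimetype: 'image/png'` with `scheme: 'data'`, so any other `data:` asset a dependency inlines (GIF, WebP, fonts) would still be emitted as a `data:` URL and be blocked once `data:` is no longer allowed by the CSP; the comment above the rule does not say this. The rule also has no `issuer` or path condition, so it applies to every inline PNG in the bundle rather than only ToastUi's, which looks intended but is worth stating, e.g. `// Applies to all data: PNGs in the bundle; other MIME types stay inline and need their own rule.` If CSP violation reporting is configured, checking the reports for remaining `data:` sources after this change would confirm nothing was missed. The enclosing rules array starts and ends outside this hunk, and the matching CSP change is not visible on this page.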