Feature #29405

Support header Content Security Policy

Added by Ludovic Andrieux almost 2 years ago. Updated over 1 year ago.

Status: New
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Security
Target version: -
Resolution:

Description

Hi,

According to Google, this is a basic Content Security Policy.

Content-Security-Policy: default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'

Redmine crashes with it because there are some calls to eval in JavaScript on some pages.

Regards,
Ludovic

2018-08-18_142722.png (76.2 KB) Ludovic Andrieux, 2018-08-18 14:30

History

#1 Updated by cam lafit over 1 year ago

Hello

A workaround is to enable all via a config/initializers/csp.rb file.


Rails.application.config.content_security_policy do |policy|
  # Allow every origin, data:/blob: URLs, inline code and eval for each of
  # these directives, so no Redmine page is blocked by the policy. The
  # 'unsafe-inline' / 'unsafe-eval' keywords only matter for the script and
  # style directives; browsers ignore them elsewhere.
  policy.default_src "*", :data, :blob, "'unsafe-inline'", "'unsafe-eval'"
  policy.font_src    "*", :data, :blob, "'unsafe-inline'", "'unsafe-eval'"
  policy.img_src     "*", :data, :blob, "'unsafe-inline'", "'unsafe-eval'"
  policy.object_src  "*", :data, :blob, "'unsafe-inline'", "'unsafe-eval'"
  policy.script_src  "*", :data, :blob, "'unsafe-inline'", "'unsafe-eval'"
  policy.style_src   "*", :data, :blob, "'unsafe-inline'", "'unsafe-eval'"

  # Specify URI for violation reports
  # policy.report_uri "/csp-violation-report-endpoint"
end

# Uncomment to send Content-Security-Policy-Report-Only (log violations
# without blocking anything) instead of enforcing the policy above.
#Rails.application.config.content_security_policy_report_only = true
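The check an administrator would want before deploying either policy, as an added Ruby example that is not code from this issue or from Redmine: it parses a CSP header value, reports whether the governing script directive permits eval() (the failure the issue describes), lists the tokens that make the workaround above nearly equivalent to having no policy, and builds the narrowest variant that adds 'unsafe-eval' to script-src only. The two header strings are constructed samples (the first is the header quoted in the description, the second approximates what the workaround initializer emits); parse_csp, serialize_csp, eval_allowed?, script_src_weaknesses and allow_eval_in_scripts are names chosen for this example.

```ruby
# Constructed sample: the header quoted in the issue description.
ISSUE_POLICY = "default-src https:; script-src https: 'unsafe-inline'; " \
               "style-src https: 'unsafe-inline'"
# Constructed sample: the default-src/script-src part of the workaround above.
WORKAROUND_POLICY = "default-src * data: blob: 'unsafe-inline' 'unsafe-eval'; " \
                    "script-src * data: blob: 'unsafe-inline' 'unsafe-eval'"

# Parse a header value (with or without the "Content-Security-Policy:" name)
# into { "script-src" => ["https:", "'unsafe-inline'"], ... }.
def parse_csp(header)
  value = header.sub(/\AContent-Security-Policy:\s*/i, "")
  value.split(";").each_with_object({}) do |directive, policy|
    name, *sources = directive.strip.split(/\s+/)
    next if name.nil? || name.empty?
    policy[name.downcase] = sources
  end
end

# Serialize a parsed policy back into header-value form.
def serialize_csp(policy)
  policy.map { |name, sources| ([name] + sources).join(" ") }.join("; ")
end

# script-src falls back to default-src when it is not set explicitly.
def effective_sources(policy, directive)
  policy[directive] || policy["default-src"] || []
end

# eval() and new Function() need 'unsafe-eval' in the governing directive;
# without it the browser throws an EvalError, which is what the issue reports.
def eval_allowed?(policy)
  effective_sources(policy, "script-src").include?("'unsafe-eval'")
end

# Tokens that make script-src roughly equivalent to having no policy at all.
WEAK_SCRIPT_SOURCES = ["*", "data:", "blob:", "'unsafe-inline'", "'unsafe-eval'"]

def script_src_weaknesses(policy)
  effective_sources(policy, "script-src") & WEAK_SCRIPT_SOURCES
end

# Narrowest change that keeps eval-using pages working: add 'unsafe-eval' to
# script-src only (materializing it from default-src if needed) and leave
# every other directive exactly as the administrator wrote it.
def allow_eval_in_scripts(policy)
  fixed = policy.dup
  fixed["script-src"] = effective_sources(policy, "script-src") | ["'unsafe-eval'"]
  fixed
end

puts serialize_csp(allow_eval_in_scripts(parse_csp(ISSUE_POLICY)))
```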
