Add frame-src but don't spam the log with DEPRECATION warnings.

This is an ugly hack, and it should be reverted once we stop supporting
old browsers.
Benjamin Neff 2016-09-10 15:14:44 +02:00 committed by Dennis Schubert
parent 6ec0fd4b9f
commit edf6602099
No known key found for this signature in database
GPG key ID: 5A0304BEA7966D7E

@ -16,4 +16,18 @@ SecureHeaders::Configuration.default do |config|
embedr.flickr.com platform.instagram.com 'unsafe-inline'),
style_src: %w('self' 'unsafe-inline' platform.twitter.com *.twimg.com)
}
# Add frame-src but don't spam the log with DEPRECATION warnings.
# We need frame-src to support older versions of Chrome, because secure_headers handles all Chrome browsers as
# "modern" browser, and ignores the version of the browser. We can drop this once we support only Chrome
# versions with child-src support.
module SecureHeaders
class ContentSecurityPolicy
private
def normalize_child_frame_src
@config[:frame_src] = @config[:child_src]
end
end
end
end
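Review bot: the override of the private `normalize_child_frame_src` is placed inside the `SecureHeaders::Configuration.default do |config| ... end` block, so the gem class is reopened every time that block runs rather than once at load; move the `module SecureHeaders ... end` patch out of the configuration block into its own initializer so the intent (a temporary monkey patch) is visible and it is evaluated exactly once. The replacement body `@config[:frame_src] = @config[:child_src]` also discards whatever the original method did and copies `child_src` unconditionally, so a configuration without a `child_src` entry would end up with `frame_src: nil`; guard it with something like `@config[:frame_src] = @config[:child_src] if @config[:child_src]`. Finally, since this reaches into a private method of the gem, pin it to the currently used secure_headers version (for example, raise or log if `SecureHeaders::VERSION` is not the expected one) so that a gem upgrade does not silently break the hack the comment says should be reverted later.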