rm script-src nonce in development bc it prevents relaxing other CSPs…

… for devtools
NeuromatchAcademy · Aug 11, 2024 · 88c9d6a · 88c9d6a
1 parent 350a6a7
commit 88c9d6a
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
@@ -69,7 +69,11 @@ def sso_host
 
 Rails.application.config.content_security_policy_nonce_generator = ->(_request) { SecureRandom.base64(16) }
 
-Rails.application.config.content_security_policy_nonce_directives = %w(style-src script-src)
+Rails.application.config.content_security_policy_nonce_directives = if Rails.env.development?
+                                                                      %w(style-src)
+                                                                    else
+                                                                      %w(style-src script-src)
+                                                                    end
 
 Rails.application.reloader.to_prepare do
   PgHero::HomeController.content_security_policy do |p|
@@ -93,7 +97,7 @@ def sso_host
     end
 
     LetterOpenerWeb::LettersController.after_action do
-      request.content_security_policy_nonce_directives = %w(script-src)
+      request.content_security_policy_nonce_directives = %w()
     end
   end
 end