mastodon/app/controllers/concerns/api/content_security_policy.rb

# frozen_string_literal: true

module Api::ContentSecurityPolicy
  extend ActiveSupport::Concern

  included do
    content_security_policy do |policy|
      # Set every directive that does not have a fallback
      policy.default_src :none
      policy.frame_ancestors :none
      policy.form_action :none

      # Disable every directive with a fallback to cut on response size
      policy.base_uri false
      policy.font_src false
      policy.img_src false
      policy.style_src false
      policy.media_src false
      policy.frame_src false
      policy.manifest_src false
      policy.connect_src false
      policy.script_src false
      policy.child_src false
      policy.worker_src false
    end
  end
end
Specs for minimal CSP policy in `Api::` controllers (#27845) 2023-11-14 15:34:30 +01:00			`# frozen_string_literal: true`

			`module Api::ContentSecurityPolicy`
			`extend ActiveSupport::Concern`

			`included do`
			`content_security_policy do \|policy\|`
			`# Set every directive that does not have a fallback`
			`policy.default_src :none`
			`policy.frame_ancestors :none`
			`policy.form_action :none`

			`# Disable every directive with a fallback to cut on response size`
			`policy.base_uri false`
			`policy.font_src false`
			`policy.img_src false`
			`policy.style_src false`
			`policy.media_src false`
			`policy.frame_src false`
			`policy.manifest_src false`
			`policy.connect_src false`
			`policy.script_src false`
			`policy.child_src false`
			`policy.worker_src false`
			`end`
			`end`
			`end`