enforce content security policy (lobsters#711)

4io · Sep 11, 2019 · 57cf63d · 57cf63d
1 parent a323dc2
commit 57cf63d
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
@@ -22,4 +22,4 @@
 # Report CSP violations to a specified URI
 # For further information see the following documentation:
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
-Rails.application.config.content_security_policy_report_only = true
+Rails.application.config.content_security_policy_report_only = false
diff --git a/spec/requests/content_security_policy_spec.rb b/spec/requests/content_security_policy_spec.rb
@@ -0,0 +1,18 @@
+require 'rails_helper'
+
+describe 'content security policy' do
+  it 'sets the correct headers' do
+    get '/'
+
+    directives = [
+      "default-src 'none'",
+      "img-src * data:",
+      "script-src 'self' 'unsafe-inline'",
+      "style-src 'self' 'unsafe-inline'",
+      "form-action 'self'",
+      "report-uri /csp-violation-report",
+    ].join('; ')
+
+    expect(response.headers['Content-Security-Policy']).to eq(directives)
+  end
+end