From 345f457513963d13998450dab1ed2077d505e5a1 Mon Sep 17 00:00:00 2001 From: Jeremy Daer Date: Fri, 5 Dec 2025 16:57:03 -0800 Subject: [PATCH] Tune CSP for user extensions and close implicit-allow gaps (#1974) Loosen font-src and add media-src to allow browser extensions like accessibility fonts (OpenDyslexic) and user style managers to work without CSP violations. Add default-src and connect-src directives to close security gaps where unspecified directives were implicitly allowing all sources. --- config/initializers/content_security_policy.rb | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb index 94a8bd41a..fc63e9479 100644 --- a/config/initializers/content_security_policy.rb +++ b/config/initializers/content_security_policy.rb @@ -13,10 +13,13 @@ Rails.application.configure do config.content_security_policy_nonce_directives = %w[ script-src ] config.content_security_policy do |policy| + policy.default_src :self policy.script_src :self policy.style_src :self, :unsafe_inline + policy.connect_src :self policy.img_src :self, "blob:", "data:", "https:" - policy.font_src :self + policy.font_src :self, "data:", "https:" + policy.media_src :self, "blob:", "data:", "https:" policy.object_src :none policy.base_uri :none