Adding CSP header

Michael_Katrantzis1 · January 24, 2018, 10:01pm

I am trying to create a vary basic .rb plugin (based on the now obsolete in chrome) discourse-allowallwhich will merge the CSP header to the default ones but cant get it to work.

The below does not seem to do it.

Rails.application.config.action_dispatch.default_headers.merge!({'Content-Security-Policy' => "frame-ancestors 'http://mylocal.com.localhost'"})

I literally have 0 experience with ruby so need to know:

If thats possible
The correct syntax for defining the above header and merging it with the default ones

End goal is to make my discourse site frameable by 2 specific domains

Michael_Katrantzis1 · January 24, 2018, 11:43pm

My syntax was off and this is working fine now. Correct syntax is like:

Rails.application.config.action_dispatch.default_headers.merge!({'Content-Security-Policy' => "frame-ancestors mylocal.com.localhost"})

Falco · March 23, 2021, 12:17am

Support for this was added in core: Mitigate XSS Attacks with Content Security Policy - #37 by Falco

Topic		Replies	Views
CSP Frame Ancestors enabled by default Announcements	4	1582	December 20, 2023
Add own CSP headers Support	5	385	June 16, 2023
Allow customization of Referrer-Policy Feature	3	1074	January 18, 2019
Allowed iframes whitelist not working - 'x-frame-options: SAMEORIGIN' Support	4	770	June 30, 2022
Harden Referrer-Policy Header Feature	10	1707	October 25, 2018

Adding CSP header

Related topics