I am trying to create a vary basic .rb plugin (based on the now obsolete in chrome) discourse-allowall which will merge the CSP header to the default ones but cant get it to work. The below does not seem to do it. Rails.application.config.action_dispatch.default_headers.merge!({'Content-Security-Po…

My syntax was off and this is working fine now. Correct syntax is like: Rails.application.config.action_dispatch.default_headers.merge!({'Content-Security-Policy' => "frame-ancestors mylocal.com.localhost"})

Support for this was added in core: Mitigate XSS Attacks with Content Security Policy - #37 by Falco

添加 CSP 标头

开发

Falco (Falco) 2021 年3 月 23 日 00:17 3

对此的支持已添加到核心：Mitigate XSS Attacks with Content Security Policy - #37 by Falco

话题		回复	浏览量
Add own CSP headers Support	4	476	2023 年5 月 17 日
Adding HTTP Headers to Plugin in Development Development	3	888	2020 年5 月 18 日
And invalid response header is being set from embed controller Support	3	756	2021 年3 月 23 日
CSP Frame Ancestors enabled by default Announcements	3	1721	2021 年8 月 5 日
Allowed iframes whitelist not working - 'x-frame-options: SAMEORIGIN' Support	3	917	2022 年6 月 30 日

添加 CSP 标头

相关话题