forked from OpenNeo/impress
Matchu
7ec900b6b6
Oh, I didn't realize the `_elem` variant of these parts of the `Content-Security-Policy` is newer, and so doesn't even work on my current version of Safari on my Mac.

My rationale at the time was: `script_src_elem` is stricter against things like imports, and I figured, ok let's do the strictest policy that works. But since it's not fully compatible with browsers even *I'm* using right now, and I'm not aware of an actual problem it would prevent, let's back off that a bit! This should have the same effective security properties for our case.

Note that the effect of this compatibility issue wasn't *weakening* the policy; it was being *too* strict, by blocking the scripts and the stylesheets. This is because `script_src_elem` was ignored, and `script_src` was absent, so it fell back to `default_src none`.
devise
fundraising
about_controller.rb
alt_styles_controller.rb
application_controller.rb
auth_users_controller.rb
closet_hangers_controller.rb
closet_lists_controller.rb
contributions_controller.rb
item_appearances_controller.rb
item_trades_controller.rb
items_controller.rb
locales_controller.rb
neopass_connections_controller.rb
neopets_connections_controller.rb
neopets_page_import_tasks_controller.rb
outfits_controller.rb
pet_types_controller.rb
pets_controller.rb
sitemap_controller.rb
swf_assets_controller.rb
users_controller.rb