module ActionController::ContentSecurityPolicy::ClassMethods
def content_security_policy(enabled = true, **options, &block)
content_security_policy false, only: :index
class PostsController < ApplicationController
Pass +false+ to remove the +Content-Security-Policy+ header:
end
end
policy.default_src :self, :https
content_security_policy(only: :index) do |policy|
class PostsController < ApplicationController
only: :index to override the header on the index action only:
Options can be passed similar to +before_action+. For example, pass
end
end
policy.base_uri "https://www.example.com"
content_security_policy do |policy|
class PostsController < ApplicationController
header:
Overrides parts of the globally configured +Content-Security-Policy+
def content_security_policy(enabled = true, **options, &block) before_action(options) do if block_given? policy = current_content_security_policy instance_exec(policy, &block) request.content_security_policy = policy end unless enabled request.content_security_policy = nil end end end