"default-src https: data: 'unsafe-inline' 'unsafe-eval'; frame-src https: about: javascript:; img-src data:"
"Content-Security-Policy"
# Configuration key under which this policy is stored (presumably in the
# request env / Rack env); the code that reads it is not visible here --
# confirm against the middleware/controller side.
- ENV_KEY =
'secure_headers.content_security_policy'
# Fetch directives that browsers resolve against default-src when they are
# not set explicitly (CSP 1.0/2.0 fallback semantics). A permissive
# default-src is therefore inherited by script-src and style-src: the default
# policy string shown above this constant list grants 'unsafe-inline' and
# 'unsafe-eval' on default-src and allows javascript: in frame-src, so it
# provides no XSS mitigation and should be overridden per application.
# NOTE(review): that default's "img-src data:" replaces the default-src
# fallback for images entirely, so https: images would be blocked by it --
# verify this is intended.
- DIRECTIVES =
[
:default_src,
:connect_src,
:font_src,
:frame_src,
:img_src,
:media_src,
:object_src,
:script_src,
:style_src
]
# Directives that do NOT inherit from default-src; each must be set
# explicitly to take effect.
# NOTE(review): referrer and reflected_xss are not part of CSP Level 2/3
# (referrer was superseded by the Referrer-Policy header; reflected-xss never
# shipped in mainstream browsers), plugin-types has been removed from current
# browsers, and child-src is superseded by frame-src/worker-src in Level 3.
# Emitting them is harmless but should not be relied on for protection.
- NON_DEFAULT_SOURCES =
[
:base_uri,
:child_src,
:form_action,
:frame_ancestors,
:plugin_types,
:referrer,
:reflected_xss
]
# Reporting directive; it takes a URI rather than a source list, which is why
# it is kept out of SOURCE_DIRECTIVES below. Violation reports are generated
# by the client and are attacker-influenceable, so the report endpoint must
# treat them as untrusted input. report-uri is deprecated in CSP Level 3 in
# favour of report-to, though it is still widely honoured.
- OTHER =
[
:report_uri
]
# Every directive whose value is a source list (used for value validation /
# rendering of source expressions).
- SOURCE_DIRECTIVES =
DIRECTIVES + NON_DEFAULT_SOURCES
# Every directive this class knows about, including the reporting directive.
- ALL_DIRECTIVES =
DIRECTIVES + NON_DEFAULT_SOURCES + OTHER