fix content security policy issue

jelhan · jelhan · commit 4b2f287e8fc5 · 2015-01-16T16:38:47.000+01:00
Should remove 'script-src' 'unsafe-eval' in future for better security.
It's required by modenizr.
diff --git a/config/environment.js b/config/environment.js
@@ -14,6 +14,16 @@ module.exports = function(environment) {
     APP: {
       // Here you can pass flags/options to your application instance
       // when it is created
+    },
+    
+    contentSecurityPolicy: {
+      'default-src': "'none'",
+      'script-src': "'self' 'unsafe-eval'",
+      'font-src': "'self'",
+      'connect-src': "'self'",
+      'img-src': "'self'",
+      'style-src': "'self' 'unsafe-inline'",
+      'media-src': "'self'"
     }
   };
 
diff --git a/public/.htaccess b/public/.htaccess
@@ -1,5 +1,5 @@
 # Content Security Policy-Headers
 # you have to enable apache module headers to get them working
-#Header set Content-Security-Policy "default-src 'self'"
-#Header set X-Content-Security-Policy "default-src 'self'"
-#Header set X-Webkit-CSP "default-src 'self'"
+#Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"
+#Header set X-Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"
+#Header set X-Webkit-CSP "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"
