<p dir="auto">This replaces <code class="notranslate">secure_headers</code> with the Rails built-in support for content security policy.</p>
<p dir="auto">All other headers that <code class="notranslate">secure_headers</code> was setting are already set to the same values by rails with the exception of two which used to be the same but have now been changed:</p>
<ul dir="auto">
<li><code class="notranslate">X-XSS-Protection</code> was changed by <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="842148092" data-permission-text="Title is private" data-url="https://github.com/rails/rails/issues/41769" data-hovercard-type="pull_request" data-hovercard-url="/rails/rails/pull/41769/hovercard" href="https://github.com/rails/rails/pull/41769">rails/rails#41769</a></li>
<li><code class="notranslate">X-Download-Options</code> is no longer set since <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="1086702978" data-permission-text="Title is private" data-url="https://github.com/rails/rails/issues/43968" data-hovercard-type="pull_request" data-hovercard-url="/rails/rails/pull/43968/hovercard" href="https://github.com/rails/rails/pull/43968">rails/rails#43968</a></li>
</ul>
<p dir="auto">The only slight annoyance is that rails doesn't make appending (as against overriding) very easy and doesn't have a good way to make changes dynamically within an action - that only really affects <code class="notranslate">map_layout</code>.</p>
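<p dir="auto">The append-versus-override point in the description above, as an added example that is not code from this PR or from Rails itself: a small Ruby model of the Rails <code class="notranslate">content_security_policy</code> DSL (the names <code class="notranslate">CspPolicy</code>, <code class="notranslate">append</code>, <code class="notranslate">overriding_policy</code>, <code class="notranslate">appending_policy</code> and the tile host are assumptions) showing that a controller-level <code class="notranslate">connect_src</code> call replaces the global sources, so an explicit merge is needed to append rather than override.</p>

```ruby
class CspPolicy
  # Keyword sources are serialised the way CSP expects; plain strings pass through.
  MAPPINGS = { self: "'self'", none: "'none'", https: "https:", unsafe_inline: "'unsafe-inline'" }.freeze
  attr_reader :directives

  def initialize(directives = {})
    @directives = directives.transform_values(&:dup)
  end

  # Rails-style setters: each call replaces the directive's whole source list.
  %w[default_src script_src style_src img_src connect_src frame_ancestors].each do |name|
    define_method(name) do |*sources|
      @directives[name.tr("_", "-")] = sources.map { |s| MAPPINGS.fetch(s, s.to_s) }
    end
  end

  # Append to an existing directive instead of replacing it (the case the PR
  # description notes is awkward); sets it when absent. Assumed helper, not Rails API.
  def append(name, *sources)
    key = name.to_s.tr("_", "-")
    extra = sources.map { |s| MAPPINGS.fetch(s, s.to_s) }
    @directives[key] = (@directives.fetch(key, []) + extra).uniq
  end

  # Per-request copy, so a controller-level change cannot leak into the global policy.
  def clone
    CspPolicy.new(@directives)
  end

  def header_name(report_only: false)
    report_only ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy"
  end

  def header_value
    @directives.map { |k, v| "#{k} #{v.join(' ')}" }.join("; ")
  end
end

# Global policy, as an initializer would set it (constructed sample values).
GLOBAL_POLICY = CspPolicy.new.tap { |p|
  p.default_src :self
  p.connect_src :self
  p.frame_ancestors :none
}

# Controller-level override: replaces connect-src, silently dropping 'self'.
def overriding_policy(host)
  GLOBAL_POLICY.clone.tap { |p| p.connect_src host }
end

# Controller-level append: keeps 'self' and adds the extra host.
def appending_policy(host)
  GLOBAL_POLICY.clone.tap { |p| p.append(:connect_src, host) }
end
```

<p dir="auto">Comparing <code class="notranslate">header_value</code> of the two per-controller policies makes the dropped <code class="notranslate">'self'</code> source visible, which is the kind of regression a CSP review of the migrated controllers should check for.</p>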

<hr>

<p>  <a href='https://github.com/openstreetmap/openstreetmap-website/pull/4627'>https://github.com/openstreetmap/openstreetmap-website/pull/4627</a></p>

<h4>Commit Summary</h4>
<ul>
  <li><a href="https://github.com/openstreetmap/openstreetmap-website/pull/4627/commits/12556a2810736f4223b7705fa75157eb427ec6b7" class="commit-link">12556a2</a>  Switch to using rails builtin content security policy support</li>
</ul>

<h4 style="display: inline-block">File Changes </h4> <p style="display: inline-block">(<a href="https://github.com/openstreetmap/openstreetmap-website/pull/4627/files">16 files</a>)</p>
<ul>
  <li>
    <strong>M</strong>
    <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4627/files#diff-d09ea66f8227784ff4393d88a19836f321c915ae10031d16c93d67e6283ab55f">Gemfile</a>
    (3)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4627/files#diff-89cade48462044ee1b672dc5f4c3ec250fbd29effcd8932096a23c1283c6731f">Gemfile.lock</a>
    (2)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4627/files#diff-25fe163085ea55de795324d01f141d5e4de00c6a2d3035d75c6e0768af679a2e">app/controllers/accounts_controller.rb</a>
    (12)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4627/files#diff-766c34fd6533171eaf54300c153f89d6002c35c02cfc9c5b219251f85180ad07">app/controllers/application_controller.rb</a>
    (50)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4627/files#diff-4b73866ef57c70fca07c0f330d7a57aae939b11e4aae0514f303df3aa3762f89">app/controllers/diary_entries_controller.rb</a>
    (3)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4627/files#diff-54679e47bd91d0e1b44dc9fd7224f5dff4645487fe07e15aa4a9671039a818cb">app/controllers/export_controller.rb</a>
    (10)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4627/files#diff-9b58332ea76756301b1aafeacfb0659d1244ba014947602b0e0bf2d0f2921d26">app/controllers/messages_controller.rb</a>
    (3)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4627/files#diff-eb8db9679a832ea753cdb89be6d0aaac12918e8ace5c83c28b68b74de21528d4">app/controllers/oauth2_authorizations_controller.rb</a>
    (9)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4627/files#diff-a6d245a96660f22327520216be9996a9f9375865fae7d8daca39cb041e43267c">app/controllers/oauth_controller.rb</a>
    (4)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4627/files#diff-cdec550eeeb8fc63be2b5687170f594651a8d0b7f0465c9d807baef392639b6e">app/controllers/sessions_controller.rb</a>
    (4)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4627/files#diff-c7e7144de4dcf44dbb148d4acc6aa4a9d8581c6a581966a0bbfb598e79730f14">app/controllers/site_controller.rb</a>
    (24)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4627/files#diff-cfdccd0a9d5df5a43aaad2a35d36ebbe187c52ad5fdc9846fa189d04537adb6e">app/controllers/users_controller.rb</a>
    (8)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4627/files#diff-be8f1d8caac1cf1a1c9cb4b0d463d6a89b19a833e289db8a9768457a3f63fa5f">app/views/layouts/_head.html.erb</a>
    (2)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4627/files#diff-c1c619ffb7b249550067cb696b8e7d6c29d1efe2ed4cf5b7a8bb6bed47b409d1">config/initializers/content_security_policy.rb</a>
    (58)
  </li>
  <li>
    <strong>D</strong>
    <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4627/files#diff-66cc7258886071348febbf60314501e02948b7d31e616fe88121ccc338ddb449">config/initializers/secure_headers.rb</a>
    (50)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4627/files#diff-bb2a4b5fcffb49c9f95d0f839ba62c674a05fe17ac90798a38178a8a3a3b528b">config/initializers/session_store.rb</a>
    (4)
  </li>
</ul>

<h4>Patch Links:</h4>
<ul>
  <li><a href='https://github.com/openstreetmap/openstreetmap-website/pull/4627.patch'>https://github.com/openstreetmap/openstreetmap-website/pull/4627.patch</a></li>
  <li><a href='https://github.com/openstreetmap/openstreetmap-website/pull/4627.diff'>https://github.com/openstreetmap/openstreetmap-website/pull/4627.diff</a></li>
</ul>
