[openstreetmap/openstreetmap-website] Switch to using rails builtin content security policy support (PR #4627)

Tom Hughes notifications at github.com
Tue Mar 26 21:02:42 UTC 2024


This replaces `secure_headers` with the rails builtin support for content security policy.

All other headers that `secure_headers` was setting are already set to the same values by rails with the exception of two which used to be the same but have now been changed:

* `X-XSS-Protection` was changed by https://github.com/rails/rails/pull/41769
* `X-Download-Options` is no longer set since https://github.com/rails/rails/pull/43968

The only slight annoyance is that rails doesn't make appending (as against overriding) very easy and doesn't have a good way to make changes dynamically within an action - that only really affects `map_layout`.

You can view, comment on, or merge this pull request online at:

  https://github.com/openstreetmap/openstreetmap-website/pull/4627

-- Commit Summary --

  * Switch to using rails builtin content security policy support

-- File Changes --

    M Gemfile (3)
    M Gemfile.lock (2)
    M app/controllers/accounts_controller.rb (12)
    M app/controllers/application_controller.rb (50)
    M app/controllers/diary_entries_controller.rb (3)
    M app/controllers/export_controller.rb (10)
    M app/controllers/messages_controller.rb (3)
    M app/controllers/oauth2_authorizations_controller.rb (9)
    M app/controllers/oauth_controller.rb (4)
    M app/controllers/sessions_controller.rb (4)
    M app/controllers/site_controller.rb (24)
    M app/controllers/users_controller.rb (8)
    M app/views/layouts/_head.html.erb (2)
    M config/initializers/content_security_policy.rb (58)
    D config/initializers/secure_headers.rb (50)
    M config/initializers/session_store.rb (4)

-- Patch Links --

https://github.com/openstreetmap/openstreetmap-website/pull/4627.patch
https://github.com/openstreetmap/openstreetmap-website/pull/4627.diff

Message ID: <openstreetmap/openstreetmap-website/pull/4627 at github.com>
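The append-versus-override distinction the description raises, as an added example that is not code from this PR or from Rails: a small stand-alone Ruby model of a CSP policy (the class, method names and the `map_layout_policy` helper are assumptions for this example) where a per-action change is appended to a copy of the shared base policy, so the header the rest of the site sends is never mutated.

```ruby
# Constructed model of a CSP policy; not ActionDispatch::ContentSecurityPolicy.
class CspPolicy
  KEYWORDS = { self: "'self'", none: "'none'", unsafe_inline: "'unsafe-inline'",
               unsafe_eval: "'unsafe-eval'", strict_dynamic: "'strict-dynamic'" }.freeze

  attr_reader :directives

  def initialize(directives = {})
    # directive name (e.g. "connect-src") => ordered list of source expressions
    @directives = directives.transform_values(&:dup)
  end

  # Replace the directive entirely: the default behaviour of a policy block.
  def override(name, *sources)
    @directives[name] = normalize(sources)
    self
  end

  # Merge new sources into what the directive already allows. A previous 'none'
  # is dropped, because "'none' https://host" is not a meaningful source list.
  def append(name, *sources)
    current = (@directives[name] || []).reject { |s| s == "'none'" }
    @directives[name] = (current + normalize(sources)).uniq
    self
  end

  # Per-request variant: yield a copy so the shared base policy is left untouched.
  def with
    copy = CspPolicy.new(@directives)
    yield copy
    copy
  end

  # Serialise to the Content-Security-Policy header value.
  def to_header
    @directives.map { |name, sources| "#{name} #{sources.join(' ')}" }.join("; ")
  end

  private

  def normalize(sources)
    sources.flatten.map { |s| s.is_a?(Symbol) ? KEYWORDS.fetch(s) : s.to_s }
  end
end

# Site-wide base policy (constructed values, not the project's real policy).
BASE_POLICY = CspPolicy.new.override("default-src", :self)
                           .override("connect-src", :self)
                           .override("object-src", :none)

# A map layout needs one extra connect-src origin; everything else stays as-is.
def map_layout_policy(base, tile_host)
  base.with { |p| p.append("connect-src", tile_host) }
end
```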