mbramson / content_security_policy

Content Security Policy Library for Elixir and Plug
MIT License

Sobelow still reports an issue #2

Open mplatts opened 2 years ago

mplatts commented 2 years ago

Using the plug ContentSecurityPolicy.Plug.Setup was causing Sobelow to still complain.

So I did this to fix it:


@content_security_policy %ContentSecurityPolicy.Policy{
  default_src: [
    "'unsafe-inline'",
    "'unsafe-eval'",
    "'self'",
    "https://cdnjs.cloudflare.com",
    "https://cdn.skypack.dev",
    "https://res.cloudinary.com"
  ]
}

pipeline :browser do
  ...
  plug(:put_secure_browser_headers, %{"content-security-policy" => ContentSecurityPolicy.serialize(@content_security_policy)})
  ...
end

Not sure if there is a better way?
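An added example, not from the issue or from the content_security_policy library: an ExUnit test that drives the header-setting approach from the comment above through Plug.Test and checks what actually reaches the response. It assumes Phoenix is present (Phoenix.Controller.put_secure_browser_headers/2, the function behind the :put_secure_browser_headers plug) and uses only ContentSecurityPolicy.Policy and ContentSecurityPolicy.serialize/1 as they appear in the issue. The test policy is a constructed variant that drops 'unsafe-inline' and 'unsafe-eval'; the weak_directives/1 check is there precisely so a regression test fails if those keywords creep back into default-src, since either one lets injected scripts run despite the header being set.

```elixir
# Added example (not from the issue or the library). Assumes Phoenix and Plug.Test
# are available; the policy below is a constructed test value, not the one from
# the issue, and deliberately omits 'unsafe-inline' and 'unsafe-eval'.
defmodule MyAppWeb.CspHeaderTest do
  use ExUnit.Case, async: true
  import Plug.Test

  # Constructed policy: same shape as the issue's struct, without the unsafe keywords.
  @policy %ContentSecurityPolicy.Policy{
    default_src: ["'self'", "https://cdnjs.cloudflare.com"]
  }

  # Keywords that neutralise CSP's script protections when present in a directive.
  @unsafe_keywords ["'unsafe-inline'", "'unsafe-eval'"]

  # Parses a serialized CSP header value into %{"default-src" => ["'self'", ...], ...}.
  # Directives are ';'-separated; each is a name followed by whitespace-separated sources.
  def parse_csp(value) when is_binary(value) do
    value
    |> String.split(";", trim: true)
    |> Enum.map(&String.trim/1)
    |> Enum.reject(&(&1 == ""))
    |> Map.new(fn directive ->
      [name | sources] = String.split(directive, ~r/\s+/)
      {name, sources}
    end)
  end

  # Returns the names of directives that carry 'unsafe-inline' or 'unsafe-eval'.
  def weak_directives(parsed) when is_map(parsed) do
    for {name, sources} <- parsed,
        Enum.any?(sources, &(&1 in @unsafe_keywords)),
        do: name
  end

  test "content-security-policy header is emitted once and contains no unsafe keywords" do
    conn =
      conn(:get, "/")
      |> Phoenix.Controller.put_secure_browser_headers(%{
        "content-security-policy" => ContentSecurityPolicy.serialize(@policy)
      })

    # Exactly one CSP header: a second copy would make browsers enforce the
    # intersection of both policies, which is rarely what was intended.
    assert [csp] = Plug.Conn.get_resp_header(conn, "content-security-policy")

    parsed = parse_csp(csp)
    assert Map.has_key?(parsed, "default-src")
    assert "'self'" in parsed["default-src"]
    assert weak_directives(parsed) == []
  end
end
```

Run it with `mix test` alongside the application's other tests. Pointing the same test at the policy posted in the issue makes `weak_directives/1` return `["default-src"]`, which is the kind of finding Sobelow was flagging in the first place; serializing the policy into put_secure_browser_headers silences the scanner's "header missing" check but does not change what the policy permits.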

rellen commented 1 year ago

You could set the option to %{"content-security-policy" => ""} then put the plug after, but I'm not sure if that counts as better :)