Change form-action Content-Security-Policy directive to be more restrictive (#26897)

2024-09-12 15:24:19 +02:00 · 2024-09-12 15:24:19 +02:00 · a496aeabcb
commit a496aeabcb
parent 5f782f9629
4 changed files with 29 additions and 21 deletions
--- a/spec/requests/content_security_policy_spec.rb
+++ b/spec/requests/content_security_policy_spec.rb
@ -26,7 +26,7 @@ RSpec.describe 'Content-Security-Policy' do
      connect-src 'self' data: blob: https://cb6e6126.ngrok.io #{Rails.configuration.x.streaming_api_base_url}
      default-src 'none'
      font-src 'self' https://cb6e6126.ngrok.io
-      form-action 'self'
+      form-action 'none'
      frame-ancestors 'none'
      frame-src 'self' https:
      img-src 'self' data: blob: https://cb6e6126.ngrok.io