Merge pull request #23001 from Fryguy/object_src

Add object_src Content-Security-Policy directive
ManageIQ · Apr 25, 2024 · 10d41d6 · 10d41d6
2 parents 2a31b19 + f5a6995
commit 10d41d6
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
@@ -15,14 +15,16 @@
     # Need google fonts in fonts_src for https://fonts.googleapis.com/css?family=IBM+Plex+Sans+Condensed%7CIBM+Plex+Sans:400,600&display=swap (For carbon-charts download)
     config.csp = {
       :report_only => false,
+      :report_uri  => ["/dashboard/csp_report"],
+
       :default_src => ["'self'"],
-      :frame_src   => ["'self'"],
+      :connect_src => ["'self'"],
       :font_src    => ["'self'", 'https://fonts.gstatic.com', "https://fonts.googleapis.com"],
+      :frame_src   => ["'self'"],
       :img_src     => ["'self'", "data:"],
-      :connect_src => ["'self'"],
-      :style_src   => ["'unsafe-inline'", "'self'", "https://fonts.googleapis.com", "https://fonts.gstatic.com"],
+      :object_src  => ["'self'"],
       :script_src  => ["'unsafe-eval'", "'unsafe-inline'", "'self'"],
-      :report_uri  => ["/dashboard/csp_report"]
+      :style_src   => ["'unsafe-inline'", "'self'", "https://fonts.googleapis.com", "https://fonts.gstatic.com"]
     }
   end
 end