method

content_security_policy

content_security_policy(enabled = true, **options, &block)
public

Overrides parts of the globally configured `Content-Security-Policy` header:

```ruby
class PostsController < ApplicationController
  content_security_policy do |policy|
    policy.base_uri "https://www.example.com"
  end
end
```

Options can be passed similar to `before_action`. For example, pass `only: :index` to override the header on the index action only:

```ruby
class PostsController < ApplicationController
  content_security_policy(only: :index) do |policy|
    policy.default_src :self, :https
  end
end
```

Pass `false` to remove the `Content-Security-Policy` header:

```ruby
class PostsController < ApplicationController
  content_security_policy false, only: :index
end
```
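Because each override changes the header for only some actions, it helps to audit the value an action actually sends. The following is an added example, not part of the Rails documentation or code base: a plain-Ruby check of a `Content-Security-Policy` header value. The names `parse_csp` and `audit_csp`, the finding symbols and the sample header values are constructed for illustration.

```ruby
# Added example (not Rails code): audit the Content-Security-Policy value an
# action sends after a per-controller override. All names are hypothetical.

# Parse a header value into { "directive" => ["source", ...] }.
def parse_csp(header)
  header.to_s.split(";").each_with_object({}) do |part, policy|
    name, *sources = part.strip.split(/\s+/)
    next if name.nil?                  # skip empty segments (trailing ";")
    policy[name.downcase] ||= sources  # a repeated directive is ignored
  end
end

BROAD_SOURCES  = %w[* http: https: data:].freeze
UNSAFE_SOURCES = %w['unsafe-inline' 'unsafe-eval'].freeze

# Return a list of findings; an empty list means none of the checks fired.
def audit_csp(header)
  return [:header_missing] if header.nil? || header.strip.empty?

  policy = parse_csp(header)
  findings = []
  findings << :no_default_src unless policy.key?("default-src")
  # base-uri does not fall back to default-src, so it must be set explicitly.
  findings << :no_base_uri unless policy.key?("base-uri")
  # script-src falls back to default-src when it is absent.
  script = policy["script-src"] || policy["default-src"] || []
  findings << :scheme_wide_script_source unless (script & BROAD_SOURCES).empty?
  findings << :unsafe_script_source unless (script & UNSAFE_SOURCES).empty?
  findings
end

# Constructed header values, one per situation described above. The first two
# assume the app has no other directives configured globally.
SAMPLES = {
  "base_uri override only"           => "base-uri https://www.example.com",
  "default_src :self, :https"        => "default-src 'self' https:",
  "content_security_policy false"    => nil,
  "global policy plus base_uri"      =>
    "default-src 'self'; script-src 'self'; base-uri https://www.example.com"
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |label, header| puts "#{label}: #{audit_csp(header).inspect}" }
end
```

In a Rails test suite the same check can be run against `response.headers["Content-Security-Policy"]` for each action that has an override.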