803f87567f
One feature of the content security policy DSL, though undocumented, is that it will not generate headers for non-HTML responses, even if a configuration is explicitly provided.

While it may not seem obvious that anyone would want to send this header in an API response, Mozilla Observatory, for instance, recommends the following for API responses: `Content-Security-Policy: default-src 'none'; frame-ancestors 'none'` (source: https://observatory.mozilla.org/faq/)

The Secure Headers gem also makes recommendations about the content security policy for API responses: https://github.com/github/secure_headers#api-configurations

As such, this removes the HTML guard clause from the `ContentSecurityPolicy` middleware.
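The behaviour change described in the commit message, shown as an added example rather than Rails' own middleware code: a minimal Rack-style middleware whose `html_only` switch stands in for the guard clause being removed. With the guard in place a JSON API response gets no policy at all; without it, every response carries the Observatory-recommended API policy. The class, method and sample-app names are assumptions.

```ruby
# Added example, not Rails' ContentSecurityPolicy middleware. `html_only: true`
# reproduces the old guard clause (skip non-HTML responses); `html_only: false`
# applies the policy to every response, JSON API responses included.
class CspMiddleware
  HEADER = 'Content-Security-Policy'
  API_POLICY = "default-src 'none'; frame-ancestors 'none'"

  def initialize(app, policy: API_POLICY, html_only: false)
    @app = app
    @policy = policy
    @html_only = html_only
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Old behaviour: non-HTML responses are returned untouched, so an API
    # endpoint never receives a policy even when one is configured.
    return [status, headers, body] if @html_only && !html?(headers)
    # Do not clobber a policy the application already set on this response.
    headers[HEADER] ||= @policy
    [status, headers, body]
  end

  private

  def html?(headers)
    headers['Content-Type'].to_s.start_with?('text/html')
  end
end

# Constructed sample apps standing in for a JSON API endpoint and an HTML page.
JSON_APP = ->(_env) { [200, { 'Content-Type' => 'application/json' }, ['{"ok":true}']] }
HTML_APP = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<p>hi</p>']] }

# Returns the CSP header value (nil if absent) that a GET / sees through the
# middleware. A plain Hash is used as the Rack env so no gem is required.
def csp_for(app, html_only:)
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/' }
  _status, headers, _body = CspMiddleware.new(app, html_only: html_only).call(env)
  headers[CspMiddleware::HEADER]
end
```

Checking the JSON endpoint with `html_only: true` returns nil, which is the gap the commit closes; with `html_only: false` it returns the API policy.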