From f85245530b828af525c217b32e9fd2909ce88385 Mon Sep 17 00:00:00 2001
From: Leni Kadali <52788034+lenikadali@users.noreply.github.com>
Date: Fri, 24 Apr 2026 21:04:43 +0300
Subject: [PATCH] Enable Content Security Policy for AWBW

Enables Content Security Policy for AWBW based on what we're already using in the codebase (the code is mostly vanilla Rails with minimal to no JavaScript) so much of the Rails defaults have removed.
---
 .../initializers/content_security_policy.rb | 44 ++++++-------------
 1 file changed, 13 insertions(+), 31 deletions(-)

diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index d5527fe15..c08c8bbef 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -4,34 +4,16 @@
 # See the Securing Rails Applications Guide for more information:
 # https://guides.rubyonrails.org/security.html#content-security-policy-header
 
-# Rails.application.configure do
-# config.content_security_policy do |policy|
-# policy.default_src :self, :https
-# policy.font_src :self, :https, :data
-# policy.img_src :self, :https, :data
-# policy.object_src :none
-# policy.script_src :self, :https
-# # Allow @vite/client to hot reload javascript changes in development
-# # policy.script_src *policy.script_src, :unsafe_eval, "http://#{ ViteRuby.config.host_with_port }" if Rails.env.development?
-# # You may need to enable this in production as well depending on your setup.
-# # policy.script_src *policy.script_src, :blob if Rails.env.test?
-# policy.style_src :self, :https
-# # Allow @vite/client to hot reload style changes in development
-# # policy.style_src *policy.style_src, :unsafe_inline if Rails.env.development?
-# # Allow @vite/client to hot reload changes in development
-# # policy.connect_src *policy.connect_src, "ws://#{ ViteRuby.config.host_with_port }" if Rails.env.development?
-# # Specify URI for violation reports
-# # policy.report_uri "/csp-violation-report-endpoint"
-# end
-#
-# # Generate session nonces for permitted importmap, inline scripts, and inline styles.
-# config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
-# config.content_security_policy_nonce_directives = %w(script-src style-src)
-#
-# # Automatically add `nonce` to `javascript_tag`, `javascript_include_tag`, and `stylesheet_link_tag`
-# # if the corresponding directives are specified in `content_security_policy_nonce_directives`.
-# # config.content_security_policy_nonce_auto = true
-#
-# # Report violations without enforcing the policy.
-# # config.content_security_policy_report_only = true
-# end
+Rails.application.configure do
+ config.content_security_policy do |policy|
+ policy.default_src :self, :https
+ policy.font_src :self, :https, :data
+ policy.img_src :self, :https, :data
+ policy.object_src :none
+ policy.script_src :self, :https
+ # Specify URI for violation reports
+ policy.report_uri "/csp-violation-report-endpoint"
+ end
+ # Report violations without enforcing the policy.
+ config.content_security_policy_report_only = true
+end
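Review bot: `config.content_security_policy_report_only = true` on the new side means the header is sent as Content-Security-Policy-Report-Only and nothing is blocked, so despite the "Enable" in the title the policy is not yet enforced; if report-only is the intended first rollout step, say so on the line, e.g. `# Report-only during rollout; set to false to enforce once violation reports are clean.`. Reports go to `policy.report_uri "/csp-violation-report-endpoint"`, which is the placeholder path carried over from the commented-out template above, and the diffstat shows no route or controller added for it, so the violations presumably have no collector — confirm a handler exists or point report_uri at the real one. `policy.script_src :self, :https` allows scripts from any HTTPS origin, which gives little protection against an injected script tag pointing at a host the app does not control; prefer `policy.script_src :self` plus the specific hosts the app actually loads scripts from. Dropping the template's `style_src` and the nonce generator means inline styles and inline scripts (including what `javascript_tag` emits, as the removed comment notes) will be reported now and blocked once report-only is turned off, so the views are worth checking before flipping it.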