Rails CSP API doesn’t allow you to use both Content-Security-Policy and Content-Security-Policy-Report-Only headers together.
def header_name(request)
if request.content_security_policy_report_only
ActionDispatch::Constants::CONTENT_SECURITY_POLICY_REPORT_ONLY
else
ActionDispatch::Constants::CONTENT_SECURITY_POLICY
end
end
As per the MDN documentation for the Content-Security-Policy-Report-Only header:
You can use this to iteratively work on your content security policy. You observe how your site behaves, watching for violation reports, then choose the desired policy enforced by the
Content-Security-Policyheader.
What if I’d like to watch for violations, at the same time enforce a basic set of policies, using the Content-Security-Policy header? Then as I discover new violations, we can either fix them or add new policies to the existing one?
As things stand now, I can only set one of the two headers. Is it not recommended to use both at the same time?
Prior Discussion:
- Extend Content Security Policy DSL to support both enforce and report-only policies at the same time.
- Unable to set both Content-Security-Policy and Content-Security-Policy-Report-Only headers with current DSL. · Issue #40452 · rails/rails · GitHub
- Extend CSP DSL to support both Content-Security-Policy and Content-Security-Policy-Report-Only headers by vandux · Pull Request #40525 · rails/rails · GitHub
