Results 47 comments of Paulo Casaretto

Hey, I've discovered something interesting. Using an anonymous controller removes the routing from the equation. I'm not really sure how that works with multiple API versions tho. Something along the...

They do. I think it's because it draws an "anonymous" controller routing, therefore eliminating the route-not-found problem. Like I said before, I'm not sure how that works with...

Just to be clear, I'm more than willing to submit a PR once we've decided this is a problem worth solving on this gem.

> Are you using both csp and csp-report-only? That is the case, yes. As we fix issues we find in the incoming reports, we migrate the directives from csp-report-only to...

A teammate just pointed out to me that this behavior was the cause of a recent outage. The [rollbar gem recently added CSP compatibility](https://github.com/rollbar/rollbar-gem/pull/1010). When we deployed that update, it...

With your approval, I'd like to edit the issue to make it clear that the current behavior of using nonced tags with a config using `'unsafe-inline'` is a bug.

> add the config option to specify which header the nonce should go in Just to be clear: by that you mean an additional config option that would be fed...

> What breaking change would be introduced by preserving the current behavior? Allow me to rephrase the question. Given that
* the current behavior is dangerous, and might break apps that...

The following scenario happened in production with us:
* we have a pretty sizeable Rails app with a lot of JavaScript. Several instances of `javascript_tag` and plain `<script>` tags inside views....
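As an added illustration of the behaviour these comments are about (this is example code written for this page, not code from the gem under discussion or from the commenter): per CSP Level 2 and later, which all current browsers implement, a `script-src` list that contains a `'nonce-...'` or `'sha256-...'` source causes `'unsafe-inline'` to be ignored. So once any library starts emitting nonced tags into a policy that still relies on `'unsafe-inline'`, every plain inline `<script>` in the app stops executing. The policy strings, the nonce value `abc123`, the sample script list and the helper names below are all constructed for the example; hash sources are only modelled as far as switching `'unsafe-inline'` off, no hash matching is performed.

```ruby
# Added example, not from the gem or its author: a minimal model of how a
# CSP script-src source list decides whether an inline <script> may run.

# Parse a script-src value such as "'self' 'unsafe-inline' 'nonce-abc'"
# into the facts the decision needs.
def parse_script_src(value)
  tokens = value.split(/\s+/).reject(&:empty?)
  nonces = tokens.filter_map { |t| t[/\A'nonce-([^']+)'\z/, 1] }
  hashes = tokens.filter_map { |t| t[/\A'(sha(?:256|384|512)-[^']+)'\z/, 1] }
  {
    unsafe_inline: tokens.include?("'unsafe-inline'"),
    nonces: nonces,
    hashes: hashes
  }
end

# Decide whether an inline script carrying the given nonce attribute
# (nil when the tag has none) executes under the policy. Hash sources are
# treated only as "present", never as matching the script body.
def inline_script_allowed?(script_src, nonce: nil)
  policy = parse_script_src(script_src)
  # A nonce or hash anywhere in the list switches 'unsafe-inline' off.
  nonce_or_hash_present = !policy[:nonces].empty? || !policy[:hashes].empty?
  return true if nonce && policy[:nonces].include?(nonce)
  return false if nonce_or_hash_present
  policy[:unsafe_inline]
end

# Names of the scripts in +scripts+ that the policy would block.
def scripts_that_break(script_src, scripts)
  scripts.reject { |s| inline_script_allowed?(script_src, nonce: s[:nonce]) }
         .map { |s| s[:name] }
end

# Constructed sample: one plain inline <script> from a view and one tag that
# a nonce-aware helper rendered with a nonce attribute.
SAMPLE_SCRIPTS = [
  { name: "plain inline <script> in a view", nonce: nil },
  { name: "javascript_tag with nonce",       nonce: "abc123" }
].freeze

# Policy before any library emitted nonces, and after one started to.
BEFORE = "'self' 'unsafe-inline'"
AFTER  = "'self' 'unsafe-inline' 'nonce-abc123'"

if $PROGRAM_NAME == __FILE__
  puts "Before nonces, blocked: #{scripts_that_break(BEFORE, SAMPLE_SCRIPTS).inspect}"
  puts "After nonces, blocked:  #{scripts_that_break(AFTER, SAMPLE_SCRIPTS).inspect}"
end
```

Running it shows nothing blocked under `BEFORE` and the plain inline script blocked under `AFTER`, which is the outage pattern described above: the nonced tags keep working, the un-nonced ones silently stop.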