Don't allow unsafe inline scripts

2015-02-04 17:23:58 +01:00 · 2015-02-04 17:23:58 +01:00 · 571552b861
commit 571552b861
parent f6751e4b08
1 changed files with 1 additions and 1 deletions
--- a/config/environment.js
+++ b/config/environment.js
@ -87,7 +87,7 @@ module.exports = function(environment) {
    'default-src': "'none'",
    // TODO: for some reason unsafe-eval is needed when I use collection helper,
    //       we should probably remove it at some point
-    'script-src': "'self' 'unsafe-eval' 'unsafe-inline'",
+    'script-src': "'self' 'unsafe-eval'",
    'font-src': "'self'",
    'connect-src': "'self' https://api.travis-ci.org ws://ws.pusherapp.com wss://ws.pusherapp.com http://sockjs.pusher.com",
    'img-src': "'self' data: https://www.gravatar.com http://www.gravatar.com",