Remove unsafe-eval from script-src CSP

2015-02-04 18:22:58 +01:00 · 2015-02-04 18:22:58 +01:00 · fdda7b482f
commit fdda7b482f
parent 571552b861
1 changed files with 1 additions and 3 deletions
--- a/config/environment.js
+++ b/config/environment.js
@ -85,9 +85,7 @@ module.exports = function(environment) {

  ENV.contentSecurityPolicy = {
    'default-src': "'none'",
-    // TODO: for some reason unsafe-eval is needed when I use collection helper,
-    //       we should probably remove it at some point
-    'script-src': "'self' 'unsafe-eval'",
+    'script-src': "'self'",
    'font-src': "'self'",
    'connect-src': "'self' https://api.travis-ci.org ws://ws.pusherapp.com wss://ws.pusherapp.com http://sockjs.pusher.com",
    'img-src': "'self' data: https://www.gravatar.com http://www.gravatar.com",