Merge pull request #23734 from jrafanie/add-csp-fallbacks

Add csp fallbacks

Author: Fryguy

config/initializers/secure_headers.rb

@@ -27,14 +27,19 @@
       :report_only => false,
       :report_uri  => ["/dashboard/csp_report"],
 
-      :default_src => ["'self'"],
-      :connect_src => ["'self'"],
-      :font_src    => ["'self'", 'https://fonts.gstatic.com', "https://fonts.googleapis.com"],
-      :frame_src   => ["'self'"],
-      :img_src     => ["'self'", "data:"],
-      :object_src  => ["'self'"],
-      :script_src  => ["'unsafe-eval'", "'unsafe-inline'", "'self'"],
-      :style_src   => ["'unsafe-inline'", "'self'", "https://fonts.googleapis.com", "https://fonts.gstatic.com"]
+      :base_uri        => ["'self'"],
+      :default_src     => ["'self'"],
+      :child_src       => ["'self'"],
+      :connect_src     => ["'self'"],
+      :font_src        => ["'self'", 'https://fonts.gstatic.com', "https://fonts.googleapis.com"],
+      :form_action     => ["'self'"],
+      :frame_ancestors => ["'self'"],
+      :frame_src       => ["'self'"],
+      :img_src         => ["'self'", "data:"],
+      :object_src      => ["'self'"],
+      :script_src      => ["'unsafe-eval'", "'unsafe-inline'", "'self'"],
+      :style_src       => ["'unsafe-inline'", "'self'", "https://fonts.googleapis.com", "https://fonts.gstatic.com"],
+      :worker_src      => ["'self'"]
     }
   end
 end