demarches/config/initializers/content_security_policy.rb

Rails.application.configure do
	config.content_security_policy do |policy|
		policy.default_src :none
		policy.font_src :self
		policy.img_src :self
		policy.object_src :self
		policy.script_src :self
		policy.style_src :self
		policy.frame_src :self

		if Rails.env.development?
			policy.connect_src :self # LiveReload
		end
	end

	# Generate session nonces for permitted importmap, inline scripts, and inline styles.
	config.content_security_policy_nonce_generator = -> _ { SecureRandom.hex 16 }
	config.content_security_policy_nonce_directives = %w(script-src style-src)

	# config.content_security_policy_report_only = true
end