/**
 * Builds the security rules that this application hands to Lift.
 *
 * Only a Content-Security-Policy is configured here; `https` and
 * `frameRestrictions` are both `None`.
 *
 * Review notes (the values below are reproduced unchanged):
 *  - `defaultSources` combines `All` with `UnsafeInline` and `UnsafeEval`, so
 *    any resource type without its own list falls back to an effectively
 *    unrestricted policy.
 *  - `scriptSources` also allows `UnsafeInline` and `UnsafeEval`, which removes
 *    most of the protection CSP gives against injected script.
 *  - Several script and style hosts are listed as `http://`; content fetched
 *    over cleartext can be altered in transit, and a page served over HTTPS
 *    will typically have such loads blocked as mixed content.
 */
def securityRules: SecurityRules = {
  // Listed by both the style and the font directive.
  val bootstrapCdn = ContentSourceRestriction.Host("https://maxcdn.bootstrapcdn.com/bootstrap/")

  // Fallback for directives that have no list of their own.
  // NOTE(review): All + UnsafeInline + UnsafeEval leaves this fallback wide
  // open; consider Self plus the specific hosts that are actually needed.
  val fallbackSources = List(
    ContentSourceRestriction.All,
    ContentSourceRestriction.UnsafeEval,
    ContentSourceRestriction.UnsafeInline
  )

  // NOTE(review): three of these hosts are plain http://.
  val stylesheetSources = List(
    ContentSourceRestriction.Self,
    ContentSourceRestriction.UnsafeInline,
    bootstrapCdn,
    ContentSourceRestriction.Host("http://static.olark.com/css/"),
    ContentSourceRestriction.Host("https://fonts.googleapis.com/css"),
    ContentSourceRestriction.Host("http://cdn-images.mailchimp.com/embedcode/"),
    ContentSourceRestriction.Host("http://a.disquscdn.com/next/embed/styles/")
  )

  val webFontSources = List(
    ContentSourceRestriction.Self,
    bootstrapCdn,
    ContentSourceRestriction.Host("https://fonts.gstatic.com/"),
    ContentSourceRestriction.Host("https://fonts.googleapis.com/")
  )

  // NOTE(review): every third-party script host is http://, one of them a
  // wildcard subdomain, and inline script and eval are both allowed. Prefer
  // https:// origins where the vendor offers them, and drop UnsafeInline and
  // UnsafeEval once the pages no longer depend on them.
  val javascriptSources = List(
    ContentSourceRestriction.Self,
    ContentSourceRestriction.Host("http://cdn.mxpnl.com/libs/"),
    ContentSourceRestriction.Host("http://www.google-analytics.com/"),
    ContentSourceRestriction.Host("http://olark.com/"),
    ContentSourceRestriction.Host("http://*.olark.com/"),
    ContentSourceRestriction.Host("http://a.disquscdn.com/"),
    ContentSourceRestriction.UnsafeInline,
    ContentSourceRestriction.UnsafeEval
  )

  val policy = ContentSecurityPolicy(
    defaultSources = fallbackSources,
    styleSources = stylesheetSources,
    fontSources = webFontSources,
    scriptSources = javascriptSources
  )

  SecurityRules(
    // NOTE(review): no HTTPS rules are configured; confirm that transport
    // security (redirects, HSTS) is enforced somewhere else.
    https = None,
    content = Some(policy),
    // NOTE(review): no frame restrictions are configured; confirm that
    // framing by other origins is acceptable or is prevented elsewhere.
    frameRestrictions = None,
    // NOTE(review): check against the Lift version in use which run modes
    // "other" covers, so the policy is enforced (not only logged) where intended.
    enforceInOtherModes = false,
    logInOtherModes = true,
    enforceInDevMode = true
  )
}
// boot method; the remainder of its body is elided in the original post.
def boot(): Unit = {
// Registers the policy with Lift as a function. Because securityRules is a
// def, the rules are rebuilt each time this function is invoked.
LiftRules.securityRules = () => securityRules// ....}
You write "None of my custom setup is visible"
Okay, so it is not the sources you specify in the CSP Host settings,
or any other explicit CSP-related setting, that fail to load, but
some "custom setup" sources. By "custom setup" I assume you are
referring to locally managed sources such as CSS files, script
files, images and so on.
Now, if my assumption above is right and the CSP settings are
involved in preventing your local sources from loading, you should
see errors in the production logs (from startup of your
application) and probably also in the browser console. In
development you should see warnings on startup of your
application; if not, then the CSP settings have nothing to do with
the problem you are experiencing.
Make sure that you clear the browser cache, that your "custom
resources" are referenced correctly and are present in the
jar/war/ear (or deploy folder) that you deploy to production, and
that they are present in their expected location(s).
best regards Peter Petersson