I'm migrating a second app from Lift 2.x to 3.x, and I thought I'd share the CSP settings that work for me to disable it since our coverage of the feature is a bit smattered about the ML:
LiftRules.securityRules = () => {
  SecurityRules(content = Some(ContentSecurityPolicy(
    // Styles: allow inline <style> blocks and stylesheets from any origin.
    styleSources = List(
      ContentSourceRestriction.UnsafeInline,
      ContentSourceRestriction.All
    ),
    // Scripts: allow inline scripts, eval(), and scripts from any origin.
    scriptSources = List(
      ContentSourceRestriction.UnsafeInline,
      ContentSourceRestriction.UnsafeEval,
      ContentSourceRestriction.All
    )
  )))
}
LiftRules.extractInlineJavaScript = true
Also note that the securityRules setting may appear to not work if you put it too late in your boot (the first time the setting is read, it's locked and subsequent settings are silently ignored. You can find a discussion about improving this behavior in this thread).
If you have other sources involved (such as fonts if you are using Google fonts), you'll want to investigate the full API of ContentSecurityPolicy.
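As an added example (not from Joe's post and not the Lift project's own code), here is the shape of a tighter policy that keeps Lift 3's default same-origin rules and opens only the style and font sources that Google Fonts needs. The `fontSources` parameter and the `ContentSourceRestriction.Self` / `ContentSourceRestriction.Host` constructors are assumed from the Lift 3 `ContentSecurityPolicy` API and should be checked against the Lift version you are on; the two Google host names are the ones Google documents for its stylesheet and font files.

```scala
import net.liftweb.http.{ContentSecurityPolicy, ContentSourceRestriction, LiftRules, SecurityRules}
import ContentSourceRestriction.{Host, Self}

// Put this near the top of Boot.boot: the first read of securityRules locks
// the value, so a later assignment is silently ignored.
LiftRules.securityRules = () => {
  SecurityRules(content = Some(ContentSecurityPolicy(
    // Scripts: same origin only. Leaving out UnsafeInline and UnsafeEval is
    // the point of keeping CSP on; extractInlineJavaScript (below) makes
    // Lift serve its inline <script> content from a separate file so it
    // passes a self-only policy.
    scriptSources = List(Self),
    // Styles: same origin plus the host that serves the Google Fonts
    // stylesheet referenced from a <link> tag.
    styleSources = List(Self, Host("fonts.googleapis.com")),
    // Font files that the stylesheet pulls in come from a second host
    // (assumed parameter name: fontSources).
    fontSources = List(Self, Host("fonts.gstatic.com"))
  )))
}
LiftRules.extractInlineJavaScript = true
```

Leave the other `ContentSecurityPolicy` parameters at their defaults while you test; the browser console and Lift's CSP violation reports will tell you which additional sources (images, connect, frames) the app actually uses, which is the list to trim before shipping rather than falling back to `All` for everything.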
Ideally, you want to comb through your code base and rock the default CSP settings before shipping. However, above cross-cutting disabling of the feature is useful to defer upgrading your application to leverage CSP for after you've resolved other Lift 3.x migration needs.
Happy Lifting!
Joe