Content-Security-Policy: default-src 'self' https://js-agent.newrelic.com https://bam.nr-data.net
It says to just put both
default-src for Content-Security-Policy in which we want to be more specific and not just blindly let everything else fall back to default.
So we have the following, since that seems to be all that the agent needs:
# config/initializers/content_security_policy.rb
...
policy.script_src :self, 'bam.nr-data.net', 'js-agent.newrelic.com'
policy.connect_src :self, 'bam.nr-data.net'
...
However, there isn’t any easier way to add CSP
::NewRelic::Agent.browser_timing_header scripts. I wish there were a method for me to just pass in the
nonce and have the agent insert those 2 script tags with our
nonce so we know those inline scripts are good.
This is my current hack and I was wondering if there is any better way to do this.
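
An added example, not code from the post or from New Relic: one way to stamp a per-response nonce onto the inline script tags and emit a matching policy built from the hosts listed above. It assumes the agent's output is plain HTML with ordinary `<script ...>` opening tags; the helper names and the sample markup are hypothetical.

```ruby
require 'securerandom'

# Hosts taken from the script_src / connect_src lines in the post.
SCRIPT_HOSTS  = %w[bam.nr-data.net js-agent.newrelic.com].freeze
CONNECT_HOSTS = %w[bam.nr-data.net].freeze

# Fresh nonce per response. In Rails the view helper
# content_security_policy_nonce would supply this value instead.
def new_nonce
  SecureRandom.base64(16)
end

# Add nonce="..." to every opening <script> tag that lacks one.
# Tags that already carry a nonce are left untouched, and a nonce that
# is not plain base64 is rejected so it cannot break out of the attribute.
def add_nonce_to_scripts(html, nonce)
  unless nonce.match?(%r{\A[A-Za-z0-9+/_-]+={0,2}\z})
    raise ArgumentError, 'nonce must be non-empty base64'
  end
  html.gsub(/<script\b([^>]*)>/i) do
    attrs = Regexp.last_match(1)
    attrs.match?(/\bnonce\s*=/i) ? "<script#{attrs}>" : %(<script nonce="#{nonce}"#{attrs}>)
  end
end

# Policy with explicit script-src / connect-src instead of widening default-src.
def csp_header(nonce)
  [
    "default-src 'self'",
    "script-src 'self' #{SCRIPT_HOSTS.join(' ')} 'nonce-#{nonce}'",
    "connect-src 'self' #{CONNECT_HOSTS.join(' ')}"
  ].join('; ')
end

# Constructed stand-in for the agent's two inline script tags (not real agent output).
SAMPLE_TIMING_HEADER = <<~HTML
  <script type="text/javascript">window.NREUM||(NREUM={});NREUM.info={};</script>
  <script type="text/javascript">/* loader placeholder */</script>
HTML

if __FILE__ == $PROGRAM_NAME
  nonce = new_nonce
  puts "Content-Security-Policy: #{csp_header(nonce)}"
  puts add_nonce_to_scripts(SAMPLE_TIMING_HEADER, nonce)
end
```

The same nonce value has to appear in both the response header and the tags, and it must be regenerated for every response; a cached page with a fixed nonce gives no protection.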