From 020759bfb301227fe006d83f7042f42408d397a0 Mon Sep 17 00:00:00 2001
From: Dan Milne
Date: Sun, 21 Jun 2026 15:39:35 +1000
Subject: [PATCH] Fix invalid require-trusted-types-for CSP directive

require-trusted-types-for only accepts 'script'; emitting 'none' produced an invalid directive that browsers rejected. Omit the directive entirely to leave Trusted Types unenforced (needed for WebAuthn). Bump version to 0.16.1.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 config/initializers/content_security_policy.rb | 7 ++++---
 config/initializers/version.rb                 | 2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index edf0bc4..a4073d2 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -53,9 +53,10 @@ Rails.application.configure do
   # Child sources: Allow self for any future iframes
   policy.child_src :self
 
-  # Additional security headers for WebAuthn
-  # Required for WebAuthn to work properly
-  policy.require_trusted_types_for :none
+  # Do not enforce Trusted Types. The only valid value for
+  # require-trusted-types-for is 'script'; there is no 'none' token, so
+  # emitting it produces an invalid directive that browsers reject. To leave
+  # Trusted Types unenforced (needed for WebAuthn), omit the directive entirely.
 
   # CSP reporting using report_uri (supported method)
   policy.report_uri "/api/csp-violation-report"
diff --git a/config/initializers/version.rb b/config/initializers/version.rb
index b5c1601..4d0a548 100644
--- a/config/initializers/version.rb
+++ b/config/initializers/version.rb
@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Clinch
-  VERSION = "0.16.0"
+  VERSION = "0.16.1"
 end
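Review bot: The replacement comment carries forward the unverified claim that Trusted Types must stay unenforced "(needed for WebAuthn)", but since the removed `require-trusted-types-for 'none'` was invalid and rejected by browsers, Trusted Types were never actually enforced here, so nothing in this history shows that `'script'` enforcement breaks the WebAuthn flow. Trusted Types only constrain DOM injection sinks (innerHTML, script src, etc.), so whether enforcement is compatible depends on the app's own JavaScript, which this hunk does not show. I would reword the comment to state what is known, e.g. `# Trusted Types are not enforced (the previous 'none' value was invalid and was ignored by browsers); enforcing 'script' has not yet been tested against the WebAuthn flow.`, and consider trialling `require_trusted_types_for :script` in a `Content-Security-Policy-Report-Only` policy so violations surface at the existing `/api/csp-violation-report` endpoint before deciding enforcement is impossible. The enclosing `Rails.application.configure do` block begins and ends outside this hunk.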