Add frame-src but don't spam the log with DEPRECATION warnings.

This is an ugly hack, and it should be reverted once we stop supporting old browsers.

Add frame-src but don't spam the log with DEPRECATION warnings.
edf66020 · Benjamin Neff · Dennis Schubert · 6ec0fd4b · edf66020
--- a/config/initializers/secure_headers.rb
+++ b/config/initializers/secure_headers.rb
@@ -16,4 +16,18 @@ SecureHeaders::Configuration.default do |config|
                        embedr.flickr.com platform.instagram.com 'unsafe-inline'),
    style_src:       %w('self' 'unsafe-inline' platform.twitter.com *.twimg.com)
  }
+
+  # Add frame-src but don't spam the log with DEPRECATION warnings.
+  # We need frame-src to support older versions of Chrome, because secure_headers handles all Chrome browsers as
+  # "modern" browser, and ignores the version of the browser. We can drop this once we support only Chrome
+  # versions with child-src support.
+  module SecureHeaders
+    class ContentSecurityPolicy
+      private
+
+      def normalize_child_frame_src
+        @config[:frame_src] = @config[:child_src]
+      end
+    end
+  end
 end