On main: csp-update by jordan-dr · Pull Request #76 · DryRunSecurity/rails-projects

DryRun Security

This pull request identifies a potential security vulnerability in the Rails application's Content Security Policy (CSP) configuration that could allow script execution from multiple sources, potentially enabling cross-site scripting (XSS) attacks.

💭 Unconfirmed Findings (1)
Vulnerability: Potential Content Security Policy (CSP) Bypass

Description: In the Rails application's content security policy configuration, script sources are currently allowed from :self and :https, which could create vulnerabilities by permitting script execution from multiple sources and potentially enabling cross-site scripting (XSS) attacks. The configuration is located in config/initializers/content_security_policy.rb and represents a security risk that should be more tightly controlled.

All finding details can be found in the DryRun Security Dashboard.