News

For a better idea of why you really need to set Content Security Policy headers, read this excellent blog post by David Gilbertson. Setting Content Security Policy headers helps solve this problem.
This is on by default but can be turned off by using config.cookies = SecureHeaders::OPT_OUT. secure_headers is a library with a global config, per request overrides, and rack middleware that enables you ...