1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
rails--rails/actionpack/lib/action_dispatch.rb

120 lines
3.5 KiB
Ruby
Raw Normal View History

# frozen_string_literal: true
#--
# Copyright (c) 2004-2020 David Heinemeier Hansson
#
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and associated documentation files (the
# "Software"), to deal in the Software without restriction, including
# without limitation the rights to use, copy, modify, merge, publish,
# distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so, subject to
# the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#++
require "active_support"
require "active_support/rails"
require "active_support/core_ext/module/attribute_accessors"
require "action_pack"
require "rack"
2009-08-31 15:27:10 -04:00
module Rack
autoload :Test, "rack/test"
2009-08-31 15:27:10 -04:00
end
module ActionDispatch
extend ActiveSupport::Autoload
class IllegalStateError < StandardError
end
class MissingController < NameError
end
eager_autoload do
autoload_under "http" do
autoload :ContentSecurityPolicy
Adds support for configuring HTTP Feature Policy (#33439) A HTTP feature policy is Yet Another HTTP header for instructing the browser about which features the application intends to make use of and to lock down access to others. This is a new security mechanism that ensures that should an application become compromised or a third party attempts an unexpected action, the browser will override it and maintain the intended UX. WICG specification: https://wicg.github.io/feature-policy/ The end result is a HTTP header that looks like the following: ``` Feature-Policy: geolocation 'none'; autoplay https://example.com ``` This will prevent the browser from using geolocation and only allow autoplay on `https://example.com`. Full feature list can be found over in the WICG repository[1]. As of today Chrome and Safari have public support[2] for this functionality with Firefox working on support[3] and Edge still pending acceptance of the suggestion[4]. #### Examples Using an initializer ```rb # config/initializers/feature_policy.rb Rails.application.config.feature_policy do |f| f.geolocation :none f.camera :none f.payment "https://secure.example.com" f.fullscreen :self end ``` In a controller ```rb class SampleController < ApplicationController def index feature_policy do |f| f.geolocation "https://example.com" end end end ``` Some of you might realise that the HTTP feature policy looks pretty close to that of a Content Security Policy; and you're right. So much so that I used the Content Security Policy DSL from #31162 as the starting point for this change. This change *doesn't* introduce support for defining a feature policy on an iframe and this has been intentionally done to split the HTTP header and the HTML element (`iframe`) support. If this is successful, I'll look to add that on it's own. Full documentation on HTTP feature policies can be found at https://wicg.github.io/feature-policy/. Google have also published[5] a great in-depth write up of this functionality. [1]: https://github.com/WICG/feature-policy/blob/master/features.md [2]: https://www.chromestatus.com/feature/5694225681219584 [3]: https://bugzilla.mozilla.org/show_bug.cgi?id=1390801 [4]: https://wpdev.uservoice.com/forums/257854-microsoft-edge-developer/suggestions/33507907-support-feature-policy [5]: https://developers.google.com/web/updates/2018/06/feature-policy
2019-07-10 18:33:16 -04:00
autoload :FeaturePolicy
autoload :Request
autoload :Response
end
2009-12-22 18:27:37 -05:00
end
2009-12-22 18:11:21 -05:00
autoload_under "middleware" do
autoload :HostAuthorization
autoload :RequestId
2009-12-22 18:27:37 -05:00
autoload :Callbacks
2010-01-16 18:21:46 -05:00
autoload :Cookies
autoload :ActionableExceptions
autoload :DebugExceptions
autoload :DebugLocks
autoload :DebugView
autoload :ExceptionWrapper
autoload :Executor
2010-01-15 15:44:27 -05:00
autoload :Flash
autoload :PublicExceptions
autoload :Reloader
autoload :RemoteIp
2009-12-22 18:27:37 -05:00
autoload :ShowExceptions
2012-03-16 22:22:25 -04:00
autoload :SSL
2009-12-22 18:27:37 -05:00
autoload :Static
end
2009-10-20 11:14:46 -04:00
autoload :Journey
autoload :MiddlewareStack, "action_dispatch/middleware/stack"
2009-12-22 18:27:37 -05:00
autoload :Routing
2009-12-22 18:27:37 -05:00
module Http
extend ActiveSupport::Autoload
autoload :Cache
autoload :Headers
autoload :MimeNegotiation
autoload :Parameters
autoload :UploadedFile, "action_dispatch/http/upload"
autoload :URL
2009-12-22 18:27:37 -05:00
end
2009-12-22 18:27:37 -05:00
module Session
autoload :AbstractStore, "action_dispatch/middleware/session/abstract_store"
autoload :AbstractSecureStore, "action_dispatch/middleware/session/abstract_store"
autoload :CookieStore, "action_dispatch/middleware/session/cookie_store"
autoload :MemCacheStore, "action_dispatch/middleware/session/mem_cache_store"
autoload :CacheStore, "action_dispatch/middleware/session/cache_store"
2009-12-22 18:27:37 -05:00
end
mattr_accessor :test_app
autoload_under "testing" do
2009-12-22 18:27:37 -05:00
autoload :Assertions
autoload :Integration
autoload :IntegrationTest, "action_dispatch/testing/integration"
2009-12-22 18:27:37 -05:00
autoload :TestProcess
autoload :TestRequest
autoload :TestResponse
autoload :AssertionResponse
end
autoload :SystemTestCase, "action_dispatch/system_test_case"
end
autoload :Mime, "action_dispatch/http/mime_type"
ActiveSupport.on_load(:action_view) do
ActionView::Base.default_formats ||= Mime::SET.symbols
ActionView::Template::Types.delegate_to Mime
ActionView::LookupContext::DetailsKey.clear
end