Merge pull request #42126 from lfalcao/master
Add support for require-trusted-types-for and trusted-types
This commit is contained in:
commit
523a526b0e
|
@ -1,3 +1,9 @@
|
|||
* Add support for 'require-trusted-types-for' and 'trusted-types' headers.
|
||||
|
||||
Fixes #42034
|
||||
|
||||
*lfalcao*
|
||||
|
||||
* Remove inline styles and address basic accessibility issues on rescue templates.
|
||||
|
||||
*Jacob Herrington*
|
||||
|
|
|
@ -106,43 +106,47 @@ module ActionDispatch #:nodoc:
|
|||
end
|
||||
|
||||
MAPPINGS = {
|
||||
self: "'self'",
|
||||
unsafe_eval: "'unsafe-eval'",
|
||||
unsafe_inline: "'unsafe-inline'",
|
||||
none: "'none'",
|
||||
http: "http:",
|
||||
https: "https:",
|
||||
data: "data:",
|
||||
mediastream: "mediastream:",
|
||||
blob: "blob:",
|
||||
filesystem: "filesystem:",
|
||||
report_sample: "'report-sample'",
|
||||
strict_dynamic: "'strict-dynamic'",
|
||||
ws: "ws:",
|
||||
wss: "wss:"
|
||||
self: "'self'",
|
||||
unsafe_eval: "'unsafe-eval'",
|
||||
unsafe_inline: "'unsafe-inline'",
|
||||
none: "'none'",
|
||||
http: "http:",
|
||||
https: "https:",
|
||||
data: "data:",
|
||||
mediastream: "mediastream:",
|
||||
allow_duplicates: "'allow-duplicates'",
|
||||
blob: "blob:",
|
||||
filesystem: "filesystem:",
|
||||
report_sample: "'report-sample'",
|
||||
script: "'script'",
|
||||
strict_dynamic: "'strict-dynamic'",
|
||||
ws: "ws:",
|
||||
wss: "wss:"
|
||||
}.freeze
|
||||
|
||||
DIRECTIVES = {
|
||||
base_uri: "base-uri",
|
||||
child_src: "child-src",
|
||||
connect_src: "connect-src",
|
||||
default_src: "default-src",
|
||||
font_src: "font-src",
|
||||
form_action: "form-action",
|
||||
frame_ancestors: "frame-ancestors",
|
||||
frame_src: "frame-src",
|
||||
img_src: "img-src",
|
||||
manifest_src: "manifest-src",
|
||||
media_src: "media-src",
|
||||
object_src: "object-src",
|
||||
prefetch_src: "prefetch-src",
|
||||
script_src: "script-src",
|
||||
script_src_attr: "script-src-attr",
|
||||
script_src_elem: "script-src-elem",
|
||||
style_src: "style-src",
|
||||
style_src_attr: "style-src-attr",
|
||||
style_src_elem: "style-src-elem",
|
||||
worker_src: "worker-src"
|
||||
base_uri: "base-uri",
|
||||
child_src: "child-src",
|
||||
connect_src: "connect-src",
|
||||
default_src: "default-src",
|
||||
font_src: "font-src",
|
||||
form_action: "form-action",
|
||||
frame_ancestors: "frame-ancestors",
|
||||
frame_src: "frame-src",
|
||||
img_src: "img-src",
|
||||
manifest_src: "manifest-src",
|
||||
media_src: "media-src",
|
||||
object_src: "object-src",
|
||||
prefetch_src: "prefetch-src",
|
||||
require_trusted_types_for: "require-trusted-types-for",
|
||||
script_src: "script-src",
|
||||
script_src_attr: "script-src-attr",
|
||||
script_src_elem: "script-src-elem",
|
||||
style_src: "style-src",
|
||||
style_src_attr: "style-src-attr",
|
||||
style_src_elem: "style-src-elem",
|
||||
trusted_types: "trusted-types",
|
||||
worker_src: "worker-src"
|
||||
}.freeze
|
||||
|
||||
DEFAULT_NONCE_DIRECTIVES = %w[script-src style-src].freeze
|
||||
|
|
|
@ -211,6 +211,24 @@ class ContentSecurityPolicyTest < ActiveSupport::TestCase
|
|||
@policy.require_sri_for
|
||||
assert_no_match %r{require-sri-for}, @policy.build
|
||||
|
||||
@policy.require_trusted_types_for :script
|
||||
assert_match %r{require-trusted-types-for 'script'}, @policy.build
|
||||
|
||||
@policy.require_trusted_types_for
|
||||
assert_no_match %r{require-trusted-types-for}, @policy.build
|
||||
|
||||
@policy.trusted_types :none
|
||||
assert_match %r{trusted-types 'none'}, @policy.build
|
||||
|
||||
@policy.trusted_types "foo", "bar"
|
||||
assert_match %r{trusted-types foo bar}, @policy.build
|
||||
|
||||
@policy.trusted_types "foo", "bar", :allow_duplicates
|
||||
assert_match %r{trusted-types foo bar 'allow-duplicates'}, @policy.build
|
||||
|
||||
@policy.trusted_types
|
||||
assert_no_match %r{trusted-types}, @policy.build
|
||||
|
||||
@policy.upgrade_insecure_requests
|
||||
assert_match %r{upgrade-insecure-requests}, @policy.build
|
||||
|
||||
|
|
Loading…
Reference in New Issue