kotovalexarian-likes-github
/
rails--rails
mirror of https://github.com/rails/rails.git
1
0
Fork 0
Code Releases Activity

Merge pull request #42126 from lfalcao/master 

Add support for require-trusted-types-for and trusted-types
This commit is contained in:
Andrew White 2021-05-08 09:56:30 +01:00 committed by GitHub
parent 70b6cee5fd 0f7931572b
commit 523a526b0e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 62 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
actionpack/CHANGELOG.md
View File

@ -1,3 +1,9 @@
* Add support for 'require-trusted-types-for' and 'trusted-types' headers.
Fixes #42034
*lfalcao*
* Remove inline styles and address basic accessibility issues on rescue templates.
*Jacob Herrington*

72
actionpack/lib/action_dispatch/http/content_security_policy.rb
View File

@ -106,43 +106,47 @@ module ActionDispatch #:nodoc:
end
MAPPINGS = {
self: "'self'",
unsafe_eval: "'unsafe-eval'",
unsafe_inline: "'unsafe-inline'",
none: "'none'",
http: "http:",
https: "https:",
data: "data:",
mediastream: "mediastream:",
blob: "blob:",
filesystem: "filesystem:",
report_sample: "'report-sample'",
strict_dynamic: "'strict-dynamic'",
ws: "ws:",
wss: "wss:"
self: "'self'",
unsafe_eval: "'unsafe-eval'",
unsafe_inline: "'unsafe-inline'",
none: "'none'",
http: "http:",
https: "https:",
data: "data:",
mediastream: "mediastream:",
allow_duplicates: "'allow-duplicates'",
blob: "blob:",
filesystem: "filesystem:",
report_sample: "'report-sample'",
script: "'script'",
strict_dynamic: "'strict-dynamic'",
ws: "ws:",
wss: "wss:"
}.freeze
DIRECTIVES = {
base_uri: "base-uri",
child_src: "child-src",
connect_src: "connect-src",
default_src: "default-src",
font_src: "font-src",
form_action: "form-action",
frame_ancestors: "frame-ancestors",
frame_src: "frame-src",
img_src: "img-src",
manifest_src: "manifest-src",
media_src: "media-src",
object_src: "object-src",
prefetch_src: "prefetch-src",
script_src: "script-src",
script_src_attr: "script-src-attr",
script_src_elem: "script-src-elem",
style_src: "style-src",
style_src_attr: "style-src-attr",
style_src_elem: "style-src-elem",
worker_src: "worker-src"
base_uri: "base-uri",
child_src: "child-src",
connect_src: "connect-src",
default_src: "default-src",
font_src: "font-src",
form_action: "form-action",
frame_ancestors: "frame-ancestors",
frame_src: "frame-src",
img_src: "img-src",
manifest_src: "manifest-src",
media_src: "media-src",
object_src: "object-src",
prefetch_src: "prefetch-src",
require_trusted_types_for: "require-trusted-types-for",
script_src: "script-src",
script_src_attr: "script-src-attr",
script_src_elem: "script-src-elem",
style_src: "style-src",
style_src_attr: "style-src-attr",
style_src_elem: "style-src-elem",
trusted_types: "trusted-types",
worker_src: "worker-src"
}.freeze
DEFAULT_NONCE_DIRECTIVES = %w[script-src style-src].freeze

18
actionpack/test/dispatch/content_security_policy_test.rb
View File

@ -211,6 +211,24 @@ class ContentSecurityPolicyTest < ActiveSupport::TestCase
@policy.require_sri_for
assert_no_match %r{require-sri-for}, @policy.build
@policy.require_trusted_types_for :script
assert_match %r{require-trusted-types-for 'script'}, @policy.build
@policy.require_trusted_types_for
assert_no_match %r{require-trusted-types-for}, @policy.build
@policy.trusted_types :none
assert_match %r{trusted-types 'none'}, @policy.build
@policy.trusted_types "foo", "bar"
assert_match %r{trusted-types foo bar}, @policy.build
@policy.trusted_types "foo", "bar", :allow_duplicates
assert_match %r{trusted-types foo bar 'allow-duplicates'}, @policy.build
@policy.trusted_types
assert_no_match %r{trusted-types}, @policy.build
@policy.upgrade_insecure_requests
assert_match %r{upgrade-insecure-requests}, @policy.build