Merge pull request #42126 from lfalcao/master

Add support for require-trusted-types-for and trusted-types
2021-05-08 09:56:30 +01:00 · 2021-05-08 09:56:30 +01:00 · 523a526b0e
parent 70b6cee5fd 0f7931572b
commit 523a526b0e
3 changed files with 62 additions and 34 deletions
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@ -1,3 +1,9 @@
+*   Add support for 'require-trusted-types-for' and 'trusted-types' headers.
+
+    Fixes #42034
+
+    *lfalcao*
+
 *   Remove inline styles and address basic accessibility issues on rescue templates.

    *Jacob Herrington*
--- a/actionpack/lib/action_dispatch/http/content_security_policy.rb
+++ b/actionpack/lib/action_dispatch/http/content_security_policy.rb
@ -114,9 +114,11 @@ module ActionDispatch #:nodoc:
      https:            "https:",
      data:             "data:",
      mediastream:      "mediastream:",
+      allow_duplicates: "'allow-duplicates'",
      blob:             "blob:",
      filesystem:       "filesystem:",
      report_sample:    "'report-sample'",
+      script:           "'script'",
      strict_dynamic:   "'strict-dynamic'",
      ws:               "ws:",
      wss:              "wss:"
@ -136,12 +138,14 @@ module ActionDispatch #:nodoc:
      media_src:                  "media-src",
      object_src:                 "object-src",
      prefetch_src:               "prefetch-src",
+      require_trusted_types_for:  "require-trusted-types-for",
      script_src:                 "script-src",
      script_src_attr:            "script-src-attr",
      script_src_elem:            "script-src-elem",
      style_src:                  "style-src",
      style_src_attr:             "style-src-attr",
      style_src_elem:             "style-src-elem",
+      trusted_types:              "trusted-types",
      worker_src:                 "worker-src"
    }.freeze

--- a/actionpack/test/dispatch/content_security_policy_test.rb
+++ b/actionpack/test/dispatch/content_security_policy_test.rb
@ -211,6 +211,24 @@ class ContentSecurityPolicyTest < ActiveSupport::TestCase
    @policy.require_sri_for
    assert_no_match %r{require-sri-for}, @policy.build

+    @policy.require_trusted_types_for :script
+    assert_match %r{require-trusted-types-for 'script'}, @policy.build
+
+    @policy.require_trusted_types_for
+    assert_no_match %r{require-trusted-types-for}, @policy.build
+
+    @policy.trusted_types :none
+    assert_match %r{trusted-types 'none'}, @policy.build
+
+    @policy.trusted_types "foo", "bar"
+    assert_match %r{trusted-types foo bar}, @policy.build
+
+    @policy.trusted_types "foo", "bar", :allow_duplicates
+    assert_match %r{trusted-types foo bar 'allow-duplicates'}, @policy.build
+
+    @policy.trusted_types
+    assert_no_match %r{trusted-types}, @policy.build
+
    @policy.upgrade_insecure_requests
    assert_match %r{upgrade-insecure-requests}, @policy.build