Add the ability to disable the global CSP in a controller
e.g.: class LegacyPagesController < ApplicationController content_security_policy false, only: :index end
parent
f30ac99d0c
commit
af406a753c
2 changed files with 19 additions and 1 deletions
|
@ -14,13 +14,17 @@ module ActionController #:nodoc:
|
|||
end
|
||||
|
||||
module ClassMethods
|
||||
def content_security_policy(**options, &block)
|
||||
def content_security_policy(enabled = true, **options, &block)
|
||||
before_action(options) do
|
||||
if block_given?
|
||||
policy = request.content_security_policy.clone
|
||||
yield policy
|
||||
request.content_security_policy = policy
|
||||
end
|
||||
|
||||
unless enabled
|
||||
request.content_security_policy = nil
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
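Review bot: When `enabled` is false and a block is also given, the `before_action` body still takes the `if block_given?` branch, clones the request policy and runs the block, only for the `unless enabled` branch a few lines later to discard that work by assigning nil; guarding with `if enabled && block_given?` (or wrapping both branches in `if enabled … else … end`) makes the disabled case do nothing but the nil assignment and states the intended precedence explicitly. The new `enabled` positional flag also deserves a line in the method's rdoc above the hunk, because nothing in the code tells a caller that `content_security_policy false` removes the global policy for the matching actions, or that omitting `only:`/`except:` removes it for every action in the controller; something like `# Pass +false+ as the first argument to disable the global policy for the actions selected by +options+ (all actions when no +only:+/+except:+ is given).` Whether the middleware that emits the header tolerates a nil `request.content_security_policy` is not visible in this hunk and is what the new branch relies on, so it should be confirmed rather than assumed.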
@ -258,6 +258,8 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
|
|||
p.script_src :self
|
||||
end
|
||||
|
||||
content_security_policy(false, only: :no_policy)
|
||||
|
||||
content_security_policy_report_only only: :report_only
|
||||
|
||||
def index
|
||||
|
@ -280,6 +282,10 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
|
|||
head :ok
|
||||
end
|
||||
|
||||
def no_policy
|
||||
head :ok
|
||||
end
|
||||
|
||||
private
|
||||
def condition?
|
||||
params[:condition] == "true"
|
||||
|
@ -294,6 +300,7 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
|
|||
get "/conditional", to: "policy#conditional"
|
||||
get "/report-only", to: "policy#report_only"
|
||||
get "/script-src", to: "policy#script_src"
|
||||
get "/no-policy", to: "policy#no_policy"
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -353,6 +360,13 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
|
|||
assert_policy "script-src 'self' 'nonce-iyhD0Yc0W+c='"
|
||||
end
|
||||
|
||||
def test_generates_no_content_security_policy
|
||||
get "/no-policy"
|
||||
|
||||
assert_nil response.headers["Content-Security-Policy"]
|
||||
assert_nil response.headers["Content-Security-Policy-Report-Only"]
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def env_config
|
||||
|
|
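Review bot: The test controller calls the new API with parentheses, `content_security_policy(false, only: :no_policy)`, while the sibling macro two lines below is written `content_security_policy_report_only only: :report_only` and the commit message shows the parenthesis-free form; one style for both keeps the example controller consistent, e.g. `content_security_policy false, only: :no_policy`. The new `test_generates_no_content_security_policy` is only meaningful if the rest of the class has installed a global policy that would otherwise be emitted for `/no-policy`; that setup (`env_config`) begins outside the hunk, so it cannot be checked here.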