Add the ability to disable the global CSP in a controller
e.g.:

class LegacyPagesController < ApplicationController
  content_security_policy false, only: :index
end
This commit is contained in:
parent
f30ac99d0c
commit
af406a753c
2 changed files with 19 additions and 1 deletions
|
@ -14,13 +14,17 @@ module ActionController #:nodoc:
|
||||||
end
|
end
|
||||||
|
|
||||||
module ClassMethods
|
module ClassMethods
|
||||||
def content_security_policy(**options, &block)
|
def content_security_policy(enabled = true, **options, &block)
|
||||||
before_action(options) do
|
before_action(options) do
|
||||||
if block_given?
|
if block_given?
|
||||||
policy = request.content_security_policy.clone
|
policy = request.content_security_policy.clone
|
||||||
yield policy
|
yield policy
|
||||||
request.content_security_policy = policy
|
request.content_security_policy = policy
|
||||||
end
|
end
|
||||||
|
|
||||||
|
unless enabled
|
||||||
|
request.content_security_policy = nil
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
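Review bot: The `unless enabled` branch at the bottom of the before_action silently discards a policy the caller's block has just built, so `content_security_policy(false) { |p| ... }` runs the block and then clears its result; a definition-time guard makes that misuse visible instead: `raise ArgumentError, "a block cannot be given when the policy is disabled" if !enabled && block`. The positional `enabled = true` also means any falsy value, including `nil`, disables the policy for the selected actions, which the method should state in a doc comment, e.g. `# Pass +false+ as the first argument to send no Content-Security-Policy header for the actions selected by +options+ (+only:+/+except:+).` Since the header is derived from `request.content_security_policy`, setting it to +nil+ presumably suppresses the report-only variant as well (the new test asserts both headers are nil), and the comment could say so. The enclosing `module ClassMethods` continues past the hunk.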
@ -258,6 +258,8 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
|
||||||
p.script_src :self
|
p.script_src :self
|
||||||
end
|
end
|
||||||
|
|
||||||
|
content_security_policy(false, only: :no_policy)
|
||||||
|
|
||||||
content_security_policy_report_only only: :report_only
|
content_security_policy_report_only only: :report_only
|
||||||
|
|
||||||
def index
|
def index
|
||||||
|
@ -280,6 +282,10 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
|
||||||
head :ok
|
head :ok
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def no_policy
|
||||||
|
head :ok
|
||||||
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
def condition?
|
def condition?
|
||||||
params[:condition] == "true"
|
params[:condition] == "true"
|
||||||
|
@ -294,6 +300,7 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
|
||||||
get "/conditional", to: "policy#conditional"
|
get "/conditional", to: "policy#conditional"
|
||||||
get "/report-only", to: "policy#report_only"
|
get "/report-only", to: "policy#report_only"
|
||||||
get "/script-src", to: "policy#script_src"
|
get "/script-src", to: "policy#script_src"
|
||||||
|
get "/no-policy", to: "policy#no_policy"
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -353,6 +360,13 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
|
||||||
assert_policy "script-src 'self' 'nonce-iyhD0Yc0W+c='"
|
assert_policy "script-src 'self' 'nonce-iyhD0Yc0W+c='"
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def test_generates_no_content_security_policy
|
||||||
|
get "/no-policy"
|
||||||
|
|
||||||
|
assert_nil response.headers["Content-Security-Policy"]
|
||||||
|
assert_nil response.headers["Content-Security-Policy-Report-Only"]
|
||||||
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
def env_config
|
def env_config
|
||||||
|
|
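Review bot: `test_generates_no_content_security_policy` only checks the disabled action, so it would still pass if `content_security_policy false` cleared the policy for every action of the controller rather than just `:no_policy`; a negative control in the same test, such as `get "/"` followed by `assert_not_nil response.headers["Content-Security-Policy"]`, pins the `only:` scoping that the controller relies on. Other tests in this class may already cover the enabled path, in which case a one-line comment pointing to them would do. The test class continues outside the hunks.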