Add the ability to disable the global CSP in a controller

e.g: class LegacyPagesController < ApplicationController content_security_policy false, only: :index end
2022-11-09 12:12:34 -05:00 · 2018-03-08 14:01:15 +00:00 · 2018-03-08 14:01:15 +00:00 · af406a753c
commit af406a753c
parent f30ac99d0c
2 changed files with 19 additions and 1 deletions
--- a/actionpack/lib/action_controller/metal/content_security_policy.rb
+++ b/actionpack/lib/action_controller/metal/content_security_policy.rb
@ -14,13 +14,17 @@ module ActionController #:nodoc:
    end
    module ClassMethods
-      def content_security_policy(**options, &block)
+      def content_security_policy(enabled = true, **options, &block)
        before_action(options) do
          if block_given?
            policy = request.content_security_policy.clone
            yield policy
            request.content_security_policy = policy
          end
          unless enabled
            request.content_security_policy = nil
          end
        end
      end
--- a/actionpack/test/dispatch/content_security_policy_test.rb
+++ b/actionpack/test/dispatch/content_security_policy_test.rb
@ -258,6 +258,8 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
      p.script_src :self
    end
    content_security_policy(false, only: :no_policy)
    content_security_policy_report_only only: :report_only
    def index
@ -280,6 +282,10 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
      head :ok
    end
    def no_policy
      head :ok
    end
    private
      def condition?
        params[:condition] == "true"
@ -294,6 +300,7 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
      get "/conditional", to: "policy#conditional"
      get "/report-only", to: "policy#report_only"
      get "/script-src", to: "policy#script_src"
      get "/no-policy", to: "policy#no_policy"
    end
  end
@ -353,6 +360,13 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
    assert_policy "script-src 'self' 'nonce-iyhD0Yc0W+c='"
  end
  def test_generates_no_content_security_policy
    get "/no-policy"
    assert_nil response.headers["Content-Security-Policy"]
    assert_nil response.headers["Content-Security-Policy-Report-Only"]
  end
  private
    def env_config