1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
Commit graph

7 commits

Author SHA1 Message Date
yuuji.yaginuma
09d55b3022 Add the ability to set the CSP nonce only to the specified directives
I changed to set CSP nonce to `style-src` directive in #32932.
But this causes an issue when `unsafe-inline` is specified to `style-src`
(If a nonce is present, a nonce takes precedence over `unsafe-inline`).

So, I fixed to nonce directives configurable. By configure this, users
can make CSP as before.

Fixes #35137.
2019-06-22 12:44:37 +09:00
Ryuta Kamizono
c81af6ae72 Enable Layout/EmptyLinesAroundAccessModifier cop
We sometimes say "✂️ newline after `private`" in a code review (e.g.
https://github.com/rails/rails/pull/18546#discussion_r23188776,
https://github.com/rails/rails/pull/34832#discussion_r244847195).

Now `Layout/EmptyLinesAroundAccessModifier` cop have new enforced style
`EnforcedStyle: only_before` (https://github.com/rubocop-hq/rubocop/pull/7059).

That cop and enforced style will reduce the our code review cost.
2019-06-13 12:00:45 +09:00
Andrew White
d85283cc42 Remove trailing semi-colon from CSP
Although the spec[1] is defined in such a way that a trailing semi-colon
is valid it also doesn't allow a semi-colon by itself to indicate an
empty policy. Therefore it's easier (and valid) just to omit it rather
than to detect whether the policy is empty or not.

[1]: https://www.w3.org/TR/CSP2/#policy-syntax
2018-02-19 12:20:43 +00:00
Andrew White
57f9c36387 Don't accidentally create an empty CSP
Setting up the request environment was accidentally creating a CSP
as a consequence of accessing the option - only set the instance
variable if a block is passed.
2018-02-19 12:17:51 +00:00
Andrew White
52a1f1c226 Revert "Merge pull request #32045 from eagletmt/skip-csp-header"
This reverts commit 86f7c26907, reversing
changes made to 5ece2e4a44.

If a policy is set then we should generate it even if it's empty.
However what is happening is that we're accidentally generating an
empty policy when the initializer is commented out by default.
2018-02-19 12:00:29 +00:00
Kohei Suzuki
53d863d4bb
Skip generating empty CSP header when no policy is configured
`Rails.application.config.content_security_policy` is configured with no
policies by default. In this case, Content-Security-Policy header should
not be generated instead of generating the header with no directives.
Firefox also warns "Content Security Policy: Couldn't process unknown
directive ''".
2018-02-18 23:45:57 +09:00
Andrew White
456c3ffdbe Add DSL for configuring Content-Security-Policy header
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
2017-11-27 05:59:26 +00:00