rails--rails/actionpack/lib/action_dispatch
Tim Wade 803f87567f
Generate content security policy for non-HTML responses
One feature of the content security policy DSL, though undocumented,
is that it will not generate headers for non-HTML responses, even if a
configuration is explicitly provided. While it may not seem obvious
that anyone would want to send this header in an API response, Mozilla
Observatory, for instance, recommends the following for API responses:

`Content-Security-Policy: default-src 'none'; frame-ancestors 'none'`

(source: https://observatory.mozilla.org/faq/)

The Secure Headers gem also makes recommendations about the content
security policy for API responses: https://github.com/github/secure_headers#api-configurations

As such, this removes the HTML guard clause from the
`ContentSecurityPolicy` middleware.
2022-03-07 16:24:14 -08:00
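As an added example, not the Rails `ContentSecurityPolicy` middleware itself and not part of the commit above, the following minimal Rack-style middleware reproduces the behaviour the commit message describes: with an HTML-only guard clause the header is emitted for `text/html` responses and silently skipped for an `application/json` response, and with the guard removed the same policy reaches the API response too. The class name `CspMiddleware`, the `html_only:` switch, the helper `csp_header_for`, and the constructed downstream apps are assumptions made for illustration; the policy string is the one quoted from Mozilla Observatory in the commit message.

```ruby
# Added example (not Rails' own ContentSecurityPolicy middleware): a minimal
# Rack-style middleware that emits a Content-Security-Policy header. The
# `html_only:` switch stands in for the guard clause the commit removes.

# Policy Mozilla Observatory recommends for API responses (as quoted above).
API_POLICY = "default-src 'none'; frame-ancestors 'none'".freeze

class CspMiddleware
  # html_only: true  -> mirrors the pre-change guard that skipped non-HTML responses
  # html_only: false -> mirrors the behaviour once that guard clause is removed
  def initialize(app, policy:, html_only:)
    @app = app
    @policy = policy
    @html_only = html_only
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    # Never clobber a header the application set explicitly, and honour the
    # HTML-only guard when it is enabled.
    unless headers.key?("Content-Security-Policy") || (@html_only && !html?(headers))
      headers["Content-Security-Policy"] = @policy
    end
    [status, headers, body]
  end

  private

  # Treat a response as HTML only when its Content-Type says so.
  def html?(headers)
    headers["Content-Type"].to_s.start_with?("text/html")
  end
end

# Constructed downstream apps (hypothetical): an HTML page, a JSON API
# endpoint, and an endpoint that already sets its own policy.
HTML_APP   = ->(_env) { [200, { "Content-Type" => "text/html; charset=utf-8" }, ["<p>hi</p>"]] }
JSON_APP   = ->(_env) { [200, { "Content-Type" => "application/json" }, ['{"ok":true}']] }
PRESET_APP = ->(_env) do
  [200, { "Content-Type" => "application/json",
          "Content-Security-Policy" => "default-src 'self'" }, ["{}"]]
end

# Runs one request through the middleware and returns the resulting
# Content-Security-Policy header value, or nil when none was emitted.
def csp_header_for(app, html_only:)
  middleware = CspMiddleware.new(app, policy: API_POLICY, html_only: html_only)
  _status, headers, _body = middleware.call({})
  headers["Content-Security-Policy"]
end

if __FILE__ == $PROGRAM_NAME
  puts "guard on,  HTML: #{csp_header_for(HTML_APP, html_only: true).inspect}"
  puts "guard on,  JSON: #{csp_header_for(JSON_APP, html_only: true).inspect}"
  puts "guard off, JSON: #{csp_header_for(JSON_APP, html_only: false).inspect}"
  puts "guard off, preset: #{csp_header_for(PRESET_APP, html_only: false).inspect}"
end
```

The `html_only: true` path is the one to reproduce when auditing an application that predates this change: a scanner hitting only JSON endpoints will report the header as missing even though a policy is configured, because the guard clause drops it before it reaches the wire.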
http Generate content security policy for non-HTML responses 2022-03-07 16:24:14 -08:00
journey [Temporal] Test railties using multiline Regex 2021-10-13 19:14:20 -04:00
middleware Remove body content from redirect responses 2022-02-25 13:31:54 -04:00
request Stringify keys in session.merge! 2022-02-05 11:23:45 +01:00
routing Remove body content from redirect responses 2022-02-25 13:31:54 -04:00
system_testing Don't start the server for the failure screenshot 2021-12-11 11:58:51 +01:00
testing Add missing ruby2_keywords in RoutingAssertions 2022-02-24 12:10:37 +01:00
journey.rb Remove unused journey code 2020-04-25 00:40:37 +09:00
railtie.rb Pass log_rescued_responses as environment config 2021-07-19 00:08:30 +01:00
routing.rb Eager load ActionDispatch::Routing::RoutesProxy 2022-03-04 16:11:57 +01:00
system_test_case.rb Add fallback host for SystemTestCase driven by RackTest 2021-09-21 20:09:16 +02:00