rails--rails/actionpack/test/dispatch
Tim Wade 803f87567f
Generate content security policy for non-HTML responses
One feature of the content security policy DSL, though undocumented,
is that it will not generate headers for non-HTML responses, even if a
configuration is explicitly provided. While it may not seem obvious
that anyone would want to send this header in an API response, Mozilla
Observatory, for instance, recommends the following for API responses:

`Content-Security-Policy: default-src 'none'; frame-ancestors 'none'`

(source: https://observatory.mozilla.org/faq/)

The Secure Headers gem also makes recommendations about the content
security policy for API responses: https://github.com/github/secure_headers#api-configurations

As such, this removes the HTML guard clause from the
`ContentSecurityPolicy` middleware.
2022-03-07 16:24:14 -08:00
request Use static message when raising HTTP request parameter parse errors 2021-08-28 11:56:05 -05:00
routing Delete concerns_executes_block_in_context_of_current_mapper test 2022-02-06 14:45:54 +00:00
session Stringify keys in session.merge! 2022-02-05 11:23:45 +01:00
system_testing Remove deprecated `ActionDispatch::SystemTestCase#host!` 2021-11-17 21:51:14 +00:00
actionable_exceptions_test.rb Only allow ActionableErrors if show_detailed_exceptions is enabled 2020-06-17 07:59:57 -07:00
callbacks_test.rb Enable `Layout/EmptyLinesAroundAccessModifier` cop 2019-06-13 12:00:45 +09:00
content_disposition_test.rb Escape # in RFC 5987 pattern 2020-08-31 10:31:30 -04:00
content_security_policy_test.rb Generate content security policy for non-HTML responses 2022-03-07 16:24:14 -08:00
cookies_test.rb Consider onion services secure for cookies 2021-11-26 14:52:09 -05:00
debug_exceptions_test.rb Pass log_rescued_responses as environment config 2021-07-19 00:08:30 +01:00
debug_locks_test.rb
exception_wrapper_test.rb Skip logging backtrace when exception is in `rescue_responses` 2021-06-24 23:04:12 -04:00
executor_test.rb Fix style and misspell in action dispatch executor test 2022-02-11 14:55:33 -05:00
header_test.rb
host_authorization_test.rb Allow IPs with port in the HostAuthorization middleware 2021-12-15 21:41:50 +00:00
live_response_test.rb Allow 'private, no-store' Cache-Control header 2021-04-05 14:20:17 +10:00
mapper_test.rb Allow multiline to be passed in routes when using wildcards. 2021-10-13 19:14:20 -04:00
middleware_stack_test.rb Add back Rack::Runtime to the default middleware stack. 2021-09-15 18:37:34 -04:00
mime_type_test.rb Prevent catastrophic backtracking during mime parsing 2021-05-04 13:49:41 -07:00
mount_test.rb mounted routes with non-word characters 2019-04-15 15:11:13 +02:00
permissions_policy_test.rb Use Feature-Policy header name for now 2020-11-19 16:08:09 +01:00
prefix_generation_test.rb Remove body content from redirect responses 2022-02-25 13:31:54 -04:00
rack_cache_test.rb
reloader_test.rb
request_id_test.rb Fix tests with Ruby 3 2020-10-30 02:20:04 +00:00
request_test.rb Replace ableist language 2021-10-05 22:27:09 -04:00
response_test.rb Remove X-Download-Options default header 2022-01-06 10:03:17 +01:00
routing_assertions_test.rb chore: fix spelling 2021-04-15 15:49:48 +10:00
routing_test.rb Remove body content from redirect responses 2022-02-25 13:31:54 -04:00
runner_test.rb
server_timing_test.rb Add Server Timing middleware (#36289) 2021-09-19 21:27:07 -07:00
show_exceptions_test.rb Raise more specific exception for invalid mime type from user-agent 2020-10-07 11:49:56 -04:00
ssl_test.rb quietly handle unknown HTTP methods in Action Dispatch SSL middleware 2020-12-28 07:27:50 -05:00
static_test.rb Allow rails to serve brotli encoded assets 2020-06-01 08:57:02 -07:00
test_request_test.rb Replace more ableist language 2021-10-07 11:47:28 -04:00
test_response_test.rb Remove deprecated methods in ActionDispatch::TestResponse 2019-01-17 16:08:31 -05:00
uploaded_file_test.rb Restore UploadedFile compatibility with IO.copy_stream 2019-02-23 23:36:58 +01:00
url_generation_test.rb Fix setting `trailing_slash: true` in route definition 2022-02-15 10:44:33 +01:00