Merge pull request #1595 from mfinelli/csp-fix-no-arg-directives

Fix content security policy no-arg directives
2020-03-11 00:25:38 -04:00 · 2020-03-11 00:25:38 -04:00 · 2527f46bc4
parent 2aae16cb3c 49f21894d3
commit 2527f46bc4
2 changed files with 2 additions and 2 deletions
--- a/rack-protection/lib/rack/protection/content_security_policy.rb
+++ b/rack-protection/lib/rack/protection/content_security_policy.rb
@ -62,7 +62,7 @@ module Rack
        # Set these key values to boolean 'true' to include in policy
        NO_ARG_DIRECTIVES.each do |d|
          if options.key?(d) && options[d].is_a?(TrueClass)
-            directives << d.to_s.sub(/_/, '-')
+            directives << d.to_s.tr('_', '-')
          end
        end

--- a/rack-protection/spec/lib/rack/protection/content_security_policy_spec.rb
+++ b/rack-protection/spec/lib/rack/protection/content_security_policy_spec.rb
@ -33,7 +33,7 @@ describe Rack::Protection::ContentSecurityPolicy do
    end

    headers = get('/', {}, 'wants' => 'text/html').headers
-    expect(headers["Content-Security-Policy"]).to eq("block-all_mixed_content; connect-src 'self'; default-src none; disown-opener; img-src 'self'; script-src 'self'; style-src 'self'; upgrade-insecure_requests")
+    expect(headers["Content-Security-Policy"]).to eq("block-all-mixed-content; connect-src 'self'; default-src none; disown-opener; img-src 'self'; script-src 'self'; style-src 'self'; upgrade-insecure-requests")
  end

  it 'should ignore CSP3 no arg directives unless they are set to true' do