
Fix content security policy no-arg directives

Many of the CSP3 no-arg directives are multiple words so calling `sub`
only transforms the first "_" to a "-" when we need to transform all of
them to have a valid directive.
This commit is contained in:
Mario Finelli 2020-02-13 20:03:43 -05:00
parent a4dd24add2
commit 5548212f47
No known key found for this signature in database
GPG key ID: 6C3ADDDE36FDA306
2 changed files with 2 additions and 2 deletions


@ -62,7 +62,7 @@ module Rack
# Set these key values to boolean 'true' to include in policy
NO_ARG_DIRECTIVES.each do |d|
if options.key?(d) && options[d].is_a?(TrueClass)
directives << d.to_s.sub(/_/, '-')
directives << d.to_s.gsub(/_/, '-')
end
end
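Review bot: The new `d.to_s.gsub(/_/, '-')` on the `directives <<` line is a character-for-character replacement, so `tr` expresses it without a regex and is the idiomatic form: `directives << d.to_s.tr('_', '-')`. Because `d` is drawn from the `NO_ARG_DIRECTIVES` allowlist rather than from caller-supplied keys, emitting it into the header without escaping is fine, and the `is_a?(TrueClass)` guard keeps arbitrary truthy values from enabling a directive. If the code path that renders the value-taking directives (not in this hunk) still uses `sub`, any key with more than one underscore there would have the same truncation bug, so it is worth checking. The enclosing method starts before and ends after this hunk.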


@ -33,7 +33,7 @@ describe Rack::Protection::ContentSecurityPolicy do
end
headers = get('/', {}, 'wants' => 'text/html').headers
expect(headers["Content-Security-Policy"]).to eq("block-all_mixed_content; connect-src 'self'; default-src none; disown-opener; img-src 'self'; script-src 'self'; style-src 'self'; upgrade-insecure_requests")
expect(headers["Content-Security-Policy"]).to eq("block-all-mixed-content; connect-src 'self'; default-src none; disown-opener; img-src 'self'; script-src 'self'; style-src 'self'; upgrade-insecure-requests")
end
it 'should ignore CSP3 no arg directives unless they are set to true' do
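Review bot: The updated expectation still contains `default-src none`, which presumably means the fixture (set up before this hunk) passes the value unquoted; in CSP the keyword is `'none'` with single quotes, and a bare `none` is parsed as a host-source named "none", which browsers flag and which does not state the intended policy. That is not introduced by this commit, but the spec would document a valid policy if the fixture used `default_src: "'none'"` and the assertion expected `default-src 'none'`. Asserting one long joined string also makes the test brittle to directive ordering; splitting the header with `.split('; ')` and asserting `include?` for `block-all-mixed-content` and `upgrade-insecure-requests` would pin the fix this commit makes without coupling to the rest. The example's setup block begins outside this hunk.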