kotovalexarian-likes-github/sinatra
1
0
Fork 0
mirror of https://github.com/sinatra/sinatra synced 2023-03-27 23:18:01 -04:00
Code Releases Activity

Enclose CSP self in quotes

Browse source 
per https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives,
the quotes are required (see mpheram/sidekiq#3070)
This commit is contained in:
James Dabbs 2016-07-28 16:05:53 -04:00
parent 8fd566ecc0
commit af6902ef31
2 changed files with 3 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
rack-protection/lib/rack/protection/content_security_policy.rb
View file

@ -44,7 +44,7 @@ module Rack
# treated as though it was loaded inside of an iframe with
# a sandbox attribute.
class ContentSecurityPolicy < Base
default_options :default_src => :none, :script_src => :self, :img_src => :self, :style_src => :self, :connect_src => :self, :report_only => false
default_options :default_src => :none, :script_src => "'self'", :img_src => "'self'", :style_src => "'self'", :connect_src => "'self'", :report_only => false
KEYS = [:default_src, :script_src, :connect_src, :font_src, :frame_src, :img_src, :media_src, :style_src, :object_src, :report_uri, :sandbox]

4
rack-protection/spec/lib/rack/protection/content_security_policy_spec.rb
View file

@ -4,7 +4,7 @@ describe Rack::Protection::ContentSecurityPolicy do
it 'should set the Content Security Policy' do
expect(
get('/', {}, 'wants' => 'text/html').headers["Content-Security-Policy"]
).to eq("default-src none; script-src self; connect-src self; img-src self; style-src self")
).to eq("default-src none; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'")
end
it 'should not set the Content Security Policy for other content types' do
@ -34,7 +34,7 @@ describe Rack::Protection::ContentSecurityPolicy do
headers = get('/', {}, 'wants' => 'text/html').headers
expect(headers["Content-Security-Policy"]).to be_nil
expect(headers["Content-Security-Policy-Report-Only"]).to eq("default-src none; script-src self; connect-src self; img-src self; style-src self; report-uri /my_amazing_csp_report_parser")
expect(headers["Content-Security-Policy-Report-Only"]).to eq("default-src none; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri /my_amazing_csp_report_parser")
end
it 'should not override the header if already set' do