Add the ability to disable the global CSP in a controller
e.g.:
class LegacyPagesController < ApplicationController
content_security_policy false, only: :index
end
@@ -1,3 +1,11 @@ |
|
|
* Add the ability to disable the global CSP in a controller, e.g: |
|
|
|
|
|
class LegacyPagesController < ApplicationController |
|
|
content_security_policy false, only: :index |
|
|
end |
|
|
|
|
|
*Andrew White* |
|
|
|
|
|
* Add alias method `to_hash` to `to_h` for `cookies`. |
|
|
Add alias method `to_h` to `to_hash` for `session`. |
|
|
|
|
|
|
@@ -14,13 +14,17 @@ module ContentSecurityPolicy |
|
|
end |
|
|
|
|
|
module ClassMethods |
|
|
def content_security_policy(**options, &block) |
|
|
def content_security_policy(enabled = true, **options, &block) |
|
|
before_action(options) do |
|
|
if block_given? |
|
|
policy = request.content_security_policy.clone |
|
|
yield policy |
|
|
request.content_security_policy = policy |
|
|
end |
|
|
|
|
|
unless enabled |
|
|
request.content_security_policy = nil |
|
|
end |
|
|
end |
|
|
end |
|
|
|
|
|
|
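Review bot: In the new before_action body (hunk `@@ -14,13 +14,17 @@`), the `unless enabled` check runs after the block path, so `content_security_policy(false) { |p| ... }` still clones the policy, yields it and then discards the result; moving the guard to the top of the block as `next request.content_security_policy = nil unless enabled` (and dropping the trailing `unless enabled … end`) makes the disabled case explicit and avoids the wasted clone. A related gap: once a parent controller has set `request.content_security_policy = nil` via `false`, a later `content_security_policy do |p| … end` in a subclass will clone `nil` and yield it to the block, which is likely to raise inside the block rather than fail clearly — either guard it (`next unless request.content_security_policy`) or document that disabling is final for that action. The new positional `enabled` argument also has no doc comment; a line such as `# Pass +false+ as the first argument to remove the global policy for the actions selected by +options+.` above the method would help, since a bare `false` positional reads poorly at the call site. The enclosing `ClassMethods` module continues outside the hunk.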
@@ -258,6 +258,8 @@ class PolicyController < ActionController::Base |
|
|
p.script_src :self |
|
|
end |
|
|
|
|
|
content_security_policy(false, only: :no_policy) |
|
|
|
|
|
content_security_policy_report_only only: :report_only |
|
|
|
|
|
def index |
|
@@ -280,6 +282,10 @@ def script_src |
|
|
head :ok |
|
|
end |
|
|
|
|
|
def no_policy |
|
|
head :ok |
|
|
end |
|
|
|
|
|
private |
|
|
def condition? |
|
|
params[:condition] == "true" |
|
@@ -294,6 +300,7 @@ def condition? |
|
|
get "/conditional", to: "policy#conditional" |
|
|
get "/report-only", to: "policy#report_only" |
|
|
get "/script-src", to: "policy#script_src" |
|
|
get "/no-policy", to: "policy#no_policy" |
|
|
end |
|
|
end |
|
|
|
|
@@ -353,6 +360,13 @@ def test_adds_nonce_to_script_src_content_security_policy |
|
|
assert_policy "script-src 'self' 'nonce-iyhD0Yc0W+c='" |
|
|
end |
|
|
|
|
|
def test_generates_no_content_security_policy |
|
|
get "/no-policy" |
|
|
|
|
|
assert_nil response.headers["Content-Security-Policy"] |
|
|
assert_nil response.headers["Content-Security-Policy-Report-Only"] |
|
|
end |
|
|
|
|
|
private |
|
|
|
|
|
def env_config |
|
|