From 5910c1d24107d7e5e0f43fb342c37bdb388e56bf Mon Sep 17 00:00:00 2001
From: Prathamesh Sonpatki
Date: Mon, 27 Nov 2017 15:46:18 +0530
Subject: [PATCH] Fix CHANGELOG for CSP PR #31162 [ci skip]
---
 actionpack/CHANGELOG.md | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index d48aa1081f2e9..1843f058e0598 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -5,11 +5,11 @@
 about the Content-Security-Policy header see MDN:
 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
- 
+
 Example global policy:
- 
+
 # config/initializers/content_security_policy.rb
- Rails.application.config.content_security_policy do
+ Rails.application.config.content_security_policy do |p|
 p.default_src :self, :https
 p.font_src :self, :https, :data
 p.img_src :self, :https, :data
@@ -17,9 +17,9 @@
 p.script_src :self, :https
 p.style_src :self, :https, :unsafe_inline
 end
- 
+
 Example controller overrides:
- 
+
 # Override policy inline
 class PostsController < ApplicationController
 content_security_policy do |p|
@@ -40,22 +40,22 @@
 p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
 end
 end
- 
+
 Allows you to also only report content violations for migrating legacy content using the `content_security_policy_report_only` configuration attribute, e.g;
- 
+
 # config/initializers/content_security_policy.rb
 Rails.application.config.content_security_policy_report_only = true
- 
+
 # controller override
 class PostsController < ApplicationController
 self.content_security_policy_report_only = true
 end
- 
+
 Note that this feature does not validate the header for performance reasons since the header is calculated at runtime.
- 
+
 *Andrew White*
 * Make `assert_recognizes` to traverse mounted engines