
Fix CSP dynamic sources #34286

Merged
merged 2 commits into from Oct 23, 2018

Conversation

Projects
None yet
1 participant
@pixeltrix
Member

commented Oct 22, 2018

A couple of small bug fixes to dynamic CSP sources:

  1. Dynamic sources that return a symbol should be mapped, e.g.:

     policy.default_src -> { :self }

     would generate the header:

     Content-Security-Policy: default-src self

     and now it generates:

     Content-Security-Policy: default-src 'self'

  2. Having a dynamic source should not blow up in redirect/mounted rack app routes - fixes #34200.
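As an added illustration of the two fixes described above (example code, not Rails' own implementation), a constructed miniature of dynamic source resolution: `SOURCE_MAPPINGS`, `RequestStub`, `ControllerStub`, `resolve_source`, `resolve_source_before_fix` and `csp_header` are all assumed names for this example.

```ruby
# Added example (not Rails' own code): a simplified model of how dynamic
# CSP sources are resolved, showing the symbol-mapping bug this PR fixes
# and the fallback to the request object when there is no controller.

# Source keywords -> quoted CSP tokens. A constructed subset of the table
# used for static sources.
SOURCE_MAPPINGS = {
  self: "'self'",
  none: "'none'",
  unsafe_inline: "'unsafe-inline'",
  https: "https:"
}.freeze

# Constructed stand-ins for the two possible contexts.
RequestStub = Struct.new(:host)
ControllerStub = Struct.new(:request) do
  def host
    request.host
  end
end

# Resolve one source. A proc is evaluated against the context first;
# the result then goes through the same mapping as a static source.
def resolve_source(source, context)
  value = source.respond_to?(:call) ? context.instance_exec(&source) : source
  case value
  when Symbol
    SOURCE_MAPPINGS.fetch(value) do
      raise ArgumentError, "Unknown content security policy source mapping: #{value}"
    end
  when String then value
  else raise ArgumentError, "Invalid content security policy source: #{value.inspect}"
  end
end

# Pre-fix behaviour: the proc's return value was stringified as-is,
# so `-> { :self }` produced the bare token `self` (not a valid keyword).
def resolve_source_before_fix(source, context)
  source.respond_to?(:call) ? context.instance_exec(&source).to_s : resolve_source(source, context)
end

# Build the header value, using the controller as context when present
# and otherwise the request (redirect routes, mounted Rack apps).
def csp_header(directives, controller, request, resolver: method(:resolve_source))
  context = controller || request
  directives.map do |name, sources|
    "#{name} #{sources.map { |s| resolver.call(s, context) }.join(' ')}"
  end.join("; ")
end
```

Note that a browser treats an unquoted `self` as a host name, so the pre-fix header silently did not grant the origin the author intended.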

pixeltrix added some commits Oct 22, 2018

Apply mapping to symbols returned from dynamic CSP sources
Previously if a dynamic source returned a symbol such as :self it
would be converted to a string implicitly, e.g.:

  policy.default_src -> { :self }

would generate the header:

  Content-Security-Policy: default-src self

and now it generates:

  Content-Security-Policy: default-src 'self'

Use request object for context if there's no controller
There is no controller instance when using a redirect route or a
mounted rack application so pass the request object as the context
when resolving dynamic CSP sources in this scenario.

Fixes #34200.
@pixeltrix

Member Author

commented Oct 22, 2018

I'll backport this to 5-2-stable once GitHub / Travis CI has settled down.

@rails-bot rails-bot bot added the actionpack label Oct 22, 2018

@pixeltrix pixeltrix merged commit 759b3af into master Oct 23, 2018

3 checks passed

codeclimate All good!
continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed

@pixeltrix pixeltrix deleted the fix-csp-dynamic-sources branch Oct 23, 2018

@pixeltrix

Member Author

commented Oct 23, 2018

Backported to 5-2-stable in 4725b2f and cff030a
