aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndrew White <andrew.white@unboxed.co>2018-10-22 17:15:33 +0100
committerAndrew White <andrew.white@unboxed.co>2018-10-22 17:16:52 +0100
commita150a026591b7b9dcaba5a2ef5fce02f7d990aba (patch)
tree52a5dc9b0be1bf671bc471936d6d3fc60f28baef
parented91b75c937805cb52b3930f2549b7a179cdc421 (diff)
downloadrails-a150a026591b7b9dcaba5a2ef5fce02f7d990aba.tar.gz
rails-a150a026591b7b9dcaba5a2ef5fce02f7d990aba.tar.bz2
rails-a150a026591b7b9dcaba5a2ef5fce02f7d990aba.zip
Use request object for context if there's no controller
There is no controller instance when using a redirect route or a mounted rack application so pass the request object as the context when resolving dynamic CSP sources in this scenario. Fixes #34200.
-rw-r--r--actionpack/CHANGELOG.md10
-rw-r--r--actionpack/lib/action_dispatch/http/content_security_policy.rb3
-rw-r--r--actionpack/test/dispatch/content_security_policy_test.rb10
3 files changed, 20 insertions, 3 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 8d0477ead3..5554d4e6b8 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,13 @@
+* Use request object for context if there's no controller
+
+ There is no controller instance when using a redirect route or a
+ mounted rack application so pass the request object as the context
+ when resolving dynamic CSP sources in this scenario.
+
+ Fixes #34200.
+
+ *Andrew White*
+
* Apply mapping to symbols returned from dynamic CSP sources
Previously if a dynamic source returned a symbol such as :self it
diff --git a/actionpack/lib/action_dispatch/http/content_security_policy.rb b/actionpack/lib/action_dispatch/http/content_security_policy.rb
index 15b7bd1233..b1e5a28be5 100644
--- a/actionpack/lib/action_dispatch/http/content_security_policy.rb
+++ b/actionpack/lib/action_dispatch/http/content_security_policy.rb
@@ -22,7 +22,8 @@ module ActionDispatch #:nodoc:
if policy = request.content_security_policy
nonce = request.content_security_policy_nonce
- headers[header_name(request)] = policy.build(request.controller_instance, nonce)
+ context = request.controller_instance || request
+ headers[header_name(request)] = policy.build(context, nonce)
end
response
diff --git a/actionpack/test/dispatch/content_security_policy_test.rb b/actionpack/test/dispatch/content_security_policy_test.rb
index 8dd4b8edb1..c8c885f35c 100644
--- a/actionpack/test/dispatch/content_security_policy_test.rb
+++ b/actionpack/test/dispatch/content_security_policy_test.rb
@@ -260,6 +260,7 @@ class DefaultContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationT
ROUTES.draw do
scope module: "default_content_security_policy_integration_test" do
get "/", to: "policy#index"
+ get "/redirect", to: redirect("/")
end
end
@@ -295,14 +296,19 @@ class DefaultContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationT
def test_adds_nonce_to_script_src_content_security_policy_only_once
get "/"
get "/"
+ assert_response :success
+ assert_policy "default-src 'self'; script-src https: 'nonce-iyhD0Yc0W+c='"
+ end
+
+ def test_redirect_works_with_dynamic_sources
+ get "/redirect"
+ assert_response :redirect
assert_policy "default-src 'self'; script-src https: 'nonce-iyhD0Yc0W+c='"
end
private
def assert_policy(expected, report_only: false)
- assert_response :success
-
if report_only
expected_header = "Content-Security-Policy-Report-Only"
unexpected_header = "Content-Security-Policy"