diff options
author | Andrew White <andrew.white@unboxed.co> | 2018-03-08 14:01:15 +0000 |
---|---|---|
committer | Andrew White <andrew.white@unboxed.co> | 2018-03-08 14:01:15 +0000 |
commit | af406a753c59266c61e9ebcd0f131fdc6533a124 (patch) | |
tree | 50ab44037136e1e1313d15e98a95414732cc7a02 | |
parent | f30ac99d0c814ab69488e08aa3841bf45208fb2c (diff) | |
download | rails-af406a753c59266c61e9ebcd0f131fdc6533a124.tar.gz rails-af406a753c59266c61e9ebcd0f131fdc6533a124.tar.bz2 rails-af406a753c59266c61e9ebcd0f131fdc6533a124.zip |
Add the ability to disable the global CSP in a controller
e.g:
class LegacyPagesController < ApplicationController
content_security_policy false, only: :index
end
-rw-r--r-- | actionpack/lib/action_controller/metal/content_security_policy.rb | 6 | ||||
-rw-r--r-- | actionpack/test/dispatch/content_security_policy_test.rb | 14 |
2 files changed, 19 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/metal/content_security_policy.rb b/actionpack/lib/action_controller/metal/content_security_policy.rb index 95f2f3242d..67682e7f4f 100644 --- a/actionpack/lib/action_controller/metal/content_security_policy.rb +++ b/actionpack/lib/action_controller/metal/content_security_policy.rb @@ -14,13 +14,17 @@ module ActionController #:nodoc: end module ClassMethods - def content_security_policy(**options, &block) + def content_security_policy(enabled = true, **options, &block) before_action(options) do if block_given? policy = request.content_security_policy.clone yield policy request.content_security_policy = policy end + + unless enabled + request.content_security_policy = nil + end end end diff --git a/actionpack/test/dispatch/content_security_policy_test.rb b/actionpack/test/dispatch/content_security_policy_test.rb index b88f90190a..205bce16d4 100644 --- a/actionpack/test/dispatch/content_security_policy_test.rb +++ b/actionpack/test/dispatch/content_security_policy_test.rb @@ -258,6 +258,8 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest p.script_src :self end + content_security_policy(false, only: :no_policy) + content_security_policy_report_only only: :report_only def index @@ -280,6 +282,10 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest head :ok end + def no_policy + head :ok + end + private def condition? params[:condition] == "true" @@ -294,6 +300,7 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest get "/conditional", to: "policy#conditional" get "/report-only", to: "policy#report_only" get "/script-src", to: "policy#script_src" + get "/no-policy", to: "policy#no_policy" end end @@ -353,6 +360,13 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest assert_policy "script-src 'self' 'nonce-iyhD0Yc0W+c='" end + def test_generates_no_content_security_policy + get "/no-policy" + + assert_nil response.headers["Content-Security-Policy"] + assert_nil response.headers["Content-Security-Policy-Report-Only"] + end + private def env_config |