diff options
| author | Andrew White <andrew.white@unboxed.co> | 2018-10-22 17:10:01 +0100 |
|---|---|---|
| committer | Andrew White <andrew.white@unboxed.co> | 2018-10-22 17:10:01 +0100 |
| commit | ed91b75c937805cb52b3930f2549b7a179cdc421 (patch) | |
| tree | 95c43d7fd2e2899fa6949b52b588cd6bce5a84ca | |
| parent | dc6761592009e9146552fc9d6299bf58a34e187a (diff) | |
| download | rails-ed91b75c937805cb52b3930f2549b7a179cdc421.tar.gz rails-ed91b75c937805cb52b3930f2549b7a179cdc421.tar.bz2 rails-ed91b75c937805cb52b3930f2549b7a179cdc421.zip | |
Apply mapping to symbols returned from dynamic CSP sources
Previously if a dynamic source returned a symbol such as :self it
would be converted to a string implicity, e.g:
policy.default_src -> { :self }
would generate the header:
Content-Security-Policy: default-src self
and now it generates:
Content-Security-Policy: default-src 'self'
| -rw-r--r-- | actionpack/CHANGELOG.md | 17 | ||||
| -rw-r--r-- | actionpack/lib/action_dispatch/http/content_security_policy.rb | 3 | ||||
| -rw-r--r-- | actionpack/test/dispatch/content_security_policy_test.rb | 4 |
3 files changed, 21 insertions, 3 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 3858c211ea..8d0477ead3 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,3 +1,20 @@ +* Apply mapping to symbols returned from dynamic CSP sources + + Previously if a dynamic source returned a symbol such as :self it + would be converted to a string implicity, e.g: + + policy.default_src -> { :self } + + would generate the header: + + Content-Security-Policy: default-src self + + and now it generates: + + Content-Security-Policy: default-src 'self' + + *Andrew White* + * Add `ActionController::Parameters#each_value`. *Lukáš Zapletal* diff --git a/actionpack/lib/action_dispatch/http/content_security_policy.rb b/actionpack/lib/action_dispatch/http/content_security_policy.rb index 50953e32b5..15b7bd1233 100644 --- a/actionpack/lib/action_dispatch/http/content_security_policy.rb +++ b/actionpack/lib/action_dispatch/http/content_security_policy.rb @@ -257,7 +257,8 @@ module ActionDispatch #:nodoc: if context.nil? raise RuntimeError, "Missing context for the dynamic content security policy source: #{source.inspect}" else - context.instance_exec(&source) + resolved = context.instance_exec(&source) + resolved.is_a?(Symbol) ? apply_mapping(resolved) : resolved end else raise RuntimeError, "Unexpected content security policy source: #{source.inspect}" diff --git a/actionpack/test/dispatch/content_security_policy_test.rb b/actionpack/test/dispatch/content_security_policy_test.rb index 13ad22b5c5..8dd4b8edb1 100644 --- a/actionpack/test/dispatch/content_security_policy_test.rb +++ b/actionpack/test/dispatch/content_security_policy_test.rb @@ -264,8 +264,8 @@ class DefaultContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationT end POLICY = ActionDispatch::ContentSecurityPolicy.new do |p| - p.default_src :self - p.script_src :https + p.default_src -> { :self } + p.script_src -> { :https } end class PolicyConfigMiddleware |