diff options
author | Andrew White <andrew.white@unboxed.co> | 2018-10-22 17:10:01 +0100 |
---|---|---|
committer | Andrew White <andrew.white@unboxed.co> | 2018-10-22 17:10:01 +0100 |
commit | ed91b75c937805cb52b3930f2549b7a179cdc421 (patch) | |
tree | 95c43d7fd2e2899fa6949b52b588cd6bce5a84ca /actionpack/lib/action_dispatch | |
parent | dc6761592009e9146552fc9d6299bf58a34e187a (diff) | |
download | rails-ed91b75c937805cb52b3930f2549b7a179cdc421.tar.gz rails-ed91b75c937805cb52b3930f2549b7a179cdc421.tar.bz2 rails-ed91b75c937805cb52b3930f2549b7a179cdc421.zip |
Apply mapping to symbols returned from dynamic CSP sources
Previously if a dynamic source returned a symbol such as :self it
would be converted to a string implicity, e.g:
policy.default_src -> { :self }
would generate the header:
Content-Security-Policy: default-src self
and now it generates:
Content-Security-Policy: default-src 'self'
Diffstat (limited to 'actionpack/lib/action_dispatch')
-rw-r--r-- | actionpack/lib/action_dispatch/http/content_security_policy.rb | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/actionpack/lib/action_dispatch/http/content_security_policy.rb b/actionpack/lib/action_dispatch/http/content_security_policy.rb index 50953e32b5..15b7bd1233 100644 --- a/actionpack/lib/action_dispatch/http/content_security_policy.rb +++ b/actionpack/lib/action_dispatch/http/content_security_policy.rb @@ -257,7 +257,8 @@ module ActionDispatch #:nodoc: if context.nil? raise RuntimeError, "Missing context for the dynamic content security policy source: #{source.inspect}" else - context.instance_exec(&source) + resolved = context.instance_exec(&source) + resolved.is_a?(Symbol) ? apply_mapping(resolved) : resolved end else raise RuntimeError, "Unexpected content security policy source: #{source.inspect}" |