author | Andrew White <pixeltrix@users.noreply.github.com> | 2018-04-19 08:24:21 +0100 |
committer | GitHub <noreply@github.com> | 2018-04-19 08:24:21 +0100 |
commit | fb2af6f849c8d25732f2c17352c59f2dc8b8320d (patch) | |
tree | 9ea30543b6b2f68f15d9c0b711054ee035a4b8fe /actionpack/lib/action_dispatch | |
parent | 7d25b651fa9011b040fab2f19fb315679519edb2 (diff) | |
parent | ef2af628a9ec1cc4e7b6997a021dd3f85cfe4665 (diff) | |
Merge branch 'master' into fix-as-timezone-all
Diffstat (limited to 'actionpack/lib/action_dispatch')
-rw-r--r-- | actionpack/lib/action_dispatch/http/content_security_policy.rb | 29 |
1 files changed, 17 insertions, 12 deletions
diff --git a/actionpack/lib/action_dispatch/http/content_security_policy.rb b/actionpack/lib/action_dispatch/http/content_security_policy.rb
index c1f80a1ffc..17e72b46ff 100644
--- a/actionpack/lib/action_dispatch/http/content_security_policy.rb
+++ b/actionpack/lib/action_dispatch/http/content_security_policy.rb
@@ -21,13 +21,8 @@ module ActionDispatch #:nodoc:
 return response if policy_present?(headers)
 
 if policy = request.content_security_policy
- if policy.directives["script-src"]
- if nonce = request.content_security_policy_nonce
- policy.directives["script-src"] << "'nonce-#{nonce}'"
- end
- end
-
- headers[header_name(request)] = policy.build(request.controller_instance)
+ nonce = request.content_security_policy_nonce
+ headers[header_name(request)] = policy.build(request.controller_instance, nonce)
 end
 
 response
@@ -136,7 +131,9 @@ module ActionDispatch #:nodoc:
 worker_src: "worker-src"
 }.freeze
 
- private_constant :MAPPINGS, :DIRECTIVES
+ NONCE_DIRECTIVES = %w[script-src].freeze
+
+ private_constant :MAPPINGS, :DIRECTIVES, :NONCE_DIRECTIVES
 
 attr_reader :directives
 
@@ -205,8 +202,8 @@ module ActionDispatch #:nodoc:
 end
 end
 
- def build(context = nil)
- build_directives(context).compact.join("; ")
+ def build(context = nil, nonce = nil)
+ build_directives(context, nonce).compact.join("; ")
 end
 
 private
@@ -229,10 +226,14 @@ module ActionDispatch #:nodoc:
 end
 end
 
- def build_directives(context)
+ def build_directives(context, nonce)
 @directives.map do |directive, sources|
 if sources.is_a?(Array)
- "#{directive} #{build_directive(sources, context).join(' ')}"
+ if nonce && nonce_directive?(directive)
+ "#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
+ else
+ "#{directive} #{build_directive(sources, context).join(' ')}"
+ end
 elsif sources
 directive
 else
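Review bot: The header's nonce is now whatever `request.content_security_policy_nonce` returns at the new `nonce = ...` line, and it is only correct if that reader hands back the same value the view helpers later embed in inline `<script>` tags; the request method is not in this hunk, so confirm it memoizes the nonce per request rather than generating a fresh value on each call. If header and markup ever disagree, every nonced inline script is blocked, which fails closed but silently and is hard to diagnose in production. I would pin the contract in a comment above the assignment: `# Must be the same nonce views render via content_security_policy_nonce; the request memoizes it per request.` The enclosing middleware method starts before and ends after this hunk.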
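Review bot: `NONCE_DIRECTIVES = %w[script-src].freeze` is undocumented and hard-codes the one directive that receives the per-request nonce, and because it is declared `private_constant` on the next lines there is no supported way for an application to extend it. An app that renders nonced inline `<style>` tags will get no `'nonce-…'` source on `style-src`, so those styles are blocked with nothing in the code hinting why. Either make the list configurable or state the limitation: `# Directives that get the per-request 'nonce-…' source appended in #build (currently script-src only; style-src is not nonced).` This hunk sits in the class body, whose `class` line and closing `end` are outside the hunk.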
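Review bot: `def build(context = nil, nonce = nil)` adds a second optional positional argument to a public method with no documentation of what belongs there, and two untyped positional optionals are easy to transpose at a call site, which would quietly produce a header without the nonce. A keyword argument (`nonce: nil`) would make the single call site in the middleware self-describing, though it does change the signature that hunk uses, so at minimum document the parameter. Suggested comment above the method: `# Serialises the policy into a header value; when +nonce+ is given it is appended as a 'nonce-…' source to the directives listed in NONCE_DIRECTIVES.` The surrounding class continues outside this hunk.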
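Review bot: The added branch interpolates `nonce` straight into the header as `'nonce-#{nonce}'` with no check on its content, so a generator that yields a value containing `'`, whitespace or `;` would produce a malformed policy or, in the worst case, extra source tokens; the generator is not visible here, but if it is application-configurable (as its presence on the request suggests) a cheap format guard is worth having, since a CSP nonce is by specification a base64 value. The two branches also duplicate the `build_directive(sources, context).join(' ')` expression, which is easier to keep in step if the source list is built once and the nonce appended to it. Rewriting the array branch as below keeps the output byte-identical for valid nonces and fails loudly for invalid ones; the method's trailing branches and `end`s are outside this hunk.
```ruby
def build_directives(context, nonce)
  @directives.map do |directive, sources|
    if sources.is_a?(Array)
      directive_sources = build_directive(sources, context).join(' ')
      if nonce && nonce_directive?(directive)
        # A CSP nonce must be a base64 value; anything else would break the header
        # or let a misconfigured generator smuggle in extra source tokens.
        unless nonce.match?(%r{\A[A-Za-z0-9+/_-]+={0,2}\z})
          raise ArgumentError, "invalid content security policy nonce: #{nonce.inspect}"
        end
        directive_sources << " 'nonce-#{nonce}'"
      end
      "#{directive} #{directive_sources}"
    # … unchanged: bare-directive (elsif sources) and nil branches …
```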
@@ -261,5 +262,9 @@ module ActionDispatch #:nodoc:
 raise RuntimeError, "Unexpected content security policy source: #{source.inspect}"
 end
 end
+
+ def nonce_directive?(directive)
+ NONCE_DIRECTIVES.include?(directive)
+ end
 end
 end
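Review bot: `nonce_directive?` has no comment, and its contract (a dasherized String directive name such as `"script-src"`, compared against the private `NONCE_DIRECTIVES` list) is only discoverable by reading the constant elsewhere in the class; a one-line comment saves the next reader that trip. Suggested: `# True when +directive+ (a dasherized name like "script-src") should carry the per-request nonce.` The class and module both close within this hunk.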