author | yuuji.yaginuma <yuuji.yaginuma@gmail.com> | 2018-05-19 11:14:29 +0900 |
---|---|---|
committer | yuuji.yaginuma <yuuji.yaginuma@gmail.com> | 2018-05-19 11:14:29 +0900 |
commit | 0c85def8bae901631810e002f1cf7b61750b3a17 (patch) | |
tree | d7c7b011cf18cc75fd39ccf2151cbacb7b94883d /actionpack/lib | |
parent | 9f95767979579f5761cb0d2bcccb67f3662349c5 (diff) | |
download | rails-0c85def8bae901631810e002f1cf7b61750b3a17.tar.gz rails-0c85def8bae901631810e002f1cf7b61750b3a17.tar.bz2 rails-0c85def8bae901631810e002f1cf7b61750b3a17.zip |
Add CSP nonce to `style-src` directive
For nonce, only `script-src` and `style-src` are meaningful in the
definition of Content Security Policy Level 2.
https://www.w3.org/TR/CSP2/#script-src-nonce-usage
https://www.w3.org/TR/CSP2/#style-src-nonce-usage
Therefore, I think that a customization function is not needed and it is enough
to enable both directives inside the framework.
Fixes #32920
Diffstat (limited to 'actionpack/lib')
-rw-r--r-- | actionpack/lib/action_dispatch/http/content_security_policy.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/actionpack/lib/action_dispatch/http/content_security_policy.rb b/actionpack/lib/action_dispatch/http/content_security_policy.rb index 35041fd072..855be5ce2e 100644 --- a/actionpack/lib/action_dispatch/http/content_security_policy.rb +++ b/actionpack/lib/action_dispatch/http/content_security_policy.rb @@ -132,7 +132,7 @@ module ActionDispatch #:nodoc: worker_src: "worker-src" }.freeze - NONCE_DIRECTIVES = %w[script-src].freeze + NONCE_DIRECTIVES = %w[script-src style-src].freeze private_constant :MAPPINGS, :DIRECTIVES, :NONCE_DIRECTIVES |
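Review bot: adding `style-src` to the private, frozen `NONCE_DIRECTIVES` constant gives applications no way to opt out, and that matters for any policy that still lists `'unsafe-inline'` under `style-src`: under CSP Level 2 (the spec linked in the commit message), the presence of a nonce-source in a directive makes a conforming browser ignore `'unsafe-inline'` for that directive, so existing inline `<style>` blocks and `style=` attributes that were previously allowed will be blocked once a nonce is emitted. Please confirm that this trade-off is intended, document it (a CHANGELOG entry and a note in the CSP guide on how to nonce inline styles), and make sure a test asserts that the `Content-Security-Policy` header now carries `'nonce-…'` in `style-src` as well as `script-src`; none of that is visible in this diffstat, which is limited to `actionpack/lib`.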