Add CSP nonce to `style-src` directive

For nonce, only `script-src` and` style-src` are meaningful in the definition of Content Security Policy Level 2. https://www.w3.org/TR/CSP2/#script-src-nonce-usage https://www.w3.org/TR/CSP2/#style-src-nonce-usage Therefore, I think that customization function not needs and it is enough to enable both directives inside the framework. Fixes #32920
author: yuuji.yaginuma <yuuji.yaginuma@gmail.com> 2018-05-19 11:14:29 +0900
committer: yuuji.yaginuma <yuuji.yaginuma@gmail.com> 2018-05-19 11:14:29 +0900
commit: 0c85def8bae901631810e002f1cf7b61750b3a17 (patch)
tree: d7c7b011cf18cc75fd39ccf2151cbacb7b94883d /actionpack/lib
parent: 9f95767979579f5761cb0d2bcccb67f3662349c5 (diff)
download: rails-0c85def8bae901631810e002f1cf7b61750b3a17.tar.gz
rails-0c85def8bae901631810e002f1cf7b61750b3a17.tar.bz2
rails-0c85def8bae901631810e002f1cf7b61750b3a17.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/actionpack/lib/action_dispatch/http/content_security_policy.rb b/actionpack/lib/action_dispatch/http/content_security_policy.rb
index 35041fd072..855be5ce2e 100644
--- a/actionpack/lib/action_dispatch/http/content_security_policy.rb
+++ b/actionpack/lib/action_dispatch/http/content_security_policy.rb
@@ -132,7 +132,7 @@ module ActionDispatch #:nodoc:
       worker_src:      "worker-src"
     }.freeze
 
-    NONCE_DIRECTIVES = %w[script-src].freeze
+    NONCE_DIRECTIVES = %w[script-src style-src].freeze
 
     private_constant :MAPPINGS, :DIRECTIVES, :NONCE_DIRECTIVES
author	yuuji.yaginuma <yuuji.yaginuma@gmail.com>	2018-05-19 11:14:29 +0900
committer	yuuji.yaginuma <yuuji.yaginuma@gmail.com>	2018-05-19 11:14:29 +0900
commit	0c85def8bae901631810e002f1cf7b61750b3a17 (patch)
tree	d7c7b011cf18cc75fd39ccf2151cbacb7b94883d /actionpack/lib
parent	9f95767979579f5761cb0d2bcccb67f3662349c5 (diff)
download	rails-0c85def8bae901631810e002f1cf7b61750b3a17.tar.gz rails-0c85def8bae901631810e002f1cf7b61750b3a17.tar.bz2 rails-0c85def8bae901631810e002f1cf7b61750b3a17.zip