author | Andrew White <andrew.white@unboxed.co> | 2018-03-08 14:14:09 +0000 |
---|---|---|
committer | Andrew White <andrew.white@unboxed.co> | 2018-03-08 14:14:09 +0000 |
commit | 190744cd8ed014915803fa805996be04dc750d9d (patch) | |
tree | 66aca1907aac710c55e710f91392f40c49472b1d /actionpack/lib | |
parent | af406a753c59266c61e9ebcd0f131fdc6533a124 (diff) | |
Always yield a CSP policy instance
If the app has the CSP disabled globally, allow a controller action
to enable the policy for that request.
Diffstat (limited to 'actionpack/lib')
-rw-r--r-- | actionpack/lib/action_controller/metal/content_security_policy.rb | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/metal/content_security_policy.rb b/actionpack/lib/action_controller/metal/content_security_policy.rb
index 67682e7f4f..b8fab4ebe3 100644
--- a/actionpack/lib/action_controller/metal/content_security_policy.rb
+++ b/actionpack/lib/action_controller/metal/content_security_policy.rb
@@ -17,7 +17,7 @@ module ActionController #:nodoc:
 def content_security_policy(enabled = true, **options, &block)
 before_action(options) do
 if block_given?
- policy = request.content_security_policy.clone
+ policy = current_content_security_policy
 yield policy
 request.content_security_policy = policy
 end
@@ -44,5 +44,9 @@ module ActionController #:nodoc:
 def content_security_policy_nonce
 request.content_security_policy_nonce
 end
+
+ def current_content_security_policy
+ request.content_security_policy.try(:clone) || ActionDispatch::ContentSecurityPolicy.new
+ end
 end
 end |
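Review bot: The block passed to `content_security_policy` now receives an empty policy whenever `request.content_security_policy` is nil, and nothing at the changed line `policy = current_content_security_policy` or on the helper in the second hunk says so. A controller block written as an override of the app-wide policy, for example one that only adjusts a single directive, would then emit a header holding just that directive in any environment where the global policy is switched off. I would document this on the class method, e.g. `# The block receives a copy of the global policy, or an empty policy if none is configured; in that case the block must set every directive it needs.` The body of `content_security_policy` continues past the end of this hunk.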
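Review bot: The second hunk does not show whether `current_content_security_policy` lands below a `private` marker, because the surrounding module body lies outside the hunk. Public instance methods on a controller are candidates for routable actions, so a helper like this should not be public. If the preceding `content_security_policy_nonce` is not already in a private section, add `private` above the helper or `private :current_content_security_policy` after it.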