authorAndrew White <andrew.white@unboxed.co>2018-03-08 14:14:09 +0000
committerAndrew White <andrew.white@unboxed.co>2018-03-08 14:14:09 +0000
commit190744cd8ed014915803fa805996be04dc750d9d (patch)
tree66aca1907aac710c55e710f91392f40c49472b1d /actionpack/lib
parentaf406a753c59266c61e9ebcd0f131fdc6533a124 (diff)
Always yield a CSP policy instance
If the app has the CSP disabled globally, allow a controller action to enable the policy for that request.
Diffstat (limited to 'actionpack/lib')
-rw-r--r--actionpack/lib/action_controller/metal/content_security_policy.rb6
1 files changed, 5 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/metal/content_security_policy.rb b/actionpack/lib/action_controller/metal/content_security_policy.rb
index 67682e7f4f..b8fab4ebe3 100644
--- a/actionpack/lib/action_controller/metal/content_security_policy.rb
+++ b/actionpack/lib/action_controller/metal/content_security_policy.rb
@@ -17,7 +17,7 @@ module ActionController #:nodoc:
def content_security_policy(enabled = true, **options, &block)
before_action(options) do
if block_given?
- policy = request.content_security_policy.clone
+ policy = current_content_security_policy
yield policy
request.content_security_policy = policy
end
@@ -44,5 +44,9 @@ module ActionController #:nodoc:
def content_security_policy_nonce
request.content_security_policy_nonce
end
+
+ def current_content_security_policy
+ request.content_security_policy.try(:clone) || ActionDispatch::ContentSecurityPolicy.new
+ end
end
end
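Review bot: `current_content_security_policy` falls back to a bare `ActionDispatch::ContentSecurityPolicy.new` when the request carries no global policy, so the block in `content_security_policy` (first hunk) starts from a policy with no directives, and whatever it sets is presumably the entire policy for that request. A controller author may assume app-wide defaults still apply, so this is worth stating on the helper, for example `# Returns a copy of the request's policy, or a new empty policy when CSP is disabled globally; the caller's block must set every directive it relies on.` The hunk does not show whether the method sits under a `private` section; if it does not, it becomes part of the controller's public interface, so that should be confirmed. The enclosing module begins and the `content_security_policy` body continues outside the visible hunks.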