Use request object for context if there's no controller

There is no controller instance when using a redirect route or a mounted rack application so pass the request object as the context when resolving dynamic CSP sources in this scenario. Fixes #34200.
author: Andrew White <andrew.white@unboxed.co> 2018-10-22 17:15:33 +0100
committer: Andrew White <andrew.white@unboxed.co> 2018-10-22 17:16:52 +0100
commit: a150a026591b7b9dcaba5a2ef5fce02f7d990aba (patch)
tree: 52a5dc9b0be1bf671bc471936d6d3fc60f28baef /actionpack/lib
parent: ed91b75c937805cb52b3930f2549b7a179cdc421 (diff)
download: rails-a150a026591b7b9dcaba5a2ef5fce02f7d990aba.tar.gz
rails-a150a026591b7b9dcaba5a2ef5fce02f7d990aba.tar.bz2
rails-a150a026591b7b9dcaba5a2ef5fce02f7d990aba.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/actionpack/lib/action_dispatch/http/content_security_policy.rb b/actionpack/lib/action_dispatch/http/content_security_policy.rb
index 15b7bd1233..b1e5a28be5 100644
--- a/actionpack/lib/action_dispatch/http/content_security_policy.rb
+++ b/actionpack/lib/action_dispatch/http/content_security_policy.rb
@@ -22,7 +22,8 @@ module ActionDispatch #:nodoc:
 
         if policy = request.content_security_policy
           nonce = request.content_security_policy_nonce
-          headers[header_name(request)] = policy.build(request.controller_instance, nonce)
+          context = request.controller_instance || request
+          headers[header_name(request)] = policy.build(context, nonce)
         end
 
         response
author	Andrew White <andrew.white@unboxed.co>	2018-10-22 17:15:33 +0100
committer	Andrew White <andrew.white@unboxed.co>	2018-10-22 17:16:52 +0100
commit	a150a026591b7b9dcaba5a2ef5fce02f7d990aba (patch)
tree	52a5dc9b0be1bf671bc471936d6d3fc60f28baef /actionpack/lib
parent	ed91b75c937805cb52b3930f2549b7a179cdc421 (diff)
download	rails-a150a026591b7b9dcaba5a2ef5fce02f7d990aba.tar.gz rails-a150a026591b7b9dcaba5a2ef5fce02f7d990aba.tar.bz2 rails-a150a026591b7b9dcaba5a2ef5fce02f7d990aba.zip