diff options
| author | Andrew White <andrew.white@unboxed.co> | 2018-10-22 17:10:01 +0100 |
|---|---|---|
| committer | Andrew White <andrew.white@unboxed.co> | 2018-10-22 17:10:01 +0100 |
| commit | ed91b75c937805cb52b3930f2549b7a179cdc421 (patch) | |
| tree | 95c43d7fd2e2899fa6949b52b588cd6bce5a84ca /actionpack/lib | |
| parent | dc6761592009e9146552fc9d6299bf58a34e187a (diff) | |
| download | rails-ed91b75c937805cb52b3930f2549b7a179cdc421.tar.gz rails-ed91b75c937805cb52b3930f2549b7a179cdc421.tar.bz2 rails-ed91b75c937805cb52b3930f2549b7a179cdc421.zip | |
Apply mapping to symbols returned from dynamic CSP sources
Previously if a dynamic source returned a symbol such as :self it
would be converted to a string implicity, e.g:
policy.default_src -> { :self }
would generate the header:
Content-Security-Policy: default-src self
and now it generates:
Content-Security-Policy: default-src 'self'
Diffstat (limited to 'actionpack/lib')
| -rw-r--r-- | actionpack/lib/action_dispatch/http/content_security_policy.rb | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/actionpack/lib/action_dispatch/http/content_security_policy.rb b/actionpack/lib/action_dispatch/http/content_security_policy.rb index 50953e32b5..15b7bd1233 100644 --- a/actionpack/lib/action_dispatch/http/content_security_policy.rb +++ b/actionpack/lib/action_dispatch/http/content_security_policy.rb @@ -257,7 +257,8 @@ module ActionDispatch #:nodoc: if context.nil? raise RuntimeError, "Missing context for the dynamic content security policy source: #{source.inspect}" else - context.instance_exec(&source) + resolved = context.instance_exec(&source) + resolved.is_a?(Symbol) ? apply_mapping(resolved) : resolved end else raise RuntimeError, "Unexpected content security policy source: #{source.inspect}" |