author | Andrew White <andrew.white@unboxed.co> | 2018-03-08 14:01:15 +0000 |
committer | Andrew White <andrew.white@unboxed.co> | 2018-03-08 14:01:15 +0000 |
commit | af406a753c59266c61e9ebcd0f131fdc6533a124 (patch) | |
tree | 50ab44037136e1e1313d15e98a95414732cc7a02 /actionpack/test/dispatch | |
parent | f30ac99d0c814ab69488e08aa3841bf45208fb2c (diff) | |
Add the ability to disable the global CSP in a controller
e.g.:
class LegacyPagesController < ApplicationController
content_security_policy false, only: :index
end
Diffstat (limited to 'actionpack/test/dispatch')
-rw-r--r-- | actionpack/test/dispatch/content_security_policy_test.rb | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/actionpack/test/dispatch/content_security_policy_test.rb b/actionpack/test/dispatch/content_security_policy_test.rb
index b88f90190a..205bce16d4 100644
--- a/actionpack/test/dispatch/content_security_policy_test.rb
+++ b/actionpack/test/dispatch/content_security_policy_test.rb
@@ -258,6 +258,8 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
       p.script_src :self
     end
 
+    content_security_policy(false, only: :no_policy)
+
     content_security_policy_report_only only: :report_only
 
     def index
@@ -280,6 +282,10 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
       head :ok
     end
 
+    def no_policy
+      head :ok
+    end
+
     private
       def condition?
         params[:condition] == "true"
@@ -294,6 +300,7 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
     get "/conditional", to: "policy#conditional"
     get "/report-only", to: "policy#report_only"
     get "/script-src", to: "policy#script_src"
+    get "/no-policy", to: "policy#no_policy"
   end
 end
@@ -353,6 +360,13 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
     assert_policy "script-src 'self' 'nonce-iyhD0Yc0W+c='"
   end
 
+  def test_generates_no_content_security_policy
+    get "/no-policy"
+
+    assert_nil response.headers["Content-Security-Policy"]
+    assert_nil response.headers["Content-Security-Policy-Report-Only"]
+  end
+
   private
     def env_config
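Review bot: The second assertion in `test_generates_no_content_security_policy` is vacuous for this action: the controller's report-only policy is declared with `content_security_policy_report_only only: :report_only`, so `Content-Security-Policy-Report-Only` is already absent for `/no-policy` with or without the new `content_security_policy(false, only: :no_policy)` line, and the test cannot fail if `false` stops clearing a report-only policy. If the intent is that `false` suppresses both headers, the test needs an action where a report-only policy would otherwise apply; if `false` is only meant to clear the enforced policy (the library change is not in this diff, so I cannot tell), the assertion should be dropped or replaced with a comment such as `# report-only policy is scoped to :report_only, so it never applies here` to keep the intent honest. Since this is a per-action opt-out of an XSS mitigation, a one-line comment on `no_policy` in the controller stating it deliberately sends no policy would also make the escape hatch easier to audit. The enclosing test class continues outside the hunk.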