author | Yuji Yaginuma <yuuji.yaginuma@gmail.com> | 2019-07-03 08:23:48 +0900 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-07-03 08:23:48 +0900 |
commit | 141b30630cc9ec15dd5aa88e062383adedd335de (patch) | |
tree | c39e6ebe6850e7e8816b1cf8069460d98ff92b29 /actionpack/test | |
parent | 41503f3d08418fb2dfe0eb85ac797059d9590051 (diff) | |
parent | 09d55b302266cf002a4b307f8d37a105d2838a18 (diff) | |
download | rails-141b30630cc9ec15dd5aa88e062383adedd335de.tar.gz rails-141b30630cc9ec15dd5aa88e062383adedd335de.tar.bz2 rails-141b30630cc9ec15dd5aa88e062383adedd335de.zip |
Merge pull request #36534 from y-yagi/fixes_35137
Add the ability to set the CSP nonce only to the specified directives
Diffstat (limited to 'actionpack/test')
-rw-r--r-- | actionpack/test/dispatch/content_security_policy_test.rb | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/actionpack/test/dispatch/content_security_policy_test.rb b/actionpack/test/dispatch/content_security_policy_test.rb
index 30c340ae9e..a4634626bb 100644
--- a/actionpack/test/dispatch/content_security_policy_test.rb
+++ b/actionpack/test/dispatch/content_security_policy_test.rb
@@ -542,3 +542,57 @@ class DisabledContentSecurityPolicyIntegrationTest < ActionDispatch::Integration
 assert_equal "default-src https://example.com", response.headers["Content-Security-Policy"]
 end
 end
+
+class NonceDirectiveContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
+ class PolicyController < ActionController::Base
+ def index
+ head :ok
+ end
+ end
+
+ ROUTES = ActionDispatch::Routing::RouteSet.new
+ ROUTES.draw do
+ scope module: "nonce_directive_content_security_policy_integration_test" do
+ get "/", to: "policy#index"
+ end
+ end
+
+ POLICY = ActionDispatch::ContentSecurityPolicy.new do |p|
+ p.default_src -> { :self }
+ p.script_src -> { :https }
+ p.style_src -> { :https }
+ end
+
+ class PolicyConfigMiddleware
+ def initialize(app)
+ @app = app
+ end
+
+ def call(env)
+ env["action_dispatch.content_security_policy"] = POLICY
+ env["action_dispatch.content_security_policy_nonce_generator"] = proc { "iyhD0Yc0W+c=" }
+ env["action_dispatch.content_security_policy_report_only"] = false
+ env["action_dispatch.content_security_policy_nonce_directives"] = %w(script-src)
+ env["action_dispatch.show_exceptions"] = false
+
+ @app.call(env)
+ end
+ end
+
+ APP = build_app(ROUTES) do |middleware|
+ middleware.use PolicyConfigMiddleware
+ middleware.use ActionDispatch::ContentSecurityPolicy::Middleware
+ end
+
+ def app
+ APP
+ end
+
+ def test_generate_nonce_only_specified_in_nonce_directives
+ get "/"
+
+ assert_response :success
+ assert_match "script-src https: 'nonce-iyhD0Yc0W+c='", response.headers["Content-Security-Policy"]
+ assert_no_match "style-src https: 'nonce-iyhD0Yc0W+c='", response.headers["Content-Security-Policy"]
+ end
+end |
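Review bot: The negative check at the end of test_generate_nonce_only_specified_in_nonce_directives only proves that the exact string `style-src https: 'nonce-iyhD0Yc0W+c='` is absent; it would still pass if the style-src directive were dropped from the header entirely or if the nonce were also appended to default-src, so the test does not pin that directives outside the configured list are left untouched. The surrounding file, as the context line `assert_equal "default-src https://example.com", ...` shows, compares the whole header, and the same shape here would make the intended contract explicit: `assert_equal "default-src 'self'; script-src https: 'nonce-iyhD0Yc0W+c='; style-src https:", response.headers["Content-Security-Policy"]`, assuming the policy serializes directives in declaration order joined by `; ` as the other tests in this file rely on. A companion case that leaves `action_dispatch.content_security_policy_nonce_directives` unset would also guard the previous behaviour (nonce on both script-src and style-src) against regression, unless one of the earlier test classes in this file already covers it.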