Add the ability to disable the global CSP in a controller

e.g: class LegacyPagesController < ApplicationController content_security_policy false, only: :index end
author: Andrew White <andrew.white@unboxed.co> 2018-03-08 14:01:15 +0000
committer: Andrew White <andrew.white@unboxed.co> 2018-03-08 14:01:15 +0000
commit: af406a753c59266c61e9ebcd0f131fdc6533a124 (patch)
tree: 50ab44037136e1e1313d15e98a95414732cc7a02 /actionpack/test
parent: f30ac99d0c814ab69488e08aa3841bf45208fb2c (diff)
download: rails-af406a753c59266c61e9ebcd0f131fdc6533a124.tar.gz
rails-af406a753c59266c61e9ebcd0f131fdc6533a124.tar.bz2
rails-af406a753c59266c61e9ebcd0f131fdc6533a124.zip
1 files changed, 14 insertions, 0 deletions
diff --git a/actionpack/test/dispatch/content_security_policy_test.rb b/actionpack/test/dispatch/content_security_policy_test.rb
index b88f90190a..205bce16d4 100644
--- a/actionpack/test/dispatch/content_security_policy_test.rb
+++ b/actionpack/test/dispatch/content_security_policy_test.rb
@@ -258,6 +258,8 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
       p.script_src :self
     end
 
+    content_security_policy(false, only: :no_policy)
+
     content_security_policy_report_only only: :report_only
 
     def index
@@ -280,6 +282,10 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
       head :ok
     end
 
+    def no_policy
+      head :ok
+    end
+
     private
       def condition?
         params[:condition] == "true"
@@ -294,6 +300,7 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
       get "/conditional", to: "policy#conditional"
       get "/report-only", to: "policy#report_only"
       get "/script-src", to: "policy#script_src"
+      get "/no-policy", to: "policy#no_policy"
     end
   end
 
@@ -353,6 +360,13 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
     assert_policy "script-src 'self' 'nonce-iyhD0Yc0W+c='"
   end
 
+  def test_generates_no_content_security_policy
+    get "/no-policy"
+
+    assert_nil response.headers["Content-Security-Policy"]
+    assert_nil response.headers["Content-Security-Policy-Report-Only"]
+  end
+
   private
 
     def env_config
author	Andrew White <andrew.white@unboxed.co>	2018-03-08 14:01:15 +0000
committer	Andrew White <andrew.white@unboxed.co>	2018-03-08 14:01:15 +0000
commit	af406a753c59266c61e9ebcd0f131fdc6533a124 (patch)
tree	50ab44037136e1e1313d15e98a95414732cc7a02 /actionpack/test
parent	f30ac99d0c814ab69488e08aa3841bf45208fb2c (diff)
download	rails-af406a753c59266c61e9ebcd0f131fdc6533a124.tar.gz rails-af406a753c59266c61e9ebcd0f131fdc6533a124.tar.bz2 rails-af406a753c59266c61e9ebcd0f131fdc6533a124.zip