diff options
| author | yuuji.yaginuma <yuuji.yaginuma@gmail.com> | 2018-05-19 11:14:29 +0900 |
|---|---|---|
| committer | yuuji.yaginuma <yuuji.yaginuma@gmail.com> | 2018-05-19 11:14:29 +0900 |
| commit | 0c85def8bae901631810e002f1cf7b61750b3a17 (patch) | |
| tree | d7c7b011cf18cc75fd39ccf2151cbacb7b94883d /actionpack | |
| parent | 9f95767979579f5761cb0d2bcccb67f3662349c5 (diff) | |
| download | rails-0c85def8bae901631810e002f1cf7b61750b3a17.tar.gz rails-0c85def8bae901631810e002f1cf7b61750b3a17.tar.bz2 rails-0c85def8bae901631810e002f1cf7b61750b3a17.zip | |
Add CSP nonce to `style-src` directive
For nonce, only `script-src` and` style-src` are meaningful in the
definition of Content Security Policy Level 2.
https://www.w3.org/TR/CSP2/#script-src-nonce-usage
https://www.w3.org/TR/CSP2/#style-src-nonce-usage
Therefore, I think that customization function not needs and it is enough
to enable both directives inside the framework.
Fixes #32920
Diffstat (limited to 'actionpack')
| -rw-r--r-- | actionpack/lib/action_dispatch/http/content_security_policy.rb | 2 | ||||
| -rw-r--r-- | actionpack/test/dispatch/content_security_policy_test.rb | 15 |
2 files changed, 16 insertions, 1 deletions
diff --git a/actionpack/lib/action_dispatch/http/content_security_policy.rb b/actionpack/lib/action_dispatch/http/content_security_policy.rb index 35041fd072..855be5ce2e 100644 --- a/actionpack/lib/action_dispatch/http/content_security_policy.rb +++ b/actionpack/lib/action_dispatch/http/content_security_policy.rb @@ -132,7 +132,7 @@ module ActionDispatch #:nodoc: worker_src: "worker-src" }.freeze - NONCE_DIRECTIVES = %w[script-src].freeze + NONCE_DIRECTIVES = %w[script-src style-src].freeze private_constant :MAPPINGS, :DIRECTIVES, :NONCE_DIRECTIVES diff --git a/actionpack/test/dispatch/content_security_policy_test.rb b/actionpack/test/dispatch/content_security_policy_test.rb index 4f9a4ff2bd..13ad22b5c5 100644 --- a/actionpack/test/dispatch/content_security_policy_test.rb +++ b/actionpack/test/dispatch/content_security_policy_test.rb @@ -339,6 +339,11 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest p.script_src :self end + content_security_policy only: :style_src do |p| + p.default_src false + p.style_src :self + end + content_security_policy(false, only: :no_policy) content_security_policy_report_only only: :report_only @@ -363,6 +368,10 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest head :ok end + def style_src + head :ok + end + def no_policy head :ok end @@ -381,6 +390,7 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest get "/conditional", to: "policy#conditional" get "/report-only", to: "policy#report_only" get "/script-src", to: "policy#script_src" + get "/style-src", to: "policy#style_src" get "/no-policy", to: "policy#no_policy" end end @@ -441,6 +451,11 @@ class ContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest assert_policy "script-src 'self' 'nonce-iyhD0Yc0W+c='" end + def test_adds_nonce_to_style_src_content_security_policy + get "/style-src" + assert_policy "style-src 'self' 'nonce-iyhD0Yc0W+c='" + end + def test_generates_no_content_security_policy get "/no-policy" |