author: Andrew White <andrew.white@unboxed.co> 2017-11-27 08:35:40 +0000
committer: Andrew White <andrew.white@unboxed.co> 2017-11-27 08:35:40 +0000
commit: 723f29c0dd172ae41d710b239e2a000b16aad01a (patch)
tree: 19489d2bd68fa0de9085009b9b629257e463f8e9 /actionpack
parent: afc2b424e27fe48f83d5d1be73a8fadc38499c0c (diff)
download: rails-723f29c0dd172ae41d710b239e2a000b16aad01a.tar.gz
rails-723f29c0dd172ae41d710b239e2a000b16aad01a.tar.bz2
rails-723f29c0dd172ae41d710b239e2a000b16aad01a.zip
Add CHANGELOG.md entry for #31162 [ci skip]
Diffstat (limited to 'actionpack')
-rw-r--r-- actionpack/CHANGELOG.md | 60
1 files changed, 60 insertions, 0 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index e01f88e902..d48aa1081f 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,63 @@
+* Add DSL for configuring Content-Security-Policy header
+
+ The DSL allows you to configure a global Content-Security-Policy
+ header and then override within a controller. For more information
+ about the Content-Security-Policy header see MDN:
+
+ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+
+ Example global policy:
+
+ # config/initializers/content_security_policy.rb
+ Rails.application.config.content_security_policy do
+ p.default_src :self, :https
+ p.font_src :self, :https, :data
+ p.img_src :self, :https, :data
+ p.object_src :none
+ p.script_src :self, :https
+ p.style_src :self, :https, :unsafe_inline
+ end
+
+ Example controller overrides:
+
+ # Override policy inline
+ class PostsController < ApplicationController
+ content_security_policy do |p|
+ p.upgrade_insecure_requests true
+ end
+ end
+
+ # Using literal values
+ class PostsController < ApplicationController
+ content_security_policy do |p|
+ p.base_uri "https://www.example.com"
+ end
+ end
+
+ # Using mixed static and dynamic values
+ class PostsController < ApplicationController
+ content_security_policy do |p|
+ p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
+ end
+ end
+
+ Allows you to also only report content violations for migrating
+ legacy content using the `content_security_policy_report_only`
+ configuration attribute, e.g;
+
+ # config/initializers/content_security_policy.rb
+ Rails.application.config.content_security_policy_report_only = true
+
+ # controller override
+ class PostsController < ApplicationController
+ self.content_security_policy_report_only = true
+ end
+
+ Note that this feature does not validate the header for performance
+ reasons since the header is calculated at runtime.
+
+ *Andrew White*
+
* Make `assert_recognizes` to traverse mounted engines
*Yuichiro Kaneko*
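Review bot: The global policy example is missing its block parameter: `Rails.application.config.content_security_policy do` opens the block without `|p|`, yet the body calls `p.default_src :self, :https` and the following lines on `p`; as written, `p` resolves to `Kernel#p` (which returns nil with no arguments), so the first call raises NoMethodError. The line should read `Rails.application.config.content_security_policy do |p|`, matching the controller examples further down. Two smaller points in the same hunk: "e.g;" before the report-only examples should be "e.g.:", and since a CHANGELOG entry is the snippet readers copy first, `p.style_src :self, :https, :unsafe_inline` in the sample policy deserves a short caveat that it permits inline styles and so gives up part of the protection CSP offers against injected content; stating it as a deliberate trade-off for migrating applications would be better than leaving it as an unremarked default.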