diff options
author | yuuji.yaginuma <yuuji.yaginuma@gmail.com> | 2019-07-18 09:31:51 +0900 |
---|---|---|
committer | yuuji.yaginuma <yuuji.yaginuma@gmail.com> | 2019-07-18 10:00:54 +0900 |
commit | efae4c268bbecbfbf8020c3302183ce0887f083a (patch) | |
tree | 6d9ab6828d90188287fc815c84bdafd3deef4176 /actionpack | |
parent | c5a24c8ebba543687c11f893584618a20316fe34 (diff) | |
download | rails-efae4c268bbecbfbf8020c3302183ce0887f083a.tar.gz rails-efae4c268bbecbfbf8020c3302183ce0887f083a.tar.bz2 rails-efae4c268bbecbfbf8020c3302183ce0887f083a.zip |
Add support for script-src-attr / elem and style-src-attr / elem directives
These directives can be used in Chrome 75.
Ref: https://www.chromestatus.com/feature/5141352765456384
Diffstat (limited to 'actionpack')
-rw-r--r-- | actionpack/lib/action_dispatch/http/content_security_policy.rb | 4 | ||||
-rw-r--r-- | actionpack/test/dispatch/content_security_policy_test.rb | 24 |
2 files changed, 28 insertions, 0 deletions
diff --git a/actionpack/lib/action_dispatch/http/content_security_policy.rb b/actionpack/lib/action_dispatch/http/content_security_policy.rb index 7dedecef34..9c430b57e3 100644 --- a/actionpack/lib/action_dispatch/http/content_security_policy.rb +++ b/actionpack/lib/action_dispatch/http/content_security_policy.rb @@ -137,7 +137,11 @@ module ActionDispatch #:nodoc: object_src: "object-src", prefetch_src: "prefetch-src", script_src: "script-src", + script_src_attr: "script-src-attr", + script_src_elem: "script-src-elem", style_src: "style-src", + style_src_attr: "style-src-attr", + style_src_elem: "style-src-elem", worker_src: "worker-src" }.freeze diff --git a/actionpack/test/dispatch/content_security_policy_test.rb b/actionpack/test/dispatch/content_security_policy_test.rb index a4634626bb..3d60dc1661 100644 --- a/actionpack/test/dispatch/content_security_policy_test.rb +++ b/actionpack/test/dispatch/content_security_policy_test.rb @@ -128,12 +128,36 @@ class ContentSecurityPolicyTest < ActiveSupport::TestCase @policy.script_src false assert_no_match %r{script-src}, @policy.build + @policy.script_src_attr :self + assert_match %r{script-src-attr 'self'}, @policy.build + + @policy.script_src_attr false + assert_no_match %r{script-src-attr}, @policy.build + + @policy.script_src_elem :self + assert_match %r{script-src-elem 'self'}, @policy.build + + @policy.script_src_elem false + assert_no_match %r{script-src-elem}, @policy.build + @policy.style_src :self assert_match %r{style-src 'self'}, @policy.build @policy.style_src false assert_no_match %r{style-src}, @policy.build + @policy.style_src_attr :self + assert_match %r{style-src-attr 'self'}, @policy.build + + @policy.style_src_attr false + assert_no_match %r{style-src-attr}, @policy.build + + @policy.style_src_elem :self + assert_match %r{style-src-elem 'self'}, @policy.build + + @policy.style_src_elem false + assert_no_match %r{style-src-elem}, @policy.build + @policy.worker_src :self assert_match %r{worker-src 'self'}, @policy.build |