aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack
diff options
context:
space:
mode:
authoryuuji.yaginuma <yuuji.yaginuma@gmail.com>2019-07-18 09:31:51 +0900
committeryuuji.yaginuma <yuuji.yaginuma@gmail.com>2019-07-18 10:00:54 +0900
commitefae4c268bbecbfbf8020c3302183ce0887f083a (patch)
tree6d9ab6828d90188287fc815c84bdafd3deef4176 /actionpack
parentc5a24c8ebba543687c11f893584618a20316fe34 (diff)
downloadrails-efae4c268bbecbfbf8020c3302183ce0887f083a.tar.gz
rails-efae4c268bbecbfbf8020c3302183ce0887f083a.tar.bz2
rails-efae4c268bbecbfbf8020c3302183ce0887f083a.zip
Add support for script-src-attr / elem and style-src-attr / elem directives
These directives can be used in Chrome 75. Ref: https://www.chromestatus.com/feature/5141352765456384
Diffstat (limited to 'actionpack')
-rw-r--r--actionpack/lib/action_dispatch/http/content_security_policy.rb4
-rw-r--r--actionpack/test/dispatch/content_security_policy_test.rb24
2 files changed, 28 insertions, 0 deletions
diff --git a/actionpack/lib/action_dispatch/http/content_security_policy.rb b/actionpack/lib/action_dispatch/http/content_security_policy.rb
index 7dedecef34..9c430b57e3 100644
--- a/actionpack/lib/action_dispatch/http/content_security_policy.rb
+++ b/actionpack/lib/action_dispatch/http/content_security_policy.rb
@@ -137,7 +137,11 @@ module ActionDispatch #:nodoc:
object_src: "object-src",
prefetch_src: "prefetch-src",
script_src: "script-src",
+ script_src_attr: "script-src-attr",
+ script_src_elem: "script-src-elem",
style_src: "style-src",
+ style_src_attr: "style-src-attr",
+ style_src_elem: "style-src-elem",
worker_src: "worker-src"
}.freeze
diff --git a/actionpack/test/dispatch/content_security_policy_test.rb b/actionpack/test/dispatch/content_security_policy_test.rb
index a4634626bb..3d60dc1661 100644
--- a/actionpack/test/dispatch/content_security_policy_test.rb
+++ b/actionpack/test/dispatch/content_security_policy_test.rb
@@ -128,12 +128,36 @@ class ContentSecurityPolicyTest < ActiveSupport::TestCase
@policy.script_src false
assert_no_match %r{script-src}, @policy.build
+ @policy.script_src_attr :self
+ assert_match %r{script-src-attr 'self'}, @policy.build
+
+ @policy.script_src_attr false
+ assert_no_match %r{script-src-attr}, @policy.build
+
+ @policy.script_src_elem :self
+ assert_match %r{script-src-elem 'self'}, @policy.build
+
+ @policy.script_src_elem false
+ assert_no_match %r{script-src-elem}, @policy.build
+
@policy.style_src :self
assert_match %r{style-src 'self'}, @policy.build
@policy.style_src false
assert_no_match %r{style-src}, @policy.build
+ @policy.style_src_attr :self
+ assert_match %r{style-src-attr 'self'}, @policy.build
+
+ @policy.style_src_attr false
+ assert_no_match %r{style-src-attr}, @policy.build
+
+ @policy.style_src_elem :self
+ assert_match %r{style-src-elem 'self'}, @policy.build
+
+ @policy.style_src_elem false
+ assert_no_match %r{style-src-elem}, @policy.build
+
@policy.worker_src :self
assert_match %r{worker-src 'self'}, @policy.build