author | Yuji Yaginuma <yuuji.yaginuma@gmail.com> | 2019-07-03 08:23:48 +0900 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-07-03 08:23:48 +0900 |
commit | 141b30630cc9ec15dd5aa88e062383adedd335de (patch) | |
tree | c39e6ebe6850e7e8816b1cf8069460d98ff92b29 /railties/test/application/content_security_policy_test.rb | |
parent | 41503f3d08418fb2dfe0eb85ac797059d9590051 (diff) | |
parent | 09d55b302266cf002a4b307f8d37a105d2838a18 (diff) | |
Merge pull request #36534 from y-yagi/fixes_35137
Add the ability to set the CSP nonce only to the specified directives
Diffstat (limited to 'railties/test/application/content_security_policy_test.rb')
-rw-r--r-- | railties/test/application/content_security_policy_test.rb | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/railties/test/application/content_security_policy_test.rb b/railties/test/application/content_security_policy_test.rb
index 3338bcb47d..0bb6ee917a 100644
--- a/railties/test/application/content_security_policy_test.rb
+++ b/railties/test/application/content_security_policy_test.rb
@@ -119,6 +119,38 @@ module ApplicationTests
assert_policy "default-src 'self' https:", report_only: true
end
+ test "global content security policy nonce directives in an initializer" do
+ controller :pages, <<-RUBY
+ class PagesController < ApplicationController
+ def index
+ render html: "<h1>Welcome to Rails!</h1>"
+ end
+ end
+ RUBY
+
+ app_file "config/initializers/content_security_policy.rb", <<-RUBY
+ Rails.application.config.content_security_policy do |p|
+ p.default_src :self, :https
+ p.script_src :self, :https
+ p.style_src :self, :https
+ end
+
+ Rails.application.config.content_security_policy_nonce_generator = proc { "iyhD0Yc0W+c=" }
+ Rails.application.config.content_security_policy_nonce_directives = %w(script-src)
+ RUBY
+
+ app_file "config/routes.rb", <<-RUBY
+ Rails.application.routes.draw do
+ root to: "pages#index"
+ end
+ RUBY
+
+ app("development")
+
+ get "/"
+ assert_policy "default-src 'self' https:; script-src 'self' https: 'nonce-iyhD0Yc0W+c='; style-src 'self' https:"
+ end
+
+ test "override content security policy in a controller" do
+ controller :pages, <<-RUBY
+ class PagesController < ApplicationController |
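Review bot: The new test pins the nonce to `script-src` only for the enforced `Content-Security-Policy` header; it never exercises the report-only path that the context line immediately above this hunk already covers (`assert_policy "default-src 'self' https:", report_only: true`), so a regression where `content_security_policy_nonce_directives` is ignored when the policy is emitted as report-only would still pass. A second test (or a second request in this one) declaring the same policy as report-only and asserting the identical `script-src 'self' https: 'nonce-iyhD0Yc0W+c='; style-src 'self' https:` split via `assert_policy ..., report_only: true` would close that gap. It would also be worth a companion assertion that leaving `content_security_policy_nonce_directives` unset keeps the pre-existing behaviour (nonce emitted on both `script-src` and `style-src`), unless an existing test outside this hunk already covers the default; from the diff alone I cannot tell whether the setting also accepts symbols such as `:script_src`, so if only hyphenated string names are meant to be honoured, a negative case pinning that would prevent a silently nonce-less policy. The added `test` block is complete within the hunk; the enclosing `module ApplicationTests` class starts before it.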