aboutsummaryrefslogtreecommitdiffstats
path: root/railties/test/application/content_security_policy_test.rb
diff options
context:
space:
mode:
authorYuji Yaginuma <yuuji.yaginuma@gmail.com>2019-07-03 08:23:48 +0900
committerGitHub <noreply@github.com>2019-07-03 08:23:48 +0900
commit141b30630cc9ec15dd5aa88e062383adedd335de (patch)
treec39e6ebe6850e7e8816b1cf8069460d98ff92b29 /railties/test/application/content_security_policy_test.rb
parent41503f3d08418fb2dfe0eb85ac797059d9590051 (diff)
parent09d55b302266cf002a4b307f8d37a105d2838a18 (diff)
downloadrails-141b30630cc9ec15dd5aa88e062383adedd335de.tar.gz
rails-141b30630cc9ec15dd5aa88e062383adedd335de.tar.bz2
rails-141b30630cc9ec15dd5aa88e062383adedd335de.zip
Merge pull request #36534 from y-yagi/fixes_35137
Add the ability to set the CSP nonce only to the specified directives
Diffstat (limited to 'railties/test/application/content_security_policy_test.rb')
-rw-r--r--railties/test/application/content_security_policy_test.rb32
1 files changed, 32 insertions, 0 deletions
diff --git a/railties/test/application/content_security_policy_test.rb b/railties/test/application/content_security_policy_test.rb
index 3338bcb47d..0bb6ee917a 100644
--- a/railties/test/application/content_security_policy_test.rb
+++ b/railties/test/application/content_security_policy_test.rb
@@ -119,6 +119,38 @@ module ApplicationTests
assert_policy "default-src 'self' https:", report_only: true
end
+ test "global content security policy nonce directives in an initializer" do
+ controller :pages, <<-RUBY
+ class PagesController < ApplicationController
+ def index
+ render html: "<h1>Welcome to Rails!</h1>"
+ end
+ end
+ RUBY
+
+ app_file "config/initializers/content_security_policy.rb", <<-RUBY
+ Rails.application.config.content_security_policy do |p|
+ p.default_src :self, :https
+ p.script_src :self, :https
+ p.style_src :self, :https
+ end
+
+ Rails.application.config.content_security_policy_nonce_generator = proc { "iyhD0Yc0W+c=" }
+ Rails.application.config.content_security_policy_nonce_directives = %w(script-src)
+ RUBY
+
+ app_file "config/routes.rb", <<-RUBY
+ Rails.application.routes.draw do
+ root to: "pages#index"
+ end
+ RUBY
+
+ app("development")
+
+ get "/"
+ assert_policy "default-src 'self' https:; script-src 'self' https: 'nonce-iyhD0Yc0W+c='; style-src 'self' https:"
+ end
+
test "override content security policy in a controller" do
controller :pages, <<-RUBY
class PagesController < ApplicationController