author: yuuji.yaginuma <yuuji.yaginuma@gmail.com> 2018-03-05 21:42:49 +0900
committer: Yuji Yaginuma <yuuji.yaginuma@gmail.com> 2018-03-08 21:17:18 +0900
commit: f30ac99d0c814ab69488e08aa3841bf45208fb2c (patch)
tree: 0dc57e49d036f3e47124c8422655274cadb98de8 /railties
parent: ed0c8e9577483c31120239bc138952b235f570b3 (diff)
Allow using inline style and script in the internal controllers
We use inline style and script for the views held inside Rails, like the welcome page and mailer preview. Therefore, if inline is prohibited by CSP, they will not work properly. I think that this is not as expected.

For that reason, I have made it possible to use inline style and script regardless of application settings.
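The commit message hinges on a CSP detail it does not spell out: a browser ignores `'unsafe-inline'` in a directive that also carries a `'nonce-...'` (or hash) source, so relaxing `script-src` is only effective if the per-request nonce is no longer appended. The following toy model is an added example, not Rails' own code; it assumes (modelled on this commit, not taken from the Rails source) that assigning `script_src` replaces the directive's source list and that a nonce is appended only when a nonce generator is configured. `FIXED_NONCE`, `build_script_src` and `inline_script_allowed?` are constructed names for the illustration.

```ruby
# Added example: a small model of how a CSP script-src source list decides
# whether an inline <script> runs. Per CSP Level 2, 'unsafe-inline' is
# ignored by the browser once the same directive also carries a nonce or
# hash source. This is not Rails' ContentSecurityPolicy implementation.

# Build a source list the way the commit's content_security_policy block
# behaves (assumption): assigning script_src replaces the directive's
# sources, and a 'nonce-...' source is appended only when a generator exists.
def build_script_src(sources, nonce_generator)
  list = sources.map { |s| s.is_a?(Symbol) ? "'#{s.to_s.tr('_', '-')}'" : s }
  list << "'nonce-#{nonce_generator.call}'" if nonce_generator
  list
end

# Model of the browser check for an inline <script> that has no nonce attribute.
def inline_script_allowed?(source_list)
  has_nonce_or_hash = source_list.any? do |s|
    s.start_with?("'nonce-", "'sha256-", "'sha384-", "'sha512-")
  end
  source_list.include?("'unsafe-inline'") && !has_nonce_or_hash
end

def header_line(source_list)
  "Content-Security-Policy: script-src #{source_list.join(' ')}"
end

# Constructed nonce generator standing in for the per-request random one.
FIXED_NONCE = -> { "abc123" }

# Application-wide policy: :self plus a nonce; inline scripts are blocked.
def app_policy
  build_script_src([:self], FIXED_NONCE)
end

# What the content_security_policy block alone would yield: 'unsafe-inline'
# plus the nonce, so inline scripts are still blocked.
def relaxed_but_nonced
  build_script_src([:unsafe_inline], FIXED_NONCE)
end

# With the nonce generator set to nil as well, 'unsafe-inline' takes effect.
def relaxed_without_nonce
  build_script_src([:unsafe_inline], nil)
end

if __FILE__ == $0
  [app_policy, relaxed_but_nonced, relaxed_without_nonce].each do |list|
    puts "#{header_line(list)}  => inline allowed: #{inline_script_allowed?(list)}"
  end
end
```

Running the file prints the three header variants; only the last one, where the nonce is absent, allows inline scripts, which is why the patch has to touch both the policy and the nonce generator.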
Diffstat (limited to 'railties')
-rw-r--r-- railties/lib/rails/application_controller.rb | 13
1 file changed, 13 insertions, 0 deletions
diff --git a/railties/lib/rails/application_controller.rb b/railties/lib/rails/application_controller.rb
index fa8793d81a..39f7791c18 100644
--- a/railties/lib/rails/application_controller.rb
+++ b/railties/lib/rails/application_controller.rb
@@ -4,6 +4,15 @@ class Rails::ApplicationController < ActionController::Base # :nodoc:
self.view_paths = File.expand_path("templates", __dir__)
layout "application"
+ before_action :disable_content_security_policy_nonce!
+
+ content_security_policy do |policy|
+ if policy
+ policy.script_src :unsafe_inline
+ policy.style_src :unsafe_inline
+ end
+ end
+
private
def require_local!
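Review bot: `policy.script_src :unsafe_inline` and `policy.style_src :unsafe_inline` in the `content_security_policy` block assign the directive rather than extend it, so whatever sources the application configured for `script-src` and `style-src` (for example `:self`) are dropped for these internal controllers instead of being widened; if the intent is only to permit inline content, read the existing sources back from the policy copy and pass them along with `:unsafe_inline`, and add a comment above the `if policy` guard stating that it covers applications with no CSP configured at all, since that is not obvious from the code.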
@@ -15,4 +24,8 @@ class Rails::ApplicationController < ActionController::Base # :nodoc:
def local_request?
Rails.application.config.consider_all_requests_local || request.local?
end
+
+ def disable_content_security_policy_nonce!
+ request.content_security_policy_nonce_generator = nil
+ end
end
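Review bot: `disable_content_security_policy_nonce!` is the part of the change that makes the new policy block effective, because browsers ignore `'unsafe-inline'` in a directive that also carries a `'nonce-...'` source, and an application-configured nonce generator would otherwise keep appending one; that coupling is not stated anywhere in the code, so add a comment above this method (or above the `before_action`) explaining it. The diffstat shows only this file changing, so a test under railties that asserts the response header from an internal controller contains `'unsafe-inline'` and no nonce is also missing.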