aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--actionpack/CHANGELOG.md17
-rw-r--r--actionpack/lib/action_dispatch/http/content_security_policy.rb3
-rw-r--r--actionpack/test/dispatch/content_security_policy_test.rb4
3 files changed, 21 insertions, 3 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 3858c211ea..8d0477ead3 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,20 @@
+* Apply mapping to symbols returned from dynamic CSP sources
+
+ Previously if a dynamic source returned a symbol such as :self it
+ would be converted to a string implicity, e.g:
+
+ policy.default_src -> { :self }
+
+ would generate the header:
+
+ Content-Security-Policy: default-src self
+
+ and now it generates:
+
+ Content-Security-Policy: default-src 'self'
+
+ *Andrew White*
+
* Add `ActionController::Parameters#each_value`.
*Lukáš Zapletal*
diff --git a/actionpack/lib/action_dispatch/http/content_security_policy.rb b/actionpack/lib/action_dispatch/http/content_security_policy.rb
index 50953e32b5..15b7bd1233 100644
--- a/actionpack/lib/action_dispatch/http/content_security_policy.rb
+++ b/actionpack/lib/action_dispatch/http/content_security_policy.rb
@@ -257,7 +257,8 @@ module ActionDispatch #:nodoc:
if context.nil?
raise RuntimeError, "Missing context for the dynamic content security policy source: #{source.inspect}"
else
- context.instance_exec(&source)
+ resolved = context.instance_exec(&source)
+ resolved.is_a?(Symbol) ? apply_mapping(resolved) : resolved
end
else
raise RuntimeError, "Unexpected content security policy source: #{source.inspect}"
diff --git a/actionpack/test/dispatch/content_security_policy_test.rb b/actionpack/test/dispatch/content_security_policy_test.rb
index 13ad22b5c5..8dd4b8edb1 100644
--- a/actionpack/test/dispatch/content_security_policy_test.rb
+++ b/actionpack/test/dispatch/content_security_policy_test.rb
@@ -264,8 +264,8 @@ class DefaultContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationT
end
POLICY = ActionDispatch::ContentSecurityPolicy.new do |p|
- p.default_src :self
- p.script_src :https
+ p.default_src -> { :self }
+ p.script_src -> { :https }
end
class PolicyConfigMiddleware