aboutsummaryrefslogtreecommitdiffstats
path: root/railties/test/application/content_security_policy_test.rb
Commit message (Collapse)AuthorAgeFilesLines
* Remove trailing semi-colon from CSPAndrew White2018-02-191-6/+6
| | | | | | | | | Although the spec[1] is defined in such a way that a trailing semi-colon is valid it also doesn't allow a semi-colon by itself to indicate an empty policy. Therefore it's easier (and valid) just to omit it rather than to detect whether the policy is empty or not. [1]: https://www.w3.org/TR/CSP2/#policy-syntax
* Don't accidentally create an empty CSPAndrew White2018-02-191-2/+28
| | | | | | Setting up the request environment was accidentally creating a CSP as a consequence of accessing the option - only set the instance variable if a block is passed.
* Revert "Merge pull request #32045 from eagletmt/skip-csp-header"Andrew White2018-02-191-1/+1
| | | | | | | | | This reverts commit 86f7c269073a3a9e6ddec9b957deaa2716f2627d, reversing changes made to 5ece2e4a4459065b5efd976aebd209bbf0cab89b. If a policy is set then we should generate it even if it's empty. However what is happening is that we're accidentally generating an empty policy when the initializer is commented out by default.
* Skip generating empty CSP header when no policy is configuredKohei Suzuki2018-02-181-1/+1
| | | | | | | | `Rails.application.config.content_security_policy` is configured with no policies by default. In this case, Content-Security-Policy header should not be generated instead of generating the header with no directives. Firefox also warns "Content Security Policy: Couldn't process unknown directive ''".
* Add DSL for configuring Content-Security-Policy headerAndrew White2017-11-271-0/+197
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy