From ed91b75c937805cb52b3930f2549b7a179cdc421 Mon Sep 17 00:00:00 2001 From: Andrew White Date: Mon, 22 Oct 2018 17:10:01 +0100 Subject: Apply mapping to symbols returned from dynamic CSP sources Previously if a dynamic source returned a symbol such as :self it would be converted to a string implicity, e.g: policy.default_src -> { :self } would generate the header: Content-Security-Policy: default-src self and now it generates: Content-Security-Policy: default-src 'self' --- actionpack/CHANGELOG.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'actionpack/CHANGELOG.md') diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 3858c211ea..8d0477ead3 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,3 +1,20 @@ +* Apply mapping to symbols returned from dynamic CSP sources + + Previously if a dynamic source returned a symbol such as :self it + would be converted to a string implicity, e.g: + + policy.default_src -> { :self } + + would generate the header: + + Content-Security-Policy: default-src self + + and now it generates: + + Content-Security-Policy: default-src 'self' + + *Andrew White* + * Add `ActionController::Parameters#each_value`. *Lukáš Zapletal* -- cgit v1.2.3 From a150a026591b7b9dcaba5a2ef5fce02f7d990aba Mon Sep 17 00:00:00 2001 From: Andrew White Date: Mon, 22 Oct 2018 17:15:33 +0100 Subject: Use request object for context if there's no controller There is no controller instance when using a redirect route or a mounted rack application so pass the request object as the context when resolving dynamic CSP sources in this scenario. Fixes #34200. --- actionpack/CHANGELOG.md | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'actionpack/CHANGELOG.md') diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 8d0477ead3..5554d4e6b8 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md 
@@ -1,3 +1,13 @@ +* Use request object for context if there's no controller + + There is no controller instance when using a redirect route or a + mounted rack application so pass the request object as the context + when resolving dynamic CSP sources in this scenario. + + Fixes #34200. + + *Andrew White* + * Apply mapping to symbols returned from dynamic CSP sources Previously if a dynamic source returned a symbol such as :self it -- cgit v1.2.3
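Review bot: In the CHANGELOG hunk of the first commit (ed91b75c, "Apply mapping to symbols returned from dynamic CSP sources"), the second line of the entry body has a typo, "implicity" should read "implicitly", and the entry never says why the old output was a problem. The before and after headers differ only in the quotes, so a reader skimming the entry can take this for a cosmetic change. In CSP an unquoted self is parsed as a host source (a host literally named "self") and not as the 'self' keyword, so the previously generated default-src self did not allow the page's own origin. One sentence to that effect after the first header example would tell people who return symbols from a lambda that their policy was not doing what they wrote. It would also help to state that the mapping applies to the other symbols as well, since the entry only says "a symbol such as :self".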
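Review bot: In the CHANGELOG hunk of the second commit (a150a026, "Use request object for context if there's no controller"), the entry says the request object is passed "as the context" but does not spell out what that means for an existing dynamic source. A lambda written on the assumption that it runs against a controller instance will, for a redirect route or a mounted Rack application, now be evaluated against the request, so any controller-only method it calls will not be available there. Suggest adding a sentence saying that dynamic sources which can be reached through those routes should rely only on what both a controller and a request provide, and capitalising "rack" as "Rack" in the second line of the entry body.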