From ed91b75c937805cb52b3930f2549b7a179cdc421 Mon Sep 17 00:00:00 2001
From: Andrew White <andrew.white@unboxed.co>
Date: Mon, 22 Oct 2018 17:10:01 +0100
Subject: Apply mapping to symbols returned from dynamic CSP sources

Previously if a dynamic source returned a symbol such as :self it
would be converted to a string implicity, e.g:

  policy.default_src -> { :self }

would generate the header:

  Content-Security-Policy: default-src self

and now it generates:

  Content-Security-Policy: default-src 'self'
---
 actionpack/lib/action_dispatch/http/content_security_policy.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'actionpack/lib')

diff --git a/actionpack/lib/action_dispatch/http/content_security_policy.rb b/actionpack/lib/action_dispatch/http/content_security_policy.rb
index 50953e32b5..15b7bd1233 100644
--- a/actionpack/lib/action_dispatch/http/content_security_policy.rb
+++ b/actionpack/lib/action_dispatch/http/content_security_policy.rb
@@ -257,7 +257,8 @@ module ActionDispatch #:nodoc:
           if context.nil?
             raise RuntimeError, "Missing context for the dynamic content security policy source: #{source.inspect}"
           else
-            context.instance_exec(&source)
+            resolved = context.instance_exec(&source)
+            resolved.is_a?(Symbol) ? apply_mapping(resolved) : resolved
           end
         else
           raise RuntimeError, "Unexpected content security policy source: #{source.inspect}"
-- 
cgit v1.2.3


From a150a026591b7b9dcaba5a2ef5fce02f7d990aba Mon Sep 17 00:00:00 2001
From: Andrew White <andrew.white@unboxed.co>
Date: Mon, 22 Oct 2018 17:15:33 +0100
Subject: Use request object for context if there's no controller

There is no controller instance when using a redirect route or a
mounted rack application so pass the request object as the context
when resolving dynamic CSP sources in this scenario.

Fixes #34200.
---
 actionpack/lib/action_dispatch/http/content_security_policy.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'actionpack/lib')

diff --git a/actionpack/lib/action_dispatch/http/content_security_policy.rb b/actionpack/lib/action_dispatch/http/content_security_policy.rb
index 15b7bd1233..b1e5a28be5 100644
--- a/actionpack/lib/action_dispatch/http/content_security_policy.rb
+++ b/actionpack/lib/action_dispatch/http/content_security_policy.rb
@@ -22,7 +22,8 @@ module ActionDispatch #:nodoc:
 
         if policy = request.content_security_policy
           nonce = request.content_security_policy_nonce
-          headers[header_name(request)] = policy.build(request.controller_instance, nonce)
+          context = request.controller_instance || request
+          headers[header_name(request)] = policy.build(context, nonce)
         end
 
         response
-- 
cgit v1.2.3