From af406a753c59266c61e9ebcd0f131fdc6533a124 Mon Sep 17 00:00:00 2001
From: Andrew White <andrew.white@unboxed.co>
Date: Thu, 8 Mar 2018 14:01:15 +0000
Subject: Add the ability to disable the global CSP in a controller

e.g:

    class LegacyPagesController < ApplicationController
      content_security_policy false, only: :index
    end
---
 actionpack/lib/action_controller/metal/content_security_policy.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'actionpack/lib')

diff --git a/actionpack/lib/action_controller/metal/content_security_policy.rb b/actionpack/lib/action_controller/metal/content_security_policy.rb
index 95f2f3242d..67682e7f4f 100644
--- a/actionpack/lib/action_controller/metal/content_security_policy.rb
+++ b/actionpack/lib/action_controller/metal/content_security_policy.rb
@@ -14,13 +14,17 @@ module ActionController #:nodoc:
     end
 
     module ClassMethods
-      def content_security_policy(**options, &block)
+      def content_security_policy(enabled = true, **options, &block)
         before_action(options) do
           if block_given?
             policy = request.content_security_policy.clone
             yield policy
             request.content_security_policy = policy
           end
+
+          unless enabled
+            request.content_security_policy = nil
+          end
         end
       end
 
-- 
cgit v1.2.3