From a150a026591b7b9dcaba5a2ef5fce02f7d990aba Mon Sep 17 00:00:00 2001
From: Andrew White <andrew.white@unboxed.co>
Date: Mon, 22 Oct 2018 17:15:33 +0100
Subject: Use request object for context if there's no controller

There is no controller instance when using a redirect route or a
mounted rack application so pass the request object as the context
when resolving dynamic CSP sources in this scenario.

Fixes #34200.
---
 actionpack/test/dispatch/content_security_policy_test.rb | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'actionpack/test')

diff --git a/actionpack/test/dispatch/content_security_policy_test.rb b/actionpack/test/dispatch/content_security_policy_test.rb
index 8dd4b8edb1..c8c885f35c 100644
--- a/actionpack/test/dispatch/content_security_policy_test.rb
+++ b/actionpack/test/dispatch/content_security_policy_test.rb
@@ -260,6 +260,7 @@ class DefaultContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationT
   ROUTES.draw do
     scope module: "default_content_security_policy_integration_test" do
       get "/", to: "policy#index"
+      get "/redirect", to: redirect("/")
     end
   end
 
@@ -295,14 +296,19 @@ class DefaultContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationT
   def test_adds_nonce_to_script_src_content_security_policy_only_once
     get "/"
     get "/"
+    assert_response :success
+    assert_policy "default-src 'self'; script-src https: 'nonce-iyhD0Yc0W+c='"
+  end
+
+  def test_redirect_works_with_dynamic_sources
+    get "/redirect"
+    assert_response :redirect
     assert_policy "default-src 'self'; script-src https: 'nonce-iyhD0Yc0W+c='"
   end
 
   private
 
     def assert_policy(expected, report_only: false)
-      assert_response :success
-
       if report_only
         expected_header = "Content-Security-Policy-Report-Only"
         unexpected_header = "Content-Security-Policy"
-- 
cgit v1.2.3