Commit 86f7c269 (unverified)
Authored Feb 18, 2018 by Guillermo Iguaran
Committed by GitHub, Feb 18, 2018
Merge pull request #32045 from eagletmt/skip-csp-header
Skip generating empty CSP header when no policy is configured
Parents: 5ece2e4a 53d863d4
Showing 3 changed files with 31 additions and 5 deletions (+31 -5)
actionpack/lib/action_dispatch/http/content_security_policy.rb (+10 -2)
actionpack/test/dispatch/content_security_policy_test.rb (+20 -2)
railties/test/application/content_security_policy_test.rb (+1 -1)
actionpack/lib/action_dispatch/http/content_security_policy.rb
@@ -21,7 +21,10 @@ def call(env)
return
response
if
policy_present?
(
headers
)
if
policy
=
request
.
content_security_policy
headers
[
header_name
(
request
)]
=
policy
.
build
(
request
.
controller_instance
)
built_policy
=
policy
.
build
(
request
.
controller_instance
)
if
built_policy
headers
[
header_name
(
request
)]
=
built_policy
end
end
response
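Review bot: the new `if built_policy` guard only distinguishes nil from a string, so correctness rests on `build` never returning an empty string; that holds with the `compact`/`empty?` logic in this PR, but a one-line comment on the guard ("build returns nil when no directive is set") would make the contract explicit for the next reader. The observable change is also worth a CHANGELOG entry: a policy object with no directives now produces no `Content-Security-Policy` header at all instead of a bare `;` header, and the railties test later in this diff previously pinned that `";"` value.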
@@ -172,7 +175,12 @@ def upgrade_insecure_requests(enabled = true)
end
def
build
(
context
=
nil
)
build_directives
(
context
).
compact
.
join
(
"; "
)
+
";"
built_directives
=
build_directives
(
context
).
compact
if
built_directives
.
empty?
nil
else
built_directives
.
join
(
"; "
)
+
";"
end
end
private
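Review bot: `build` now returns nil instead of `";"` when `build_directives(context).compact` is empty, which changes the return type from String to String-or-nil; any caller outside `call` that concatenates or invokes string methods on the result without a nil check will raise. Suggest documenting the nil return above the method (and in the CHANGELOG). As a style point, the `if/else` can collapse to `built_directives.join("; ") + ";" unless built_directives.empty?`, since the modifier form already evaluates to nil when the condition holds.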
actionpack/test/dispatch/content_security_policy_test.rb
@@ -8,7 +8,7 @@ def setup
end
def
test_build
assert_
equal
";"
,
@policy
.
build
assert_
nil
@policy
.
build
@policy
.
script_src
:self
assert_equal
"script-src 'self';"
,
@policy
.
build
@@ -271,6 +271,10 @@ def report_only
head
:ok
end
def
empty_policy
head
:ok
end
private
def
condition?
params
[
:condition
]
==
"true"
@@ -284,12 +288,14 @@ def condition?
get
"/inline"
,
to:
"policy#inline"
get
"/conditional"
,
to:
"policy#conditional"
get
"/report-only"
,
to:
"policy#report_only"
get
"/empty-policy"
,
to:
"policy#empty_policy"
end
end
POLICY
=
ActionDispatch
::
ContentSecurityPolicy
.
new
do
|
p
|
p
.
default_src
:self
end
EMPTY_POLICY
=
ActionDispatch
::
ContentSecurityPolicy
.
new
class
PolicyConfigMiddleware
def
initialize
(
app
)
@@ -297,7 +303,12 @@ def initialize(app)
end
def
call
(
env
)
env
[
"action_dispatch.content_security_policy"
]
=
POLICY
env
[
"action_dispatch.content_security_policy"
]
=
if
env
[
"PATH_INFO"
]
==
"/empty-policy"
EMPTY_POLICY
else
POLICY
end
env
[
"action_dispatch.content_security_policy_report_only"
]
=
false
env
[
"action_dispatch.show_exceptions"
]
=
false
@@ -337,6 +348,13 @@ def test_generates_report_only_content_security_policy
assert_policy
"default-src 'self'; report-uri /violations;"
,
report_only:
true
end
def
test_empty_policy
get
"/empty-policy"
assert_response
:success
assert_not
response
.
headers
.
key?
(
"Content-Security-Policy"
)
assert_not
response
.
headers
.
key?
(
"Content-Security-Policy-Report-Only"
)
end
private
def
env_config
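Review bot: the second assertion (`Content-Security-Policy-Report-Only` absent) does not exercise the code it appears to cover: `PolicyConfigMiddleware#call` in the earlier hunk sets `action_dispatch.content_security_policy_report_only` to `false` for every path, so the report-only header could never appear on `/empty-policy` with or without this fix. To cover the report-only branch of `header_name` with an empty policy, add a case (a second route, or a flag the middleware reads from the env) where report-only is `true` and assert that header is still absent.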
railties/test/application/content_security_policy_test.rb
@@ -34,7 +34,7 @@ def index
app
(
"development"
)
get
"/"
assert_
equal
";"
,
last_response
.
headers
[
"Content-Security-Policy"
]
assert_
not
last_response
.
headers
.
key?
(
"Content-Security-Policy"
)
end
test
"global content security policy in an initializer"
do
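Review bot: replacing `assert_equal ";", last_response.headers["Content-Security-Policy"]` with `assert_not last_response.headers.key?("Content-Security-Policy")` weakens the test: the negative assertion also passes if the CSP middleware is missing from the stack entirely or the `app("development")` boot never loads the policy at all. Keep it tied to a positive check (the following test, `global content security policy in an initializer`, shows the header being generated once a policy is configured) so that a regression where the middleware silently drops out is still caught.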