Class: ActionDispatch::PermissionsPolicy
| Inherits: | Object |
| Defined in: | actionpack/lib/action_dispatch/http/permissions_policy.rb |
Overview
Configures the HTTP Feature-Policy response header to specify which browser features the current document and its iframes can use.
Example global policy:
Rails.application.config.permissions_policy do |policy|
  policy.camera :none
  policy.gyroscope :none
  policy.microphone :none
  policy.usb :none
  policy.fullscreen :self
  policy.payment :self, "https://secure.example.com"
end
The Feature-Policy header has been renamed to Permissions-Policy. The Permissions-Policy requires a different implementation and isn't yet supported by all browsers. To avoid having to rename this middleware in the future we use the new name for the middleware but keep the old header name and implementation for now.
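A defender-side check for the header this class emits, as an added example that is not part of Rails or of this page: it parses a Feature-Policy value in the "directive source source; directive source" form that #build produces and reports weak settings. The SENSITIVE list, the function names and the sample header values are assumptions constructed for illustration.

```ruby
# Added example (not Rails code): audit a Feature-Policy header value in the
# "directive source source; directive source" form that #build emits.

# Assumption: the features this audit treats as sensitive (taken from the
# global policy example on this page).
SENSITIVE = %w[camera gyroscope microphone usb payment].freeze

# Parse a header value into { "directive" => ["source", ...] }.
def parse_feature_policy(value)
  value.to_s.split(";").each_with_object({}) do |part, policy|
    directive, *sources = part.split
    next if directive.nil? # skip empty segments such as a trailing ";"
    policy[directive.downcase] = sources
  end
end

# Return a list of findings; an empty list means every sensitive feature is
# set and shows none of the weaknesses checked below.
def audit_feature_policy(value, sensitive: SENSITIVE)
  policy = parse_feature_policy(value)
  sensitive.each_with_object([]) do |feature, findings|
    sources = policy[feature]
    if sources.nil?
      findings << "#{feature}: not set, browser default applies"
    elsif sources.empty?
      findings << "#{feature}: directive has no allowlist"
    elsif sources.include?("*")
      findings << "#{feature}: allowed for every origin (*)"
    elsif sources.include?("'none'") && sources.size > 1
      findings << "#{feature}: 'none' mixed with other sources"
    else
      insecure = sources.grep(/\Ahttp:/i)
      findings << "#{feature}: non-HTTPS origin #{insecure.join(', ')}" unless insecure.empty?
    end
  end
end

# Constructed sample values: GOOD is the string the global policy example
# above is expected to build to, WEAK is a deliberately loose policy.
GOOD = "camera 'none'; gyroscope 'none'; microphone 'none'; usb 'none'; " \
       "fullscreen 'self'; payment 'self' https://secure.example.com"
WEAK = "camera *; microphone 'none' 'self'; payment 'self' http://pay.example.com"

puts audit_feature_policy(GOOD).inspect
audit_feature_policy(WEAK).each { |finding| puts finding }
```

The same functions can be pointed at a captured response header in an integration test to catch a policy that a controller-level override has loosened.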
Constant Summary
- DIRECTIVES = (private)
# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 84
List of available permissions can be found at https://github.com/w3c/webappsec-permissions-policy/blob/main/features.md#policy-controlled-features
{
  accelerometer: "accelerometer",
  ambient_light_sensor: "ambient-light-sensor",
  attribution_reporting: "attribution-reporting",
  autoplay: "autoplay",
  battery: "battery",
  bluetooth: "bluetooth",
  camera: "camera",
  ch_ua: "ch-ua",
  ch_ua_arch: "ch-ua-arch",
  ch_ua_bitness: "ch-ua-bitness",
  ch_ua_full_version: "ch-ua-full-version",
  ch_ua_full_version_list: "ch-ua-full-version-list",
  ch_ua_high_entropy_values: "ch-ua-high-entropy-values",
  ch_ua_mobile: "ch-ua-mobile",
  ch_ua_model: "ch-ua-model",
  ch_ua_platform: "ch-ua-platform",
  ch_ua_platform_version: "ch-ua-platform-version",
  ch_ua_wow64: "ch-ua-wow64",
  compute_pressure: "compute-pressure",
  cross_origin_isolated: "cross-origin-isolated",
  direct_sockets: "direct-sockets",
  display_capture: "display-capture",
  encrypted_media: "encrypted-media",
  execution_while_not_rendered: "execution-while-not-rendered",
  execution_while_out_of_viewport: "execution-while-out-of-viewport",
  fullscreen: "fullscreen",
  geolocation: "geolocation",
  gyroscope: "gyroscope",
  hid: "hid",
  identity_credentials_get: "identity-credentials-get",
  idle_detection: "idle-detection",
  keyboard_map: "keyboard-map",
  magnetometer: "magnetometer",
  mediasession: "mediasession",
  microphone: "microphone",
  midi: "midi",
  navigation_override: "navigation-override",
  otp_credentials: "otp-credentials",
  payment: "payment",
  picture_in_picture: "picture-in-picture",
  publickey_credentials_get: "publickey-credentials-get",
  screen_wake_lock: "screen-wake-lock",
  serial: "serial",
  storage_access: "storage-access",
  sync_xhr: "sync-xhr",
  usb: "usb",
  web_share: "web-share",
  window_management: "window-management",
  xr_spatial_tracking: "xr-spatial-tracking",
}.freeze
- MAPPINGS = (private)
# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 77
{
  self: "'self'",
  none: "'none'",
}.freeze
Class Method Summary
- .new {|_self| ... } ⇒ PermissionsPolicy constructor
Instance Attribute Summary
- #directives readonly
Instance Method Summary
- #build(context = nil)
- #initialize_copy(other)
- #apply_mapping(source) private
- #apply_mappings(sources) private
- #build_directive(sources, context) private
- #build_directives(context) private
- #resolve_source(source, context) private
Constructor Details
.new {|_self| ... } ⇒ PermissionsPolicy
# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 140
def initialize
  @directives = {}
  yield self if block_given?
end
Instance Attribute Details
#directives (readonly)
# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 138
attr_reader :directives
Instance Method Details
#apply_mapping(source) (private)
# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 177
def apply_mapping(source)
  MAPPINGS.fetch(source) do
    raise ArgumentError, "Unknown HTTP permissions policy source mapping: #{source.inspect}"
  end
end
#apply_mappings(sources) (private)
# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 164
def apply_mappings(sources)
  sources.map do |source|
    case source
    when Symbol
      apply_mapping(source)
    when String, Proc
      source
    else
      raise ArgumentError, "Invalid HTTP permissions policy source: #{source.inspect}"
    end
  end
end
#build(context = nil)
# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 159
def build(context = nil)
  build_directives(context).compact.join("; ")
end
#build_directive(sources, context) (private)
# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 195
def build_directive(sources, context)
  sources.map { |source| resolve_source(source, context) }
end
#build_directives(context) (private)
# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 183
def build_directives(context)
  @directives.map do |directive, sources|
    if sources.is_a?(Array)
      "#{directive} #{build_directive(sources, context).join(' ')}"
    elsif sources
      directive
    else
      nil
    end
  end
end
#initialize_copy(other)
# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 145
def initialize_copy(other)
  @directives = other.directives.deep_dup
end
#resolve_source(source, context) (private)
# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 199
def resolve_source(source, context)
  case source
  when String
    source
  when Symbol
    source.to_s
  when Proc
    if context.nil?
      raise RuntimeError, "Missing context for the dynamic permissions policy source: #{source.inspect}"
    else
      context.instance_exec(&source)
    end
  else
    raise RuntimeError, "Unexpected permissions policy source: #{source.inspect}"
  end
end