123456789_123456789_123456789_123456789_123456789_

Class: ActionDispatch::ContentSecurityPolicy::Middleware

Relationships & Source Files
Inherits: Object
Defined in: actionpack/lib/action_dispatch/http/content_security_policy.rb

Class Method Summary

Instance Method Summary

Constructor Details

.new(app) ⇒ Middleware

[ GitHub ]

  
# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 30

def initialize(app)
  @app = app
end

Instance Method Details

#call(env)

[ GitHub ]

  
# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 34

def call(env)
  status, headers, _ = response = @app.call(env)

  # Returning CSP headers with a 304 Not Modified is harmful, since nonces in the
  # new CSP headers might not match nonces in the cached HTML.
  return response if status == 304

  return response if policy_present?(headers)

  request = ActionDispatch::Request.new env

  if policy = request.content_security_policy
    nonce = request.content_security_policy_nonce
    nonce_directives = request.content_security_policy_nonce_directives
    context = request.controller_instance || request
    headers[header_name(request)] = policy.build(context, nonce, nonce_directives)
  end

  response
end

#header_name(request) (private)

[ GitHub ]

  
# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 56

def header_name(request)
  if request.content_security_policy_report_only
    ActionDispatch::Constants::CONTENT_SECURITY_POLICY_REPORT_ONLY
  else
    ActionDispatch::Constants::CONTENT_SECURITY_POLICY
  end
end

#policy_present?(headers) ⇒ Boolean (private)

[ GitHub ]

  
# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 64

def policy_present?(headers)
  headers[ActionDispatch::Constants::CONTENT_SECURITY_POLICY] ||
    headers[ActionDispatch::Constants::CONTENT_SECURITY_POLICY_REPORT_ONLY]
end