Class: ActionDispatch::ContentSecurityPolicy::Middleware
| Relationships & Source Files | |
| Inherits: | Object |
| Defined in: | actionpack/lib/action_dispatch/http/content_security_policy.rb |
Class Method Summary
- .new(app) ⇒ Middleware constructor
Instance Method Summary
- #call(env)
- #header_name(request) private
- #policy_present?(headers) ⇒ Boolean private
Constructor Details
.new(app) ⇒ Middleware
# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 30
def initialize(app) @app = app end
Instance Method Details
#call(env)
[ GitHub ]# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 34
def call(env) status, headers, _ = response = @app.call(env) # Returning CSP headers with a 304 Not Modified is harmful, since nonces in the # new CSP headers might not match nonces in the cached HTML. return response if status == 304 return response if policy_present?(headers) request = ActionDispatch::Request.new env if policy = request.content_security_policy nonce = request.content_security_policy_nonce nonce_directives = request.content_security_policy_nonce_directives context = request.controller_instance || request headers[header_name(request)] = policy.build(context, nonce, nonce_directives) end response end
#header_name(request) (private)
[ GitHub ]# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 56
def header_name(request) if request.content_security_policy_report_only ActionDispatch::Constants::CONTENT_SECURITY_POLICY_REPORT_ONLY else ActionDispatch::Constants::CONTENT_SECURITY_POLICY end end
#policy_present?(headers) ⇒ Boolean (private)
# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 64
def policy_present?(headers) headers[ActionDispatch::Constants::CONTENT_SECURITY_POLICY] || headers[ActionDispatch::Constants::CONTENT_SECURITY_POLICY_REPORT_ONLY] end