Class: ActionDispatch::PermissionsPolicy
Relationships & Source Files
Inherits: Object
Defined in: actionpack/lib/action_dispatch/http/permissions_policy.rb
Overview
Configures the HTTP Feature-Policy response header to specify which browser features the current document and its iframes can use.
Example global policy:
Rails.application.config.permissions_policy do |policy|
  policy.camera      :none
  policy.gyroscope   :none
  policy.microphone  :none
  policy.usb         :none
  policy.fullscreen  :self
  policy.payment     :self, "https://secure.example.com"
end
The Feature-Policy header has been renamed to Permissions-Policy. The Permissions-Policy requires a different implementation and isn’t yet supported by all browsers. To avoid having to rename this middleware in the future we use the new name for the middleware but keep the old header name and implementation for now.
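An added example (not part of Rails or of this page's source listings): a standalone Ruby check that parses a header value in the form #build produces and compares it with the example global policy above. The BASELINE constant, the function names and the sample headers are constructed for illustration.

```ruby
# Added example, not Rails code: audit a Feature-Policy header value in the
# "directive source ...; directive source ..." form that #build produces.

# Baseline taken from the page's example global policy, in header form.
BASELINE = {
  "camera"     => ["'none'"],
  "gyroscope"  => ["'none'"],
  "microphone" => ["'none'"],
  "usb"        => ["'none'"],
  "fullscreen" => ["'self'"],
  "payment"    => ["'self'", "https://secure.example.com"],
}.freeze

# Constructed sample headers: one matching the baseline, one that drifted.
COMPLIANT = "camera 'none'; gyroscope 'none'; microphone 'none'; usb 'none'; " \
            "fullscreen 'self'; payment 'self' https://secure.example.com"
DRIFTED   = "camera 'none'; microphone *; usb 'none'; fullscreen 'self'; " \
            "payment 'self' https://secure.example.com https://pay.example.net"

# Split the header into [directive, sources] pairs, keeping duplicates.
def parse_feature_policy(header)
  header.to_s.split(";").map(&:strip).reject(&:empty?).map do |part|
    directive, *sources = part.split(/\s+/)
    [directive.downcase, sources]
  end
end

# Return findings as strings; an empty array means the header matches.
def audit_feature_policy(header, baseline = BASELINE)
  pairs = parse_feature_policy(header)
  names = pairs.map(&:first)
  findings = (baseline.keys - names).map { |d| "#{d}: missing from header" }
  names.select { |d| names.count(d) > 1 }.uniq.each do |d|
    findings << "#{d}: declared more than once"
  end
  pairs.each do |directive, sources|
    next unless baseline.key?(directive)
    findings << "#{directive}: no source list" if sources.empty?
    (sources - baseline[directive]).each do |source|
      findings << "#{directive}: unexpected source #{source}"
    end
  end
  findings
end

puts audit_feature_policy(DRIFTED) if __FILE__ == $PROGRAM_NAME
```

Feeding it the header captured from a response in an integration test turns policy drift into a failing assertion.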
Constant Summary
- DIRECTIVES = (private)
List of available permissions can be found at github.com/w3c/webappsec-permissions-policy/blob/main/features.md#policy-controlled-features
{
  accelerometer:        "accelerometer",
  ambient_light_sensor: "ambient-light-sensor",
  autoplay:             "autoplay",
  camera:               "camera",
  display_capture:      "display-capture",
  encrypted_media:      "encrypted-media",
  fullscreen:           "fullscreen",
  geolocation:          "geolocation",
  gyroscope:            "gyroscope",
  hid:                  "hid",
  idle_detection:       "idle-detection",
  keyboard_map:         "keyboard-map",
  magnetometer:         "magnetometer",
  microphone:           "microphone",
  midi:                 "midi",
  payment:              "payment",
  picture_in_picture:   "picture-in-picture",
  screen_wake_lock:     "screen-wake-lock",
  serial:               "serial",
  sync_xhr:             "sync-xhr",
  usb:                  "usb",
  web_share:            "web-share",
}.freeze
- MAPPINGS = (private)
# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 77
{
  self: "'self'",
  none: "'none'",
}.freeze
Class Method Summary
- .new {|_self| ... } ⇒ PermissionsPolicy constructor
Instance Attribute Summary
- #directives readonly
Instance Method Summary
- #build(context = nil)
- #initialize_copy(other)
- #apply_mapping(source) private
- #apply_mappings(sources) private
- #build_directive(sources, context) private
- #build_directives(context) private
- #resolve_source(source, context) private
Constructor Details
.new {|_self| ... } ⇒ PermissionsPolicy
# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 113
def initialize
  @directives = {}
  yield self if block_given?
end
Instance Attribute Details
#directives (readonly)
# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 111
attr_reader :directives
Instance Method Details
#apply_mapping(source) (private)
# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 150
def apply_mapping(source)
  MAPPINGS.fetch(source) do
    raise ArgumentError, "Unknown HTTP permissions policy source mapping: #{source.inspect}"
  end
end
#apply_mappings(sources) (private)
# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 137
def apply_mappings(sources)
  sources.map do |source|
    case source
    when Symbol
      apply_mapping(source)
    when String, Proc
      source
    else
      raise ArgumentError, "Invalid HTTP permissions policy source: #{source.inspect}"
    end
  end
end
#build(context = nil)
# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 132
def build(context = nil)
  build_directives(context).compact.join("; ")
end
#build_directive(sources, context) (private)
# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 168
def build_directive(sources, context)
  sources.map { |source| resolve_source(source, context) }
end
#build_directives(context) (private)
# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 156
def build_directives(context)
  @directives.map do |directive, sources|
    if sources.is_a?(Array)
      "#{directive} #{build_directive(sources, context).join(' ')}"
    elsif sources
      directive
    else
      nil
    end
  end
end
#initialize_copy(other)
# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 118
def initialize_copy(other)
  @directives = other.directives.deep_dup
end
#resolve_source(source, context) (private)
# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 172
def resolve_source(source, context)
  case source
  when String
    source
  when Symbol
    source.to_s
  when Proc
    if context.nil?
      raise RuntimeError, "Missing context for the dynamic permissions policy source: #{source.inspect}"
    else
      context.instance_exec(&source)
    end
  else
    raise RuntimeError, "Unexpected permissions policy source: #{source.inspect}"
  end
end