Class: ActionDispatch::PermissionsPolicy
| Relationships & Source Files | |
| Namespace Children | |
|
Modules:
| |
|
Classes:
| |
| Inherits: | Object |
| Defined in: | actionpack/lib/action_dispatch/http/permissions_policy.rb |
Overview
Configures the HTTP Feature-Policy response header to specify which browser features the current document and its iframes can use.
Example global policy:
Rails.application.config. do |policy|
policy.camera :none
policy.gyroscope :none
policy.microphone :none
policy.usb :none
policy.fullscreen :self
policy.payment :self, "https://secure.example.com"
endThe Feature-Policy header has been renamed to Permissions-Policy. The Permissions-Policy requires a different implementation and isn’t yet supported by all browsers. To avoid having to rename this middleware in the future we use the new name for the middleware but keep the old header name and implementation for now.
Constant Summary
-
DIRECTIVES =
private
# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 89
List of available permissions can be found at github.com/w3c/webappsec-permissions-policy/blob/main/features.md#policy-controlled-features
{ accelerometer: "accelerometer", ambient_light_sensor: "ambient-light-sensor", autoplay: "autoplay", camera: "camera", encrypted_media: "encrypted-media", fullscreen: "fullscreen", geolocation: "geolocation", gyroscope: "gyroscope", hid: "hid", idle_detection: "idle-detection", magnetometer: "magnetometer", microphone: "microphone", midi: "midi", payment: "payment", picture_in_picture: "picture-in-picture", screen_wake_lock: "screen-wake-lock", serial: "serial", sync_xhr: "sync-xhr", usb: "usb", web_share: "web-share", }.freeze -
MAPPINGS =
private
# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 82{ self: "'self'", none: "'none'", }.freeze
Class Method Summary
- .new {|_self| ... } ⇒ PermissionsPolicy constructor
Instance Attribute Summary
- #directives readonly
Instance Method Summary
- #build(context = nil)
- #initialize_copy(other)
- #apply_mapping(source) private
- #apply_mappings(sources) private
- #build_directive(sources, context) private
- #build_directives(context) private
- #resolve_source(source, context) private
Constructor Details
.new {|_self| ... } ⇒ PermissionsPolicy
# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 116
def initialize @directives = {} yield self if block_given? end
Instance Attribute Details
#directives (readonly)
[ GitHub ]# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 114
attr_reader :directives
Instance Method Details
#apply_mapping(source) (private)
[ GitHub ]# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 172
def apply_mapping(source) MAPPINGS.fetch(source) do raise ArgumentError, "Unknown HTTP permissions policy source mapping: #{source.inspect}" end end
#apply_mappings(sources) (private)
[ GitHub ]# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 159
def apply_mappings(sources) sources.map do |source| case source when Symbol apply_mapping(source) when String, Proc source else raise ArgumentError, "Invalid HTTP permissions policy source: #{source.inspect}" end end end
#build(context = nil)
[ GitHub ]# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 154
def build(context = nil) build_directives(context).compact.join("; ") end
#build_directive(sources, context) (private)
[ GitHub ]# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 190
def build_directive(sources, context) sources.map { |source| resolve_source(source, context) } end
#build_directives(context) (private)
[ GitHub ]# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 178
def build_directives(context) @directives.map do |directive, sources| if sources.is_a?(Array) "#{directive} #{build_directive(sources, context).join(' ')}" elsif sources directive else nil end end end
#initialize_copy(other)
[ GitHub ]# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 121
def initialize_copy(other) @directives = other.directives.deep_dup end
#resolve_source(source, context) (private)
[ GitHub ]# File 'actionpack/lib/action_dispatch/http/permissions_policy.rb', line 194
def resolve_source(source, context) case source when String source when Symbol source.to_s when Proc if context.nil? raise RuntimeError, "Missing context for the dynamic permissions policy source: #{source.inspect}" else context.instance_exec(&source) end else raise RuntimeError, "Unexpected permissions policy source: #{source.inspect}" end end