Skip to content

Commit

Permalink
Merge pull request rails#42126 from lfalcao/master
Browse files Browse the repository at this point in the history
Add support for require-trusted-types-for and trusted-types
  • Loading branch information
pixeltrix authored May 8, 2021
2 parents 70b6cee + 0f79315 commit 523a526
Show file tree
Hide file tree
Showing 3 changed files with 62 additions and 34 deletions.
6 changes: 6 additions & 0 deletions actionpack/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,9 @@
* Add support for 'require-trusted-types-for' and 'trusted-types' headers.

Fixes #42034

*lfalcao*

* Remove inline styles and address basic accessibility issues on rescue templates.

*Jacob Herrington*
Expand Down
72 changes: 38 additions & 34 deletions actionpack/lib/action_dispatch/http/content_security_policy.rb
Original file line number Diff line number Diff line change
Expand Up @@ -106,43 +106,47 @@ def generate_content_security_policy_nonce
end

MAPPINGS = {
self: "'self'",
unsafe_eval: "'unsafe-eval'",
unsafe_inline: "'unsafe-inline'",
none: "'none'",
http: "http:",
https: "https:",
data: "data:",
mediastream: "mediastream:",
blob: "blob:",
filesystem: "filesystem:",
report_sample: "'report-sample'",
strict_dynamic: "'strict-dynamic'",
ws: "ws:",
wss: "wss:"
self: "'self'",
unsafe_eval: "'unsafe-eval'",
unsafe_inline: "'unsafe-inline'",
none: "'none'",
http: "http:",
https: "https:",
data: "data:",
mediastream: "mediastream:",
allow_duplicates: "'allow-duplicates'",
blob: "blob:",
filesystem: "filesystem:",
report_sample: "'report-sample'",
script: "'script'",
strict_dynamic: "'strict-dynamic'",
ws: "ws:",
wss: "wss:"
}.freeze

DIRECTIVES = {
base_uri: "base-uri",
child_src: "child-src",
connect_src: "connect-src",
default_src: "default-src",
font_src: "font-src",
form_action: "form-action",
frame_ancestors: "frame-ancestors",
frame_src: "frame-src",
img_src: "img-src",
manifest_src: "manifest-src",
media_src: "media-src",
object_src: "object-src",
prefetch_src: "prefetch-src",
script_src: "script-src",
script_src_attr: "script-src-attr",
script_src_elem: "script-src-elem",
style_src: "style-src",
style_src_attr: "style-src-attr",
style_src_elem: "style-src-elem",
worker_src: "worker-src"
base_uri: "base-uri",
child_src: "child-src",
connect_src: "connect-src",
default_src: "default-src",
font_src: "font-src",
form_action: "form-action",
frame_ancestors: "frame-ancestors",
frame_src: "frame-src",
img_src: "img-src",
manifest_src: "manifest-src",
media_src: "media-src",
object_src: "object-src",
prefetch_src: "prefetch-src",
require_trusted_types_for: "require-trusted-types-for",
script_src: "script-src",
script_src_attr: "script-src-attr",
script_src_elem: "script-src-elem",
style_src: "style-src",
style_src_attr: "style-src-attr",
style_src_elem: "style-src-elem",
trusted_types: "trusted-types",
worker_src: "worker-src"
}.freeze

DEFAULT_NONCE_DIRECTIVES = %w[script-src style-src].freeze
Expand Down
18 changes: 18 additions & 0 deletions actionpack/test/dispatch/content_security_policy_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -211,6 +211,24 @@ def test_other_directives
@policy.require_sri_for
assert_no_match %r{require-sri-for}, @policy.build

@policy.require_trusted_types_for :script
assert_match %r{require-trusted-types-for 'script'}, @policy.build

@policy.require_trusted_types_for
assert_no_match %r{require-trusted-types-for}, @policy.build

@policy.trusted_types :none
assert_match %r{trusted-types 'none'}, @policy.build

@policy.trusted_types "foo", "bar"
assert_match %r{trusted-types foo bar}, @policy.build

@policy.trusted_types "foo", "bar", :allow_duplicates
assert_match %r{trusted-types foo bar 'allow-duplicates'}, @policy.build

@policy.trusted_types
assert_no_match %r{trusted-types}, @policy.build

@policy.upgrade_insecure_requests
assert_match %r{upgrade-insecure-requests}, @policy.build

Expand Down

0 comments on commit 523a526

Please sign in to comment.