Class: ActionDispatch::ContentSecurityPolicy::Middleware
- Inherits:
-
Object
- Object
- ActionDispatch::ContentSecurityPolicy::Middleware
- Defined in:
- lib/action_dispatch/http/content_security_policy.rb
Constant Summary collapse
- CONTENT_TYPE =
"Content-Type"
- POLICY =
"Content-Security-Policy"
- POLICY_REPORT_ONLY =
"Content-Security-Policy-Report-Only"
Instance Method Summary collapse
- #call(env) ⇒ Object
-
#initialize(app) ⇒ Middleware
constructor
A new instance of Middleware.
Constructor Details
#initialize(app) ⇒ Middleware
Returns a new instance of Middleware.
33 34 35 |
# File 'lib/action_dispatch/http/content_security_policy.rb', line 33 def initialize(app) @app = app end |
Instance Method Details
#call(env) ⇒ Object
37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 |
# File 'lib/action_dispatch/http/content_security_policy.rb', line 37 def call(env) request = ActionDispatch::Request.new env status, headers, _ = response = @app.call(env) # Returning CSP headers with a 304 Not Modified is harmful, since nonces in the new # CSP headers might not match nonces in the cached HTML. return response if status == 304 return response if policy_present?(headers) if policy = request.content_security_policy nonce = request.content_security_policy_nonce nonce_directives = request.content_security_policy_nonce_directives context = request.controller_instance || request headers[header_name(request)] = policy.build(context, nonce, nonce_directives) end response end |