class ActionDispatch::ContentSecurityPolicy::Middleware
Constants
- CONTENT_TYPE
- POLICY
- POLICY_REPORT_ONLY
Public Class Methods
new(app)
click to toggle source
# File lib/action_dispatch/http/content_security_policy.rb, line 30 def initialize(app) @app = app end
Public Instance Methods
call(env)
click to toggle source
# File lib/action_dispatch/http/content_security_policy.rb, line 34 def call(env) request = ActionDispatch::Request.new env status, headers, _ = response = @app.call(env) # Returning CSP headers with a 304 Not Modified is harmful, since nonces in the new # CSP headers might not match nonces in the cached HTML. return response if status == 304 return response if policy_present?(headers) if policy = request.content_security_policy nonce = request.content_security_policy_nonce nonce_directives = request.content_security_policy_nonce_directives context = request.controller_instance || request headers[header_name(request)] = policy.build(context, nonce, nonce_directives) end response end
Private Instance Methods
header_name(request)
click to toggle source
# File lib/action_dispatch/http/content_security_policy.rb, line 55 def header_name(request) if request.content_security_policy_report_only POLICY_REPORT_ONLY else POLICY end end
policy_present?(headers)
click to toggle source
# File lib/action_dispatch/http/content_security_policy.rb, line 63 def policy_present?(headers) headers[POLICY] || headers[POLICY_REPORT_ONLY] end