Class: ActionDispatch::ContentSecurityPolicy::Middleware

Inherits:

Object

Object
ActionDispatch::ContentSecurityPolicy::Middleware

show all

Defined in:: lib/action_dispatch/http/content_security_policy.rb

Constant Summary collapse

CONTENT_TYPE =

"Content-Type"

POLICY =

"Content-Security-Policy"

POLICY_REPORT_ONLY =

"Content-Security-Policy-Report-Only"

Instance Method Summary collapse

#call(env) ⇒ Object
#initialize(app) ⇒ Middleware constructor

A new instance of Middleware.

Constructor Details

#initialize(app) ⇒ `Middleware`

Returns a new instance of Middleware.



30
31
32

# File 'lib/action_dispatch/http/content_security_policy.rb', line 30

def initialize(app)
  @app = app
end

Instance Method Details

#call(env) ⇒ `Object`

# File 'lib/action_dispatch/http/content_security_policy.rb', line 34

def call(env)
  request = ActionDispatch::Request.new env
  status, headers, _ = response = @app.call(env)

  # Returning CSP headers with a 304 Not Modified is harmful, since nonces in the new
  # CSP headers might not match nonces in the cached HTML.
  return response if status == 304

  return response if policy_present?(headers)

  if policy = request.content_security_policy
    nonce = request.content_security_policy_nonce
    nonce_directives = request.content_security_policy_nonce_directives
    context = request.controller_instance || request
    headers[header_name(request)] = policy.build(context, nonce, nonce_directives)
  end

  response
end

Class: ActionDispatch::ContentSecurityPolicy::Middleware

Constant Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(app) ⇒ Middleware

Instance Method Details

#call(env) ⇒ Object

#initialize(app) ⇒ `Middleware`

#call(env) ⇒ `Object`