Module: ActionController::ContentSecurityPolicy::ClassMethods

Defined in:: lib/action_controller/metal/content_security_policy.rb

Instance Method Summary collapse

#content_security_policy(enabled = true, **options, &block) ⇒ Object

Overrides parts of the globally configured Content-Security-Policy header:.
#content_security_policy_report_only(report_only = true, **options) ⇒ Object

Overrides the globally configured Content-Security-Policy-Report-Only header:.

Instance Method Details

#content_security_policy(enabled = true, **options, &block) ⇒ `Object`

Overrides parts of the globally configured Content-Security-Policy header:

class PostsController < ApplicationController
  content_security_policy do |policy|
    policy.base_uri "https://www.example.com"
  end
end

Options can be passed similar to before_action. For example, pass only: :index to override the header on the index action only:

class PostsController < ApplicationController
  content_security_policy(only: :index) do |policy|
    policy.default_src :self, :https
  end
end

Pass false to remove the Content-Security-Policy header:

class PostsController < ApplicationController
  content_security_policy false, only: :index
end

# File 'lib/action_controller/metal/content_security_policy.rb', line 39

def content_security_policy(enabled = true, **options, &block)
  before_action(options) do
    if block_given?
      policy = current_content_security_policy
      instance_exec(policy, &block)
      request.content_security_policy = policy
    end

    unless enabled
      request.content_security_policy = nil
    end
  end
end

#content_security_policy_report_only(report_only = true, **options) ⇒ `Object`

Overrides the globally configured Content-Security-Policy-Report-Only header:

class PostsController < ApplicationController
  content_security_policy_report_only only: :index
end

Pass false to remove the Content-Security-Policy-Report-Only header:

class PostsController < ApplicationController
  content_security_policy_report_only false, only: :index
end

# File 'lib/action_controller/metal/content_security_policy.rb', line 65

def content_security_policy_report_only(report_only = true, **options)
  before_action(options) do
    request.content_security_policy_report_only = report_only
  end
end

Module: ActionController::ContentSecurityPolicy::ClassMethods

Instance Method Summary collapse

Instance Method Details

#content_security_policy(enabled = true, **options, &block) ⇒ Object

#content_security_policy_report_only(report_only = true, **options) ⇒ Object

#content_security_policy(enabled = true, **options, &block) ⇒ `Object`

#content_security_policy_report_only(report_only = true, **options) ⇒ `Object`