class ActionDispatch::ContentSecurityPolicy::Middleware

Constants

CONTENT_TYPE
POLICY
POLICY_REPORT_ONLY

Public Class Methods

new(app) click to toggle source
# File lib/action_dispatch/http/content_security_policy.rb, line 30
def initialize(app)
  @app = app
end

Public Instance Methods

call(env) click to toggle source
# File lib/action_dispatch/http/content_security_policy.rb, line 34
def call(env)
  request = ActionDispatch::Request.new env
  status, headers, _ = response = @app.call(env)

  # Returning CSP headers with a 304 Not Modified is harmful, since nonces in the new
  # CSP headers might not match nonces in the cached HTML.
  return response if status == 304

  return response if policy_present?(headers)

  if policy = request.content_security_policy
    nonce = request.content_security_policy_nonce
    nonce_directives = request.content_security_policy_nonce_directives
    context = request.controller_instance || request
    headers[header_name(request)] = policy.build(context, nonce, nonce_directives)
  end

  response
end

Private Instance Methods

header_name(request) click to toggle source
# File lib/action_dispatch/http/content_security_policy.rb, line 55
def header_name(request)
  if request.content_security_policy_report_only
    POLICY_REPORT_ONLY
  else
    POLICY
  end
end
policy_present?(headers) click to toggle source
# File lib/action_dispatch/http/content_security_policy.rb, line 63
def policy_present?(headers)
  headers[POLICY] || headers[POLICY_REPORT_ONLY]
end