Merge pull request #45859 from kratob/no-csp-response-for-304
Do not return CSP headers for 304 Not Modified responses
This commit is contained in:
commit
2045cef03b
@ -33,7 +33,11 @@ def initialize(app)
|
||||
|
||||
def call(env)
|
||||
request = ActionDispatch::Request.new env
|
||||
_, headers, _ = response = @app.call(env)
|
||||
status, headers, _ = response = @app.call(env)
|
||||
|
||||
# Returning CSP headers with a 304 Not Modified is harmful, since nonces in the new
|
||||
# CSP headers might not match nonces in the cached HTML.
|
||||
return response if status == 304
|
||||
|
||||
return response if policy_present?(headers)
|
||||
|
||||
|
@ -440,6 +440,10 @@ def api
|
||||
render json: {}
|
||||
end
|
||||
|
||||
def not_modified
|
||||
head :not_modified
|
||||
end
|
||||
|
||||
private
|
||||
def condition?
|
||||
params[:condition] == "true"
|
||||
@ -457,6 +461,7 @@ def condition?
|
||||
get "/style-src", to: "policy#style_src"
|
||||
get "/no-policy", to: "policy#no_policy"
|
||||
get "/api", to: "policy#api"
|
||||
get "/not-modified", to: "policy#not_modified"
|
||||
end
|
||||
end
|
||||
|
||||
@ -533,6 +538,13 @@ def test_generates_api_security_policy
|
||||
assert_policy "default-src 'none'; frame-ancestors 'none'"
|
||||
end
|
||||
|
||||
def test_generates_no_content_security_policy_for_not_modified
|
||||
get "/not-modified"
|
||||
|
||||
assert_nil response.headers["Content-Security-Policy"]
|
||||
assert_nil response.headers["Content-Security-Policy-Report-Only"]
|
||||
end
|
||||
|
||||
private
|
||||
def assert_policy(expected, report_only: false)
|
||||
assert_response :success
|
||||
|
Loading…
Reference in New Issue
Block a user