include the HTTP Permissions-Policy on non-HTML Content-Types
[CVE-2024-28103] The application-configurable Permissions-Policy is only served on responses with an HTML-related Content-Type. This change allows all Content-Types to serve the configured Permissions-Policy, as there are many non-HTML Content-Types that would benefit from this header (examples include image/svg+xml and application/xml).
parent
f008c31717
commit
35858f1d9d
@ -37,7 +37,6 @@ def initialize(app)
|
||||
def call(env)
|
||||
_, headers, _ = response = @app.call(env)
|
||||
|
||||
return response unless html_response?(headers)
|
||||
return response if policy_present?(headers)
|
||||
|
||||
request = ActionDispatch::Request.new(env)
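Review bot: With `return response unless html_response?(headers)` gone, nothing in `call` records why the policy is now applied regardless of Content-Type, and a later reader may be tempted to reinstate the guard for non-HTML responses; a why-comment above `return response if policy_present?(headers)` would keep the rationale next to the code, e.g. `# Applied to every Content-Type, not just HTML: non-HTML responses such as image/svg+xml and application/xml also benefit from the policy (CVE-2024-28103).` Note also that `policy_present?` keys on header truthiness, so an upstream header set to an empty string still suppresses the configured policy here — presumably intended, but worth a word in the same comment. The body of `call` continues past the end of the hunk.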
|
||||
@ -54,12 +53,6 @@ def call(env)
|
||||
end
|
||||
|
||||
private
|
||||
def html_response?(headers)
|
||||
if content_type = headers[Rack::CONTENT_TYPE]
|
||||
content_type.include?("html")
|
||||
end
|
||||
end
|
||||
|
||||
def policy_present?(headers)
|
||||
headers[ActionDispatch::Constants::FEATURE_POLICY]
|
||||
end
|
||||
|
@ -69,12 +69,12 @@ def call(env)
|
||||
assert_equal "gyroscope 'self'", response.headers[ActionDispatch::Constants::FEATURE_POLICY]
|
||||
end
|
||||
|
||||
test "non-html requests will not set a policy" do
|
||||
test "non-html requests will set a policy" do
|
||||
@app = build_app(->(env) { [200, { Rack::CONTENT_TYPE => "application/json" }, []] })
|
||||
|
||||
get "/index"
|
||||
|
||||
assert_nil response.headers[ActionDispatch::Constants::FEATURE_POLICY]
|
||||
assert_equal "gyroscope 'self'", response.headers[ActionDispatch::Constants::FEATURE_POLICY]
|
||||
end
|
||||
|
||||
test "existing policies will not be overwritten" do
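Review bot: The renamed test at `test "non-html requests will set a policy" do` exercises only `application/json`, while the commit is motivated by `image/svg+xml` and `application/xml`, and a response with no Content-Type at all is also newly covered (the removed `html_response?` guard returned nil for it and skipped the policy). Pin those cases instead of a single type, e.g. iterate `["application/json", "image/svg+xml", "application/xml", nil].each do |type|`, build the app with `type ? { Rack::CONTENT_TYPE => type } : {}`, and assert `"gyroscope 'self'"` for each. The enclosing test class starts and ends outside the hunk.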
|
||||
|