include the HTTP Permissions-Policy on non-HTML Content-Types
[CVE-2024-28103] The application-configurable Permissions-Policy is only served on responses with an HTML-related Content-Type. This change allows all Content-Types to serve the configured Permissions-Policy, as there are many non-HTML Content-Types that would benefit from this header (examples include image/svg+xml and application/xml).
This commit is contained in:
parent
f008c31717
commit
35858f1d9d
@ -37,7 +37,6 @@ def initialize(app)
|
|||||||
def call(env)
|
def call(env)
|
||||||
_, headers, _ = response = @app.call(env)
|
_, headers, _ = response = @app.call(env)
|
||||||
|
|
||||||
return response unless html_response?(headers)
|
|
||||||
return response if policy_present?(headers)
|
return response if policy_present?(headers)
|
||||||
|
|
||||||
request = ActionDispatch::Request.new(env)
|
request = ActionDispatch::Request.new(env)
|
||||||
@ -54,12 +53,6 @@ def call(env)
|
|||||||
end
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
def html_response?(headers)
|
|
||||||
if content_type = headers[Rack::CONTENT_TYPE]
|
|
||||||
content_type.include?("html")
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
def policy_present?(headers)
|
def policy_present?(headers)
|
||||||
headers[ActionDispatch::Constants::FEATURE_POLICY]
|
headers[ActionDispatch::Constants::FEATURE_POLICY]
|
||||||
end
|
end
|
||||||
|
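Review bot: With the Content-Type check removed from `call`, nothing left in the method records why the policy is now applied to every response, so a later reader could reasonably reintroduce the filter; a comment above `return response if policy_present?(headers)` such as `# Applied to every response, not only HTML: non-HTML document types (e.g. image/svg+xml, application/xml) also need the policy (CVE-2024-28103).` would preserve the intent. The remaining early return relies on `headers[ActionDispatch::Constants::FEATURE_POLICY]` being truthy, so an explicitly empty header value (`""`) is treated as an existing policy and left alone; that is pre-existing behaviour, but since the header now reaches every response it is worth confirming that this is the intended semantics. The body of `call` continues beyond the first hunk, and the second hunk only drops the now-unused `html_response?` helper.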
@ -69,12 +69,12 @@ def call(env)
|
|||||||
assert_equal "gyroscope 'self'", response.headers[ActionDispatch::Constants::FEATURE_POLICY]
|
assert_equal "gyroscope 'self'", response.headers[ActionDispatch::Constants::FEATURE_POLICY]
|
||||||
end
|
end
|
||||||
|
|
||||||
test "non-html requests will not set a policy" do
|
test "non-html requests will set a policy" do
|
||||||
@app = build_app(->(env) { [200, { Rack::CONTENT_TYPE => "application/json" }, []] })
|
@app = build_app(->(env) { [200, { Rack::CONTENT_TYPE => "application/json" }, []] })
|
||||||
|
|
||||||
get "/index"
|
get "/index"
|
||||||
|
|
||||||
assert_nil response.headers[ActionDispatch::Constants::FEATURE_POLICY]
|
assert_equal "gyroscope 'self'", response.headers[ActionDispatch::Constants::FEATURE_POLICY]
|
||||||
end
|
end
|
||||||
|
|
||||||
test "existing policies will not be overwritten" do
|
test "existing policies will not be overwritten" do
|
||||||
|
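Review bot: The rewritten `test "non-html requests will set a policy"` only exercises `application/json`, while the cases that motivate the change in the commit message are `image/svg+xml` and `application/xml`, and the removed `html_response?` also used to skip responses carrying no Content-Type header at all; none of those paths is asserted. Adding a case for an SVG response and one for a response with an empty header hash would pin exactly the behaviour the CVE fix is about. The enclosing test class starts and ends outside the hunk.
```ruby
test "svg responses will set a policy" do
  @app = build_app(->(env) { [200, { Rack::CONTENT_TYPE => "image/svg+xml" }, []] })

  get "/index"

  assert_equal "gyroscope 'self'", response.headers[ActionDispatch::Constants::FEATURE_POLICY]
end

test "responses without a Content-Type will set a policy" do
  @app = build_app(->(env) { [200, {}, []] })

  get "/index"

  assert_equal "gyroscope 'self'", response.headers[ActionDispatch::Constants::FEATURE_POLICY]
end
```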