rack-disable_css_animations 0.5.0 → 0.5.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/lib/rack/disable_css_animations/version.rb +1 -1
- data/lib/rack/disable_css_animations.rb +10 -2
- data/test/test_disable_css_animations.rb +26 -0
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: bad6feef29bab1e1a2a8e97b26657b599173d23b85fbb484a9b4cfe3efb05030
|
|
4
|
+
data.tar.gz: 3bca0f36e15ed91ecd7bae9deecec5d344cb82ae7cc27aae1e9064dd596a45e8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d4344c6fe201e54525d0c939c67466fe876fb305d88ec2dddd0d4d433d30efa4f4b28367e83d4bcdee5c2b0aa922fb4260d981426c57ced8711989fa8ad8fc85
|
|
7
|
+
data.tar.gz: d9bdb2f55b3dbe8e4ac7f2c3d5b50e35cf53b6f0082302623f6b56786eef363d35660af0915018573d6b0504c507fb4693eda74529e4c3d41b247724005e35bb
|
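--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## 0.5.1
+
+- Recognize the `Content-Security-Policy-Report-Only` header (in both canonical and lowercase form) when no enforcing `Content-Security-Policy` header is present, so the injected `<style>` tag's nonce matches in apps running CSP in report-only mode.
+- Insert the middleware before `ActionDispatch::ContentSecurityPolicy::Middleware` so the CSP header has already been added to the response by the time we read it. Previously the middleware ran before CSP on the response, so the header was always absent.
+
 ## 0.5.0
 
 - Add CSP nonce support: when the response's `Content-Security-Policy` header sets a `style-src 'nonce-…'`, the injected `<style>` tag now carries a matching `nonce` attribute so it is not blocked by CSP.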
@@ -4,7 +4,11 @@ module Rack
|
|
|
4
4
|
class DisableCSSAnimations
|
|
5
5
|
if defined?(Rails)
|
|
6
6
|
class Rails < Rails::Railtie
|
|
7
|
-
|
|
7
|
+
initializer "rack-disable_css_animations.insert_middleware" do |app|
|
|
8
|
+
app.middleware.insert_before ActionDispatch::ContentSecurityPolicy::Middleware, DisableCSSAnimations
|
|
9
|
+
rescue RuntimeError
|
|
10
|
+
app.middleware.use DisableCSSAnimations
|
|
11
|
+
end
|
|
8
12
|
end
|
|
9
13
|
end
|
|
10
14
|
|
|
@@ -34,7 +38,11 @@ module Rack
|
|
|
34
38
|
end
|
|
35
39
|
|
|
36
40
|
def csp_header
|
|
37
|
-
@headers["Content-Security-Policy"] ||
|
|
41
|
+
@headers["Content-Security-Policy"] ||
|
|
42
|
+
@headers["content-security-policy"] ||
|
|
43
|
+
@headers["Content-Security-Policy-Report-Only"] ||
|
|
44
|
+
@headers["content-security-policy-report-only"] ||
|
|
45
|
+
""
|
|
38
46
|
end
|
|
39
47
|
|
|
40
48
|
def directive_nonces
|
|
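Review bot: The initializer's fallback only rescues `RuntimeError`, so if `ActionDispatch::ContentSecurityPolicy::Middleware` is not defined at all (Rails releases that predate that middleware, should the gem still support them) the constant lookup raises `NameError` and the initializer aborts boot instead of falling back to `app.middleware.use`; `insert_before` itself raises `RuntimeError` only when the constant exists but is missing from the stack. Checking the constant first keeps both cases on the fallback path and lets the rescue stay narrow, as below. The fallback also deserves a comment, because `use` appends the middleware to the end of the stack, where it sees the response before any outer CSP middleware would add the header — acceptable only because no CSP middleware is present in that case. In the `csp_header` hunk further down, an enforcing `Content-Security-Policy` set to an empty string still short-circuits the `||` chain, since `""` is truthy in Ruby; that matches the documented precedence but is worth a one-line comment. The `DisableCSSAnimations` class body continues outside both hunks.
```ruby
initializer "rack-disable_css_animations.insert_middleware" do |app|
  if defined?(ActionDispatch::ContentSecurityPolicy::Middleware)
    # Run outside the CSP middleware so the header is already on the response when we read it.
    app.middleware.insert_before ActionDispatch::ContentSecurityPolicy::Middleware, DisableCSSAnimations
  else
    # No CSP middleware in this Rails version: append; the nonce lookup is a no-op here.
    app.middleware.use DisableCSSAnimations
  end
rescue RuntimeError
  # Constant exists but the middleware was removed from the stack: append as before.
  app.middleware.use DisableCSSAnimations
end
```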
@@ -81,4 +81,30 @@ class TestDisableCSSAnimations < Minitest::Test
|
|
|
81
81
|
|
|
82
82
|
assert_includes last_response.body, %(<style nonce="lower1">)
|
|
83
83
|
end
|
|
84
|
+
|
|
85
|
+
def test_report_only_csp_header_nonce_is_used_when_enforcing_header_absent
|
|
86
|
+
self.response_headers["Content-Security-Policy-Report-Only"] = "style-src 'nonce-reportonly1'"
|
|
87
|
+
|
|
88
|
+
get "/"
|
|
89
|
+
|
|
90
|
+
assert_includes last_response.body, %(<style nonce="reportonly1">)
|
|
91
|
+
end
|
|
92
|
+
|
|
93
|
+
def test_lowercase_report_only_csp_header_is_also_recognized
|
|
94
|
+
self.response_headers = { "Content-Type" => "text/html", "content-security-policy-report-only" => "style-src 'nonce-reportonly2'" }
|
|
95
|
+
|
|
96
|
+
get "/"
|
|
97
|
+
|
|
98
|
+
assert_includes last_response.body, %(<style nonce="reportonly2">)
|
|
99
|
+
end
|
|
100
|
+
|
|
101
|
+
def test_enforcing_header_takes_precedence_over_report_only
|
|
102
|
+
self.response_headers["Content-Security-Policy"] = "style-src 'nonce-enforced'"
|
|
103
|
+
self.response_headers["Content-Security-Policy-Report-Only"] = "style-src 'nonce-reportonly'"
|
|
104
|
+
|
|
105
|
+
get "/"
|
|
106
|
+
|
|
107
|
+
assert_includes last_response.body, %(<style nonce="enforced">)
|
|
108
|
+
refute_includes last_response.body, "reportonly"
|
|
109
|
+
end
|
|
84
110
|
end
|
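Review bot: The new precedence test only covers the case where both headers carry a `style-src` nonce; the `||` chain in `csp_header` means a present enforcing header with no style nonce still wins and the report-only nonce is never consulted, and no test pins that outcome. Since that is what a deployment running CSP in enforce mode with a report-only experiment alongside will hit, a test like the one below would document it. `test_lowercase_report_only_csp_header_is_also_recognized` replaces the whole header hash, presumably so only the lowercase key is present while the response still looks like HTML; a comment such as `# Replace the hash wholesale so only the lowercase header name is present` would save the next reader a comparison with the fixture. The enclosing `TestDisableCSSAnimations` class starts before this hunk and closes on its last line.
```ruby
def test_report_only_nonce_is_ignored_when_enforcing_header_has_no_style_nonce
  self.response_headers["Content-Security-Policy"] = "default-src 'self'"
  self.response_headers["Content-Security-Policy-Report-Only"] = "style-src 'nonce-reportonly'"

  get "/"

  refute_includes last_response.body, "reportonly"
end
```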