
Generate content security policy for non-HTML responses #44635

Merged: 2 commits, Mar 8, 2022

Conversation

imtayadeway (Contributor)

Summary

One feature of the content security policy DSL, though undocumented,
is that it will not generate headers for non-HTML responses, even if a
configuration is explicitly provided. While it may not seem obvious
that anyone would want to send this header in an API response, Mozilla
Observatory, for instance, recommends the following for API responses:

`Content-Security-Policy: default-src 'none'; frame-ancestors 'none'`

(source: https://observatory.mozilla.org/faq/)

The Secure Headers gem also makes recommendations about the content
security policy for API responses: https://github.com/github/secure_headers#api-configurations

As such, this removes the HTML guard clause from the
`ContentSecurityPolicy` middleware.

Other Information

Pulled out of #39398 based on #39398 (comment)
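To make the guard clause concrete, here is an added stand-alone sketch (not Rails' own middleware code, not part of the PR): a hypothetical Rack-style `CspMiddleware` that with `html_only: true` mimics the pre-PR behaviour of skipping non-HTML responses, and with `html_only: false` mimics the post-PR behaviour, checked against a constructed JSON API response and an HTML response.

```ruby
require "json"

# The API policy recommended by Mozilla Observatory, as quoted in the PR.
API_POLICY = "default-src 'none'; frame-ancestors 'none'"

# Minimal Rack-style middleware (hypothetical, not Rails' own class). With
# html_only: true it mimics the guard clause the PR removes; with false it
# mimics the post-PR behaviour of setting the header on every response.
class CspMiddleware
  def initialize(app, policy, html_only:)
    @app = app
    @policy = policy
    @html_only = html_only
  end

  def call(env)
    status, headers, body = @app.call(env)
    if !@html_only || html?(headers)
      headers["Content-Security-Policy"] = @policy
    end
    [status, headers, body]
  end

  private

  # True when the downstream response declares an HTML media type.
  def html?(headers)
    headers["Content-Type"].to_s.match?(%r{\Atext/html}i)
  end
end

# Constructed sample app: JSON for /api/* (an API response), HTML otherwise.
SAMPLE_APP = lambda do |env|
  if env["PATH_INFO"].start_with?("/api/")
    [200, { "Content-Type" => "application/json" }, [JSON.generate({ ok: true })]]
  else
    [200, { "Content-Type" => "text/html; charset=utf-8" }, ["<html></html>"]]
  end
end

# Returns the Content-Security-Policy header (or nil) emitted for a path.
def csp_header_for(path, html_only:)
  app = CspMiddleware.new(SAMPLE_APP, API_POLICY, html_only: html_only)
  _status, headers, _body = app.call({ "PATH_INFO" => path })
  headers["Content-Security-Policy"]
end

# The comparison the PR is about: what the API response carries before and after.
def api_response_headers
  { before: csp_header_for("/api/items", html_only: true),
    after:  csp_header_for("/api/items", html_only: false) }
end
```

With the guard in place the JSON response carries no CSP header at all; once it is removed the same response carries the configured `default-src 'none'; frame-ancestors 'none'`.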

Co-authored-by: Alex Ghiculescu <alex@tanda.co>
@tenderlove tenderlove merged commit 8516bb6 into rails:main Mar 8, 2022
eileencodes pushed a commit that referenced this pull request Apr 26, 2022
Generate content security policy for non-HTML responses
jhawthorn pushed a commit to jhawthorn/rails that referenced this pull request Apr 27, 2022
Generate content security policy for non-HTML responses
composerinteralia pushed a commit to composerinteralia/rails that referenced this pull request Apr 28, 2022
Generate content security policy for non-HTML responses