Merge pull request #1595 from mfinelli/csp-fix-no-arg-directives

Fix content security policy no-arg directives
sinatra · Mar 11, 2020 · 2527f46 · 2527f46
2 parents 2aae16c + 49f2189
commit 2527f46
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/rack-protection/lib/rack/protection/content_security_policy.rb b/rack-protection/lib/rack/protection/content_security_policy.rb
@@ -62,7 +62,7 @@ def csp_policy
         # Set these key values to boolean 'true' to include in policy
         NO_ARG_DIRECTIVES.each do |d|
           if options.key?(d) && options[d].is_a?(TrueClass)
-            directives << d.to_s.sub(/_/, '-')
+            directives << d.to_s.tr('_', '-')
           end
         end
 

diff --git a/rack-protection/spec/lib/rack/protection/content_security_policy_spec.rb b/rack-protection/spec/lib/rack/protection/content_security_policy_spec.rb
@@ -33,7 +33,7 @@
     end
 
     headers = get('/', {}, 'wants' => 'text/html').headers
-    expect(headers["Content-Security-Policy"]).to eq("block-all_mixed_content; connect-src 'self'; default-src none; disown-opener; img-src 'self'; script-src 'self'; style-src 'self'; upgrade-insecure_requests")
+    expect(headers["Content-Security-Policy"]).to eq("block-all-mixed-content; connect-src 'self'; default-src none; disown-opener; img-src 'self'; script-src 'self'; style-src 'self'; upgrade-insecure-requests")
   end
 
   it 'should ignore CSP3 no arg directives unless they are set to true' do