
Commit 97bb0a9

Merge pull request rails#44449 from p8/docs/add-documentation-for-controller-csp
Add documentation for controller CSP methods [ci-skip]
2 parents 70ce7f9 + a134bd7 commit 97bb0a9


1 file changed

+35
-0
lines changed


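--- a/actionpack/lib/action_controller/metal/content_security_policy.rb
+++ b/actionpack/lib/action_controller/metal/content_security_policy.rb
@@ -14,6 +14,29 @@ module ContentSecurityPolicy
 end
 
 module ClassMethods
+# Overrides parts of the globally configured Content-Security-Policy
+# header:
+#
+# class PostsController < ApplicationController
+# content_security_policy do |policy|
+# policy.base_uri "https://www.example.com"
+# end
+# end
+#
+# Options can be passed similar to +before_action+. For example, pass
+# <tt>only: :index</tt> to override the header on the index action only:
+#
+# class PostsController < ApplicationController
+# content_security_policy(only: :index) do |policy|
+# policy.default_src :self, :https
+# end
+# end
+#
+# Pass +false+ to remove the Content-Security-Policy header:
+#
+# class PostsController < ApplicationController
+# content_security_policy false, only: :index
+# end
 def content_security_policy(enabled = true, **options, &block)
 before_action(options) do
 if block_given?
@@ -28,6 +51,18 @@ def content_security_policy(enabled = true, **options, &block)
 end
 end
 
+# Overrides the globally configured Content-Security-Policy-Report-Only
+# header:
+#
+# class PostsController < ApplicationController
+# content_security_policy_report_only only: :index
+# end
+#
+# Pass +false+ to remove the Content-Security-Policy-Report-Only header:
+#
+# class PostsController < ApplicationController
+# content_security_policy_report_only false, only: :index
+# end
 def content_security_policy_report_only(report_only = true, **options)
 before_action(options) do
 request.content_security_policy_report_only = report_only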
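Review bot: The new comment above `content_security_policy_report_only` speaks only of overriding or removing a header, but the one visible body line sets `request.content_security_policy_report_only = report_only`, so the call appears to switch the matching actions between report-only and enforcing mode. A reader should be told that with the default `true` the browser reports violations but does not block them, and that `false` presumably causes the policy to be sent as the enforcing Content-Security-Policy header rather than simply dropping a header. I would add something like `# In report-only mode violations are reported but not blocked, so the policy is not enforced for the matching actions.` In the same spirit, the `content_security_policy false, only: :index` example in the first hunk could say that those actions are then served with no CSP at all. Both method bodies continue outside the hunks, so the exact header selection should be confirmed against the rest of the file and the middleware.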
