
Commit 1ff4bd6

don't strip schemes from report-uris
1 parent e903e89 commit 1ff4bd6

File tree

2 files changed: +7 -1 lines changed

lib/secure_headers/headers/content_security_policy.rb

Lines changed: 2 additions & 1 deletion
@@ -313,7 +313,8 @@ def build_directive(directive_name)
313313
end
314314

315315
# remove schemes and dedup source expressions
316-
dedup_source_list(strip_source_schemes(source_list)).join(" ")
316+
source_list = strip_source_schemes(source_list) unless directive_name == REPORT_URI
317+
dedup_source_list(source_list).join(" ")
317318
end
318319
[symbol_to_hyphen_case(directive_name), value].join(" ")
319320
end
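
Review bot: the comment on line 315, "# remove schemes and dedup source expressions", is now inaccurate for the report-uri case introduced on line 316; update it to say that schemes are preserved for report-uri, since stripping them would leave only a host and the browser would have no usable URL to post violation reports to. Also, REPORT_URI is referenced but not defined within the hunk; confirm that directive_name is always normalized to that same constant before it reaches build_directive, because if a caller passes the string form of the directive name the guard silently fails and schemes are stripped again, and the new spec would not notice.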

spec/lib/secure_headers/headers/content_security_policy_spec.rb

Lines changed: 5 additions & 0 deletions
@@ -85,6 +85,11 @@ module SecureHeaders
8585
expect(csp.value).to eq("default-src example.org")
8686
end
8787

88+
it "does not remove schemes from report-uri values" do
89+
csp = ContentSecurityPolicy.new(default_src: %w(https:), report_uri: %w(https://example.org))
90+
expect(csp.value).to eq("default-src https:; report-uri https://example.org")
91+
end
92+
8893
it "removes nil from source lists" do
8994
csp = ContentSecurityPolicy.new(default_src: ["https://example.org", nil])
9095
expect(csp.value).to eq("default-src example.org")
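
Review bot: the new spec at lines 88-91 uses default_src: %w(https:), a bare scheme that survives whether or not stripping runs, so the example does not show that other directives still have their schemes removed while report-uri is exempt; pair the report-uri with a full-URL default-src such as https://example.org, for which the spec at line 85 already expects "default-src example.org", and assert on "default-src example.org; report-uri https://example.org". A report-uri with a path component would also be a stronger check, since that is the usual shape of a reporting endpoint.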
