44 lines
1.6 KiB
Diff
44 lines
1.6 KiB
Diff
From b329b261dd32a61316f2831788d6078ca0563ab6 Mon Sep 17 00:00:00 2001
|
|
From: Zack Deveau <zack.ref@gmail.com>
|
|
Date: Wed, 28 Feb 2024 16:49:11 -0500
|
|
Subject: [PATCH] include the HTTP Permissions-Policy on non-HTML Content-Types
|
|
|
|
[CVE-2024-28103]
|
|
The application configurable Permissions-Policy is only
|
|
served on responses with an HTML related Content-Type.
|
|
|
|
This change allows all Content-Types to serve the
|
|
configured Permissions-Policy as there are many non-HTML
|
|
Content-Types that would benefit from this header.
|
|
(examples include image/svg+xml and application/xml)
|
|
---
|
|
.../http/permissions_policy.rb | 7 ---
|
|
.../test/dispatch/permissions_policy_test.rb | 51 +++++++++++++++++++
|
|
2 files changed, 51 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/actionpack/lib/action_dispatch/http/permissions_policy.rb b/actionpack/lib/action_dispatch/http/permissions_policy.rb
|
|
index d1917a7193696..b190faa3e894f 100644
|
|
--- a/actionpack/lib/action_dispatch/http/permissions_policy.rb
|
|
+++ b/actionpack/lib/action_dispatch/http/permissions_policy.rb
|
|
@@ -21,7 +21,6 @@ def call(env)
|
|
request = ActionDispatch::Request.new(env)
|
|
_, headers, _ = response = @app.call(env)
|
|
|
|
- return response unless html_response?(headers)
|
|
return response if policy_present?(headers)
|
|
|
|
if policy = request.permissions_policy
|
|
@@ -36,12 +35,6 @@ def call(env)
|
|
end
|
|
|
|
private
|
|
- def html_response?(headers)
|
|
- if content_type = headers[CONTENT_TYPE]
|
|
- /html/.match?(content_type)
|
|
- end
|
|
- end
|
|
-
|
|
def policy_present?(headers)
|
|
headers[POLICY]
|
|
end
|