class ActionDispatch::PermissionsPolicy

Action Dispatch PermissionsPolicy

Configures the HTTP Feature-Policy response header to specify which browser features the current document and its iframes can use.

Example global policy:

Rails.application.config.permissions_policy do |policy|
  policy.camera      :none
  policy.gyroscope   :none
  policy.microphone  :none
  policy.usb         :none
  policy.fullscreen  :self
  policy.payment     :self, "https://secure.example.com"
end

The Feature-Policy header has been renamed to Permissions-Policy. The Permissions-Policy header requires a different implementation and isn’t yet supported by all browsers. To avoid having to rename this middleware in the future, we use the new name for the middleware but keep the old header name and implementation for now.

Constants

DIRECTIVES

The list of available permissions can be found at github.com/w3c/webappsec-permissions-policy/blob/main/features.md#policy-controlled-features

MAPPINGS

Attributes

directives[R]

Public Class Methods

new() { |self| ... }
# File lib/action_dispatch/http/permissions_policy.rb, line 113
# Creates a policy with an empty directive table. When a block is given,
# the new policy is yielded to it so the caller can configure directives.
def initialize
  @directives = {}
  return unless block_given?

  yield self
end

Public Instance Methods

build(context = nil)
# File lib/action_dispatch/http/permissions_policy.rb, line 132
# Renders the policy as a single header value.
#
# +context+ is forwarded unchanged to build_directives. Entries that come
# back as nil are dropped, and the remaining ones are joined with "; ".
def build(context = nil)
  rendered = build_directives(context)
  rendered.compact.join("; ")
end
initialize_copy(other)
# File lib/action_dispatch/http/permissions_policy.rb, line 118
# Copy hook: gives the copy its own deep duplicate of the other policy's
# directive table, so the two no longer share the same hash.
def initialize_copy(other)
  copied = other.directives.deep_dup
  @directives = copied
end

Private Instance Methods

apply_mapping(source)
# File lib/action_dispatch/http/permissions_policy.rb, line 150
# Looks up +source+ in MAPPINGS and returns the mapped value.
#
# Raises ArgumentError for a key that MAPPINGS does not contain, so an
# unrecognised symbol never reaches the header.
def apply_mapping(source)
  return MAPPINGS[source] if MAPPINGS.key?(source)

  raise ArgumentError, "Unknown HTTP permissions policy source mapping: #{source.inspect}"
end
apply_mappings(sources)
# File lib/action_dispatch/http/permissions_policy.rb, line 137
# Normalises a list of sources and returns a new array:
#
# * a Symbol is translated through apply_mapping (which raises
#   ArgumentError for an unknown key);
# * a String or Proc is kept exactly as given;
# * anything else raises ArgumentError.
#
# Only the type is checked here. The content of a String is not inspected
# or quoted, so the caller is responsible for passing a well-formed value.
def apply_mappings(sources)
  sources.map do |entry|
    case entry
    when Symbol then apply_mapping(entry)
    when String, Proc then entry
    else raise ArgumentError, "Invalid HTTP permissions policy source: #{entry.inspect}"
    end
  end
end
build_directive(sources, context)
# File lib/action_dispatch/http/permissions_policy.rb, line 168
# Resolves every source of one directive through resolve_source and
# returns the results as an array, in the original order.
def build_directive(sources, context)
  sources.map do |entry|
    resolve_source(entry, context)
  end
end
build_directives(context)
# File lib/action_dispatch/http/permissions_policy.rb, line 156
# Renders each entry of @directives and returns one array element per entry:
#
# * an Array of sources becomes "<directive> <source> <source> ...";
# * any other truthy value yields the directive itself;
# * false or nil yields nil.
#
# Resolved sources are interpolated as they are. Array#join also flattens a
# nested array, so a source that resolves to an array contributes several
# space-separated entries. No escaping or separator check is applied here.
def build_directives(context)
  @directives.map do |name, sources|
    next unless sources
    next name unless sources.is_a?(Array)

    "#{name} #{build_directive(sources, context).join(' ')}"
  end
end
resolve_source(source, context)
# File lib/action_dispatch/http/permissions_policy.rb, line 172
# Turns one stored source into the value used when rendering a directive.
#
# * String: returned unchanged.
# * Symbol: converted with to_s.
# * Proc: evaluated with instance_exec on +context+, so the block runs with
#   +context+ as self; a nil context raises RuntimeError.
# * Any other type raises RuntimeError.
#
# The Proc's return value is handed back as it is, with no type or content
# check. NOTE(review): a dynamic source whose result depends on request data
# should return only values from a fixed allowlist. Nothing on this path
# rejects separators such as ";" before the value is joined into the
# directive string.
def resolve_source(source, context)
  case source
  when String then source
  when Symbol then source.to_s
  when Proc
    # A bare `raise "..."` raises RuntimeError, the class callers already see.
    raise "Missing context for the dynamic permissions policy source: #{source.inspect}" if context.nil?

    context.instance_exec(&source)
  else
    raise "Unexpected permissions policy source: #{source.inspect}"
  end
end