class ActionDispatch::PermissionsPolicy
Action Dispatch PermissionsPolicy
Configures the HTTP Feature-Policy response header to specify which browser features the current document and its iframes can use.
Example global policy:
  Rails.application.config.permissions_policy do |policy|
    policy.camera      :none
    policy.gyroscope   :none
    policy.microphone  :none
    policy.usb         :none
    policy.fullscreen  :self
    policy.payment     :self, "https://secure.example.com"
  end
The Feature-Policy header has been renamed to Permissions-Policy. The Permissions-Policy header requires a different implementation and isn’t yet supported by all browsers. To avoid having to rename this middleware in the future, we use the new name for the middleware but keep the old header name and implementation for now.
Constants
- DIRECTIVES
List of available permissions can be found at github.com/w3c/webappsec-permissions-policy/blob/main/features.md#policy-controlled-features
- MAPPINGS
Attributes
directives[R]
Public Class Methods
new() { |self| ... }
  # File lib/action_dispatch/http/permissions_policy.rb, line 113
  def initialize
    @directives = {}
    yield self if block_given?
  end
Public Instance Methods
build(context = nil)
  # File lib/action_dispatch/http/permissions_policy.rb, line 132
  def build(context = nil)
    build_directives(context).compact.join("; ")
  end
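The following check is an added example, not part of the Rails source or of this documentation page: it parses a Feature-Policy header value in the shape build produces (directives joined with "; ", sources separated by spaces) and compares it with the example global policy above. The function names, the sample header strings, and the rendering of :none and :self as the quoted keywords 'none' and 'self' are assumptions, since the MAPPINGS values are not listed on this page.

```ruby
# Added example (not Rails code): audit a Feature-Policy header value.
# Inverse of #build: directives are split on ";" and sources on whitespace.

def parse_feature_policy(header)
  header.split(";").each_with_object({}) do |part, policy|
    name, *sources = part.strip.split(/\s+/)
    policy[name] = sources unless name.nil?
  end
end

# expected: { "directive" => ["source", ...] }. Returns a list of findings.
def audit_feature_policy(header, expected)
  actual = parse_feature_policy(header)
  findings = []
  expected.each do |directive, sources|
    if !actual.key?(directive)
      findings << "#{directive}: missing, the browser's default allowlist applies"
    elsif actual[directive].sort != sources.sort
      findings << "#{directive}: expected [#{sources.join(' ')}], got [#{actual[directive].join(' ')}]"
    end
  end
  actual.each do |directive, sources|
    findings << "#{directive}: wildcard * allows every origin" if sources.include?("*")
  end
  findings
end

# Expected policy, taken from the example global policy on this page.
# Assumption: :none and :self are emitted as 'none' and 'self'.
EXPECTED = {
  "camera" => ["'none'"], "gyroscope" => ["'none'"],
  "microphone" => ["'none'"], "usb" => ["'none'"],
  "fullscreen" => ["'self'"],
  "payment" => ["'self'", "https://secure.example.com"]
}.freeze

# Constructed sample header values (not captured from a real application).
GOOD = "camera 'none'; gyroscope 'none'; microphone 'none'; usb 'none'; " \
       "fullscreen 'self'; payment 'self' https://secure.example.com"
DRIFTED = "camera 'none'; gyroscope 'none'; microphone *; " \
          "fullscreen 'self'; payment 'self' https://secure.example.com"

puts audit_feature_policy(GOOD, EXPECTED).inspect
puts audit_feature_policy(DRIFTED, EXPECTED)
```

A check like this fits in an integration test or a post-deploy probe that reads the Feature-Policy response header and fails when the findings list is not empty.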
initialize_copy(other)
  # File lib/action_dispatch/http/permissions_policy.rb, line 118
  def initialize_copy(other)
    @directives = other.directives.deep_dup
  end
Private Instance Methods
apply_mapping(source)
  # File lib/action_dispatch/http/permissions_policy.rb, line 150
  def apply_mapping(source)
    MAPPINGS.fetch(source) do
      raise ArgumentError, "Unknown HTTP permissions policy source mapping: #{source.inspect}"
    end
  end
apply_mappings(sources)
  # File lib/action_dispatch/http/permissions_policy.rb, line 137
  def apply_mappings(sources)
    sources.map do |source|
      case source
      when Symbol
        apply_mapping(source)
      when String, Proc
        source
      else
        raise ArgumentError, "Invalid HTTP permissions policy source: #{source.inspect}"
      end
    end
  end
build_directive(sources, context)
  # File lib/action_dispatch/http/permissions_policy.rb, line 168
  def build_directive(sources, context)
    sources.map { |source| resolve_source(source, context) }
  end
build_directives(context)
  # File lib/action_dispatch/http/permissions_policy.rb, line 156
  def build_directives(context)
    @directives.map do |directive, sources|
      if sources.is_a?(Array)
        "#{directive} #{build_directive(sources, context).join(' ')}"
      elsif sources
        directive
      else
        nil
      end
    end
  end
resolve_source(source, context)
  # File lib/action_dispatch/http/permissions_policy.rb, line 172
  def resolve_source(source, context)
    case source
    when String
      source
    when Symbol
      source.to_s
    when Proc
      if context.nil?
        raise RuntimeError, "Missing context for the dynamic permissions policy source: #{source.inspect}"
      else
        context.instance_exec(&source)
      end
    else
      raise RuntimeError, "Unexpected permissions policy source: #{source.inspect}"
    end
  end