📝 Source code
# File actionpack/lib/action_dispatch/http/content_security_policy.rb, line 35
def call(env)
status, headers, _ = response = @app.call(env)
# Returning CSP headers with a 304 Not Modified is harmful, since nonces in the
# new CSP headers might not match nonces in the cached HTML.
return response if status == 304
return response if policy_present?(headers)
request = ActionDispatch::Request.new env
if policy = request.content_security_policy
nonce = request.content_security_policy_nonce
nonce_directives = request.content_security_policy_nonce_directives
context = request.controller_instance || request
headers[header_name(request)] = policy.build(context, nonce, nonce_directives)
end
response
end
🔎 See on GitHub