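--- a/lib/roda/plugins/content_security_policy.rb
+++ b/lib/roda/plugins/content_security_policy.rb
@@ -90,11 +90,14 @@
 # # script-src 'self' 'unsafe-eval' example.com 'nonce-foobarbaz';
 #
 # content_security_policy.get_script_src
 # # => [:self, :unsafe_eval, 'example.com', [:nonce, 'foobarbaz']]
 #
-# The clear method can be used to remove all settings from the policy.
+# The clear method can be used to remove all settings from the policy. Empty policies
+# do not set any headers. You can use +response.skip_content_security_policy!+ to skip
+# setting a policy. This is faster than calling +content_security_policy.clear+, since
+# it does not duplicate the default policy.
 #
 # The following methods to set boolean settings are also defined:
 #
 # * block_all_mixed_content
 # * upgrade_insecure_requests
@@ -302,15 +305,22 @@
 # The current content security policy to be used for this response.
 def content_security_policy
 @content_security_policy ||= roda_class.opts[:content_security_policy].dup
 end
+# Do not set a content security policy header for this response.
+def skip_content_security_policy!
+@skip_content_security_policy = true
+end
+
 private
 # Set the appropriate content security policy header.
 def set_default_headers
 super
-(@content_security_policy || roda_class.opts[:content_security_policy]).set_header(headers)
+unless @skip_content_security_policy
+(@content_security_policy || roda_class.opts[:content_security_policy]).set_header(headers)
+end
 end
 end
 end
 register_plugin(:content_security_policy, ContentSecurityPolicy)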
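Review bot: The one-line comment on the new public `skip_content_security_policy!` understates its effect: once the flag is set, `set_default_headers` emits no Content-Security-Policy header at all for the response, so none of the default policy's restrictions apply to it, and nothing in this hunk offers a way to unset the flag afterwards. I would expand the comment to `# Do not set a content security policy header for this response. The response is then sent with no`, `# Content-Security-Policy header at all (the default policy is not applied), and there is no method to`, `# undo this for the same response; use +content_security_policy.clear+ or a narrower policy to relax only parts of it.` The hunk-1 wording "faster ... since it does not duplicate the default policy" is presumably only true when `content_security_policy` has not already been called on the response, since that call dups the default on first use; a short "if called before +content_security_policy+" would make that explicit. A `skip_content_security_policy?` predicate next to the bang method would also let callers and tests confirm the skip rather than reading the instance variable.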