From: Anton Khorev
Date: Sat, 4 Jan 2025 15:47:51 +0000 (+0300)
Subject: Fix options passed by allow_thirdparty_images
X-Git-Tag: live~34^2~1
X-Git-Url: https://git.openstreetmap.org./rails.git/commitdiff_plain/201796cced984aec11422518b1ff22ac6d94a873
Fix options passed by allow_thirdparty_images
---
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 32b53bad7..1ef49bf46 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -20,7 +20,7 @@ class ApplicationController < ActionController::Base
 helper_method :oauth_token
 def self.allow_thirdparty_images(**options)
- content_security_policy(options) do |policy|
+ content_security_policy(**options) do |policy|
 policy.img_src("*", :data)
 end
 end
diff --git a/test/controllers/users_controller_test.rb b/test/controllers/users_controller_test.rb
index ba1af9509..7b554711f 100644
--- a/test/controllers/users_controller_test.rb
+++ b/test/controllers/users_controller_test.rb
@@ -57,6 +57,8 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
 get user_new_path, :params => { :cookie_test => "true" }
 assert_response :success
+ assert_no_match(/img-src \* data:;/, @response.headers["Content-Security-Policy-Report-Only"])
+
 assert_select "html", :count => 1 do
 assert_select "head", :count => 1 do
 assert_select "title", :text => /Sign Up/, :count => 1
@@ -297,6 +299,7 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
 get user_path(user)
 assert_response :success
+ assert_match(/img-src \* data:;/, @response.headers["Content-Security-Policy-Report-Only"])
 assert_select "div.content-heading" do
 assert_select "a[href^='/user/#{ERB::Util.u(user.display_name)}/history']", 1
 assert_select "a[href='/user/#{ERB::Util.u(user.display_name)}/traces']", 1
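Review bot: `allow_thirdparty_images` in app/controllers/application_controller.rb still carries no comment saying that its keyword options select the actions on which `img-src` is widened to `*` and `data:`, and the slip corrected here shows how easily that contract is missed. I would add above the `def`: `# Widens img-src to any origin plus data: only for the actions selected by options (e.g. :only => [:show]); with no options it applies to every action of the controller.` Presumably Rails' `content_security_policy` forwards these options to its callback as filters, which should be confirmed against the Rails version in use. Because a wildcard image source lets any remote host receive requests from viewers of those pages, callers should keep the scope as narrow as the page needs.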
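Review bot: The new `assert_no_match` in the sign-up test of test/controllers/users_controller_test.rb would, as far as I can tell, also pass when the `Content-Security-Policy-Report-Only` header is absent, since a regexp matched against `nil` yields no match; the check would then guard nothing if the policy were ever sent as an enforcing `Content-Security-Policy` header instead. Asserting the header first, e.g. `assert_not_nil @response.headers["Content-Security-Policy-Report-Only"]`, keeps the negative check meaningful. The pattern is also tied to the exact serialisation `img-src * data:;`, so a wildcard policy written in another order or with extra sources would slip past it; `/img-src [^;]*\*/` is a looser alternative for the negative case. The positive `assert_match` in the `@@ -297,6 +299,7 @@` hunk fails loudly on a missing header and needs no change; both test methods start and end outside their hunks.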