tapioca icon indicating copy to clipboard operation
tapioca copied to clipboard
verified publisher icon Shopify

Cannot use the `append_content_security_policy_directives` method in `ApplicationController`

Open pvcresin opened this issue 1 month ago • 2 comments

The append_content_security_policy_directives from SecureHeaders can be referenced in ApplicationController as follows:

class ApplicationController < ActionController::Base
  def foo
    append_content_security_policy_directives(xxxx)
  end
end

However, Sorbet seems unable to find append_content_security_policy_directives.

Method append_content_security_policy_directives does not exist on ApplicationController

By the way, the method is generated in RBI as follows:

# sorbet/rbi/gems/[email protected]
module SecureHeaders
  def append_content_security_policy_directives(additions); end
  # ...
end

Therefore, it's possible that ActionController and SecureHeaders are not linked correctly.

pvcresin avatar Dec 09 '25 05:12 pvcresin

Looks like SecureHeaders is mixed in using ActiveSupport.on_load here. DynamicMixin compiler doesn't see this include and therefore doesn't reflect the dynamic mixin in the RBI.

Instead, you can define a shim in sorbet/rbi/shims/secure_headers.rbi that contains something like this to resolve the error:

class ActionController::Base
  include SecureHeaders
end

Further investigation is needed to see exactly why the DynamicMixin compiler isn't picking this up.

KaanOzkan avatar Dec 09 '25 21:12 KaanOzkan

Thank you for the details. As you said, I'm addressing this by placing the exact same RBI in sorbet/rbi/shims/secure_headers.rbi.

pvcresin avatar Dec 10 '25 02:12 pvcresin