Class: SecureHeaders::ContentSecurityPolicy

Inherits:
Object
Includes:
Constants
Defined in:
lib/secure_headers/headers/content_security_policy.rb,
lib/secure_headers/headers/content_security_policy/browser_strategy.rb,
lib/secure_headers/headers/content_security_policy/ie_browser_strategy.rb,
lib/secure_headers/headers/content_security_policy/webkit_browser_strategy.rb,
lib/secure_headers/headers/content_security_policy/firefox_browser_strategy.rb

Defined Under Namespace

Modules: Constants Classes: BrowserStrategy, FirefoxBrowserStrategy, IeBrowserStrategy, WebkitBrowserStrategy

Constant Summary

Constants included from Constants

Constants::FF_CSP_ENDPOINT, Constants::FIREFOX_CSP_HEADER, Constants::FIREFOX_CSP_HEADER_NAME, Constants::FIREFOX_DIRECTIVES, Constants::META, Constants::STANDARD_HEADER_NAME, Constants::WEBKIT_CSP_HEADER, Constants::WEBKIT_CSP_HEADER_NAME, Constants::WEBKIT_DIRECTIVES


Constructor Details

#initialize(config = nil, options = {}) ⇒ ContentSecurityPolicy

The `options` hash accepts: `:experimental` — apply the `:experimental` block of the config; `:ssl_request` — used to decide whether `http_additions` are applied (note that the constructor body reads the key `:ssl`, and a missing value is treated as a plain-HTTP request, i.e. the looser policy is the default); `:request_uri` — used to decide whether Firefox sends the report directly or through the forwarding endpoint (nil means "not the same host", so reports go via the forwarder); `:ua` — the user agent string (e.g. Firefox/Chrome/MSIE), used to pick the browser strategy. The user agent is a request header and therefore attacker-controlled; it only selects which header variant is emitted.

`:request` — a request object; when present, `parse_request` derives the SSL flag, user agent and request URI from it and the individual `:ssl_request`, `:ua` and `:request_uri` options are ignored (the original text calls this key `:report`, but the constructor checks `options[:request]`).



# File 'lib/secure_headers/headers/content_security_policy.rb', line 37

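# Builds a policy object for one request.
#
# @param config [Hash, nil] the CSP configuration; when given it is handed to
#   +configure+ immediately.
# @param options [Hash] request context:
#   * +:experimental+ - apply the +:experimental+ block of the config.
#   * +:controller+ - the controller handling the request (stored, not read here).
#   * +:request+ - when present, +parse_request+ (defined elsewhere) derives the
#     browser, SSL flag and request URI from it and the options below are ignored.
#   * +:ua+ - user agent string used to choose the browser strategy. It comes
#     from a request header, so it is attacker-controlled; it only selects which
#     header variant is emitted, never whether a policy is emitted.
#   * +:ssl+ (also accepted as +:ssl_request+, the name the class docs use) -
#     truthy when the request was served over HTTPS. Both spellings are honored
#     because a caller following the docs and passing +:ssl_request+ was
#     previously ignored, and the policy then fell open to the plain-HTTP
#     variant (including +http_additions+).
#   * +:request_uri+ - the current request URI; nil means "assume a different
#     host", which routes every Firefox CSP report through the forwarder.
def initialize(config=nil, options={})
  @experimental = !!options.delete(:experimental)
  @controller = options.delete(:controller)
  if options[:request]
    parse_request(options[:request])
  else
    @browser = Brwsr::Browser.new(:ua => options[:ua])
    # Fails open: a missing flag is treated as plain HTTP, so http_additions are
    # included. Callers on HTTPS must pass the flag explicitly. Both key names
    # are consumed so neither is silently left behind in options.
    ssl_flag = options.delete(:ssl)
    documented_ssl_flag = options.delete(:ssl_request)
    @ssl_request = !!(ssl_flag || documented_ssl_flag)
    # nil here means we never assume we are on the same host, which causes all
    # Firefox CSP reports to go through the forwarder.
    @request_uri = options.delete(:request_uri)
  end

  configure(config) if config
end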

Instance Attribute Details

#browser ⇒ Object (readonly)

Returns the value of attribute browser.



# File 'lib/secure_headers/headers/content_security_policy.rb', line 23

# The Brwsr::Browser built from the +:ua+ option in the constructor (or,
# presumably, set by +parse_request+ when a +:request+ was given - that helper
# is not shown here). The user agent behind it is request-supplied, so it is
# only used to choose the header flavour, not to decide whether to send one.
def browser
  @browser
end

#config ⇒ Object (readonly)

Returns the value of attribute config.



# File 'lib/secure_headers/headers/content_security_policy.rb', line 23

# The remaining configuration after +configure+ has run: a shallow copy of the
# caller's hash with the META directives, +:report_uri+ and +:script_nonce+
# already removed. nil when the object was built without a config.
def config
  @config
end

#experimental ⇒ Object (readonly)

Returns the value of attribute experimental.



# File 'lib/secure_headers/headers/content_security_policy.rb', line 23

# true when +:experimental+ was passed to the constructor. Only then does
# +configure+ merge the config's +:experimental+ block over the base settings.
def experimental
  @experimental
end

#report_uri ⇒ Object (readonly)

Returns the value of attribute report_uri.



# File 'lib/secure_headers/headers/content_security_policy.rb', line 23

# The +:report_uri+ pulled out of the config by +configure+. +configure+ then
# calls +normalize_reporting_endpoint+ (not shown), which presumably rewrites
# this for the Firefox forwarder case - verify against that helper.
def report_uri
  @report_uri
end

#request_uri ⇒ Object (readonly)

Returns the value of attribute request_uri.



# File 'lib/secure_headers/headers/content_security_policy.rb', line 23

# The +:request_uri+ option as given to the constructor. nil means the policy
# never assumes it is on the same host, so all Firefox CSP reports are routed
# through the forwarding endpoint.
def request_uri
  @request_uri
end

#ssl_request ⇒ Object (readonly) Also known as: ssl_request?

Returns the value of attribute ssl_request.



# File 'lib/secure_headers/headers/content_security_policy.rb', line 23

# Whether the request was served over HTTPS, as a strict boolean. Defaults to
# false when the constructor was not told otherwise ("fails open" to the
# plain-HTTP policy variant, which includes +http_additions+). Also exposed as
# +ssl_request?+.
def ssl_request
  @ssl_request
end

Instance Method Details

#configure(opts) ⇒ Object



# File 'lib/secure_headers/headers/content_security_policy.rb', line 55

# Loads a configuration hash into this policy.
#
# Works on a shallow copy of +opts+, so top-level keys can be removed without
# touching the caller's hash; nested values (directive source arrays) are still
# shared with the caller - +normalize_csp_options+ is not shown here, so check
# whether it mutates them in place.
#
# When the constructor enabled experimental mode and the config carries an
# +:experimental+ block, that block is merged over the base settings. Note that
# +:http_additions+ is deliberately taken from the experimental block alone: if
# the block omits it, the base value is replaced by nil rather than retained.
#
# The META directives become setters via +send+ (driven by the METa constant,
# never by caller-supplied names), +:report_uri+ and +:script_nonce+ are
# extracted, and the remaining hash is normalised and filtered per browser.
def configure opts
  @config = opts.dup

  experimental_settings = @config.delete(:experimental)
  if @experimental && experimental_settings
    @config[:http_additions] = experimental_settings[:http_additions]
    @config.merge!(experimental_settings)
  end

  META.each { |directive| send("#{directive}=", @config.delete(directive)) }

  @report_uri = @config.delete(:report_uri)
  @script_nonce = @config.delete(:script_nonce)

  normalize_csp_options
  normalize_reporting_endpoint
  filter_unsupported_directives
end

#name ⇒ Object



# File 'lib/secure_headers/headers/content_security_policy.rb', line 76

# The HTTP header name to emit, delegated to the browser strategy chosen from
# the user agent - presumably one of STANDARD_HEADER_NAME,
# FIREFOX_CSP_HEADER_NAME or WEBKIT_CSP_HEADER_NAME (see the strategy classes).
def name
  browser_strategy.name
end

#value ⇒ Object



# File 'lib/secure_headers/headers/content_security_policy.rb', line 80

# The header value for this request.
#
# A String config is emitted verbatim: it bypasses the normalisation and
# per-browser directive filtering that +configure+ applies to a Hash, so the
# caller owns its correctness (and +configure+ itself calls Hash methods on the
# config, so a String here presumably arrives by another path - verify).
# With a Hash config the value is assembled by +build_value+; with no config at
# all the browser strategy supplies its default header.
def value
  return @config if @config.is_a?(String)
  return browser_strategy.csp_header unless @config
  build_value
end