Class: SecureHeaders::ContentSecurityPolicy

Inherits:

Header

• Object
• Header
• SecureHeaders::ContentSecurityPolicy

Includes:

Constants

Defined in:

lib/secure_headers/headers/content_security_policy.rb,
lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb

Defined Under Namespace

Modules: Constants Classes: ScriptHashMiddleware

Constant Summary

Constants included from Constants

Constants::ALL_DIRECTIVES, Constants::DEFAULT_CSP_HEADER, Constants::DIRECTIVES, Constants::ENV_KEY, Constants::HEADER_NAME, Constants::NON_DEFAULT_SOURCES, Constants::OTHER, Constants::SOURCE_DIRECTIVES

Instance Attribute Summary

• #disable_fill_missing ⇒ Object (also: #disable_fill_missing?) readonly

  Returns the value of attribute disable_fill_missing.

• #ssl_request ⇒ Object (also: #ssl_request?) readonly

  Returns the value of attribute ssl_request.

Class Method Summary

• .add_to_env(request, controller, config) ⇒ Object
• .from_json(*json_configs) ⇒ Object
• .generate_nonce ⇒ Object
• .options_from_request(request) ⇒ Object
• .request_uri_from_request(request) ⇒ Object
• .set_nonce(controller, nonce = generate_nonce) ⇒ Object
• .symbol_to_hyphen_case(sym) ⇒ Object

Instance Method Summary

• #initialize(config = nil, options = {}) ⇒ ContentSecurityPolicy constructor

  options param contains :controller used for setting instance variables for nonces/hashes :ssl_request used to determine if http_additions should be used :ua the user agent (or just use Firefox/Chrome/MSIE/etc).

• #name ⇒ Object

  Returns the name to use for the header.

• #nonce ⇒ Object

  Return or initialize the nonce value used for this header.

• #to_json ⇒ Object
• #value ⇒ Object

  Return the value of the CSP header.

Constructor Details

#initialize(config = nil, options = {}) ⇒ ContentSecurityPolicy

options param contains :controller used for setting instance variables for nonces/hashes :ssl_request used to determine if http_additions should be used :ua the user agent (or just use Firefox/Chrome/MSIE/etc)

:report used to determine what :ssl_request, :ua, and :request_uri are set to

# File 'lib/secure_headers/headers/content_security_policy.rb', line 97

def initialize(config=nil, options={})
  return unless config

  if options[:request]
    options = options.merge(self.class.options_from_request(options[:request]))
  end

  @controller = options[:controller]
  @ua = options[:ua]
  @ssl_request = !!options.delete(:ssl)
  @request_uri = options.delete(:request_uri)

  # Config values can be string, array, or lamdba values
  @config = config.inject({}) do |hash, (key, value)|
    config_val = value.respond_to?(:call) ? value.call(@controller) : value

    if SOURCE_DIRECTIVES.include?(key) # directives need to be normalized to arrays of strings
      config_val = config_val.split if config_val.is_a? String
      if config_val.is_a?(Array)
        config_val = config_val.map do |val|
          translate_dir_value(val)
        end.flatten.uniq
      end
    end

    hash[key] = config_val
    hash
  end

  @http_additions = @config.delete(:http_additions)
  @app_name = @config.delete(:app_name)
  @report_uri = @config.delete(:report_uri)

  @disable_fill_missing = !!@config.delete(:disable_fill_missing)
  @enforce = !!@config.delete(:enforce)
  @disable_img_src_data_uri = !!@config.delete(:disable_img_src_data_uri)
  @tag_report_uri = !!@config.delete(:tag_report_uri)
  @script_hashes = @config.delete(:script_hashes) || []

  add_script_hashes if @script_hashes.any?
  fill_directives unless disable_fill_missing?
end

Instance Attribute Details

#disable_fill_missing ⇒ Object (readonly) Also known as: disable_fill_missing?

Returns the value of attribute disable_fill_missing.

# File 'lib/secure_headers/headers/content_security_policy.rb', line 46

def disable_fill_missing
  @disable_fill_missing
end

#ssl_request ⇒ Object (readonly) Also known as: ssl_request?

Returns the value of attribute ssl_request.

# File 'lib/secure_headers/headers/content_security_policy.rb', line 46

def ssl_request
  @ssl_request
end

Class Method Details

.add_to_env(request, controller, config) ⇒ Object

# File 'lib/secure_headers/headers/content_security_policy.rb', line 59

def add_to_env(request, controller, config)
  set_nonce(controller)
  options = options_from_request(request).merge(:controller => controller)
  request.env[Constants::ENV_KEY] = {
    :config => config,
    :options => options,
  }
end

.from_json(*json_configs) ⇒ Object

# File 'lib/secure_headers/headers/content_security_policy.rb', line 175

def self.from_json(*json_configs)
  json_configs.inject({}) do |combined_config, one_config|
    one_config = one_config.gsub(/(\w+)-src/, "\\1_src")
    config = JSON.parse(one_config, :symbolize_names => true)
    combined_config.merge(config) do |_, lhs, rhs|
      lhs | rhs
    end
  end
end

.generate_nonce ⇒ Object

# File 'lib/secure_headers/headers/content_security_policy.rb', line 51

def generate_nonce
  SecureRandom.base64(32).chomp
end

.options_from_request(request) ⇒ Object

# File 'lib/secure_headers/headers/content_security_policy.rb', line 68

def options_from_request(request)
  {
    :ssl => request.ssl?,
    :ua => request.env['HTTP_USER_AGENT'],
    :request_uri => request_uri_from_request(request),
  }
end

.request_uri_from_request(request) ⇒ Object

# File 'lib/secure_headers/headers/content_security_policy.rb', line 76

def request_uri_from_request(request)
  if request.respond_to?(:original_url)
    # rails 3.1+
    request.original_url
  else
    # rails 2/3.0
    request.url
  end
end

.set_nonce(controller, nonce = generate_nonce) ⇒ Object

# File 'lib/secure_headers/headers/content_security_policy.rb', line 55

def set_nonce(controller, nonce = generate_nonce)
  controller.instance_variable_set(:@content_security_policy_nonce, nonce)
end

.symbol_to_hyphen_case(sym) ⇒ Object

# File 'lib/secure_headers/headers/content_security_policy.rb', line 86

def symbol_to_hyphen_case sym
  sym.to_s.gsub('_', '-')
end

Instance Method Details

#name ⇒ Object

Returns the name to use for the header. Either “Content-Security-Policy” or “Content-Security-Policy-Report-Only”

# File 'lib/secure_headers/headers/content_security_policy.rb', line 151

def name
  base = HEADER_NAME
  if !@enforce
    base += "-Report-Only"
  end
  base
end

#nonce ⇒ Object

Return or initialize the nonce value used for this header. If a reference to a controller is passed in the config, this method will check if a nonce has already been set and use it.

# File 'lib/secure_headers/headers/content_security_policy.rb', line 144

def nonce
  @nonce ||= @controller.instance_variable_get(:@content_security_policy_nonce) || self.class.generate_nonce
end

#to_json ⇒ Object

# File 'lib/secure_headers/headers/content_security_policy.rb', line 170

def to_json
  build_value
  @config.to_json.gsub(/(\w+)_src/, "\\1-src")
end

#value ⇒ Object

Return the value of the CSP header

# File 'lib/secure_headers/headers/content_security_policy.rb', line 161

def value
  return @config if @config.is_a?(String)
  if @config
    build_value
  else
    DEFAULT_CSP_HEADER
  end
end