Class: SecureHeaders::ContentSecurityPolicy
- Includes:
- Constants
- Defined in:
- lib/secure_headers/headers/content_security_policy.rb,
lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb
Defined Under Namespace
Modules: Constants Classes: ScriptHashMiddleware
Constant Summary
Constants included from Constants
Constants::ALL_DIRECTIVES, Constants::DEFAULT_CSP_HEADER, Constants::DIRECTIVES, Constants::ENV_KEY, Constants::HEADER_NAME, Constants::NON_DEFAULT_SOURCES, Constants::OTHER, Constants::SOURCE_DIRECTIVES
Instance Attribute Summary
-
#disable_fill_missing ⇒ Object
(also: #disable_fill_missing?)
readonly
Returns the value of attribute disable_fill_missing.
-
#ssl_request ⇒ Object
(also: #ssl_request?)
readonly
Returns the value of attribute ssl_request.
Class Method Summary
- .add_to_env(request, controller, config) ⇒ Object
- .from_json(*json_configs) ⇒ Object
- .generate_nonce ⇒ Object
- .options_from_request(request) ⇒ Object
- .request_uri_from_request(request) ⇒ Object
- .set_nonce(controller, nonce = generate_nonce) ⇒ Object
- .symbol_to_hyphen_case(sym) ⇒ Object
Instance Method Summary
-
#initialize(config = nil, options = {}) ⇒ ContentSecurityPolicy
constructor
options param contains: :controller, used for setting instance variables for nonces/hashes; :ssl_request, used to determine if http_additions should be used; :ua, the user agent (or just use Firefox/Chrome/MSIE/etc).
-
#name ⇒ Object
Returns the name to use for the header.
-
#nonce ⇒ Object
Return or initialize the nonce value used for this header.
- #to_json ⇒ Object
-
#value ⇒ Object
Return the value of the CSP header.
Constructor Details
#initialize(config = nil, options = {}) ⇒ ContentSecurityPolicy
options param contains: :controller, used for setting instance variables for nonces/hashes; :ssl_request, used to determine if http_additions should be used; :ua, the user agent (or just use Firefox/Chrome/MSIE/etc);
:report, used to determine what :ssl_request, :ua, and :request_uri are set to
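# File 'lib/secure_headers/headers/content_security_policy.rb', line 97
# Builds a policy object from +config+ (a Hash of directives and settings)
# and the per-request +options+ Hash.
#
# Option keys read here: :request (expanded through
# self.class.options_from_request), :controller, :ua, :ssl and :request_uri.
# Note that the key consumed is :ssl, which is also what options_from_request
# emits, even though the summary text talks about :ssl_request.
#
# Config values may be strings, arrays or callables; a callable is invoked
# with the controller. Keys listed in SOURCE_DIRECTIVES are normalised to a
# flat, de-duplicated array of strings via translate_dir_value. Non-directive
# settings (:http_additions, :app_name, :report_uri, :disable_fill_missing,
# :enforce, :disable_img_src_data_uri, :tag_report_uri, :script_hashes) are
# pulled out of @config into their own attributes.
#
# A nil +config+ returns early and leaves every attribute unset.
#
# @param config [Hash, nil] directives and settings
# @param options [Hash] per-request options; not modified by this method
def initialize(config=nil, options={})
  return unless config

  # Work on a copy: :ssl and :request_uri are deleted below, and the caller's
  # Hash (for example the one add_to_env stores in request.env, which may be
  # handed to a later instantiation) must not lose those keys.
  options = options.dup
  if options[:request]
    options = options.merge(self.class.options_from_request(options[:request]))
  end

  @controller = options[:controller]
  # Request-supplied header value, so treat it as untrusted input; how it is
  # consumed is outside this method.
  @ua = options[:ua]
  @ssl_request = !!options.delete(:ssl)
  @request_uri = options.delete(:request_uri)

  # Config values can be string, array, or lambda values
  @config = config.inject({}) do |hash, (key, value)|
    config_val = value.respond_to?(:call) ? value.call(@controller) : value

    if SOURCE_DIRECTIVES.include?(key)
      # directives need to be normalized to arrays of strings
      config_val = config_val.split if config_val.is_a? String
      if config_val.is_a?(Array)
        config_val = config_val.map do |val|
          translate_dir_value(val)
        end.flatten.uniq
      end
    end

    hash[key] = config_val
    hash
  end

  # Settings that are not directives are removed from @config so that the
  # remaining keys can be rendered as directives.
  @http_additions = @config.delete(:http_additions)
  @app_name = @config.delete(:app_name)
  @report_uri = @config.delete(:report_uri)
  @disable_fill_missing = !!@config.delete(:disable_fill_missing)
  @enforce = !!@config.delete(:enforce)
  @disable_img_src_data_uri = !!@config.delete(:disable_img_src_data_uri)
  @tag_report_uri = !!@config.delete(:tag_report_uri)
  @script_hashes = @config.delete(:script_hashes) || []

  add_script_hashes if @script_hashes.any?
  fill_directives unless disable_fill_missing?
end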
Instance Attribute Details
#disable_fill_missing ⇒ Object (readonly) Also known as: disable_fill_missing?
Returns the value of attribute disable_fill_missing.
# File 'lib/secure_headers/headers/content_security_policy.rb', line 46
# Reader for @disable_fill_missing, which #initialize sets from the
# :disable_fill_missing config key (coerced with !!). Also available as
# #disable_fill_missing?. Both readers point at line 46, so this is most
# likely an attr_reader that YARD renders as an explicit def.
def disable_fill_missing
  @disable_fill_missing
end
#ssl_request ⇒ Object (readonly) Also known as: ssl_request?
Returns the value of attribute ssl_request.
# File 'lib/secure_headers/headers/content_security_policy.rb', line 46
# Reader for @ssl_request, which #initialize sets from the :ssl option
# (coerced with !!). Also available as #ssl_request?. Like
# #disable_fill_missing it is reported at line 46, so this is most likely an
# attr_reader rendered by YARD as an explicit def.
def ssl_request
  @ssl_request
end
Class Method Details
.add_to_env(request, controller, config) ⇒ Object
# File 'lib/secure_headers/headers/content_security_policy.rb', line 59
# Generates a fresh nonce on +controller+ and stores +config+ together with
# the request-derived options (plus the controller) under
# request.env[Constants::ENV_KEY] for later consumption.
#
# @param request [#ssl?, #env] the current request
# @param controller [Object] receives the nonce instance variable
# @param config [Hash, String] the CSP configuration to record
def add_to_env(request, controller, config)
  set_nonce(controller)
  request_options = options_from_request(request).merge(:controller => controller)
  request.env[Constants::ENV_KEY] = { :config => config, :options => request_options }
end
.from_json(*json_configs) ⇒ Object
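# File 'lib/secure_headers/headers/content_security_policy.rb', line 175
# Parses one or more JSON policy documents and merges them left to right.
#
# Hyphenated "-src" directive names are rewritten to the underscored symbol
# form before parsing (e.g. "default-src" becomes :default_src). The gsub runs
# over the whole document, so a "-src" inside a value is rewritten as well.
#
# When a key appears in more than one document, values that support | (arrays
# are unioned, booleans are or-ed) are combined with it; any other value, such
# as a report_uri string, takes the later document's value instead of raising
# NoMethodError as an unconditional `lhs | rhs` does.
#
# @param json_configs [Array<String>] JSON documents, earliest first
# @return [Hash{Symbol => Object}] combined config with symbol keys
# @raise [JSON::ParserError] when a document is not valid JSON
def self.from_json(*json_configs)
  json_configs.inject({}) do |combined_config, one_config|
    one_config = one_config.gsub(/(\w+)-src/, "\\1_src")
    config = JSON.parse(one_config, :symbolize_names => true)
    combined_config.merge(config) do |_, lhs, rhs|
      lhs.respond_to?(:|) ? lhs | rhs : rhs
    end
  end
end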
.generate_nonce ⇒ Object
# File 'lib/secure_headers/headers/content_security_policy.rb', line 51
# Returns a fresh random nonce: 32 bytes from SecureRandom, base64-encoded
# (44 characters). The chomp defensively strips a trailing newline.
#
# @return [String]
def generate_nonce
  encoded = SecureRandom.base64(32)
  encoded.chomp
end
.options_from_request(request) ⇒ Object
# File 'lib/secure_headers/headers/content_security_policy.rb', line 68
# Extracts the request-derived options consumed by #initialize:
# :ssl from request.ssl?, :ua from the HTTP_USER_AGENT env entry (a
# client-supplied header, so an untrusted value) and :request_uri via
# request_uri_from_request.
#
# @param request [#ssl?, #env] the current request
# @return [Hash{Symbol => Object}]
def options_from_request(request)
  ssl = request.ssl?
  user_agent = request.env['HTTP_USER_AGENT']
  uri = request_uri_from_request(request)
  { :ssl => ssl, :ua => user_agent, :request_uri => uri }
end
.request_uri_from_request(request) ⇒ Object
# File 'lib/secure_headers/headers/content_security_policy.rb', line 76
# Returns the full URL of the request, preferring #original_url (rails 3.1+)
# and falling back to #url (rails 2/3.0). Either way the value comes from the
# incoming request, so its host and path are client-influenced.
#
# @param request [#original_url, #url]
# @return [String]
def request_uri_from_request(request)
  return request.original_url if request.respond_to?(:original_url) # rails 3.1+
  request.url # rails 2/3.0
end
.set_nonce(controller, nonce = generate_nonce) ⇒ Object
# File 'lib/secure_headers/headers/content_security_policy.rb', line 55
# Stores +nonce+ on the controller as @content_security_policy_nonce, which is
# where #nonce later looks for an already-issued value. A new random nonce is
# generated when none is given.
#
# @param controller [Object] receives the instance variable
# @param nonce [String] defaults to generate_nonce
# @return [String] the stored nonce
def set_nonce(controller, nonce = generate_nonce)
  ivar = :@content_security_policy_nonce
  controller.instance_variable_set(ivar, nonce)
end
.symbol_to_hyphen_case(sym) ⇒ Object
# File 'lib/secure_headers/headers/content_security_policy.rb', line 86
# Converts a directive symbol such as :default_src to its header spelling
# "default-src" by replacing every underscore with a hyphen.
#
# @param sym [Symbol, String]
# @return [String]
def symbol_to_hyphen_case(sym)
  sym.to_s.tr('_', '-')
end
Instance Method Details
#name ⇒ Object
Returns the name to use for the header. Either “Content-Security-Policy” or “Content-Security-Policy-Report-Only”
# File 'lib/secure_headers/headers/content_security_policy.rb', line 151
# Returns the header name to emit: HEADER_NAME when the policy is enforced,
# otherwise the "-Report-Only" variant, which browsers only report on and
# never block with.
#
# @return [String]
def name
  @enforce ? HEADER_NAME : "#{HEADER_NAME}-Report-Only"
end
#nonce ⇒ Object
Return or initialize the nonce value used for this header. If a reference to a controller is passed in the config, this method will check if a nonce has already been set and use it.
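# File 'lib/secure_headers/headers/content_security_policy.rb', line 144
# Returns the nonce for this header, memoised in @nonce. When a controller was
# supplied, a nonce already stored on it (see set_nonce) is reused so the
# header and the markup rendered by that controller agree; otherwise a fresh
# nonce is generated. A missing controller no longer raises NoMethodError.
#
# @return [String]
def nonce
  @nonce ||= begin
    # @controller is optional (see #initialize); guard before reading its ivar.
    existing = @controller && @controller.instance_variable_get(:@content_security_policy_nonce)
    existing || self.class.generate_nonce
  end
end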
#to_json ⇒ Object
# File 'lib/secure_headers/headers/content_security_policy.rb', line 170
# Serialises @config as JSON with directive keys in their hyphenated header
# spelling. build_value is invoked first and its return value discarded,
# presumably for its effect on @config (its definition is not shown here).
# The gsub rewrites every "_src" run in the document, values included.
#
# @return [String]
def to_json
  build_value
  serialised = @config.to_json
  serialised.gsub(/(\w+)_src/, "\\1-src")
end
#value ⇒ Object
Return the value of the CSP header
# File 'lib/secure_headers/headers/content_security_policy.rb', line 161
# Returns the header value. A String config is emitted verbatim with no
# validation, a nil/false config yields DEFAULT_CSP_HEADER, and any other
# config is rendered by build_value.
#
# @return [String]
def value
  return @config if @config.is_a?(String)
  return DEFAULT_CSP_HEADER unless @config
  build_value
end