Module: SecureHeaders::PolicyManagement

Included in:: ContentSecurityPolicy

Defined in:: lib/secure_headers/headers/policy_management.rb

Defined Under Namespace

Constant Summary collapse

MODERN_BROWSERS =

%w(Chrome Opera Firefox)

DEFAULT_VALUE =

"default-src https:".freeze

DEFAULT_CONFIG =

{ default_src: %w(https:) }.freeze

HEADER_NAME =

"Content-Security-Policy".freeze

REPORT_ONLY =

"Content-Security-Policy-Report-Only".freeze

HEADER_NAMES =

[HEADER_NAME, REPORT_ONLY]

DATA_PROTOCOL =

"data:".freeze

BLOB_PROTOCOL =

"blob:".freeze

SELF =

"'self'".freeze

NONE =

"'none'".freeze

STAR =

"*".freeze

UNSAFE_INLINE =

"'unsafe-inline'".freeze

UNSAFE_EVAL =

"'unsafe-eval'".freeze

DEPRECATED_SOURCE_VALUES = leftover deprecated values that will be in common use upon upgrading.

[SELF, NONE, UNSAFE_EVAL, UNSAFE_INLINE, "inline", "eval"].map { |value| value.delete("'") }.freeze

DEFAULT_SRC =

:default_src

CONNECT_SRC =

:connect_src

FONT_SRC =

:font_src

FRAME_SRC =

:frame_src

IMG_SRC =

:img_src

MEDIA_SRC =

:media_src

OBJECT_SRC =

:object_src

SANDBOX =

:sandbox

SCRIPT_SRC =

:script_src

STYLE_SRC =

:style_src

REPORT_URI =

:report_uri

DIRECTIVES_1_0 =

[
  DEFAULT_SRC,
  CONNECT_SRC,
  FONT_SRC,
  FRAME_SRC,
  IMG_SRC,
  MEDIA_SRC,
  OBJECT_SRC,
  SANDBOX,
  SCRIPT_SRC,
  STYLE_SRC,
  REPORT_URI
].freeze

BASE_URI =

:base_uri

CHILD_SRC =

:child_src

FORM_ACTION =

:form_action

FRAME_ANCESTORS =

:frame_ancestors

PLUGIN_TYPES =

:plugin_types

NON_FETCH_SOURCES = These are directives that do not inherit the default-src value. This is useful when calling #combine_policies.

[
  BASE_URI,
  FORM_ACTION,
  FRAME_ANCESTORS,
  PLUGIN_TYPES,
  REPORT_URI
]

DIRECTIVES_2_0 =

[
  DIRECTIVES_1_0,
  BASE_URI,
  CHILD_SRC,
  FORM_ACTION,
  FRAME_ANCESTORS,
  PLUGIN_TYPES
].flatten.freeze

MANIFEST_SRC = All the directives currently under consideration for CSP level 3. w3c.github.io/webappsec/specs/CSP2/

:manifest_src

REFLECTED_XSS =

:reflected_xss

DIRECTIVES_3_0 =

[
  DIRECTIVES_2_0,
  MANIFEST_SRC,
  REFLECTED_XSS
].flatten.freeze

BLOCK_ALL_MIXED_CONTENT = All the directives that are not currently in a formal spec, but have been implemented somewhere.

:block_all_mixed_content

UPGRADE_INSECURE_REQUESTS =

:upgrade_insecure_requests

DIRECTIVES_DRAFT =

[
  BLOCK_ALL_MIXED_CONTENT,
  UPGRADE_INSECURE_REQUESTS
].freeze

EDGE_DIRECTIVES =

DIRECTIVES_1_0

SAFARI_DIRECTIVES =

DIRECTIVES_1_0

FIREFOX_UNSUPPORTED_DIRECTIVES =

[
  BLOCK_ALL_MIXED_CONTENT,
  CHILD_SRC,
  PLUGIN_TYPES
].freeze

FIREFOX_DIRECTIVES =

(
  DIRECTIVES_2_0 + DIRECTIVES_DRAFT - FIREFOX_UNSUPPORTED_DIRECTIVES
).freeze

CHROME_DIRECTIVES =

(
  DIRECTIVES_2_0 + DIRECTIVES_DRAFT
).freeze

ALL_DIRECTIVES =

[DIRECTIVES_1_0 + DIRECTIVES_2_0 + DIRECTIVES_3_0 + DIRECTIVES_DRAFT].flatten.uniq.sort

BODY_DIRECTIVES = Think of default-src and report-uri as the beginning and end respectively, everything else is in between.

ALL_DIRECTIVES - [DEFAULT_SRC, REPORT_URI]

VARIATIONS =

{
  "Chrome" => CHROME_DIRECTIVES,
  "Opera" => CHROME_DIRECTIVES,
  "Firefox" => FIREFOX_DIRECTIVES,
  "Safari" => SAFARI_DIRECTIVES,
  "Edge" => EDGE_DIRECTIVES,
  "Other" => CHROME_DIRECTIVES
}.freeze

OTHER =

"Other".freeze

DIRECTIVE_VALUE_TYPES =

{
  BASE_URI                  => :source_list,
  BLOCK_ALL_MIXED_CONTENT   => :boolean,
  CHILD_SRC                 => :source_list,
  CONNECT_SRC               => :source_list,
  DEFAULT_SRC               => :source_list,
  FONT_SRC                  => :source_list,
  FORM_ACTION               => :source_list,
  FRAME_ANCESTORS           => :source_list,
  FRAME_SRC                 => :source_list,
  IMG_SRC                   => :source_list,
  MANIFEST_SRC              => :source_list,
  MEDIA_SRC                 => :source_list,
  OBJECT_SRC                => :source_list,
  PLUGIN_TYPES              => :source_list,
  REFLECTED_XSS             => :string,
  REPORT_URI                => :source_list,
  SANDBOX                   => :string,
  SCRIPT_SRC                => :source_list,
  STYLE_SRC                 => :source_list,
  UPGRADE_INSECURE_REQUESTS => :boolean
}.freeze

CONFIG_KEY =

:csp

STAR_REGEXP =

Regexp.new(Regexp.escape(STAR))

HTTP_SCHEME_REGEX =

%r{\Ahttps?://}

WILDCARD_SOURCES =

[
  UNSAFE_EVAL,
  UNSAFE_INLINE,
  STAR,
  DATA_PROTOCOL,
  BLOB_PROTOCOL
].freeze

META_CONFIGS =

[
  :report_only,
  :preserve_schemes
].freeze

Class Method Summary collapse

.included(base) ⇒ Object

Class Method Details

.included(base) ⇒ `Object`



3
4
5