Module: SecureHeaders::PolicyManagement::ClassMethods

Defined in:
lib/secure_headers/headers/policy_management.rb

Instance Method Details

#combine_policies(original, additions) ⇒ Object

Public: combine the values from two different configs.

original - the main config
additions - values to be merged in

raises an error if the original config is OPT_OUT

  1. for non-source-list values (report_only, block_all_mixed_content, upgrade_insecure_requests), additions will overwrite the original value.
  2. if a value in additions does not exist in the original config, the default-src value is included to match original behavior.
  3. if a value in additions does exist in the original config, the two values are joined.



# File 'lib/secure_headers/headers/policy_management.rb', line 222

def combine_policies(original, additions)
  if original == {}
    raise ContentSecurityPolicyConfigError.new("Attempted to override an opt-out CSP config.")
  end

  original = Configuration.send(:deep_copy, original)
  populate_fetch_source_with_default!(original, additions)
  merge_policy_additions(original, additions)
end
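The three merge rules above, re-implemented stand-alone as an added example so they can be run without the gem; this is not the gem's own combine_policies (it leaves out the Configuration deep-copy helper and the private merge methods). Assumed for the example: policies are plain Hashes with symbol keys and arrays of source-expression strings, OPT_OUT is {} (matching the `original == {}` check above), and the META_CONFIGS and FETCH_DIRECTIVES lists are this example's own rather than the gem's.

```ruby
# Stand-alone illustration of the combine_policies merge rules; added example,
# not the secure_headers gem's implementation.
# Assumed for this example: Hash policies with symbol keys, arrays of source
# expression strings, OPT_OUT = {} as the opt-out sentinel, and the directive
# lists below (the gem keeps its own lists).
class ContentSecurityPolicyConfigError < StandardError; end

OPT_OUT = {}.freeze

# Rule 1: non-source-list values are overwritten, not joined.
META_CONFIGS = %i[report_only block_all_mixed_content upgrade_insecure_requests].freeze

# Rule 2: fetch directives missing from the original inherit default-src first,
# so adding img_src does not silently drop what default-src already allowed.
FETCH_DIRECTIVES = %i[
  child_src connect_src font_src frame_src img_src manifest_src media_src
  object_src script_src style_src worker_src
].freeze

def deep_copy(policy)
  Marshal.load(Marshal.dump(policy))
end

def combine_policies(original, additions)
  if original == OPT_OUT
    raise ContentSecurityPolicyConfigError.new("Attempted to override an opt-out CSP config.")
  end

  merged = deep_copy(original)            # never mutate the shared/global config
  default = Array(merged[:default_src])

  additions.each do |directive, value|
    if META_CONFIGS.include?(directive)
      merged[directive] = value                                            # rule 1: overwrite
    elsif merged.key?(directive)
      merged[directive] = (Array(merged[directive]) + Array(value)).uniq  # rule 3: join
    else
      seed = FETCH_DIRECTIVES.include?(directive) ? default : []
      merged[directive] = (seed + Array(value)).uniq                       # rule 2: seed with default-src
    end
  end
  merged
end

if __FILE__ == $PROGRAM_NAME
  base = { default_src: %w('self'), script_src: %w('self' https://cdn.example.com), report_only: false }
  puts combine_policies(base, { img_src: %w(https://images.example.com) }).inspect
end
```

The practical caveat follows from rule 3: joining means a per-response addition can only widen a source list. An addition cannot remove 'unsafe-inline' or a host that the base policy already allows, and an addition that appends a wildcard or a broad host loosens script-src for that response, so additions deserve the same review as the base policy.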

#make_header(config) ⇒ Object

Public: generate a header name, value array that is user-agent-aware.

Returns nil (no header is emitted) when the config is nil or OPT_OUT; otherwise returns a [header name, header value] pair built from the config.



# File 'lib/secure_headers/headers/policy_management.rb', line 171

def make_header(config)
  return if config.nil? || config == OPT_OUT
  header = new(config)
  [header.name, header.value]
end

#ua_to_variation(user_agent) ⇒ Object



# File 'lib/secure_headers/headers/policy_management.rb', line 232

def ua_to_variation(user_agent)
  family = user_agent.browser
  if family && VARIATIONS.key?(family)
    family
  else
    OTHER
  end
end

#validate_config!(config) ⇒ Object

Public: Validates each source expression.

Does not validate the individual values of the source expression (e.g. script_src => h*t*t*p: will not raise an exception)



# File 'lib/secure_headers/headers/policy_management.rb', line 181

def validate_config!(config)
  return if config.nil? || config.opt_out?
  raise ContentSecurityPolicyConfigError.new(":default_src is required") unless config.directive_value(:default_src)
  if config.directive_value(:script_src).nil?
    raise ContentSecurityPolicyConfigError.new(":script_src is required, falling back to default-src is too dangerous. Use `script_src: OPT_OUT` to override")
  end
  if !config.report_only? && config.directive_value(:report_only)
    raise ContentSecurityPolicyConfigError.new("Only the csp_report_only config should set :report_only to true")
  end

  if config.report_only? && config.directive_value(:report_only) == false
    raise ContentSecurityPolicyConfigError.new("csp_report_only config must have :report_only set to true")
  end

  ContentSecurityPolicyConfig.attrs.each do |key|
    value = config.directive_value(key)
    next unless value

    if META_CONFIGS.include?(key)
      raise ContentSecurityPolicyConfigError.new("#{key} must be a boolean value") unless boolean?(value) || value.nil?
    elsif NONCES.include?(key)
      raise ContentSecurityPolicyConfigError.new("#{key} must be a non-nil value") if value.nil?
    else
      validate_directive!(key, value)
    end
  end
end
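The checks above, re-implemented stand-alone as an added example to show what each rule rejects; this is not the gem's validate_config!. Assumptions of the example: the config is a plain Hash with symbol keys, a report_only_config: keyword stands in for config.report_only?, OPT_OUT is {}, the META_CONFIGS / NONCES / SOURCE_LISTS names are the example's own, and validate_directive! (whose body is not shown on this page) is replaced by a shape check that a source list is an array of strings, in line with the note that individual source values are not validated.

```ruby
# Stand-alone illustration of the validate_config! rules; added example, not
# the secure_headers gem's code. Assumed here: Hash configs with symbol keys,
# OPT_OUT = {}, the directive lists below, a report_only_config: flag in place
# of config.report_only?, and a shape-only validate_directive! (source lists
# must be arrays of strings; the expressions themselves are not checked).
class ContentSecurityPolicyConfigError < StandardError; end

OPT_OUT = {}.freeze

META_CONFIGS = %i[report_only block_all_mixed_content upgrade_insecure_requests].freeze
NONCES = %i[script_nonce style_nonce].freeze
SOURCE_LISTS = %i[
  default_src script_src style_src img_src connect_src font_src frame_src
  object_src media_src report_uri
].freeze

def boolean?(value)
  value == true || value == false
end

# Shape check only: a source list is an array of strings. Deliberately does not
# validate the expressions themselves (e.g. "h*t*t*p:" would be accepted).
def validate_directive!(key, value)
  return if value == OPT_OUT
  return if value.is_a?(Array) && value.all? { |v| v.is_a?(String) }
  raise ContentSecurityPolicyConfigError.new("#{key} must be an array of source expression strings")
end

def validate_config!(config, report_only_config: false)
  return true if config.nil? || config == OPT_OUT

  raise ContentSecurityPolicyConfigError.new(":default_src is required") unless config[:default_src]

  # script-src inheriting default-src is the dangerous case: a broad default-src
  # would silently become the script policy, so an explicit opt-out is required.
  if config[:script_src].nil?
    raise ContentSecurityPolicyConfigError.new(":script_src is required, falling back to default-src is too dangerous. Use `script_src: OPT_OUT` to override")
  end

  if !report_only_config && config[:report_only]
    raise ContentSecurityPolicyConfigError.new("Only the csp_report_only config should set :report_only to true")
  end
  if report_only_config && config[:report_only] == false
    raise ContentSecurityPolicyConfigError.new("csp_report_only config must have :report_only set to true")
  end

  config.each do |key, value|
    next unless value   # nil/false directives are simply not emitted

    if META_CONFIGS.include?(key)
      raise ContentSecurityPolicyConfigError.new("#{key} must be a boolean value") unless boolean?(value)
    elsif NONCES.include?(key)
      next              # nonces are accepted as given; this example does not check their format
    elsif SOURCE_LISTS.include?(key)
      validate_directive!(key, value)
    else
      raise ContentSecurityPolicyConfigError.new("Unknown directive #{key}")   # this example's own check
    end
  end
  true
end

# Convenience for trying configs: returns the error message, or nil when valid.
def config_error(config, report_only_config: false)
  validate_config!(config, report_only_config: report_only_config)
  nil
rescue ContentSecurityPolicyConfigError => e
  e.message
end
```

Note the gap the page itself calls out: a source list passes as long as it is the right shape, so a typo such as `https://cdn.example.com*` or a stray `*` entry is not caught here and ships in the header. Validating the policy you actually emit (for example by fetching a page and inspecting the Content-Security-Policy header in a browser's console) is still necessary.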