Module: SecureHeaders::PolicyManagement::ClassMethods
Defined in: lib/secure_headers/headers/policy_management.rb

Instance Method Summary

- #combine_policies(original, additions) ⇒ Object
  Public: combine the values from two different configs.
- #make_header(config) ⇒ Object
  Public: generate a header name, value array that is user-agent-aware.
- #ua_to_variation(user_agent) ⇒ Object
- #validate_config!(config) ⇒ Object
  Public: Validates each source expression.
Instance Method Details
#combine_policies(original, additions) ⇒ Object
Public: combine the values from two different configs.
original - the main config
additions - values to be merged in

raises an error if the original config is OPT_OUT

- for non-source-list values (report_only, block_all_mixed_content, upgrade_insecure_requests), additions will overwrite the original value.
- if a value in additions does not exist in the original config, the default-src value is included to match original behavior.
- if a value in additions does exist in the original config, the two values are joined.

```ruby
# File 'lib/secure_headers/headers/policy_management.rb', line 222
def combine_policies(original, additions)
  # An opted-out config arrives as an empty hash; it must not be extended.
  if original == {}
    raise ContentSecurityPolicyConfigError.new("Attempted to override an opt-out CSP config.")
  end

  # Work on a deep copy so the caller's config is never mutated.
  original = Configuration.send(:deep_copy, original)
  # Seed any fetch directive that is new in additions with default-src first.
  populate_fetch_source_with_default!(original, additions)
  merge_policy_additions(original, additions)
end
```
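The three merge rules above, as an added stand-alone illustration that is not the gem's own code: a minimal re-implementation so the behaviour can be observed without secure_headers installed. The FETCH_SOURCES and META_CONFIGS lists, the CSPConfigError class and the sample policies are assumptions of this example; the seeding rule is what keeps an added `img_src` from silently dropping the `'self'` fallback it would otherwise inherit from default-src.

```ruby
# Added illustration of the combine_policies rules; not secure_headers code.
# Assumed: which directives are fetch directives (fall back to default-src),
# which keys are plain booleans, and a local error class.
FETCH_SOURCES = %i[script_src style_src img_src connect_src font_src].freeze
META_CONFIGS  = %i[report_only block_all_mixed_content upgrade_insecure_requests].freeze

class CSPConfigError < StandardError; end

def combine_policies(original, additions)
  # An empty hash is how an opted-out CSP config arrives; refuse to extend it.
  raise CSPConfigError, "Attempted to override an opt-out CSP config." if original == {}

  # Deep copy so the caller's (typically global) config is not mutated.
  merged = Marshal.load(Marshal.dump(original))

  additions.each do |key, value|
    if META_CONFIGS.include?(key)
      merged[key] = value                       # booleans: additions overwrite
    elsif !merged.key?(key) && FETCH_SOURCES.include?(key)
      # Directive absent from the original: seed it with default-src so the
      # addition extends the fallback instead of replacing it.
      merged[key] = (merged.fetch(:default_src, []) + value).uniq
    elsif merged.key?(key)
      merged[key] = (merged[key] + value).uniq  # both present: join
    else
      merged[key] = value.dup                   # non-fetch directive, new to the config
    end
  end
  merged
end

# Constructed sample: a strict base policy plus per-action additions.
BASE_POLICY = {
  default_src: %w('self'),
  script_src:  %w('self'),
  report_only: false,
}.freeze

def demo
  combine_policies(BASE_POLICY, {
    img_src:     %w(https://cdn.example.com),  # new directive: gets 'self' from default-src
    script_src:  %w('unsafe-inline'),          # existing directive: joined, not replaced
    report_only: true,                         # boolean: overwritten
  })
end
```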
#make_header(config) ⇒ Object
Public: generate a header name, value array that is user-agent-aware.
Returns a default policy if no configuration is provided, or a header name and value based on the config.
```ruby
# File 'lib/secure_headers/headers/policy_management.rb', line 171
def make_header(config)
  # No header at all when there is no config or the caller opted out.
  return if config.nil? || config == OPT_OUT
  header = new(config)
  [header.name, header.value]
end
```
#ua_to_variation(user_agent) ⇒ Object
```ruby
# File 'lib/secure_headers/headers/policy_management.rb', line 232
def ua_to_variation(user_agent)
  # Map the parsed browser family to a known policy variation, else OTHER.
  family = user_agent.browser
  if family && VARIATIONS.key?(family)
    family
  else
    OTHER
  end
end
```
#validate_config!(config) ⇒ Object
Public: Validates each source expression.
Does not validate the individual values of the source expression (e.g. script_src => h*t*t*p: will not raise an exception)
```ruby
# File 'lib/secure_headers/headers/policy_management.rb', line 181
def validate_config!(config)
  return if config.nil? || config.opt_out?
  raise ContentSecurityPolicyConfigError.new(":default_src is required") unless config.directive_value(:default_src)
  if config.directive_value(:script_src).nil?
    raise ContentSecurityPolicyConfigError.new(":script_src is required, falling back to default-src is too dangerous. Use `script_src: OPT_OUT` to override")
  end
  if !config.report_only? && config.directive_value(:report_only)
    raise ContentSecurityPolicyConfigError.new("Only the csp_report_only config should set :report_only to true")
  end
  if config.report_only? && config.directive_value(:report_only) == false
    raise ContentSecurityPolicyConfigError.new("csp_report_only config must have :report_only set to true")
  end

  # Per-directive checks: booleans for meta configs, presence for nonces,
  # source-expression shape for everything else.
  ContentSecurityPolicyConfig.attrs.each do |key|
    value = config.directive_value(key)
    next unless value
    if META_CONFIGS.include?(key)
      raise ContentSecurityPolicyConfigError.new("#{key} must be a boolean value") unless boolean?(value) || value.nil?
    elsif NONCES.include?(key)
      raise ContentSecurityPolicyConfigError.new("#{key} must be a non-nil value") if value.nil?
    else
      validate_directive!(key, value)
    end
  end
end
```