Class: SecureHeaders::ContentSecurityPolicy

Inherits:

Header

• Object
• Header
• SecureHeaders::ContentSecurityPolicy

Includes:

Constants

Defined in:

lib/secure_headers/headers/content_security_policy.rb,
lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb

Defined Under Namespace

Modules: Constants Classes: ScriptHashMiddleware

Constant Summary

Constants included from Constants

Constants::ALL_DIRECTIVES, Constants::CHROME_DIRECTIVES, Constants::CONFIG_KEY, Constants::DEFAULT_CSP_HEADER, Constants::DIRECTIVES_1_0, Constants::DIRECTIVES_2_0, Constants::DIRECTIVES_3_0, Constants::DIRECTIVES_DRAFT, Constants::ENV_KEY, Constants::FIREFOX_DIRECTIVES, Constants::FIREFOX_UNSUPPORTED_DIRECTIVES, Constants::HEADER_NAME, Constants::SAFARI_DIRECTIVES, Constants::USER_AGENT_PARSER

Instance Attribute Summary

• #ssl_request ⇒ Object (also: #ssl_request?) readonly

  Returns the value of attribute ssl_request.

Class Method Summary

• .add_to_env(request, controller, config) ⇒ Object
• .from_json(*json_configs) ⇒ Object
• .generate_nonce ⇒ Object
• .options_from_request(request) ⇒ Object
• .request_uri_from_request(request) ⇒ Object
• .set_nonce(controller, nonce = generate_nonce) ⇒ Object
• .symbol_to_hyphen_case(sym) ⇒ Object

Instance Method Summary

• #initialize(config = nil, options = {}) ⇒ ContentSecurityPolicy constructor

  options param contains :controller used for setting instance variables for nonces/hashes :ssl_request used to determine if http_additions should be used :ua the user agent (or just use Firefox/Chrome/MSIE/etc).

• #name ⇒ Object

  Returns the name to use for the header.

• #nonce ⇒ Object

  Return or initialize the nonce value used for this header.

• #to_json ⇒ Object
• #value ⇒ Object

  Return the value of the CSP header.

Constructor Details

#initialize(config = nil, options = {}) ⇒ ContentSecurityPolicy

options param contains :controller used for setting instance variables for nonces/hashes :ssl_request used to determine if http_additions should be used :ua the user agent (or just use Firefox/Chrome/MSIE/etc)

:report used to determine what :ssl_request, :ua, and :request_uri are set to

# File 'lib/secure_headers/headers/content_security_policy.rb', line 126

def initialize(config=nil, options={})
  return unless config

  if options[:request]
    options = options.merge(self.class.options_from_request(options[:request]))
  end

  @controller = options[:controller]
  @ua = options[:ua]
  @ssl_request = !!options.delete(:ssl)
  @request_uri = options.delete(:request_uri)

  # Config values can be string, array, or lamdba values
  @config = config.inject({}) do |hash, (key, value)|
    config_val = if value.respond_to?(:call)
      warn "[DEPRECATION] secure_headers 3.x will not support procs as config values."
      value.call(@controller)
    else
      value
    end

    if ALL_DIRECTIVES.include?(key.to_sym) # directives need to be normalized to arrays of strings
      if config_val.is_a? String
        warn "[DEPRECATION] A String was supplied for directive #{key}. secure_headers 3.x will require all directives to be arrays of strings."
        config_val = config_val.split
      end
      if config_val.is_a?(Array)
        config_val = config_val.map do |val|
          translate_dir_value(val)
        end.flatten.uniq
      end
    end

    hash[key] = config_val
    hash
  end

  @http_additions = @config.delete(:http_additions)
  @disable_img_src_data_uri = !!@config.delete(:disable_img_src_data_uri)
  @tag_report_uri = !!@config.delete(:tag_report_uri)
  @script_hashes = @config.delete(:script_hashes) || []
  @app_name = @config.delete(:app_name)
  @app_name = @app_name.call(@controller) if @app_name.respond_to?(:call)
  @enforce = @config.delete(:enforce)
  @enforce = @enforce.call(@controller) if @enforce.respond_to?(:call)
  @enforce = !!@enforce

  # normalize and tag the report-uri
  if @config[:report_uri]
    @config[:report_uri] = @config[:report_uri].map do |report_uri|
      if report_uri.start_with?('//')
        report_uri = if @ssl_request
                       "https:" + report_uri
                     else
                       "http:" + report_uri
                     end
      end

      if @tag_report_uri
        report_uri = "#{report_uri}?enforce=#{@enforce}"
        report_uri += "&app_name=#{@app_name}" if @app_name
      end
      report_uri
    end
  end

  add_script_hashes if @script_hashes.any?
  strip_unsupported_directives
end

Instance Attribute Details

#ssl_request ⇒ Object (readonly) Also known as: ssl_request?

Returns the value of attribute ssl_request.

# File 'lib/secure_headers/headers/content_security_policy.rb', line 76

def ssl_request
  @ssl_request
end

Class Method Details

.add_to_env(request, controller, config) ⇒ Object

# File 'lib/secure_headers/headers/content_security_policy.rb', line 88

def add_to_env(request, controller, config)
  set_nonce(controller)
  options = options_from_request(request).merge(:controller => controller)
  request.env[Constants::ENV_KEY] = {
    :config => config,
    :options => options,
  }
end

.from_json(*json_configs) ⇒ Object

# File 'lib/secure_headers/headers/content_security_policy.rb', line 236

def self.from_json(*json_configs)
  json_configs.inject({}) do |combined_config, one_config|
    config = JSON.parse(one_config).inject({}) do |hash, (key, value)|
      hash[key.gsub(/(\w+)-(\w+)/, "\\1_\\2").to_sym] = value
      hash
    end
    combined_config.merge(config) do |_, lhs, rhs|
      lhs | rhs
    end
  end
end

.generate_nonce ⇒ Object

# File 'lib/secure_headers/headers/content_security_policy.rb', line 80

def generate_nonce
  SecureRandom.base64(32).chomp
end

.options_from_request(request) ⇒ Object

# File 'lib/secure_headers/headers/content_security_policy.rb', line 97

def options_from_request(request)
  {
    :ssl => request.ssl?,
    :ua => request.env['HTTP_USER_AGENT'],
    :request_uri => request_uri_from_request(request),
  }
end

.request_uri_from_request(request) ⇒ Object

# File 'lib/secure_headers/headers/content_security_policy.rb', line 105

def request_uri_from_request(request)
  if request.respond_to?(:original_url)
    # rails 3.1+
    request.original_url
  else
    # rails 2/3.0
    request.url
  end
end

.set_nonce(controller, nonce = generate_nonce) ⇒ Object

# File 'lib/secure_headers/headers/content_security_policy.rb', line 84

def set_nonce(controller, nonce = generate_nonce)
  controller.instance_variable_set(:@content_security_policy_nonce, nonce)
end

.symbol_to_hyphen_case(sym) ⇒ Object

# File 'lib/secure_headers/headers/content_security_policy.rb', line 115

def symbol_to_hyphen_case sym
  sym.to_s.gsub('_', '-')
end

Instance Method Details

#name ⇒ Object

Returns the name to use for the header. Either “Content-Security-Policy” or “Content-Security-Policy-Report-Only”

# File 'lib/secure_headers/headers/content_security_policy.rb', line 207

def name
  base = HEADER_NAME
  if !@enforce
    base += "-Report-Only"
  end
  base
end

#nonce ⇒ Object

Return or initialize the nonce value used for this header. If a reference to a controller is passed in the config, this method will check if a nonce has already been set and use it.

# File 'lib/secure_headers/headers/content_security_policy.rb', line 200

def nonce
  @nonce ||= @controller.instance_variable_get(:@content_security_policy_nonce) || self.class.generate_nonce
end

#to_json ⇒ Object

# File 'lib/secure_headers/headers/content_security_policy.rb', line 226

def to_json
  build_value
  @config.inject({}) do |hash, (key, value)|
    if ALL_DIRECTIVES.include?(key)
      hash[key.to_s.gsub(/(\w+)_(\w+)/, "\\1-\\2")] = value
    end
    hash
  end.to_json
end

#value ⇒ Object

Return the value of the CSP header

# File 'lib/secure_headers/headers/content_security_policy.rb', line 217

def value
  return @config if @config.is_a?(String)
  if @config
    build_value
  else
    DEFAULT_CSP_HEADER
  end
end