Module: SecureHeaders::PolicyManagement::ClassMethods

Defined in:
lib/secure_headers/headers/policy_management.rb

Instance Method Details

#combine_policies(original, additions) ⇒ Object

Public: combine the values from two different configs.

original - the main config
additions - values to be merged in

raises an error if the original config is OPT_OUT

  1. for non-source-list values (report_only, block_all_mixed_content, upgrade_insecure_requests), additions will overwrite the original value.
  2. if a value in additions does not exist in the original config, the default-src value is included to match original behavior.
  3. if a value in additions does exist in the original config, the two values are joined.

# File 'lib/secure_headers/headers/policy_management.rb', line 216

def combine_policies(original, additions)
  if original == OPT_OUT
    raise ContentSecurityPolicyConfigError.new("Attempted to override an opt-out CSP config.")
  end

  original = Configuration.send(:deep_copy, original)
  populate_fetch_source_with_default!(original, additions)
  merge_policy_additions(original, additions)
end

#idempotent_additions?(config, additions) ⇒ Boolean

Public: determine if merging additions will cause a change to the actual value of the config.

e.g. config = { script_src: %w(example.org google.com) } and additions = { script_src: %w(google.com) }, then idempotent_additions? would return true because google.com is already in the config.

Returns:

  • (Boolean)

# File 'lib/secure_headers/headers/policy_management.rb', line 198

def idempotent_additions?(config, additions)
  return false if config == OPT_OUT
  config == combine_policies(config, additions)
end
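The three combine_policies merge rules above and idempotent_additions?, re-implemented as a stand-alone added example (not the gem's own code) so the semantics can be exercised without loading secure_headers; OPT_OUT, the fetch-directive list and the sample config are constructed for illustration:

```ruby
# Added example (not the gem's code): a self-contained re-implementation of
# the three combine_policies rules and of idempotent_additions?.
OPT_OUT = :opt_out
# Non-source-list settings: additions overwrite them (rule 1).
NON_SOURCE_LIST = %i[report_only block_all_mixed_content upgrade_insecure_requests].freeze
# Constructed subset of the fetch directives that fall back to default-src.
FETCH_DIRECTIVES = %i[script_src style_src img_src connect_src font_src].freeze

class ContentSecurityPolicyConfigError < StandardError; end

def combine_policies(original, additions)
  if original == OPT_OUT
    raise ContentSecurityPolicyConfigError, "Attempted to override an opt-out CSP config."
  end
  merged = Marshal.load(Marshal.dump(original)) # deep copy; caller's config stays untouched

  additions.each do |directive, value|
    if NON_SOURCE_LIST.include?(directive)
      merged[directive] = value                             # rule 1: overwrite
    elsif merged.key?(directive)
      merged[directive] = (merged[directive] + value).uniq  # rule 3: join
    else
      # rule 2: a fetch directive absent from the original starts from
      # default-src, so appending img_src cannot drop what default-src allowed.
      base = FETCH_DIRECTIVES.include?(directive) ? Array(merged[:default_src]) : []
      merged[directive] = (base + value).uniq
    end
  end
  merged
end

# True when merging additions leaves the effective policy unchanged.
def idempotent_additions?(config, additions)
  return false if config == OPT_OUT
  config == combine_policies(config, additions)
end

if $PROGRAM_NAME == __FILE__
  cfg = { default_src: %w('self'), script_src: %w(example.org google.com), report_only: false }
  p idempotent_additions?(cfg, { script_src: %w(google.com) })   # true
  p combine_policies(cfg, { img_src: %w(cdn.example), report_only: true })
end
```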

#make_header(config, user_agent) ⇒ Object

Public: generate a header name, value array that is user-agent-aware.

Returns a default policy if no configuration is provided, or a header name and value based on the config.

# File 'lib/secure_headers/headers/policy_management.rb', line 171

def make_header(config, user_agent)
  header = new(config, user_agent)
  [header.name, header.value]
end

#ua_to_variation(user_agent) ⇒ Object

# File 'lib/secure_headers/headers/policy_management.rb', line 226

def ua_to_variation(user_agent)
  family = user_agent.browser
  if family && VARIATIONS.key?(family)
    family
  else
    OTHER
  end
end

#validate_config!(config) ⇒ Object

Public: Validates each source expression.

Does not validate the individual values of the source expression (e.g. script_src => h*t*t*p: will not raise an exception)

# File 'lib/secure_headers/headers/policy_management.rb', line 180

def validate_config!(config)
  return if config.nil? || config == OPT_OUT
  raise ContentSecurityPolicyConfigError.new(":default_src is required") unless config[:default_src]
  config.each do |key, value|
    if META_CONFIGS.include?(key)
      raise ContentSecurityPolicyConfigError.new("#{key} must be a boolean value") unless boolean?(value) || value.nil?
    else
      validate_directive!(key, value)
    end
  end
end