Module: SecureHeaders::ViewHelpers

Includes:
HashHelper
Defined in:
lib/secure_headers/view_helper.rb

Defined Under Namespace

Classes: UnexpectedHashedScriptException

Constant Summary

SECURE_HEADERS_RAKE_TASK =
"rake secure_headers:generate_hashes"

Instance Method Summary

Methods included from HashHelper

#hash_source

Instance Method Details

#content_security_policy_nonce(type) ⇒ Object

Public: use the content security policy nonce for this request directly. Instructs secure_headers to append a nonce to style/script-src directives.

Returns a non-html-safe nonce value.



# File 'lib/secure_headers/view_helper.rb', line 28

def content_security_policy_nonce(type)
  case type
  when :script
    SecureHeaders.content_security_policy_script_nonce(@_request)
  when :style
    SecureHeaders.content_security_policy_style_nonce(@_request)
  end
end

#content_security_policy_script_nonce ⇒ Object



# File 'lib/secure_headers/view_helper.rb', line 37

def content_security_policy_script_nonce
  content_security_policy_nonce(:script)
end

#content_security_policy_style_nonce ⇒ Object



# File 'lib/secure_headers/view_helper.rb', line 41

def content_security_policy_style_nonce
  content_security_policy_nonce(:style)
end

#hashed_javascript_tag(raise_error_on_unrecognized_hash = nil, &block) ⇒ Object

Checks to see if the hashed code is expected and adds the hash source value to the current CSP.

By default, in development/test/etc., an exception is raised when the hash is not recognized.



# File 'lib/secure_headers/view_helper.rb', line 50

def hashed_javascript_tag(raise_error_on_unrecognized_hash = nil, &block)
  hashed_tag(
    :script,
    :script_src,
    Configuration.instance_variable_get(:@script_hashes),
    raise_error_on_unrecognized_hash,
    block
  )
end
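
Added example, not secure_headers' own code: a standalone sketch of the check described for #hashed_javascript_tag, computing the CSP hash source of an inline block and comparing it with hashes generated ahead of time. The names csp_hash_source, checked_hash_source, EXPECTED_HASHES and UnexpectedHashError, the per-template allowlist layout and the non-strict return value are assumptions made for this sketch.

```ruby
require "digest"

# Hypothetical stand-in for the UnexpectedHashedScriptException named on this page.
class UnexpectedHashError < StandardError; end

# CSP hash-source expression for inline content: 'sha256-<base64 of raw digest>'.
# The digest covers the exact bytes between the tags, whitespace included.
def csp_hash_source(content)
  "'sha256-#{Digest::SHA256.base64digest(content)}'"
end

# Constructed sample data: an inline script and an allowlist keyed by template
# path (assumed layout), standing in for the output of a hash-generation step.
INLINE_JS = "console.log('hello');"
EXPECTED_HASHES = {
  "app/views/home/index.html.erb" => [csp_hash_source(INLINE_JS)]
}.freeze

# Returns the hash source to add to script-src for this inline block.
# strict: true  -> raise if the hash was not pre-approved for the template.
# strict: false -> return nil, so nothing unapproved is added to the policy
#                  and the browser blocks the inline block instead.
def checked_hash_source(template, content, strict: true, expected: EXPECTED_HASHES)
  source = csp_hash_source(content)
  return source if expected.fetch(template, []).include?(source)

  if strict
    raise UnexpectedHashError,
          "#{template}: inline content hashes to #{source}, which is not in the allowlist"
  end
  nil
end
```

Because the digest covers every byte of the inline content, a whitespace-only edit to a template changes the hash and the stored hashes have to be regenerated.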

#hashed_style_tag(raise_error_on_unrecognized_hash = nil, &block) ⇒ Object



# File 'lib/secure_headers/view_helper.rb', line 60

def hashed_style_tag(raise_error_on_unrecognized_hash = nil, &block)
  hashed_tag(
    :style,
    :style_src,
    Configuration.instance_variable_get(:@style_hashes),
    raise_error_on_unrecognized_hash,
    block
  )
end

#nonced_javascript_tag(content_or_options = {}, &block) ⇒ Object

Public: create a script tag using the content security policy nonce. Instructs secure_headers to append a nonce to style/script-src directives.

Returns an html-safe script tag with the nonce attribute.



# File 'lib/secure_headers/view_helper.rb', line 20

def nonced_javascript_tag(content_or_options = {}, &block)
  nonced_tag(:script, content_or_options, block)
end

#nonced_style_tag(content_or_options = {}, &block) ⇒ Object

Public: create a style tag using the content security policy nonce. Instructs secure_headers to append a nonce to style/script-src directives.

Returns an html-safe style tag with the nonce attribute.



# File 'lib/secure_headers/view_helper.rb', line 12

def nonced_style_tag(content_or_options = {}, &block)
  nonced_tag(:style, content_or_options, block)
end