Module: SecureHeaders::PolicyManagement::ClassMethods

Defined in:
lib/secure_headers/headers/policy_management.rb

Instance Method Summary

Instance Method Details

#combine_policies(original, additions) ⇒ Object

Public: combine the values from two different configs.

original - the main config
additions - values to be merged in

raises an error if the original config is OPT_OUT

  1. for non-source-list values (report_only, block_all_mixed_content, upgrade_insecure_requests), additions will overwrite the original value.
  2. if a value in additions does not exist in the original config, the default-src value is included to match original behavior.
  3. if a value in additions does exist in the original config, the two values are joined.



# File 'lib/secure_headers/headers/policy_management.rb', line 235

def combine_policies(original, additions)
  # An opt-out config is represented by an empty hash; there is nothing to merge into.
  if original == {}
    raise ContentSecurityPolicyConfigError.new("Attempted to override an opt-out CSP config.")
  end

  # Work on a copy so the caller's (possibly shared, frozen) config is never mutated.
  original = Configuration.send(:deep_copy, original)
  # Rule 2: directives present only in additions start from the original default-src.
  populate_fetch_source_with_default!(original, additions)
  # Rules 1 and 3: overwrite boolean flags, union source lists.
  merge_policy_additions(original, additions)
end
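To make the three merge rules concrete, here is an added example that re-implements them on plain hashes. It is not secure_headers' own code: it assumes configs are Ruby Hashes keyed by directive symbol, source lists are Arrays of Strings, and, as a simplification, treats every non-boolean directive the way the gem treats fetch directives. The sample policies are constructed for the example. The security point it illustrates is that rule 3 is a union, so an override can only ever widen the original policy; `widening_keywords` is a small guard a practitioner can run in tests to catch an addition that smuggles in a keyword the base policy deliberately omits.

```ruby
# Added example, not the secure_headers implementation: a minimal version of the
# combine_policies rules documented above, operating on plain Hashes.
META_CONFIGS = [:report_only, :block_all_mixed_content, :upgrade_insecure_requests].freeze
OPT_OUT = {}.freeze

class CspConfigError < StandardError; end

def combine_policies(original, additions)
  raise CspConfigError, "Attempted to override an opt-out CSP config." if original == OPT_OUT

  # Deep-enough copy: duplicate every source-list Array so the caller's config is untouched.
  merged = original.each_with_object({}) { |(k, v), h| h[k] = v.is_a?(Array) ? v.dup : v }

  additions.each do |directive, value|
    if META_CONFIGS.include?(directive)
      # Rule 1: boolean flags are overwritten, not combined.
      merged[directive] = value
    else
      # Rule 2: a directive absent from the original starts from default-src,
      # which is what the browser would have applied to it anyway.
      merged[directive] ||= Array(original[:default_src]).dup
      # Rule 3: source lists are unioned; nothing from the original is dropped.
      merged[directive] = (merged[directive] + Array(value)).uniq
    end
  end
  merged
end

# Constructed sample base policy (assumption: these are the app's real directives).
BASE = {
  default_src: %w['self'],
  script_src:  %w['self' https://cdn.example.com],
  report_only: false,
}.freeze

# A per-action override that adds an image host, loosens script-src, and flips report-only.
def merged_sample
  combine_policies(BASE, {
    img_src:     %w[https://images.example.com],
    script_src:  %w['unsafe-inline'],
    report_only: true,
  })
end

# Because rule 3 only adds sources, an override can never tighten a policy.
# This guard lists forbidden keywords an addition would introduce, per directive.
FORBIDDEN_KEYWORDS = %w['unsafe-inline' 'unsafe-eval' *].freeze

def widening_keywords(original, additions)
  additions.reject { |k, _| META_CONFIGS.include?(k) }.flat_map do |directive, value|
    (Array(value) - Array(original[directive])) & FORBIDDEN_KEYWORDS
  end
end

if __FILE__ == $PROGRAM_NAME
  p merged_sample
  p widening_keywords(BASE, { script_src: %w['unsafe-inline'] })
end
```

Note that `img_src` in the result starts with `'self'` even though the override never mentioned it: that is rule 2 at work, and it is why an override that only names a new host does not accidentally cut off same-origin images.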

#make_header(config, user_agent) ⇒ Object

Public: generate a header name, value array that is user-agent-aware.

Returns a default policy if no configuration is provided, or a header name and value based on the config.



# File 'lib/secure_headers/headers/policy_management.rb', line 190

def make_header(config, user_agent)
  # Build the header object for this user agent, then return it as a [name, value] pair
  # ready to be written into the response headers.
  header = new(config, user_agent)
  [header.name, header.value]
end

#nonces_supported?(user_agent) ⇒ Boolean

Public: check if a user agent supports CSP nonces

user_agent - a String or a UserAgent object

Returns:

  • (Boolean)


# File 'lib/secure_headers/headers/policy_management.rb', line 216

def nonces_supported?(user_agent)
  user_agent = UserAgent.parse(user_agent) if user_agent.is_a?(String)
  # Modern browsers are assumed to support nonces outright; Safari only from version 10.
  # Note the operator precedence: && binds tighter than ||, so the version check
  # applies only to the Safari branch. An unparseable Safari version falls back to
  # CSP::FALLBACK_VERSION.
  MODERN_BROWSERS.include?(user_agent.browser) ||
    user_agent.browser == "Safari" && (user_agent.version || CSP::FALLBACK_VERSION) >= CSP::VERSION_10
end

#ua_to_variation(user_agent) ⇒ Object



# File 'lib/secure_headers/headers/policy_management.rb', line 245

def ua_to_variation(user_agent)
  # Map a parsed user agent to one of the known policy variations, or to OTHER
  # when the browser family is unknown or has no variation of its own.
  family = user_agent.browser
  if family && VARIATIONS.key?(family)
    family
  else
    OTHER
  end
end

#validate_config!(config) ⇒ Object

Public: Validates each source expression.

Does not validate the individual values of the source expression (e.g. script_src => h*t*t*p: will not raise an exception)



# File 'lib/secure_headers/headers/policy_management.rb', line 199

def validate_config!(config)
  # Nothing to validate for a missing or opt-out config.
  return if config.nil? || config.opt_out?
  # default-src is mandatory: it is the fallback for every fetch directive that is not set.
  raise ContentSecurityPolicyConfigError.new(":default_src is required") unless config.directive_value(:default_src)
  ContentSecurityPolicyConfig.attrs.each do |key|
    value = config.directive_value(key)
    next unless value
    if META_CONFIGS.include?(key)
      # Meta settings (report_only etc.) must be booleans, not source lists.
      raise ContentSecurityPolicyConfigError.new("#{key} must be a boolean value") unless boolean?(value) || value.nil?
    else
      # Source-list directives are checked for shape only, not for the content of each source.
      validate_directive!(key, value)
    end
  end
end