Module: SecureHeaders::PolicyManagement::ClassMethods
- Defined in:
- lib/secure_headers/headers/policy_management.rb
Instance Method Summary collapse
-
#combine_policies(original, additions) ⇒ Object
Public: combine the values from two different configs.
-
#make_header(config) ⇒ Object
Public: generate a header name, value array that is user-agent-aware.
- #ua_to_variation(user_agent) ⇒ Object
-
#validate_config!(config) ⇒ Object
Public: Validates each source expression.
Instance Method Details
#combine_policies(original, additions) ⇒ Object
Public: combine the values from two different configs.
original - the main config additions - values to be merged in
raises an error if the original config is OPT_OUT
-
for non-source-list values (report_only, block_all_mixed_content, upgrade_insecure_requests),
additions will overwrite the original value.
-
if a value in additions does not exist in the original config, the
default-src value is included to match original behavior.
-
if a value in additions does exist in the original config, the two
values are joined.
250 251 252 253 254 255 256 257 258 |
# File 'lib/secure_headers/headers/policy_management.rb', line 250 def combine_policies(original, additions) if original == {} raise ContentSecurityPolicyConfigError.new("Attempted to override an opt-out CSP config.") end original = Configuration.send(:deep_copy, original) populate_fetch_source_with_default!(original, additions) merge_policy_additions(original, additions) end |
#make_header(config) ⇒ Object
Public: generate a header name, value array that is user-agent-aware.
Returns a default policy if no configuration is provided, or a header name and value based on the config.
199 200 201 202 203 |
# File 'lib/secure_headers/headers/policy_management.rb', line 199 def make_header(config) return if config.nil? || config == OPT_OUT header = new(config) [header.name, header.value] end |
#ua_to_variation(user_agent) ⇒ Object
260 261 262 263 264 265 266 267 |
# File 'lib/secure_headers/headers/policy_management.rb', line 260 def ua_to_variation(user_agent) family = user_agent.browser if family && VARIATIONS.key?(family) family else OTHER end end |
#validate_config!(config) ⇒ Object
Public: Validates each source expression.
Does not validate the invididual values of the source expression (e.g. script_src => h*t*t*p: will not raise an exception)
209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 |
# File 'lib/secure_headers/headers/policy_management.rb', line 209 def validate_config!(config) return if config.nil? || config.opt_out? raise ContentSecurityPolicyConfigError.new(":default_src is required") unless config.directive_value(:default_src) if config.directive_value(:script_src).nil? raise ContentSecurityPolicyConfigError.new(":script_src is required, falling back to default-src is too dangerous. Use `script_src: OPT_OUT` to override") end if !config.report_only? && config.directive_value(:report_only) raise ContentSecurityPolicyConfigError.new("Only the csp_report_only config should set :report_only to true") end if config.report_only? && config.directive_value(:report_only) == false raise ContentSecurityPolicyConfigError.new("csp_report_only config must have :report_only set to true") end ContentSecurityPolicyConfig.attrs.each do |key| value = config.directive_value(key) next unless value if META_CONFIGS.include?(key) raise ContentSecurityPolicyConfigError.new("#{key} must be a boolean value") unless boolean?(value) || value.nil? elsif NONCES.include?(key) raise ContentSecurityPolicyConfigError.new("#{key} must be a non-nil value") if value.nil? else validate_directive!(key, value) end end end |