Module: SecureHeaders::ViewHelpers

Includes:
HashHelper
Defined in:
lib/secure_headers/view_helper.rb

Defined Under Namespace

Classes: UnexpectedHashedScriptException

Constant Summary collapse

SECURE_HEADERS_RAKE_TASK =
"rake secure_headers:generate_hashes"

Instance Method Summary collapse

Methods included from HashHelper

#hash_source

Instance Method Details

#_content_security_policy_nonce(type) ⇒ Object Also known as: content_security_policy_nonce

Public: use the content security policy nonce for this request directly. Instructs secure_headers to append a nonce to style/script-src directives.

Returns a non-html-safe nonce value.



# File 'lib/secure_headers/view_helper.rb', line 69

# Public: look up the per-request CSP nonce for one directive type.
#
# @param type [Symbol] :script for the script-src nonce, :style for the
#   style-src nonce
# @return [Object, nil] the nonce SecureHeaders reports for @_request; nil
#   when +type+ is anything other than :script or :style (nothing is looked
#   up and no directive is touched in that case)
#
# The value is not marked html-safe (see the module docs); the nonced_*_tag
# helpers hand it to the tag builders as the +nonce:+ attribute.
def _content_security_policy_nonce(type)
  if type == :script
    SecureHeaders.content_security_policy_script_nonce(@_request)
  elsif type == :style
    SecureHeaders.content_security_policy_style_nonce(@_request)
  end
end

#content_security_policy_script_nonce ⇒ Object



# File 'lib/secure_headers/view_helper.rb', line 79

# Public: the script-src nonce for the current request.
#
# Shorthand for _content_security_policy_nonce(:script).
#
# @return [Object, nil] the non-html-safe nonce value
def content_security_policy_script_nonce
  nonce_type = :script
  _content_security_policy_nonce(nonce_type)
end

#content_security_policy_style_nonce ⇒ Object



# File 'lib/secure_headers/view_helper.rb', line 83

# Public: the style-src nonce for the current request.
#
# Shorthand for _content_security_policy_nonce(:style).
#
# @return [Object, nil] the non-html-safe nonce value
def content_security_policy_style_nonce
  nonce_type = :style
  _content_security_policy_nonce(nonce_type)
end

#hashed_javascript_tag(raise_error_on_unrecognized_hash = nil, &block) ⇒ Object

Checks to see if the hashed code is expected and adds the hash source value to the current CSP.

By default, in development/test/etc. an exception is raised when the hashed code is not recognized.



# File 'lib/secure_headers/view_helper.rb', line 92

# Public: render an inline script whose body is expected to match one of the
# pre-generated script hashes, and add that hash source to the current CSP's
# script-src (see SECURE_HEADERS_RAKE_TASK for how the hashes are produced).
#
# @param raise_error_on_unrecognized_hash [Boolean, nil] nil defers to
#   hashed_tag's default; the module docs say an exception is raised by
#   default in development/test/etc.
# @param block the block supplying the script body
# @return whatever hashed_tag returns for :script
def hashed_javascript_tag(raise_error_on_unrecognized_hash = nil, &block)
  # NOTE(review): reads Configuration's @script_hashes ivar directly rather
  # than through a reader; kept as-is to preserve behaviour.
  expected_hashes = Configuration.instance_variable_get(:@script_hashes)
  hashed_tag(:script, :script_src, expected_hashes, raise_error_on_unrecognized_hash, block)
end

#hashed_style_tag(raise_error_on_unrecognized_hash = nil, &block) ⇒ Object



# File 'lib/secure_headers/view_helper.rb', line 102

# Public: render an inline style block whose body is expected to match one of
# the pre-generated style hashes, and add that hash source to the current
# CSP's style-src (see SECURE_HEADERS_RAKE_TASK for how the hashes are produced).
#
# @param raise_error_on_unrecognized_hash [Boolean, nil] nil defers to
#   hashed_tag's default; the module docs say an exception is raised by
#   default in development/test/etc.
# @param block the block supplying the style body
# @return whatever hashed_tag returns for :style
def hashed_style_tag(raise_error_on_unrecognized_hash = nil, &block)
  # NOTE(review): reads Configuration's @style_hashes ivar directly rather
  # than through a reader; kept as-is to preserve behaviour.
  expected_hashes = Configuration.instance_variable_get(:@style_hashes)
  hashed_tag(:style, :style_src, expected_hashes, raise_error_on_unrecognized_hash, block)
end

#nonced_javascript_include_tag(*args, &block) ⇒ Object

Public: create a script src tag using the content security policy nonce. Instructs secure_headers to append a nonce to script-src directive.

Returns an html-safe script tag with the nonce attribute.



# File 'lib/secure_headers/view_helper.rb', line 39

# Public: javascript_include_tag with the request's script-src nonce added as
# the +nonce+ attribute.
#
# @param args the arguments forwarded to javascript_include_tag; the options
#   hash that extract_options finds in them receives the nonce
#   (extract_options is not visible here — presumably it splits the trailing
#   options hash off +args+; confirm against the helper)
# @param block forwarded unchanged to javascript_include_tag
# @return [Object] an html-safe script tag with the nonce attribute
def nonced_javascript_include_tag(*args, &block)
  options = extract_options(args)
  nonce = _content_security_policy_nonce(:script)
  javascript_include_tag(*args, **options.merge(nonce: nonce), &block)
end

#nonced_javascript_pack_tag(*args, &block) ⇒ Object

Public: create a script Webpacker pack tag using the content security policy nonce. Instructs secure_headers to append a nonce to script-src directive.

Returns an html-safe script tag with the nonce attribute.



# File 'lib/secure_headers/view_helper.rb', line 49

# Public: javascript_pack_tag (Webpacker) with the request's script-src nonce
# added as the +nonce+ attribute.
#
# @param args the arguments forwarded to javascript_pack_tag; the options
#   hash that extract_options finds in them receives the nonce
#   (extract_options is not visible here — presumably it splits the trailing
#   options hash off +args+; confirm against the helper)
# @param block forwarded unchanged to javascript_pack_tag
# @return [Object] an html-safe script tag with the nonce attribute
def nonced_javascript_pack_tag(*args, &block)
  options = extract_options(args)
  nonce = _content_security_policy_nonce(:script)
  javascript_pack_tag(*args, **options.merge(nonce: nonce), &block)
end

#nonced_javascript_tag(content_or_options = {}, &block) ⇒ Object

Public: create a script tag using the content security policy nonce. Instructs secure_headers to append a nonce to script-src directive.

Returns an html-safe script tag with the nonce attribute.



# File 'lib/secure_headers/view_helper.rb', line 31

# Public: build an inline script tag carrying the request's script-src nonce.
#
# @param content_or_options [String, Hash] either the script body or the tag
#   options, passed through to nonced_tag untouched
# @param block forwarded to nonced_tag as a plain argument (not as &block)
# @return [Object] an html-safe script tag with the nonce attribute
def nonced_javascript_tag(content_or_options = {}, &block)
  tag_kind = :script
  nonced_tag(tag_kind, content_or_options, block)
end

#nonced_style_tag(content_or_options = {}, &block) ⇒ Object

Public: create a style tag using the content security policy nonce. Instructs secure_headers to append a nonce to style-src directive.

Returns an html-safe style tag with the nonce attribute.



# File 'lib/secure_headers/view_helper.rb', line 13

# Public: build an inline style tag carrying the request's style-src nonce.
#
# @param content_or_options [String, Hash] either the style body or the tag
#   options, passed through to nonced_tag untouched
# @param block forwarded to nonced_tag as a plain argument (not as &block)
# @return [Object] an html-safe style tag with the nonce attribute
def nonced_style_tag(content_or_options = {}, &block)
  tag_kind = :style
  nonced_tag(tag_kind, content_or_options, block)
end

Public: create a stylesheet link tag using the content security policy nonce. Instructs secure_headers to append a nonce to style-src directive.

Returns an html-safe link tag with the nonce attribute.



# File 'lib/secure_headers/view_helper.rb', line 21

# Public: stylesheet_link_tag with the request's style-src nonce added as the
# +nonce+ attribute.
#
# @param args the arguments forwarded to stylesheet_link_tag; the options
#   hash that extract_options finds in them receives the nonce
#   (extract_options is not visible here — presumably it splits the trailing
#   options hash off +args+; confirm against the helper)
# @param block forwarded unchanged to stylesheet_link_tag
# @return [Object] an html-safe link tag with the nonce attribute
def nonced_stylesheet_link_tag(*args, &block)
  options = extract_options(args)
  nonce = _content_security_policy_nonce(:style)
  stylesheet_link_tag(*args, **options.merge(nonce: nonce), &block)
end

#nonced_stylesheet_pack_tag(*args, &block) ⇒ Object

Public: create a stylesheet Webpacker link tag using the content security policy nonce. Instructs secure_headers to append a nonce to style-src directive.

Returns an html-safe link tag with the nonce attribute.



# File 'lib/secure_headers/view_helper.rb', line 59

# Public: stylesheet_pack_tag (Webpacker) with the request's style-src nonce
# added as the +nonce+ attribute.
#
# @param args the arguments forwarded to stylesheet_pack_tag; the options
#   hash that extract_options finds in them receives the nonce
#   (extract_options is not visible here — presumably it splits the trailing
#   options hash off +args+; confirm against the helper)
# @param block forwarded unchanged to stylesheet_pack_tag
# @return [Object] an html-safe link tag with the nonce attribute
def nonced_stylesheet_pack_tag(*args, &block)
  options = extract_options(args)
  nonce = _content_security_policy_nonce(:style)
  stylesheet_pack_tag(*args, **options.merge(nonce: nonce), &block)
end