Class: SecureHeaders::ContentSecurityPolicy
- Includes:
- Constants
- Defined in:
- lib/secure_headers/headers/content_security_policy.rb
Defined Under Namespace
Modules: Constants
Constant Summary
Constants included from Constants
Constants::DEFAULT_CSP_HEADER, Constants::DIRECTIVES, Constants::FF_CSP_ENDPOINT, Constants::META, Constants::STANDARD_HEADER_NAME
Instance Attribute Summary collapse
-
#browser ⇒ Object
readonly
Returns the value of attribute browser.
-
#experimental ⇒ Object
readonly
Returns the value of attribute experimental.
-
#report_uri ⇒ Object
readonly
Returns the value of attribute report_uri.
-
#request_uri ⇒ Object
readonly
Returns the value of attribute request_uri.
-
#ssl_request ⇒ Object
(also: #ssl_request?)
readonly
Returns the value of attribute ssl_request.
Instance Method Summary collapse
- #configure(config) ⇒ Object
-
#initialize(config = nil, options = {}) ⇒ ContentSecurityPolicy
constructor
options
param contains:
  :experimental — use the experimental block for config
  :ssl_request — used to determine whether http_additions should be used
  :request_uri — used to determine whether Firefox should send the report directly or use the forwarding endpoint
  :ua — the user agent (or just use Firefox/Chrome/MSIE/etc.)
- #name ⇒ Object
- #value ⇒ Object
Constructor Details
#initialize(config = nil, options = {}) ⇒ ContentSecurityPolicy
options
param contains:
  :experimental — use the experimental block for config
  :ssl_request — used to determine whether http_additions should be used
  :request_uri — used to determine whether Firefox should send the report directly or use the forwarding endpoint
  :ua — the user agent (or just use Firefox/Chrome/MSIE/etc.)
  :report — used to determine what :ssl_request, :ua, and :request_uri are set to
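# File 'lib/secure_headers/headers/content_security_policy.rb', line 30
#
# Builds a CSP header object from a policy config plus request context.
#
# @param config [Hash, String, nil] policy configuration; handed to #configure
#   only when non-nil, so a nil config leaves @config unset (see #value).
# @param options [Hash] request context. Keys are consumed with Hash#delete,
#   so the caller's hash is mutated (except :ua, which is only read). Keys:
#   - :experimental  truthy => use the experimental sub-config (see #configure)
#   - :controller    stored in @controller
#   - :request       when present, all context comes from parse_request
#                    (defined elsewhere in this class) and the keys below are
#                    not read
#   - :ua            the user agent string
#   - :ssl           whether the request was over TLS; the class docs call this
#                    option :ssl_request, but the key actually read is :ssl
#   - :request_uri   the requesting URI, used to decide whether Firefox reports
#                    go direct or through the forwarding endpoint
def initialize(config = nil, options = {})
  @experimental = !!options.delete(:experimental)
  @controller = options.delete(:controller)

  if options[:request]
    parse_request(options[:request])
  else
    @ua = options[:ua]
    # Fails open: an absent or false :ssl is treated as a plain-http request,
    # so the http_additions config is always applied unless the caller
    # explicitly passes ssl: true. The original author already questioned
    # this ("Bad idea?"); raising on a missing key is the stricter alternative.
    @ssl_request = !!options.delete(:ssl)
    # nil here means "assume we are not on the same host", which routes every
    # Firefox CSP report through the forwarder endpoint.
    @request_uri = options.delete(:request_uri)
  end

  configure(config) if config
end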
Instance Attribute Details
#browser ⇒ Object (readonly)
Returns the value of attribute browser.
# File 'lib/secure_headers/headers/content_security_policy.rb', line 16
#
# Read-only accessor for @browser. Nothing in the visible code assigns it;
# presumably parse_request (defined elsewhere) derives it from the request —
# confirm against that method.
def browser
  @browser
end
#experimental ⇒ Object (readonly)
Returns the value of attribute experimental.
# File 'lib/secure_headers/headers/content_security_policy.rb', line 16
#
# Read-only accessor for @experimental: true when the instance was built with
# a truthy :experimental option (coerced with !! in #initialize). When true,
# #configure merges the experimental sub-config and #name emits the
# Report-Only header.
def experimental
  @experimental
end
#report_uri ⇒ Object (readonly)
Returns the value of attribute report_uri.
# File 'lib/secure_headers/headers/content_security_policy.rb', line 16
#
# Read-only accessor for @report_uri, taken from the config's :report_uri in
# #configure. normalize_reporting_endpoint (defined elsewhere) runs right
# after that assignment and may rewrite it — confirm there.
def report_uri
  @report_uri
end
#request_uri ⇒ Object (readonly)
Returns the value of attribute request_uri.
# File 'lib/secure_headers/headers/content_security_policy.rb', line 16
#
# Read-only accessor for @request_uri. #initialize sets it from the
# :request_uri option when no :request is supplied; a nil value makes every
# Firefox CSP report go through the forwarder endpoint. When :request is
# supplied, parse_request (defined elsewhere) presumably sets it — confirm.
def request_uri
  @request_uri
end
#ssl_request ⇒ Object (readonly) Also known as: ssl_request?
Returns the value of attribute ssl_request.
# File 'lib/secure_headers/headers/content_security_policy.rb', line 16
#
# Read-only accessor for @ssl_request (also exposed as ssl_request?).
# #initialize sets it to !!options[:ssl], so it is false — not nil — whenever
# the caller did not pass ssl: true, which is the fail-open case that makes
# the http_additions config apply.
def ssl_request
  @ssl_request
end
Instance Method Details
#configure(config) ⇒ Object
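# File 'lib/secure_headers/headers/content_security_policy.rb', line 48
#
# Loads a policy config into this instance.
#
# The config is shallow-copied (Hash#dup) before keys are consumed, so the
# caller's top-level hash is not mutated; nested values (directive lists,
# http_additions) are still shared with the caller.
#
# @param config [Hash] policy config. Keys consumed here: :experimental (a
#   sub-hash, applied only when the instance was built with experimental:
#   true), every key listed in META (each assigned through its "<key>="
#   writer), :report_uri and :script_nonce. Whatever remains stays in
#   @config and is read by #value.
def configure(config)
  @config = config.dup

  experimental_config = @config.delete(:experimental)
  if @experimental && experimental_config
    # The experimental block's http_additions replaces the base one outright
    # (becoming nil if the block has none), then the rest of the block
    # overrides matching base keys.
    @config[:http_additions] = experimental_config[:http_additions]
    @config.merge!(experimental_config)
  end

  # META is a fixed constant, so the dynamic send can only reach the writers
  # this class defines; config keys never choose the method name.
  META.each do |meta|
    self.send("#{meta}=", @config.delete(meta))
  end

  @report_uri = @config.delete(:report_uri)
  @script_nonce = @config.delete(:script_nonce)

  normalize_reporting_endpoint
  fill_directives unless disable_fill_missing?
end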
#name ⇒ Object
# File 'lib/secure_headers/headers/content_security_policy.rb', line 69
#
# The header name to emit: STANDARD_HEADER_NAME, or its "-Report-Only"
# variant when the policy is not enforced or the experimental config is in
# use. In report-only mode the browser reports violations but does not block
# anything. `enforce` is a reader defined elsewhere in this class.
def name
  report_only = !enforce || experimental
  return STANDARD_HEADER_NAME unless report_only

  STANDARD_HEADER_NAME + "-Report-Only"
end
#value ⇒ Object
# File 'lib/secure_headers/headers/content_security_policy.rb', line 77
#
# The header value. A String config is emitted verbatim — nothing here parses
# or validates it, so the caller owns its correctness. Any other truthy config
# is rendered by build_value (defined elsewhere); an unset config falls back
# to DEFAULT_CSP_HEADER.
def value
  return @config if @config.is_a?(String)

  @config ? build_value : DEFAULT_CSP_HEADER
end