Class: SecureHeaders::ContentSecurityPolicy

Inherits:
Header
  • Object
Includes:
Constants
Defined in:
lib/secure_headers/headers/content_security_policy.rb

Defined Under Namespace

Modules: Constants

Constant Summary

Constants included from Constants

Constants::DEFAULT_CSP_HEADER, Constants::DIRECTIVES, Constants::FF_CSP_ENDPOINT, Constants::META, Constants::STANDARD_HEADER_NAME



Constructor Details

#initialize(config = nil, options = {}) ⇒ ContentSecurityPolicy

The options param contains: :experimental — use the experimental block for config; :ssl_request — used to determine if http_additions should be used; :request_uri — used to determine if Firefox should send the report directly or use the forwarding endpoint; :ua — the user agent (or just use Firefox/Chrome/MSIE/etc).

:report used to determine what :ssl_request, :ua, and :request_uri are set to



# File 'lib/secure_headers/headers/content_security_policy.rb', line 31

# Builds a CSP header object from a policy +config+ and per-request +options+.
#
# Option keys read here (each is removed from +options+ unless noted):
#   :experimental - coerced to a boolean; selects the experimental config block
#   :controller   - stored on the instance
#   :request      - when truthy, parse_request derives the request context
#                   (read but NOT removed from the hash)
#   :ua           - user agent string (read but NOT removed from the hash)
#   :ssl          - coerced to a boolean; note the key is :ssl, not :ssl_request
#   :request_uri  - nil means "assume a different host", so every Firefox CSP
#                   report is routed through the forwarding endpoint
#
# @param config [Hash, String, nil] handed to #configure when truthy
# @param options [Hash] request context; mutated by the #delete calls above
def initialize(config=nil, options={})
  @experimental = options.delete(:experimental) ? true : false
  @controller   = options.delete(:controller)

  request = options[:request]
  if request
    parse_request(request)
  else
    # nil => treat as not the same host; Firefox reports then use the forwarder
    @request_uri = options.delete(:request_uri)
    # Absent :ssl means "plain http", so http_additions will always be applied.
    # This fails open (assumes http) rather than raising when the flag is missing.
    @ssl_request = options.delete(:ssl) ? true : false
    @ua = options[:ua]
  end

  configure(config) if config
end

Instance Attribute Details

#browserObject (readonly)

Returns the value of attribute browser.



# File 'lib/secure_headers/headers/content_security_policy.rb', line 17

# Read-only accessor for the detected browser (set elsewhere in the class).
# @return [Object, nil]
def browser; @browser; end

#experimentalObject (readonly)

Returns the value of attribute experimental.



# File 'lib/secure_headers/headers/content_security_policy.rb', line 17

# Whether this instance was built with experimental: true; the header #name
# is forced into report-only mode whenever this is truthy.
# @return [Boolean]
def experimental; @experimental; end

#report_uriObject (readonly)

Returns the value of attribute report_uri.



# File 'lib/secure_headers/headers/content_security_policy.rb', line 17

# Read-only accessor for the configured report URI (assigned via the META
# setters in #configure).
# @return [Object, nil]
def report_uri; @report_uri; end

#request_uriObject (readonly)

Returns the value of attribute request_uri.



# File 'lib/secure_headers/headers/content_security_policy.rb', line 17

# Read-only accessor for the request URI captured at construction; nil means
# the request is treated as coming from a different host.
# @return [Object, nil]
def request_uri; @request_uri; end

#ssl_requestObject (readonly) Also known as: ssl_request?

Returns the value of attribute ssl_request.



# File 'lib/secure_headers/headers/content_security_policy.rb', line 17

# Read-only accessor for the boolean recorded from the :ssl option (also
# exposed as ssl_request?). False when the option was not supplied.
# @return [Boolean]
def ssl_request; @ssl_request; end

Instance Method Details

#configure(config) ⇒ Object



# File 'lib/secure_headers/headers/content_security_policy.rb', line 54

# Copies +config+ into @config and consumes the non-directive settings.
#
# The order is significant: the :experimental block is merged first (only
# when the instance was built with experimental: true), then :http_additions
# and :app_name are removed, the META keys are assigned through their setters,
# and finally :enforce / :tag_report_uri are consumed. Whatever remains in
# @config is left for the later build step.
#
# @param config [Hash] CSP configuration; duplicated (shallow copy) so the
#   caller's hash is not modified by the #delete calls
# @return [Object] result of the last statement; not meaningful to callers
def configure(config)
  @config = config.dup

  overrides = @config.delete(:experimental)
  if overrides && @experimental
    # The experimental :http_additions replace the base ones even when absent:
    # the explicit assignment writes nil before merge!, so the base value
    # never survives into an experimental policy.
    @config[:http_additions] = overrides[:http_additions]
    @config.merge!(overrides)
  end

  # Plain values only: lambdas are not supported for these two keys
  # (the original comment flags this code path for a rewrite).
  @http_additions = @config.delete(:http_additions)
  @app_name       = @config.delete(:app_name)

  normalize_csp_options

  META.each { |key| send("#{key}=", @config.delete(key)) }

  @enforce        = @config.delete(:enforce) ? true : false
  @tag_report_uri = @config.delete(:tag_report_uri)

  normalize_reporting_endpoint
  fill_directives unless disable_fill_missing?
end

#nameObject



# File 'lib/secure_headers/headers/content_security_policy.rb', line 80

# Header name to emit. The "-Report-Only" suffix is appended whenever the
# policy is not enforced OR the instance is experimental, so an experimental
# policy is always delivered in report-only mode regardless of :enforce.
#
# @return [String]
def name
  enforced = @enforce && !experimental
  suffix = enforced ? "" : "-Report-Only"
  STANDARD_HEADER_NAME + suffix
end

#nonceObject



# File 'lib/secure_headers/headers/content_security_policy.rb', line 50

# Per-instance CSP nonce: 32 random bytes from SecureRandom, base64-encoded.
# Generated on first call and then reused, so every reference within one
# header object sees the same value; a new header object gets a new nonce.
#
# @return [String]
def nonce
  return @nonce if @nonce
  @nonce = SecureRandom.base64(32).chomp
end

#valueObject



# File 'lib/secure_headers/headers/content_security_policy.rb', line 88

# The header value to emit.
#
# A String config is returned verbatim (nothing here parses or validates it),
# a nil/false config falls back to DEFAULT_CSP_HEADER, and any other config
# (normally the Hash left by #configure) is rendered by build_value.
#
# @return [String] in the String and default cases; otherwise whatever
#   build_value returns
def value
  case @config
  when String
    @config
  when nil, false
    DEFAULT_CSP_HEADER
  else
    build_value
  end
end