Class: ActionDispatch::ContentSecurityPolicy
Inherits: Object
Defined in: lib/action_dispatch/http/content_security_policy.rb
Overview
# Action Dispatch Content Security Policy
Configures the HTTP Content-Security-Policy (developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) response header to help protect against XSS and injection attacks.
Example global policy:
Rails.application.config.content_security_policy do |policy|
  policy.default_src :self, :https
  policy.font_src :self, :https, :data
  policy.img_src :self, :https, :data
  policy.object_src :none
  policy.script_src :self, :https
  policy.style_src :self, :https
  # Specify URI for violation reports
  policy.report_uri "/csp-violation-report-endpoint"
end
Defined Under Namespace
Modules: Request
Classes: Middleware
Instance Attribute Summary
- #directives ⇒ Object (readonly)
  Returns the value of attribute directives.
Instance Method Summary
- #block_all_mixed_content(enabled = true) ⇒ Object
  Specify whether to prevent the user agent from loading any assets over HTTP when the page uses HTTPS.
- #build(context = nil, nonce = nil, nonce_directives = nil) ⇒ Object
- #initialize {|_self| ... } ⇒ ContentSecurityPolicy (constructor)
  A new instance of ContentSecurityPolicy.
- #initialize_copy(other) ⇒ Object
- #plugin_types(*types) ⇒ Object
  Restricts the set of plugins that can be embedded.
- #report_uri(uri) ⇒ Object
  Enable the report-uri (developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri) directive.
- #require_sri_for(*types) ⇒ Object
  Specify asset types for which Subresource Integrity (developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is required.
- #sandbox(*values) ⇒ Object
  Specify whether a sandbox (developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox) should be enabled for the requested resource.
- #upgrade_insecure_requests(enabled = true) ⇒ Object
  Specify whether user agents should treat any assets over HTTP as HTTPS.
Constructor Details
#initialize {|_self| ... } ⇒ ContentSecurityPolicy
Returns a new instance of ContentSecurityPolicy.
# File 'lib/action_dispatch/http/content_security_policy.rb', line 177
def initialize
  @directives = {}
  yield self if block_given?
end
Instance Attribute Details
#directives ⇒ Object (readonly)
Returns the value of attribute directives.
# File 'lib/action_dispatch/http/content_security_policy.rb', line 175
def directives
  @directives
end
Instance Method Details
#block_all_mixed_content(enabled = true) ⇒ Object
Specify whether to prevent the user agent from loading any assets over HTTP when the page uses HTTPS:
policy.block_all_mixed_content
Pass `false` to allow it again:
policy.block_all_mixed_content false
# File 'lib/action_dispatch/http/content_security_policy.rb', line 205
def block_all_mixed_content(enabled = true)
  if enabled
    @directives["block-all-mixed-content"] = true
  else
    @directives.delete("block-all-mixed-content")
  end
end
#build(context = nil, nonce = nil, nonce_directives = nil) ⇒ Object
# File 'lib/action_dispatch/http/content_security_policy.rb', line 297
def build(context = nil, nonce = nil, nonce_directives = nil)
  nonce_directives = DEFAULT_NONCE_DIRECTIVES if nonce_directives.nil?
  build_directives(context, nonce, nonce_directives).compact.join("; ")
end
#initialize_copy(other) ⇒ Object
# File 'lib/action_dispatch/http/content_security_policy.rb', line 182
def initialize_copy(other)
  @directives = other.directives.deep_dup
end
#plugin_types(*types) ⇒ Object
Restricts the set of plugins that can be embedded:
policy.plugin_types "application/x-shockwave-flash"
Leave empty to allow all plugins:
policy.plugin_types
# File 'lib/action_dispatch/http/content_security_policy.rb', line 221
def plugin_types(*types)
  if types.first
    @directives["plugin-types"] = types
  else
    @directives.delete("plugin-types")
  end
end
#report_uri(uri) ⇒ Object
Enable the report-uri (developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri) directive. Violation reports will be sent to the specified URI:
policy.report_uri "/csp-violation-report-endpoint"
# File 'lib/action_dispatch/http/content_security_policy.rb', line 236
def report_uri(uri)
  @directives["report-uri"] = [uri]
end
#require_sri_for(*types) ⇒ Object
Specify asset types for which Subresource Integrity (developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is required:
policy.require_sri_for :script, :style
Leave empty to not require Subresource Integrity:
policy.require_sri_for
# File 'lib/action_dispatch/http/content_security_policy.rb', line 249
def require_sri_for(*types)
  if types.first
    @directives["require-sri-for"] = types
  else
    @directives.delete("require-sri-for")
  end
end
#sandbox(*values) ⇒ Object
Specify whether a sandbox (developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox) should be enabled for the requested resource:
policy.sandbox
Values can be passed as arguments:
policy.sandbox "allow-scripts", "allow-modals"
Pass `false` to disable the sandbox:
policy.sandbox false
# File 'lib/action_dispatch/http/content_security_policy.rb', line 271
def sandbox(*values)
  if values.empty?
    @directives["sandbox"] = true
  elsif values.first
    @directives["sandbox"] = values
  else
    @directives.delete("sandbox")
  end
end
#upgrade_insecure_requests(enabled = true) ⇒ Object
Specify whether user agents should treat any assets over HTTP as HTTPS:
policy.upgrade_insecure_requests
Pass `false` to disable it:
policy.upgrade_insecure_requests false
# File 'lib/action_dispatch/http/content_security_policy.rb', line 289
def upgrade_insecure_requests(enabled = true)
  if enabled
    @directives["upgrade-insecure-requests"] = true
  else
    @directives.delete("upgrade-insecure-requests")
  end
end
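The directive methods above all write into one @directives hash, and build turns that hash into the header value: one string per directive, nils dropped by compact, joined with "; ". The following is an added example, not Rails' own code, that models that DSL in plain Ruby so it runs without Rails, renders the global policy from the Overview, and then parses the resulting header back to flag weak settings. PolicyModel, parse_csp, audit_csp and page_policy_header are names chosen for this example; the nonce handling assumes Rails' default of appending the per-request nonce to script-src and style-src (the DEFAULT_NONCE_DIRECTIVES referenced in build), and the audit rules are this example's own, not a check Rails performs.

```ruby
# Added example, not Rails' own code: a stand-alone model of how the directives
# hash behind ActionDispatch::ContentSecurityPolicy becomes the header value,
# plus a checker that parses a header back and flags weak settings.

# Symbol sources accepted by the DSL and their spelling in the header.
KEYWORD_SOURCES = {
  self: "'self'", none: "'none'", https: "https:", data: "data:",
  unsafe_inline: "'unsafe-inline'", unsafe_eval: "'unsafe-eval'"
}.freeze
# Assumed default for which directives receive the per-request nonce.
NONCE_DIRECTIVES = %w[script-src style-src].freeze

class PolicyModel
  attr_reader :directives

  def initialize
    @directives = {}
    yield self if block_given?
  end

  # Source-list directives: arguments set the list, no arguments remove it,
  # following the `types.first` pattern shown on the page.
  %w[default-src script-src style-src img-src font-src object-src].each do |name|
    define_method(name.tr("-", "_")) do |*sources|
      sources.first ? @directives[name] = sources : @directives.delete(name)
    end
  end

  def report_uri(uri)
    @directives["report-uri"] = [uri]
  end

  # sandbox: no arguments -> bare directive, values -> listed, false -> removed.
  def sandbox(*values)
    if values.empty?
      @directives["sandbox"] = true
    elsif values.first
      @directives["sandbox"] = values
    else
      @directives.delete("sandbox")
    end
  end

  # Like build: one string per directive, nils dropped, joined with "; ".
  def build(nonce = nil)
    @directives.map { |name, value| render_directive(name, value, nonce) }.compact.join("; ")
  end

  private

  # true renders as the bare directive name; arrays become a source list.
  def render_directive(name, value, nonce)
    return name if value == true
    sources = value.map { |s| s.is_a?(Symbol) ? KEYWORD_SOURCES.fetch(s) : s.to_s }
    sources << "'nonce-#{nonce}'" if nonce && NONCE_DIRECTIVES.include?(name)
    "#{name} #{sources.join(' ')}"
  end
end

# Parse a header value into { directive => [sources] }; bare directives map to [].
def parse_csp(header)
  header.split(";").map(&:strip).reject(&:empty?).each_with_object({}) do |part, acc|
    name, *sources = part.split(/\s+/)
    acc[name.downcase] = sources
  end
end

# Findings a reviewer would raise on a policy header; an empty list means none.
def audit_csp(header)
  csp = parse_csp(header)
  findings = []
  findings << "no default-src fallback" unless csp.key?("default-src")
  unless csp["object-src"] == ["'none'"] || csp["default-src"] == ["'none'"]
    findings << "object-src not restricted to 'none'"
  end
  scripts = csp.fetch("script-src") { csp.fetch("default-src", []) }
  findings << "script-src permits 'unsafe-inline'" if scripts.include?("'unsafe-inline'")
  findings << "script-src permits 'unsafe-eval'" if scripts.include?("'unsafe-eval'")
  findings << "script-src allows any origin (*)" if scripts.include?("*")
  findings << "no violation reporting (report-uri)" unless csp.key?("report-uri")
  findings
end

# The page's example global policy, expressed against the model above.
def page_policy_header(nonce = nil)
  PolicyModel.new do |policy|
    policy.default_src :self, :https
    policy.font_src :self, :https, :data
    policy.img_src :self, :https, :data
    policy.object_src :none
    policy.script_src :self, :https
    policy.style_src :self, :https
    policy.report_uri "/csp-violation-report-endpoint"
  end.build(nonce)
end

if __FILE__ == $0
  puts page_policy_header("abc123")
  p audit_csp(page_policy_header), audit_csp("script-src 'unsafe-inline' *")
end
```

Run directly, it prints the header for the page's global policy with a sample nonce, then the audit result for that policy (no findings) beside the result for a deliberately permissive header. Because the model removes a directive rather than storing an empty list when a method is called without arguments, compact never has to drop an empty entry; that mirrors why the real methods delete the key instead of assigning nil.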