Class: ActionDispatch::ContentSecurityPolicy

Inherits:
Object
  • Object
show all
Defined in:
lib/action_dispatch/http/content_security_policy.rb

Overview

# Action Dispatch Content Security Policy

Configures the HTTP [Content-Security-Policy](developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) response header to help protect against XSS and injection attacks.

Example global policy:

Rails.application.config.content_security_policy do |policy|
  policy.default_src :self, :https
  policy.font_src    :self, :https, :data
  policy.img_src     :self, :https, :data
  policy.object_src  :none
  policy.script_src  :self, :https
  policy.style_src   :self, :https

  # Specify URI for violation reports
  policy.report_uri "/csp-violation-report-endpoint"
end

Defined Under Namespace

Modules: Request Classes: InvalidDirectiveError, Middleware

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize {|_self| ... } ⇒ ContentSecurityPolicy

Returns a new instance of ContentSecurityPolicy.

Yields:

  • (_self)

Yield Parameters:



179
180
181
182
# File 'lib/action_dispatch/http/content_security_policy.rb', line 179

def initialize
  @directives = {}
  yield self if block_given?
end

Instance Attribute Details

#directivesObject (readonly)

Returns the value of attribute directives.



177
178
179
# File 'lib/action_dispatch/http/content_security_policy.rb', line 177

def directives
  @directives
end

Instance Method Details

#block_all_mixed_content(enabled = true) ⇒ Object

Specify whether to prevent the user agent from loading any assets over HTTP when the page uses HTTPS:

policy.block_all_mixed_content

Pass ‘false` to allow it again:

policy.block_all_mixed_content false


207
208
209
210
211
212
213
# File 'lib/action_dispatch/http/content_security_policy.rb', line 207

def block_all_mixed_content(enabled = true)
  if enabled
    @directives["block-all-mixed-content"] = true
  else
    @directives.delete("block-all-mixed-content")
  end
end

#build(context = nil, nonce = nil, nonce_directives = nil) ⇒ Object



296
297
298
299
# File 'lib/action_dispatch/http/content_security_policy.rb', line 296

def build(context = nil, nonce = nil, nonce_directives = nil)
  nonce_directives = DEFAULT_NONCE_DIRECTIVES if nonce_directives.nil?
  build_directives(context, nonce, nonce_directives).compact.join("; ")
end

#initialize_copy(other) ⇒ Object



184
185
186
# File 'lib/action_dispatch/http/content_security_policy.rb', line 184

def initialize_copy(other)
  @directives = other.directives.deep_dup
end

#plugin_types(*types) ⇒ Object

Restricts the set of plugins that can be embedded:

policy.plugin_types "application/x-shockwave-flash"

Leave empty to allow all plugins:

policy.plugin_types


223
224
225
226
227
228
229
# File 'lib/action_dispatch/http/content_security_policy.rb', line 223

def plugin_types(*types)
  if types.first
    @directives["plugin-types"] = types
  else
    @directives.delete("plugin-types")
  end
end

#report_uri(uri) ⇒ Object

Enable the [report-uri](developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri) directive. Violation reports will be sent to the specified URI:

policy.report_uri "/csp-violation-report-endpoint"


237
238
239
# File 'lib/action_dispatch/http/content_security_policy.rb', line 237

def report_uri(uri)
  @directives["report-uri"] = [uri]
end

#require_sri_for(*types) ⇒ Object

Specify asset types for which [Subresource Integrity](developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is required:

policy.require_sri_for :script, :style

Leave empty to not require Subresource Integrity:

policy.require_sri_for


249
250
251
252
253
254
255
# File 'lib/action_dispatch/http/content_security_policy.rb', line 249

def require_sri_for(*types)
  if types.first
    @directives["require-sri-for"] = types
  else
    @directives.delete("require-sri-for")
  end
end

#sandbox(*values) ⇒ Object

Specify whether a [sandbox](developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox) should be enabled for the requested resource:

policy.sandbox

Values can be passed as arguments:

policy.sandbox "allow-scripts", "allow-modals"

Pass ‘false` to disable the sandbox:

policy.sandbox false


270
271
272
273
274
275
276
277
278
# File 'lib/action_dispatch/http/content_security_policy.rb', line 270

def sandbox(*values)
  if values.empty?
    @directives["sandbox"] = true
  elsif values.first
    @directives["sandbox"] = values
  else
    @directives.delete("sandbox")
  end
end

#upgrade_insecure_requests(enabled = true) ⇒ Object

Specify whether user agents should treat any assets over HTTP as HTTPS:

policy.upgrade_insecure_requests

Pass ‘false` to disable it:

policy.upgrade_insecure_requests false


288
289
290
291
292
293
294
# File 'lib/action_dispatch/http/content_security_policy.rb', line 288

def upgrade_insecure_requests(enabled = true)
  if enabled
    @directives["upgrade-insecure-requests"] = true
  else
    @directives.delete("upgrade-insecure-requests")
  end
end