Class: ContentSecurityPolicy

Inherits:

Object

• Object
• ContentSecurityPolicy

Defined in:

lib/content-security-policy.rb,
lib/content-security-policy/errors.rb,
lib/content-security-policy/version.rb,
lib/content-security-policy/middleware.rb

Defined Under Namespace

Classes: IncorrectDirectivesError, NoDirectivesError

Constant Summary

VERSION =

'0.1.3'

Class Attribute Summary

• .directives ⇒ Object readonly
• .report_only ⇒ Object

Instance Attribute Summary

• #directives ⇒ Object readonly
• #report_only ⇒ Object readonly

Class Method Summary

• .[]=(name, value) ⇒ Object

  Sets directive.

• .configure {|ContentSecurityPolicy| ... } ⇒ Object

  Configures Content Security Policy directives.

Instance Method Summary

• #_call(env) ⇒ Object private
• #call(env) ⇒ Object private
• #initialize(app, options = {}) ⇒ ContentSecurityPolicy constructor

  Initializes Content Security Policy middleware.

Constructor Details

#initialize(app, options = {}) ⇒ ContentSecurityPolicy

Initializes Content Security Policy middleware.

Examples:

use ContentSecurityPolicy, :directives => { 'default-src' => "'self'" }
use ContentSecurityPolicy, :directives => { 'default-src' => "'self'" }, :report_only => true

Parameters:

• options (Hash) (defaults to: {}) —

  Options hash

Options Hash (options):

• :report_only (Boolean) —

  Set to true if use in report-only mode

• :directives (Hash) —

  Directives hash

# File 'lib/content-security-policy/middleware.rb', line 20

def initialize(app, options = {})
  @app = app
  @report_only = options[:report_only] || ContentSecurityPolicy.report_only
  @directives  = options[:directives]  || ContentSecurityPolicy.directives

  @directives or raise NoDirectivesError, 'No directives were passed.'

  # make sure directives with policy-uri don't contain any other directives
  if @directives['policy-uri'] && @directives.keys.length > 1
    raise IncorrectDirectivesError, 'You passed both policy-uri and other directives.'
  end
end

Class Attribute Details

.directives ⇒ Object (readonly)

# File 'lib/content-security-policy.rb', line 12

def directives
  @directives
end

.report_only ⇒ Object

# File 'lib/content-security-policy.rb', line 9

def report_only
  @report_only
end

Instance Attribute Details

#directives ⇒ Object (readonly)

# File 'lib/content-security-policy/middleware.rb', line 7

def directives
  @directives
end

#report_only ⇒ Object (readonly)

# File 'lib/content-security-policy/middleware.rb', line 4

def report_only
  @report_only
end

Class Method Details

.[]=(name, value) ⇒ Object

Sets directive.

Parameters:

• name (String) —

  Directive name

• value (String) —

  Directive value

# File 'lib/content-security-policy.rb', line 40

def []=(name, value)
  @directives[name] = value
end

.configure {|ContentSecurityPolicy| ... } ⇒ Object

Configures Content Security Policy directives.

Note that default-src directive should always be set.

Examples:

ContentSecurityPolicy.configure do |csp|
  csp.report_only = true
  csp['default-src'] = "'self'"
  csp['script-src']  = '*.example.com'
end
use ContentSecurityPolicy

Yields:

• (ContentSecurityPolicy)

# File 'lib/content-security-policy.rb', line 29

def configure(&blk)
  @directives ||= {}
  blk.call(self)
end

Instance Method Details

#_call(env) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/content-security-policy/middleware.rb', line 43

def _call(env)
  status, headers, response = @app.call(env)

  # flatten directives
  directives = @directives.sort.map { |dir| "#{dir[0]} #{dir[1]}" }.join('; ')

  # prepare response headers names
  if @report_only
    resp_headers = %w(
      Content-Security-Policy-Report-Only
      X-Content-Security-Policy-Report-Only
      X-WebKit-CSP-Report-Only
    )
  else
    resp_headers = %w(
      Content-Security-Policy
      X-Content-Security-Policy
      X-WebKit-CSP
    )
  end

  # append response header
  resp_headers.each do |resp_header|
    headers[resp_header] = directives
  end

  [status, headers, response]
end

#call(env) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/content-security-policy/middleware.rb', line 36

def call(env)
  dup._call(env)
end