EzCSP provides a simple object-oriented way to generate Content-Security-Policy HTTP headers. For documentation on CSP, see Mozilla's Content-Security-Policy page.

Basic usage:

require 'ezcsp'
csp = EzCSP.new()

Then, depending on how you output HTTP headers, you could output the CSP header something like this:

headers['Content-Security-Policy'] = csp.to_s

csp.to_s, by default, returns this string:

default-src 'self'; frame-src 'self'; object-src 'none'; form-action 'self'; frame-ancestors 'self'; base-uri 'none'; block-all-mixed-content;

By default, the header value is very restrictive: it states that no resources (scripts, styles, images, etc.) from outside the current web site may be loaded. To widen the set of allowed sources, add to the accessors listed in the class documentation, usually through the cdn method. For example, to allow the browser to load scripts and styles from code.jquery.com, you would do this:

csp.cdn 'code.jquery.com', 'script_src', 'style_src'

which would produce this header value:

default-src 'self'; script-src 'self' code.jquery.com; style-src 'self' code.jquery.com; frame-src 'self'; object-src 'none'; form-action 'self'; frame-ancestors 'self'; base-uri 'none'; block-all-mixed-content;
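To make the two header values above concrete, here is a small self-contained builder written for this README that reproduces them; it is an illustrative reimplementation, not the ezcsp gem's own code. The ExampleCSP class name, the directive ordering beyond the directives shown above, and the list of accepted directive names are assumptions.

```ruby
# Illustrative CSP builder (not the ezcsp gem's source). It mirrors the
# behaviour described in the README: a restrictive default policy, and a
# cdn(host, *directives) method that adds a host to named source lists.
class ExampleCSP
  # Output order. The relative order of the directives present in the
  # README's examples is taken from them; the others are assumed.
  ORDER = %w[default-src script-src style-src img-src connect-src font-src
             media-src frame-src object-src form-action frame-ancestors base-uri].freeze

  # The default policy: same-origin only, no plugins, no <base> overrides.
  DEFAULTS = {
    'default-src'     => ["'self'"],
    'frame-src'       => ["'self'"],
    'object-src'      => ["'none'"],
    'form-action'     => ["'self'"],
    'frame-ancestors' => ["'self'"],
    'base-uri'        => ["'none'"],
  }.freeze

  def initialize
    @sources = DEFAULTS.transform_values(&:dup)
    @flags = ['block-all-mixed-content']
  end

  # Add +host+ to each named directive. Names use underscores as in the
  # README ('script_src'); a directive not yet present starts as 'self'
  # so the same-origin default is kept rather than replaced.
  def cdn(host, *directives)
    directives.each do |name|
      key = name.to_s.tr('_', '-')
      raise ArgumentError, "unknown directive #{name}" unless ORDER.include?(key)
      list = (@sources[key] ||= ["'self'"])
      list << host unless list.include?(host)
    end
    self
  end

  # Serialise in the same form as the README's sample output.
  def to_s
    parts = ORDER.select { |d| @sources.key?(d) }
                 .map { |d| "#{d} #{@sources[d].join(' ')}" }
    (parts + @flags).join('; ') + ';'
  end
end

csp = ExampleCSP.new
puts csp.to_s                                         # the default policy
puts csp.cdn('code.jquery.com', 'script_src', 'style_src').to_s
```

Allowing a whole host such as code.jquery.com permits any script or stylesheet served from it; pinning the specific files with Subresource Integrity is a complementary control.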

EzCSP isn't a substitute for understanding content security policies. Make sure you read up on CSP before using this class.

Install

gem install ezcsp

Author

Mike O'Sullivan [email protected]

History

version  date         notes
0.0.2    Nov 9, 2018  Improved structure of gem. No changes to code.
0.0.1    Nov 5, 2018  Initial upload.