Class: EzCSP

Inherits: Object
Defined in:
lib/ezcsp.rb

Overview

In the array attributes listed below, if the value 'none' is present in an array, all other values in that array are ignored.

Constructor Details

#initialize ⇒ EzCSP

new() takes no parameters.

# File 'lib/ezcsp.rb', line 107

def initialize
	# $tm.hrm
	
	# all and default
	@all_src = ['self']
	@default_src = []
	
	# inherit from default
	@img_src = nil
	@script_src = nil
	@style_src = nil
	@font_src = nil
	@object_src = ['none']
	
	# do not inherit from default
	@frame_src = ['self']
	@frame_ancestors = ['self']
	@form_action = ['self']
	@base_uri = ['none']
	
	# booleans
	@block_all_mixed_content = true
	@upgrade_insecure_requests = nil
	@default_to_explicit = true
	
	# report_to
	@report_to = nil
	@report_to_group = 'csp-endpoint'
	@report_to_max_age = 10886400
end

Instance Attribute Details

#all_src ⇒ Object

Array. all_src is a shortcut for indicating that a host is to be included in all other *_src arrays. By default, all_src consists of ['self'].

# File 'lib/ezcsp.rb', line 49

def all_src
  @all_src
end

#base_uri ⇒ Object

Array. Holds the list of base-uri hosts. By default, base_uri consists of ['none'].

# File 'lib/ezcsp.rb', line 67

def base_uri
  @base_uri
end

#block_all_mixed_content ⇒ Object

Boolean, defaults to true. Sets the value for block-all-mixed-content.

# File 'lib/ezcsp.rb', line 71

def block_all_mixed_content
  @block_all_mixed_content
end

#default_src ⇒ Object

Array. Holds the list of default-src hosts. By default, default_src is an empty array.

# File 'lib/ezcsp.rb', line 16

def default_src
  @default_src
end

#font_src ⇒ Object

By default nil. If an array, this attribute holds the list of hosts in font-src.

# File 'lib/ezcsp.rb', line 38

def font_src
  @font_src
end

#form_action ⇒ Object

Array. Holds the list of form-action hosts. By default, form_action consists of ['self'].

# File 'lib/ezcsp.rb', line 55

def form_action
  @form_action
end

#frame_ancestors ⇒ Object

Array. Holds the list of frame-ancestors hosts. By default, frame_ancestors consists of ['self'].

# File 'lib/ezcsp.rb', line 61

def frame_ancestors
  @frame_ancestors
end

#frame_src ⇒ Object

Array. Holds the list of frame-src hosts. By default, frame_src consists of ['self'].

# File 'lib/ezcsp.rb', line 34

def frame_src
  @frame_src
end

#img_src ⇒ Object

By default nil. If an array, this attribute holds the list of hosts in img-src.

# File 'lib/ezcsp.rb', line 20

def img_src
  @img_src
end

#object_src ⇒ Object

Array. Holds the list of object-src hosts. By default, object_src consists of ['none'].

# File 'lib/ezcsp.rb', line 44

def object_src
  @object_src
end

#report_to ⇒ Object

This attribute is used to set two different things. It sets the report-uri directive value (report-uri is being phased out in favour of report-to), and it is also used in #report_to_header_value to generate the Report-To HTTP header. See details in #report_to_header_value.

# File 'lib/ezcsp.rb', line 84

def report_to
  @report_to
end

#report_to_group ⇒ Object

Sets the name of the report-to group in the report-to HTTP header. Defaults to csp-endpoint. See details in #report_to_header_value.

# File 'lib/ezcsp.rb', line 91

def report_to_group
  @report_to_group
end

#report_to_max_age ⇒ Object

Sets the max-age (in seconds) of the group in the Report-To HTTP header. Defaults to 10886400.

# File 'lib/ezcsp.rb', line 97

def report_to_max_age
  @report_to_max_age
end

#script_src ⇒ Object

By default nil. If an array, this attribute holds the list of hosts in script-src.

# File 'lib/ezcsp.rb', line 24

def script_src
  @script_src
end

#style_src ⇒ Object

By default nil. If an array, this attribute holds the list of hosts in style-src.

# File 'lib/ezcsp.rb', line 28

def style_src
  @style_src
end

#upgrade_insecure_requests ⇒ Object

Boolean, defaults to nil. Sets the value for upgrade-insecure-requests. If this value is set (to true or false), #block_all_mixed_content is ignored.

# File 'lib/ezcsp.rb', line 76

def upgrade_insecure_requests
  @upgrade_insecure_requests
end

Instance Method Details

#cdn(uri, *srcs) ⇒ Object

This method adds a host to multiple source arrays at once. The first parameter is the host to add; follow it with the names of the arrays to add it to, given as strings, e.g. 'img_src'.

So, for example, this code:

csp.cdn 'code.jquery.com', 'script_src', 'style_src'

adds code.jquery.com to the #script_src and #style_src arrays, creating those arrays if necessary.

# File 'lib/ezcsp.rb', line 271

def cdn(uri, *srcs)
	# $tm.hrm
	
	# img
	if srcs.include?('img_src')
		@img_src ||= []
		@img_src.push uri
	end
	
	# script
	if srcs.include?('script_src')
		@script_src ||= []
		@script_src.push uri
	end
	
	# style
	if srcs.include?('style_src')
		@style_src ||= []
		@style_src.push uri
	end
	
	# frame
	if srcs.include?('frame_src')
		@frame_src ||= []
		@frame_src.push uri
	end
	
	# font
	if srcs.include?('font_src')
		@font_src ||= []
		@font_src.push uri
	end
end

#report_to_header_value ⇒ Object

This method returns the value of a Report-To HTTP header. It is only useful if you set the #report_to property. For example, if you set #report_to like this:

csp.report_to = 'https://www.example.com/csp'

Then report_to_header_value returns a value like this:

{"group":"csp-endpoint","max-age":10886400,"endpoints":[{"url":"https://www.example.com/csp"}]}

So, depending on how you set your HTTP headers, you might set the Report-To header like this:

headers['Report-To'] = csp.report_to_header_value

# File 'lib/ezcsp.rb', line 230
require 'json' # JSON.generate needs the json stdlib, which is not loaded by default

def report_to_header_value
	# $tm.hrm
	
	# initialize value struct
	struct = {}
	
	# group name
	struct['group'] = @report_to_group
	
	# max age
	struct['max-age'] = @report_to_max_age
	
	# endpoints
	struct['endpoints'] = [{'url'=>@report_to}]
	
	# return
	# return 'Report-To: ' + JSON.generate(struct)
	return JSON.generate(struct)
end

#to_s ⇒ Object

Returns the value of the Content-Security-Policy HTTP header. Note that this method only returns the value, i.e., the part after the colon in the HTTP header.

# File 'lib/ezcsp.rb', line 153

def to_s
	# $tm.hrm
	
	# initialize return value
	rv = []
	
	# add some sources
	src_to_str rv, 'default-src', @default_src, true
	src_to_str rv, 'img-src', @img_src, true
	src_to_str rv, 'script-src', @script_src, true
	src_to_str rv, 'style-src', @style_src, true
	src_to_str rv, 'frame-src', @frame_src, true
	src_to_str rv, 'font-src', @font_src, true
	src_to_str rv, 'object-src', @object_src, true
	src_to_str rv, 'form-action', @form_action, false
	src_to_str rv, 'frame-ancestors', @frame_ancestors, false
	src_to_str rv, 'base-uri', @base_uri, false
	
	# block all mixed content
	if @upgrade_insecure_requests.nil?
		if @block_all_mixed_content
			rv.push 'block-all-mixed-content'
		end
	else
		if @upgrade_insecure_requests
			rv.push 'upgrade-insecure-requests'
		end
	end
	
	# report-uri
	if @report_to
		rv.push 'report-uri ' + @report_to
		rv.push 'report-to ' + @report_to_group
	end
	
	# initialize return string
	rv_str = rv.join('; ')
	
	# collapse rv_str
	rv_str.sub!(/\A\s+/imu, '')
	rv_str.sub!(/\s+\z/imu, '')
	rv_str.gsub!(/\s+/imu, ' ')
	
	# add trailing semicolon
	if rv_str.length > 0
		rv_str += ';'
	end
	
	# return
	return rv_str
end
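As an added example covering both #cdn and #to_s above (not the gem's own code): a stand-alone Ruby rendering of the documented rules, with the assumptions it makes about the unshown src_to_str helper named in its header comment.

```ruby
# Added example, not the ezcsp gem's code: a stand-alone rendering of the rules
# documented for EzCSP#to_s and #cdn. The gem's src_to_str is not on the page, so
# this is an assumed reading: the per-directive boolean means "merge all_src in",
# a nil array is omitted (browser falls back to default-src), self/none are quoted.
KEYWORDS = %w[self none].freeze

# directive name, policy key, whether all_src is merged in (*_src directives only)
DIRECTIVES = [
  ['default-src', :default_src, true], ['img-src', :img_src, true],
  ['script-src', :script_src, true], ['style-src', :style_src, true],
  ['frame-src', :frame_src, true], ['font-src', :font_src, true],
  ['object-src', :object_src, true], ['form-action', :form_action, false],
  ['frame-ancestors', :frame_ancestors, false], ['base-uri', :base_uri, false]
].freeze

# The same defaults EzCSP#initialize sets, as a plain hash.
def default_policy
  { all_src: ['self'], default_src: [], img_src: nil, script_src: nil,
    style_src: nil, font_src: nil, object_src: ['none'], frame_src: ['self'],
    frame_ancestors: ['self'], form_action: ['self'], base_uri: ['none'],
    block_all_mixed_content: true, upgrade_insecure_requests: nil }
end

# Mirrors EzCSP#cdn: add one host to several source arrays, creating them if needed.
def cdn(policy, uri, *srcs)
  srcs.each { |s| (policy[s.to_sym] ||= []) << uri }
  policy
end

# Render one directive, or nil when it should not be emitted.
def directive(name, hosts, all_src, merge_all)
  return nil if hosts.nil?
  values = merge_all ? all_src + hosts : hosts
  # Overview rule: if 'none' is in the array, every other value is ignored.
  values = ['none'] if values.include?('none')
  return nil if values.empty?
  quoted = values.uniq.map { |v| KEYWORDS.include?(v) ? "'#{v}'" : v }
  "#{name} #{quoted.join(' ')}"
end

# Render the Content-Security-Policy header value (only the part after the colon).
def csp_value(p)
  rv = DIRECTIVES.map { |n, key, merge| directive(n, p[key], p[:all_src], merge) }.compact
  if p[:upgrade_insecure_requests].nil?
    rv << 'block-all-mixed-content' if p[:block_all_mixed_content]
  elsif p[:upgrade_insecure_requests]
    rv << 'upgrade-insecure-requests'
  end
  rv.empty? ? '' : rv.join('; ') + ';'
end
```

With the defaults alone this yields `default-src 'self'; frame-src 'self'; object-src 'none'; form-action 'self'; frame-ancestors 'self'; base-uri 'none'; block-all-mixed-content;`, which shows why object-src collapses to 'none' even though all_src contains 'self'.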