Class: Rack::Protection::ContentSecurityPolicy

Inherits:
Base
  • Object
show all
Defined in:
lib/rack/protection/content_security_policy.rb

Overview

Prevented attack

XSS and others

Supported browsers

Firefox 23+, Safari 7+, Chrome 25+, Opera 15+

Description

Content Security Policy, a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). Content Security Policy is a declarative policy that lets the authors (or server administrators) of a web application inform the client about the sources from which the application expects to load resources.

More info

W3C CSP Level 1 : www.w3.org/TR/CSP1/ (deprecated) W3C CSP Level 2 : www.w3.org/TR/CSP2/ (current) W3C CSP Level 3 : www.w3.org/TR/CSP3/ (draft) developer.mozilla.org/en-US/docs/Web/Security/CSP caniuse.com/#search=ContentSecurityPolicy content-security-policy.com/ securityheaders.io scotthelme.co.uk/csp-cheat-sheet/ www.html5rocks.com/en/tutorials/security/content-security-policy/

Sets the ‘Content-Security-Policy’ header.

Options: ContentSecurityPolicy configuration is a complex topic with

several levels of support that has evolved over time.
See the W3C documentation and the links in the more info
section for CSP usage examples and best practices. The
CSP3 directives in the 'NO_ARG_DIRECTIVES' constant need to be
presented in the options hash with a boolean 'true' in order
to be used in a policy.

Constant Summary collapse

DIRECTIVES =
%i[base_uri child_src connect_src default_src
font_src form_action frame_ancestors frame_src
img_src manifest_src media_src object_src
plugin_types referrer reflected_xss report_to
report_uri require_sri_for sandbox script_src
style_src worker_src webrtc_src navigate_to
prefetch_src].freeze
NO_ARG_DIRECTIVES =
%i[block_all_mixed_content disown_opener
upgrade_insecure_requests].freeze

Constants inherited from Base

Base::DEFAULT_OPTIONS

Instance Attribute Summary

Attributes inherited from Base

#app, #options

Instance Method Summary collapse

Methods inherited from Base

#accepts?, #default_options, default_options, default_reaction, #deny, #drop_session, #encrypt, #html?, #initialize, #instrument, #origin, #random_string, #react, #referrer, #report, #safe?, #secure_compare, #session, #session?, #warn

Constructor Details

This class inherits a constructor from Rack::Protection::Base

Instance Method Details

#call(env) ⇒ Object



72
73
74
75
76
77
# File 'lib/rack/protection/content_security_policy.rb', line 72

def call(env)
  status, headers, body = @app.call(env)
  header = options[:report_only] ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
  headers[header] ||= csp_policy if html? headers
  [status, headers, body]
end

#csp_policyObject



53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
# File 'lib/rack/protection/content_security_policy.rb', line 53

def csp_policy
  directives = []

  DIRECTIVES.each do |d|
    if options.key?(d)
      directives << "#{d.to_s.sub(/_/, '-')} #{options[d]}"
    end
  end

  # Set these key values to boolean 'true' to include in policy
  NO_ARG_DIRECTIVES.each do |d|
    if options.key?(d) && options[d].is_a?(TrueClass)
      directives << d.to_s.tr('_', '-')
    end
  end

  directives.compact.sort.join('; ')
end