Class: Rack::Protection::ContentSecurityPolicy
- Defined in:
- lib/rack/protection/content_security_policy.rb
Overview
- Prevented attack
-
XSS and others
- Supported browsers
-
Firefox 23+, Safari 7+, Chrome 25+, Opera 15+
- Description
-
Content Security Policy, a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). Content Security Policy is a declarative policy that lets the authors (or server administrators) of a web application inform the client about the sources from which the application expects to load resources.
- More info
-
W3C CSP Level 1 : www.w3.org/TR/CSP1/ (deprecated) W3C CSP Level 2 : www.w3.org/TR/CSP2/ (current) W3C CSP Level 3 : www.w3.org/TR/CSP3/ (draft) developer.mozilla.org/en-US/docs/Web/Security/CSP caniuse.com/#search=ContentSecurityPolicy content-security-policy.com/ securityheaders.io scotthelme.co.uk/csp-cheat-sheet/ www.html5rocks.com/en/tutorials/security/content-security-policy/
Sets the ‘content-security-policy’ header.
Options: ContentSecurityPolicy configuration is a complex topic with
several levels of support that has evolved over time.
See the W3C documentation and the links in the more info
section for CSP usage examples and best practices. The
CSP3 directives in the 'NO_ARG_DIRECTIVES' constant need to be
presented in the options hash with a boolean 'true' in order
to be used in a policy.
Constant Summary collapse
- DIRECTIVES =
%i[base_uri child_src connect_src default_src font_src form_action frame_ancestors frame_src img_src manifest_src media_src object_src plugin_types referrer reflected_xss report_to report_uri require_sri_for sandbox script_src style_src worker_src webrtc_src navigate_to prefetch_src].freeze
- NO_ARG_DIRECTIVES =
%i[block_all_mixed_content disown_opener upgrade_insecure_requests].freeze
Constants inherited from Base
Instance Attribute Summary
Attributes inherited from Base
Instance Method Summary collapse
Methods inherited from Base
#accepts?, #debug, #default_options, default_options, default_reaction, #deny, #drop_session, #encrypt, #html?, #initialize, #instrument, #origin, #random_string, #react, #referrer, #report, #safe?, #secure_compare, #session, #session?, #warn
Constructor Details
This class inherits a constructor from Rack::Protection::Base
Instance Method Details
#call(env) ⇒ Object
72 73 74 75 76 77 |
# File 'lib/rack/protection/content_security_policy.rb', line 72 def call(env) status, headers, body = @app.call(env) header = [:report_only] ? 'content-security-policy-report-only' : 'content-security-policy' headers[header] ||= csp_policy if html? headers [status, headers, body] end |
#csp_policy ⇒ Object
53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 |
# File 'lib/rack/protection/content_security_policy.rb', line 53 def csp_policy directives = [] DIRECTIVES.each do |d| if .key?(d) directives << "#{d.to_s.sub(/_/, '-')} #{[d]}" end end # Set these key values to boolean 'true' to include in policy NO_ARG_DIRECTIVES.each do |d| if .key?(d) && [d].is_a?(TrueClass) directives << d.to_s.tr('_', '-') end end directives.compact.sort.join('; ') end |