Class: SecureHeaders::ContentSecurityPolicy::FirefoxBrowserStrategy

Inherits:
BrowserStrategy
  • Object
Defined in:
lib/secure_headers/headers/content_security_policy/firefox_browser_strategy.rb

Instance Method Summary

Methods inherited from BrowserStrategy

#add_missing_extension_values, build, #initialize, #name

Constructor Details

This class inherits a constructor from SecureHeaders::ContentSecurityPolicy::BrowserStrategy

Instance Method Details

#base_name ⇒ Object



# File 'lib/secure_headers/headers/content_security_policy/firefox_browser_strategy.rb', line 4

# Name of the Firefox-specific CSP header.
#
# @return [String] the FIREFOX_CSP_HEADER_NAME constant defined on
#   SecureHeaders::ContentSecurityPolicy (not visible in this file)
def base_name
  csp = SecureHeaders::ContentSecurityPolicy
  csp::FIREFOX_CSP_HEADER_NAME
end

#build_firefox_specific_preamble(default_src_value) ⇒ Object



# File 'lib/secure_headers/headers/content_security_policy/firefox_browser_strategy.rb', line 30

# Builds the Firefox-only prefix of the header value: an `allow` directive from
# the default-src tokens, followed by an `options` directive when any
# inline/eval tokens were collected from the other directives.
#
# Calling this also rewrites `config` through #build_options_directive (the
# 'inline-script'/'eval-script' tokens are stripped from the per-directive
# values), so it is not a pure function of its argument.
#
# @param default_src_value [Array<String>] tokens for the `allow` directive
# @return [String] "" when there is nothing to emit, otherwise one or two
#   "<name> <tokens>; " segments concatenated in that order
def build_firefox_specific_preamble(default_src_value)
  segments = []
  segments << "allow #{default_src_value.join(' ')}; " if default_src_value.any?

  # Must run after the `allow` check to keep the original evaluation order.
  options_tokens = build_options_directive
  segments << "options #{options_tokens.join(' ')}; " if options_tokens.any?
  segments.join
end

#build_impl_specific_directives(default) ⇒ Object



# File 'lib/secure_headers/headers/content_security_policy/firefox_browser_strategy.rb', line 26

# Browser-specific part of the header value; for Firefox that is the
# `allow`/`options` preamble. Presumably invoked from BrowserStrategy#build
# (listed in the inherited methods) — confirm against the base class.
#
# The `|| ''` fallback keeps the return type a String even if the preamble
# were ever to yield nil.
#
# @param default [Array<String>] default-src tokens handed to the preamble
# @return [String]
def build_impl_specific_directives(default)
  preamble = build_firefox_specific_preamble(default)
  preamble || ''
end

#build_options_directive ⇒ Object

Moves inline/eval values from script-src to options; discards those values in the style-src directive.



# File 'lib/secure_headers/headers/content_security_policy/firefox_browser_strategy.rb', line 41

# Collects the 'inline-script'/'eval-script' tokens from every array-valued
# directive in `config` into a single list for Firefox's `options` directive.
#
# Side effect: each non-String entry of `config` is replaced by the same tokens
# minus those two pseudo-sources. For style_src the tokens are dropped rather
# than moved (Firefox cannot block inline styles; see the bugzilla link below),
# so a token that appears only under style_src never reaches `options`.
#
# NOTE(review): in the legacy X-Content-Security-Policy syntax the `options`
# directive is policy-wide, so a token moved here from script_src relaxes the
# whole policy rather than script_src alone — keep that in mind when reading
# the emitted header.
#
# @return [Array<String>] the moved tokens, de-duplicated, in first-seen order
def build_options_directive
  movable = ['inline-script', 'eval-script']
  moved = []

  # Assigning to an existing key while iterating is permitted; no keys are added.
  config.each_key do |directive|
    val = config[directive]
    next if val.is_a?(String)

    kept, candidates = val.partition { |token| !movable.include?(token) }
    candidates.each do |token|
      # Firefox does not support blocking inline styles ATM
      # https://bugzilla.mozilla.org/show_bug.cgi?id=763879
      next if directive?(directive, "style_src")

      moved << token unless moved.include?(token)
    end
    config[directive] = kept
  end

  moved
end

#csp_header ⇒ Object



# File 'lib/secure_headers/headers/content_security_policy/firefox_browser_strategy.rb', line 8

# Firefox CSP header constant.
#
# @return [Object] FIREFOX_CSP_HEADER as defined on
#   SecureHeaders::ContentSecurityPolicy (its shape is not visible here)
def csp_header
  policy = SecureHeaders::ContentSecurityPolicy
  policy::FIREFOX_CSP_HEADER
end

#directive?(val, name) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/secure_headers/headers/content_security_policy/firefox_browser_strategy.rb', line 63

# Case-insensitive comparison of a directive key against a name.
#
# @param val [Symbol, String] a config key such as :style_src; converted with
#   #to_s first because the config uses symbol keys
# @param name [String] the name to compare against, e.g. "style_src"
# @return [Boolean] true only on an ASCII case-insensitive match; a nil
#   result from casecmp (incompatible encodings) yields false, never nil
def directive?(val, name)
  comparison = val.to_s.casecmp(name)
  comparison == 0
end

#directives ⇒ Object



# File 'lib/secure_headers/headers/content_security_policy/firefox_browser_strategy.rb', line 12

# Directive list supported by Firefox.
#
# @return [Object] FIREFOX_DIRECTIVES as defined on
#   SecureHeaders::ContentSecurityPolicy (not visible in this file)
def directives
  policy = SecureHeaders::ContentSecurityPolicy
  policy::FIREFOX_DIRECTIVES
end

#filter_unsupported_directives(config) ⇒ Object



# File 'lib/secure_headers/headers/content_security_policy/firefox_browser_strategy.rb', line 16

# Returns a copy of `config` with the :connect_src entry renamed to :xhr_src,
# the key Firefox's legacy header uses for the same purpose.
#
# Only a shallow copy is made: the directive value arrays are shared with the
# caller's hash. The rename happens only when the value is truthy, so a key
# present with a nil value is left untouched. An existing :xhr_src entry is
# overwritten by the rename.
#
# @param config [Hash{Symbol => Object}] CSP configuration
# @return [Hash{Symbol => Object}] the adjusted copy
def filter_unsupported_directives(config)
  filtered = config.dup
  return filtered unless filtered[:connect_src]

  filtered[:xhr_src] = filtered.delete(:connect_src)
  filtered
end

#normalize_reporting_endpoint? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/secure_headers/headers/content_security_policy/firefox_browser_strategy.rb', line 67

# Whether the reporting endpoint should be normalized for this browser.
# Presumably consulted by BrowserStrategy; this strategy always answers true.
#
# @return [Boolean] always true
def normalize_reporting_endpoint?
  true
end

#translate_inline_or_eval(val) ⇒ Object



# File 'lib/secure_headers/headers/content_security_policy/firefox_browser_strategy.rb', line 22

# Maps the short config spelling to the token names Firefox's legacy header uses.
#
# Only 'inline' is matched explicitly: any other value, not just 'eval', is
# returned as 'eval-script'.
#
# @param val [String] 'inline' or 'eval'
# @return [String] 'inline-script' or 'eval-script'
def translate_inline_or_eval(val)
  return 'inline-script' if val == 'inline'

  'eval-script'
end