Module: SecureHeaders::PolicyManagement

Included in:
ContentSecurityPolicy
Defined in:
lib/secure_headers/headers/policy_management.rb

Defined Under Namespace

Modules: ClassMethods

Constant Summary collapse

DEFAULT_CONFIG =
{
  default_src: %w(https:),
  img_src: %w(https: data: 'self'),
  object_src: %w('none'),
  script_src: %w(https:),
  style_src: %w('self' 'unsafe-inline' https:),
  form_action: %w('self')
}.freeze
DATA_PROTOCOL =
"data:".freeze
BLOB_PROTOCOL =
"blob:".freeze
SELF =
"'self'".freeze
NONE =
"'none'".freeze
STAR =
"*".freeze
UNSAFE_INLINE =
"'unsafe-inline'".freeze
UNSAFE_EVAL =
"'unsafe-eval'".freeze
STRICT_DYNAMIC =
"'strict-dynamic'".freeze
DEPRECATED_SOURCE_VALUES =

leftover deprecated values that will be in common use upon upgrading.

[SELF, NONE, UNSAFE_EVAL, UNSAFE_INLINE, "inline", "eval"].map { |value| value.delete("'") }.freeze
DEFAULT_SRC =
:default_src
CONNECT_SRC =
:connect_src
FONT_SRC =
:font_src
FRAME_SRC =
:frame_src
IMG_SRC =
:img_src
MEDIA_SRC =
:media_src
OBJECT_SRC =
:object_src
SANDBOX =
:sandbox
SCRIPT_SRC =
:script_src
STYLE_SRC =
:style_src
REPORT_URI =
:report_uri
DIRECTIVES_1_0 =
[
  DEFAULT_SRC,
  CONNECT_SRC,
  FONT_SRC,
  FRAME_SRC,
  IMG_SRC,
  MEDIA_SRC,
  OBJECT_SRC,
  SANDBOX,
  SCRIPT_SRC,
  STYLE_SRC,
  REPORT_URI
].freeze
BASE_URI =
:base_uri
CHILD_SRC =
:child_src
FORM_ACTION =
:form_action
FRAME_ANCESTORS =
:frame_ancestors
PLUGIN_TYPES =
:plugin_types
DIRECTIVES_2_0 =
[
  DIRECTIVES_1_0,
  BASE_URI,
  CHILD_SRC,
  FORM_ACTION,
  FRAME_ANCESTORS,
  PLUGIN_TYPES
].flatten.freeze
MANIFEST_SRC =

All the directives currently under consideration for CSP level 3. w3c.github.io/webappsec/specs/CSP2/

:manifest_src
:navigate_to
PREFETCH_SRC =
:prefetch_src
REQUIRE_SRI_FOR =
:require_sri_for
UPGRADE_INSECURE_REQUESTS =
:upgrade_insecure_requests
WORKER_SRC =
:worker_src
SCRIPT_SRC_ELEM =
:script_src_elem
SCRIPT_SRC_ATTR =
:script_src_attr
STYLE_SRC_ELEM =
:style_src_elem
STYLE_SRC_ATTR =
:style_src_attr
DIRECTIVES_3_0 =
[
  DIRECTIVES_2_0,
  MANIFEST_SRC,
  NAVIGATE_TO,
  PREFETCH_SRC,
  REQUIRE_SRI_FOR,
  WORKER_SRC,
  UPGRADE_INSECURE_REQUESTS,
  SCRIPT_SRC_ELEM,
  SCRIPT_SRC_ATTR,
  STYLE_SRC_ELEM,
  STYLE_SRC_ATTR
].flatten.freeze
TRUSTED_TYPES =

Experimental directives - these vary greatly in support See MDN for details. developer.mozilla.org/en-US/docs/Web/HTTP/Headers/content-security-policy/trusted-types

:trusted_types
REQUIRE_TRUSTED_TYPES_FOR =
:require_trusted_types_for
DIRECTIVES_EXPERIMENTAL =
[
  TRUSTED_TYPES,
  REQUIRE_TRUSTED_TYPES_FOR,
].flatten.freeze
ALL_DIRECTIVES =
(DIRECTIVES_1_0 + DIRECTIVES_2_0 + DIRECTIVES_3_0 + DIRECTIVES_EXPERIMENTAL).uniq.sort
BODY_DIRECTIVES =

Think of default-src and report-uri as the beginning and end respectively, everything else is in between.

ALL_DIRECTIVES - [DEFAULT_SRC, REPORT_URI]
DIRECTIVE_VALUE_TYPES =
{
  BASE_URI                  => :source_list,
  CHILD_SRC                 => :source_list,
  CONNECT_SRC               => :source_list,
  DEFAULT_SRC               => :source_list,
  FONT_SRC                  => :source_list,
  FORM_ACTION               => :source_list,
  FRAME_ANCESTORS           => :source_list,
  FRAME_SRC                 => :source_list,
  IMG_SRC                   => :source_list,
  MANIFEST_SRC              => :source_list,
  MEDIA_SRC                 => :source_list,
  NAVIGATE_TO               => :source_list,
  OBJECT_SRC                => :source_list,
  PLUGIN_TYPES              => :media_type_list,
  REQUIRE_SRI_FOR           => :require_sri_for_list,
  REQUIRE_TRUSTED_TYPES_FOR => :require_trusted_types_for_list,
  REPORT_URI                => :source_list,
  PREFETCH_SRC              => :source_list,
  SANDBOX                   => :sandbox_list,
  SCRIPT_SRC                => :source_list,
  SCRIPT_SRC_ELEM           => :source_list,
  SCRIPT_SRC_ATTR           => :source_list,
  STYLE_SRC                 => :source_list,
  STYLE_SRC_ELEM            => :source_list,
  STYLE_SRC_ATTR            => :source_list,
  TRUSTED_TYPES             => :source_list,
  WORKER_SRC                => :source_list,
  UPGRADE_INSECURE_REQUESTS => :boolean,
}.freeze
NON_SOURCE_LIST_SOURCES =

These are directives that don’t have use a source list, and hence do not inherit the default-src value.

DIRECTIVE_VALUE_TYPES.select do |_, type|
  type != :source_list
end.keys.freeze
NON_FETCH_SOURCES =

These are directives that take a source list, but that do not inherit the default-src value.

[
  BASE_URI,
  FORM_ACTION,
  FRAME_ANCESTORS,
  NAVIGATE_TO,
  REPORT_URI,
]
FETCH_SOURCES =
ALL_DIRECTIVES - NON_FETCH_SOURCES - NON_SOURCE_LIST_SOURCES
STAR_REGEXP =
Regexp.new(Regexp.escape(STAR))
HTTP_SCHEME_REGEX =
%r{\Ahttps?://}
WILDCARD_SOURCES =
[
  UNSAFE_EVAL,
  UNSAFE_INLINE,
  STAR,
  DATA_PROTOCOL,
  BLOB_PROTOCOL
].freeze
META_CONFIGS =
[
  :report_only,
  :preserve_schemes,
  :disable_nonce_backwards_compatibility
].freeze
NONCES =
[
  :script_nonce,
  :style_nonce
].freeze
REQUIRE_SRI_FOR_VALUES =
Set.new(%w(script style))
REQUIRE_TRUSTED_TYPES_FOR_VALUES =
Set.new(%w('script'))

Class Method Summary collapse

Class Method Details

.included(base) ⇒ Object



7
8
9
# File 'lib/secure_headers/headers/policy_management.rb', line 7

def self.included(base)
  base.extend(ClassMethods)
end