Module: SecureHeaders::PolicyManagement
- Included in:
- ContentSecurityPolicy
- Defined in:
- lib/secure_headers/headers/policy_management.rb
Defined Under Namespace
Modules: ClassMethods
Constant Summary collapse
- DEFAULT_CONFIG =
{ default_src: %w(https:), img_src: %w(https: data: 'self'), object_src: %w('none'), script_src: %w(https:), style_src: %w('self' 'unsafe-inline' https:), form_action: %w('self') }.freeze
- DATA_PROTOCOL =
"data:".freeze
- BLOB_PROTOCOL =
"blob:".freeze
- SELF =
"'self'".freeze
- NONE =
"'none'".freeze
- STAR =
"*".freeze
- UNSAFE_INLINE =
"'unsafe-inline'".freeze
- UNSAFE_EVAL =
"'unsafe-eval'".freeze
- STRICT_DYNAMIC =
"'strict-dynamic'".freeze
- DEPRECATED_SOURCE_VALUES =
leftover deprecated values that will be in common use upon upgrading.
[SELF, NONE, UNSAFE_EVAL, UNSAFE_INLINE, "inline", "eval"].map { |value| value.delete("'") }.freeze
- DEFAULT_SRC =
:default_src
- CONNECT_SRC =
:connect_src
- FONT_SRC =
:font_src
- FRAME_SRC =
:frame_src
- IMG_SRC =
:img_src
- MEDIA_SRC =
:media_src
- OBJECT_SRC =
:object_src
- SANDBOX =
:sandbox
- SCRIPT_SRC =
:script_src
- STYLE_SRC =
:style_src
- REPORT_URI =
:report_uri
- DIRECTIVES_1_0 =
[ DEFAULT_SRC, CONNECT_SRC, FONT_SRC, FRAME_SRC, IMG_SRC, MEDIA_SRC, OBJECT_SRC, SANDBOX, SCRIPT_SRC, STYLE_SRC, REPORT_URI ].freeze
- BASE_URI =
:base_uri
- CHILD_SRC =
:child_src
- FORM_ACTION =
:form_action
- FRAME_ANCESTORS =
:frame_ancestors
- PLUGIN_TYPES =
:plugin_types
- DIRECTIVES_2_0 =
[ DIRECTIVES_1_0, BASE_URI, CHILD_SRC, FORM_ACTION, FRAME_ANCESTORS, PLUGIN_TYPES ].flatten.freeze
- MANIFEST_SRC =
All the directives currently under consideration for CSP level 3. w3c.github.io/webappsec/specs/CSP2/
:manifest_src
- NAVIGATE_TO =
:navigate_to
- PREFETCH_SRC =
:prefetch_src
- REQUIRE_SRI_FOR =
:require_sri_for
- UPGRADE_INSECURE_REQUESTS =
:upgrade_insecure_requests
- WORKER_SRC =
:worker_src
- SCRIPT_SRC_ELEM =
:script_src_elem
- SCRIPT_SRC_ATTR =
:script_src_attr
- STYLE_SRC_ELEM =
:style_src_elem
- STYLE_SRC_ATTR =
:style_src_attr
- DIRECTIVES_3_0 =
[ DIRECTIVES_2_0, MANIFEST_SRC, NAVIGATE_TO, PREFETCH_SRC, REQUIRE_SRI_FOR, WORKER_SRC, UPGRADE_INSECURE_REQUESTS, SCRIPT_SRC_ELEM, SCRIPT_SRC_ATTR, STYLE_SRC_ELEM, STYLE_SRC_ATTR ].flatten.freeze
- TRUSTED_TYPES =
Experimental directives - these vary greatly in support See MDN for details. developer.mozilla.org/en-US/docs/Web/HTTP/Headers/content-security-policy/trusted-types
:trusted_types
- REQUIRE_TRUSTED_TYPES_FOR =
:require_trusted_types_for
- DIRECTIVES_EXPERIMENTAL =
[ TRUSTED_TYPES, REQUIRE_TRUSTED_TYPES_FOR, ].flatten.freeze
- ALL_DIRECTIVES =
(DIRECTIVES_1_0 + DIRECTIVES_2_0 + DIRECTIVES_3_0 + DIRECTIVES_EXPERIMENTAL).uniq.sort
- BODY_DIRECTIVES =
Think of default-src and report-uri as the beginning and end respectively, everything else is in between.
ALL_DIRECTIVES - [DEFAULT_SRC, REPORT_URI]
- DIRECTIVE_VALUE_TYPES =
{ BASE_URI => :source_list, CHILD_SRC => :source_list, CONNECT_SRC => :source_list, DEFAULT_SRC => :source_list, FONT_SRC => :source_list, FORM_ACTION => :source_list, FRAME_ANCESTORS => :source_list, FRAME_SRC => :source_list, IMG_SRC => :source_list, MANIFEST_SRC => :source_list, MEDIA_SRC => :source_list, NAVIGATE_TO => :source_list, OBJECT_SRC => :source_list, PLUGIN_TYPES => :media_type_list, REQUIRE_SRI_FOR => :require_sri_for_list, REQUIRE_TRUSTED_TYPES_FOR => :require_trusted_types_for_list, REPORT_URI => :source_list, PREFETCH_SRC => :source_list, SANDBOX => :sandbox_list, SCRIPT_SRC => :source_list, SCRIPT_SRC_ELEM => :source_list, SCRIPT_SRC_ATTR => :source_list, STYLE_SRC => :source_list, STYLE_SRC_ELEM => :source_list, STYLE_SRC_ATTR => :source_list, TRUSTED_TYPES => :source_list, WORKER_SRC => :source_list, UPGRADE_INSECURE_REQUESTS => :boolean, }.freeze
- NON_SOURCE_LIST_SOURCES =
These are directives that don’t have use a source list, and hence do not inherit the default-src value.
DIRECTIVE_VALUE_TYPES.select do |_, type| type != :source_list end.keys.freeze
- NON_FETCH_SOURCES =
These are directives that take a source list, but that do not inherit the default-src value.
[ BASE_URI, FORM_ACTION, FRAME_ANCESTORS, NAVIGATE_TO, REPORT_URI, ]
- FETCH_SOURCES =
ALL_DIRECTIVES - NON_FETCH_SOURCES - NON_SOURCE_LIST_SOURCES
- STAR_REGEXP =
Regexp.new(Regexp.escape(STAR))
- HTTP_SCHEME_REGEX =
%r{\Ahttps?://}
- WILDCARD_SOURCES =
[ UNSAFE_EVAL, UNSAFE_INLINE, STAR, DATA_PROTOCOL, BLOB_PROTOCOL ].freeze
- META_CONFIGS =
[ :report_only, :preserve_schemes, :disable_nonce_backwards_compatibility ].freeze
- NONCES =
[ :script_nonce, :style_nonce ].freeze
- REQUIRE_SRI_FOR_VALUES =
Set.new(%w(script style))
- REQUIRE_TRUSTED_TYPES_FOR_VALUES =
Set.new(%w('script'))
Class Method Summary collapse
Class Method Details
.included(base) ⇒ Object
7 8 9 |
# File 'lib/secure_headers/headers/policy_management.rb', line 7 def self.included(base) base.extend(ClassMethods) end |