123456789_123456789_123456789_123456789_123456789_

Class: ActionDispatch::ContentSecurityPolicy

Relationships & Source Files
Namespace Children
Modules:
Request
Classes:
Middleware
Exceptions:
InvalidDirectiveError
Inherits: Object
Defined in: actionpack/lib/action_dispatch/http/content_security_policy.rb

Overview

Configures the HTTP Content-Security-Policy response header to help protect against XSS and injection attacks.

Example global policy:

Rails.application.config.content_security_policy do |policy|
  policy.default_src :self, :https
  policy.font_src    :self, :https, :data
  policy.img_src     :self, :https, :data
  policy.object_src  :none
  policy.script_src  :self, :https
  policy.style_src   :self, :https

  # Specify URI for violation reports
  policy.report_uri "/csp-violation-report-endpoint"
end

Constant Summary

  • DEFAULT_NONCE_DIRECTIVES = private
    # File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 173 
    %w[script-src style-src].freeze
  • DIRECTIVES = private
    # File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 148 
    {
  base_uri:                   "base-uri",
  child_src:                  "child-src",
  connect_src:                "connect-src",
  default_src:                "default-src",
  font_src:                   "font-src",
  form_action:                "form-action",
  frame_ancestors:            "frame-ancestors",
  frame_src:                  "frame-src",
  img_src:                    "img-src",
  manifest_src:               "manifest-src",
  media_src:                  "media-src",
  object_src:                 "object-src",
  prefetch_src:               "prefetch-src",
  require_trusted_types_for:  "require-trusted-types-for",
  script_src:                 "script-src",
  script_src_attr:            "script-src-attr",
  script_src_elem:            "script-src-elem",
  style_src:                  "style-src",
  style_src_attr:             "style-src-attr",
  style_src_elem:             "style-src-elem",
  trusted_types:              "trusted-types",
  worker_src:                 "worker-src"
}.freeze
  • MAPPINGS = private
    # File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 128 
    {
  self:             "'self'",
  unsafe_eval:      "'unsafe-eval'",
  unsafe_hashes:    "'unsafe-hashes'",
  unsafe_inline:    "'unsafe-inline'",
  none:             "'none'",
  http:             "http:",
  https:            "https:",
  data:             "data:",
  mediastream:      "mediastream:",
  allow_duplicates: "'allow-duplicates'",
  blob:             "blob:",
  filesystem:       "filesystem:",
  report_sample:    "'report-sample'",
  script:           "'script'",
  strict_dynamic:   "'strict-dynamic'",
  ws:               "ws:",
  wss:              "wss:"
}.freeze

Class Method Summary

Instance Attribute Summary

Instance Method Summary

Constructor Details

.new {|_self| ... } ⇒ ContentSecurityPolicy

Yields:

  • (_self)

[ GitHub ] 

  


# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 179



def initialize
  @directives = {}
  yield self if block_given?
end


  







Instance Attribute Details



  

    #directives   (readonly)
  

  [ GitHub ]


  

  


# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 177



attr_reader :directives


  







Instance Method Details



  

    #block_all_mixed_content(enabled = true)  
  



  

    

Specify whether to prevent the user agent from loading any assets over HTTP when the page uses HTTPS:



policy.block_all_mixed_content



Pass false to allow it again:



policy.block_all_mixed_content false


  



  [ GitHub ]


  

  


# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 207



def block_all_mixed_content(enabled = true)
  if enabled
    @directives["block-all-mixed-content"] = true
  else
    @directives.delete("block-all-mixed-content")
  end
end


  








  

    #build(context = nil, nonce = nil, nonce_directives = nil)  
  

  [ GitHub ]


  

  


# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 296



def build(context = nil, nonce = nil, nonce_directives = nil)
  nonce_directives = DEFAULT_NONCE_DIRECTIVES if nonce_directives.nil?
  build_directives(context, nonce, nonce_directives).compact.join("; ")
end


  








  

    #initialize_copy(other)  
  

  [ GitHub ]


  

  


# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 184



def initialize_copy(other)
  @directives = other.directives.deep_dup
end


  








  

    #plugin_types(*types)  
  



  

    

Restricts the set of plugins that can be embedded:



policy.plugin_types "application/x-shockwave-flash"



Leave empty to allow all plugins:



policy.plugin_types


  



  [ GitHub ]


  

  


# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 223



def plugin_types(*types)
  if types.first
    @directives["plugin-types"] = types
  else
    @directives.delete("plugin-types")
  end
end


  








  

    #report_uri(uri)  
  



  

    

Enable the report-uri directive. Violation reports will be sent to the specified URI:



policy.report_uri "/csp-violation-report-endpoint"


  



  [ GitHub ]


  

  


# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 237



def report_uri(uri)
  @directives["report-uri"] = [uri]
end


  








  

    #require_sri_for(*types)  
  



  

    

Specify asset types for which [Subresource Integrity](developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is required:



policy.require_sri_for :script, :style



Leave empty to not require Subresource Integrity:



policy.require_sri_for


  



  [ GitHub ]


  

  


# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 249



def require_sri_for(*types)
  if types.first
    @directives["require-sri-for"] = types
  else
    @directives.delete("require-sri-for")
  end
end


  








  

    #sandbox(*values)  
  



  

    

Specify whether a sandbox should be enabled for the requested resource:



policy.sandbox



Values can be passed as arguments:



policy.sandbox "allow-scripts", "allow-modals"



Pass false to disable the sandbox:



policy.sandbox false


  



  [ GitHub ]


  

  


# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 270



def sandbox(*values)
  if values.empty?
    @directives["sandbox"] = true
  elsif values.first
    @directives["sandbox"] = values
  else
    @directives.delete("sandbox")
  end
end


  








  

    #upgrade_insecure_requests(enabled = true)  
  



  

    

Specify whether user agents should treat any assets over HTTP as HTTPS:



policy.upgrade_insecure_requests



Pass false to disable it:



policy.upgrade_insecure_requests false


  



  [ GitHub ]


  

  


# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 288



def upgrade_insecure_requests(enabled = true)
  if enabled
    @directives["upgrade-insecure-requests"] = true
  else
    @directives.delete("upgrade-insecure-requests")
  end
end