Class: ActionDispatch::ContentSecurityPolicy
| Relationships & Source Files | |
| Namespace Children | |
|
Modules:
| |
|
Classes:
| |
|
Exceptions:
| |
| Inherits: | Object |
| Defined in: | actionpack/lib/action_dispatch/http/content_security_policy.rb |
Overview
Configures the HTTP Content-Security-Policy response header to help protect against XSS and injection attacks.
Example global policy:
Rails.application.config.content_security_policy do |policy|
policy.default_src :self, :https
policy.font_src :self, :https, :data
policy.img_src :self, :https, :data
policy.object_src :none
policy.script_src :self, :https
policy.style_src :self, :https
# Specify URI for violation reports
policy.report_uri "/csp-violation-report-endpoint"
endConstant Summary
-
DEFAULT_NONCE_DIRECTIVES =
private
# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 176%w[script-src style-src].freeze
-
DIRECTIVES =
private
# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 149{ base_uri: "base-uri", child_src: "child-src", connect_src: "connect-src", default_src: "default-src", font_src: "font-src", form_action: "form-action", frame_ancestors: "frame-ancestors", frame_src: "frame-src", img_src: "img-src", manifest_src: "manifest-src", media_src: "media-src", object_src: "object-src", prefetch_src: "prefetch-src", require_trusted_types_for: "require-trusted-types-for", script_src: "script-src", script_src_attr: "script-src-attr", script_src_elem: "script-src-elem", style_src: "style-src", style_src_attr: "style-src-attr", style_src_elem: "style-src-elem", trusted_types: "trusted-types", worker_src: "worker-src" }.freeze -
HASH_SOURCE_ALGORITHM_PREFIXES =
# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 174["sha256-", "sha384-", "sha512-"].freeze
-
MAPPINGS =
private
# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 128{ self: "'self'", unsafe_eval: "'unsafe-eval'", wasm_unsafe_eval: "'wasm-unsafe-eval'", unsafe_hashes: "'unsafe-hashes'", unsafe_inline: "'unsafe-inline'", none: "'none'", http: "http:", https: "https:", data: "data:", mediastream: "mediastream:", allow_duplicates: "'allow-duplicates'", blob: "blob:", filesystem: "filesystem:", report_sample: "'report-sample'", script: "'script'", strict_dynamic: "'strict-dynamic'", ws: "ws:", wss: "wss:" }.freeze
Class Method Summary
- .new {|_self| ... } ⇒ ContentSecurityPolicy constructor
Instance Attribute Summary
- #directives readonly
Instance Method Summary
-
#block_all_mixed_content(enabled = true)
Specify whether to prevent the user agent from loading any assets over HTTP when the page uses HTTPS:
- #build(context = nil, nonce = nil, nonce_directives = nil)
- #initialize_copy(other)
-
#plugin_types(*types)
Restricts the set of plugins that can be embedded:
-
#report_uri(uri)
Enable the report-uri directive.
-
#require_sri_for(*types)
Specify asset types for which [Subresource Integrity](developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is required:
-
#sandbox(*values)
Specify whether a sandbox should be enabled for the requested resource:
-
#upgrade_insecure_requests(enabled = true)
Specify whether user agents should treat any assets over HTTP as HTTPS:
- #apply_mapping(source) private
- #apply_mappings(sources) private
- #build_directive(directive, sources, context) private
- #build_directives(context, nonce, nonce_directives) private
- #hash_source?(source) ⇒ Boolean private
- #nonce_directive?(directive, nonce_directives) ⇒ Boolean private
- #resolve_source(source, context) private
- #validate(directive, sources) private
Constructor Details
.new {|_self| ... } ⇒ ContentSecurityPolicy
# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 182
def initialize @directives = {} yield self if block_given? end
Instance Attribute Details
#directives (readonly)
[ GitHub ]# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 180
attr_reader :directives
Instance Method Details
#apply_mapping(source) (private)
[ GitHub ]# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 324
def apply_mapping(source) MAPPINGS.fetch(source) do raise ArgumentError, "Unknown content security policy source mapping: #{source.inspect}" end end
#apply_mappings(sources) (private)
[ GitHub ]# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 305
def apply_mappings(sources) sources.map do |source| case source when Symbol apply_mapping(source) when String if hash_source?(source) "'#{source}'" else source end when Proc source else raise ArgumentError, "Invalid content security policy source: #{source.inspect}" end end end
#block_all_mixed_content(enabled = true)
Specify whether to prevent the user agent from loading any assets over HTTP when the page uses HTTPS:
policy.block_all_mixed_contentPass false to allow it again:
policy.block_all_mixed_content false# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 210
def block_all_mixed_content(enabled = true) if enabled @directives["block-all-mixed-content"] = true else @directives.delete("block-all-mixed-content") end end
#build(context = nil, nonce = nil, nonce_directives = nil)
[ GitHub ]# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 299
def build(context = nil, nonce = nil, nonce_directives = nil) nonce_directives = DEFAULT_NONCE_DIRECTIVES if nonce_directives.nil? build_directives(context, nonce, nonce_directives).compact.join("; ") end
#build_directive(directive, sources, context) (private)
[ GitHub ]# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 358
def build_directive(directive, sources, context) resolved_sources = sources.map { |source| resolve_source(source, context) } validate(directive, resolved_sources) end
#build_directives(context, nonce, nonce_directives) (private)
[ GitHub ]# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 330
def build_directives(context, nonce, nonce_directives) @directives.map do |directive, sources| if sources.is_a?(Array) if nonce && nonce_directive?(directive, nonce_directives) "#{directive} #{build_directive(directive, sources, context).join(' ')} 'nonce-#{nonce}'" else "#{directive} #{build_directive(directive, sources, context).join(' ')}" end elsif sources directive else nil end end end
#hash_source?(source) ⇒ Boolean (private)
# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 386
def hash_source?(source) source.start_with?(*HASH_SOURCE_ALGORITHM_PREFIXES) end
#initialize_copy(other)
[ GitHub ]# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 187
def initialize_copy(other) @directives = other.directives.deep_dup end
#nonce_directive?(directive, nonce_directives) ⇒ Boolean (private)
# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 382
def nonce_directive?(directive, nonce_directives) nonce_directives.include?(directive) end
#plugin_types(*types)
Restricts the set of plugins that can be embedded:
policy.plugin_types "application/x-shockwave-flash"Leave empty to allow all plugins:
policy.plugin_types# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 226
def plugin_types(*types) if types.first @directives["plugin-types"] = types else @directives.delete("plugin-types") end end
#report_uri(uri)
Enable the report-uri directive. Violation reports will be sent to the specified URI:
policy.report_uri "/csp-violation-report-endpoint"# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 240
def report_uri(uri) @directives["report-uri"] = [uri] end
#require_sri_for(*types)
Specify asset types for which [Subresource Integrity](developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is required:
policy.require_sri_for :script, :styleLeave empty to not require Subresource Integrity:
policy.require_sri_for# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 252
def require_sri_for(*types) if types.first @directives["require-sri-for"] = types else @directives.delete("require-sri-for") end end
#resolve_source(source, context) (private)
[ GitHub ]# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 364
def resolve_source(source, context) case source when String source when Symbol source.to_s when Proc if context.nil? raise RuntimeError, "Missing context for the dynamic content security policy source: #{source.inspect}" else resolved = context.instance_exec(&source) apply_mappings(Array.wrap(resolved)) end else raise RuntimeError, "Unexpected content security policy source: #{source.inspect}" end end
#sandbox(*values)
Specify whether a sandbox should be enabled for the requested resource:
policy.sandboxValues can be passed as arguments:
policy.sandbox "allow-scripts", "allow-modals"Pass false to disable the sandbox:
policy.sandbox false# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 273
def sandbox(*values) if values.empty? @directives["sandbox"] = true elsif values.first @directives["sandbox"] = values else @directives.delete("sandbox") end end
#upgrade_insecure_requests(enabled = true)
Specify whether user agents should treat any assets over HTTP as HTTPS:
policy.upgrade_insecure_requestsPass false to disable it:
policy.upgrade_insecure_requests false# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 291
def upgrade_insecure_requests(enabled = true) if enabled @directives["upgrade-insecure-requests"] = true else @directives.delete("upgrade-insecure-requests") end end
#validate(directive, sources) (private)
[ GitHub ]# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 346
def validate(directive, sources) sources.flatten.each do |source| if source.include?(";") || source != source.gsub(/[[:space:]]/, "") raise InvalidDirectiveError, <<~MSG.squish Invalid Content Security Policy #{directive}: "#{source}". Directive values must not contain whitespace or semicolons. Please use multiple arguments or other directive methods instead. MSG end end end