123456789_123456789_123456789_123456789_123456789_

Class: ActionDispatch::ContentSecurityPolicy

Relationships & Source Files
Namespace Children
Modules:
Classes:
Inherits: Object
Defined in: actionpack/lib/action_dispatch/http/content_security_policy.rb

Overview

Configures the HTTP Content-Security-Policy response header to help protect against XSS and injection attacks.

Example global policy:

Rails.application.config.content_security_policy do |policy|
  policy.default_src :self, :https
  policy.font_src    :self, :https, :data
  policy.img_src     :self, :https, :data
  policy.object_src  :none
  policy.script_src  :self, :https
  policy.style_src   :self, :https

  # Specify URI for violation reports
  policy.report_uri "/csp-violation-report-endpoint"
end

Constant Summary

  • DEFAULT_NONCE_DIRECTIVES = private
    # File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 171
    %w[script-src style-src].freeze
  • DIRECTIVES = private
    # File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 146
    {
      base_uri:                   "base-uri",
      child_src:                  "child-src",
      connect_src:                "connect-src",
      default_src:                "default-src",
      font_src:                   "font-src",
      form_action:                "form-action",
      frame_ancestors:            "frame-ancestors",
      frame_src:                  "frame-src",
      img_src:                    "img-src",
      manifest_src:               "manifest-src",
      media_src:                  "media-src",
      object_src:                 "object-src",
      prefetch_src:               "prefetch-src",
      require_trusted_types_for:  "require-trusted-types-for",
      script_src:                 "script-src",
      script_src_attr:            "script-src-attr",
      script_src_elem:            "script-src-elem",
      style_src:                  "style-src",
      style_src_attr:             "style-src-attr",
      style_src_elem:             "style-src-elem",
      trusted_types:              "trusted-types",
      worker_src:                 "worker-src"
    }.freeze
  • MAPPINGS = private
    # File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 125
    {
      self:             "'self'",
      unsafe_eval:      "'unsafe-eval'",
      wasm_unsafe_eval: "'wasm-unsafe-eval'",
      unsafe_hashes:    "'unsafe-hashes'",
      unsafe_inline:    "'unsafe-inline'",
      none:             "'none'",
      http:             "http:",
      https:            "https:",
      data:             "data:",
      mediastream:      "mediastream:",
      allow_duplicates: "'allow-duplicates'",
      blob:             "blob:",
      filesystem:       "filesystem:",
      report_sample:    "'report-sample'",
      script:           "'script'",
      strict_dynamic:   "'strict-dynamic'",
      ws:               "ws:",
      wss:              "wss:"
    }.freeze

Class Method Summary

Instance Attribute Summary

Instance Method Summary

Constructor Details

.new {|_self| ... } ⇒ ContentSecurityPolicy

Yields:

  • (_self)

Yield Parameters:

  • _self (ContentSecurityPolicy)

    the object that the method was called on

[ GitHub ]

  
# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 177

def initialize
  @directives = {}
  yield self if block_given?
end

Instance Attribute Details

#directives (readonly)

[ GitHub ]

  
# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 175

attr_reader :directives

Instance Method Details

#apply_mapping(source) (private)

[ GitHub ]

  
# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 313

def apply_mapping(source)
  MAPPINGS.fetch(source) do
    raise ArgumentError, "Unknown content security policy source mapping: #{source.inspect}"
  end
end

#apply_mappings(sources) (private)

[ GitHub ]

  
# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 300

def apply_mappings(sources)
  sources.map do |source|
    case source
    when Symbol
      apply_mapping(source)
    when String, Proc
      source
    else
      raise ArgumentError, "Invalid content security policy source: #{source.inspect}"
    end
  end
end

#block_all_mixed_content(enabled = true)

Specify whether to prevent the user agent from loading any assets over HTTP when the page uses HTTPS:

policy.block_all_mixed_content

Pass false to allow it again:

policy.block_all_mixed_content false
[ GitHub ]

  
# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 205

def block_all_mixed_content(enabled = true)
  if enabled
    @directives["block-all-mixed-content"] = true
  else
    @directives.delete("block-all-mixed-content")
  end
end

#build(context = nil, nonce = nil, nonce_directives = nil)

[ GitHub ]

  
# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 294

def build(context = nil, nonce = nil, nonce_directives = nil)
  nonce_directives = DEFAULT_NONCE_DIRECTIVES if nonce_directives.nil?
  build_directives(context, nonce, nonce_directives).compact.join("; ")
end

#build_directive(sources, context) (private)

[ GitHub ]

  
# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 335

def build_directive(sources, context)
  sources.map { |source| resolve_source(source, context) }
end

#build_directives(context, nonce, nonce_directives) (private)

[ GitHub ]

  
# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 319

def build_directives(context, nonce, nonce_directives)
  @directives.map do |directive, sources|
    if sources.is_a?(Array)
      if nonce && nonce_directive?(directive, nonce_directives)
        "#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
      else
        "#{directive} #{build_directive(sources, context).join(' ')}"
      end
    elsif sources
      directive
    else
      nil
    end
  end
end

#initialize_copy(other)

[ GitHub ]

  
# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 182

def initialize_copy(other)
  @directives = other.directives.deep_dup
end

#nonce_directive?(directive, nonce_directives) ⇒ Boolean (private)

[ GitHub ]

  
# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 357

def nonce_directive?(directive, nonce_directives)
  nonce_directives.include?(directive)
end

#plugin_types(*types)

Restricts the set of plugins that can be embedded:

policy.plugin_types "application/x-shockwave-flash"

Leave empty to allow all plugins:

policy.plugin_types
[ GitHub ]

  
# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 221

def plugin_types(*types)
  if types.first
    @directives["plugin-types"] = types
  else
    @directives.delete("plugin-types")
  end
end

#report_uri(uri)

Enable the report-uri directive. Violation reports will be sent to the specified URI:

policy.report_uri "/csp-violation-report-endpoint"
[ GitHub ]

  
# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 235

def report_uri(uri)
  @directives["report-uri"] = [uri]
end

#require_sri_for(*types)

Specify asset types for which [Subresource Integrity](developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is required:

policy.require_sri_for :script, :style

Leave empty to not require Subresource Integrity:

policy.require_sri_for
[ GitHub ]

  
# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 247

def require_sri_for(*types)
  if types.first
    @directives["require-sri-for"] = types
  else
    @directives.delete("require-sri-for")
  end
end

#resolve_source(source, context) (private)

[ GitHub ]

  
# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 339

def resolve_source(source, context)
  case source
  when String
    source
  when Symbol
    source.to_s
  when Proc
    if context.nil?
      raise RuntimeError, "Missing context for the dynamic content security policy source: #{source.inspect}"
    else
      resolved = context.instance_exec(&source)
      apply_mappings(Array.wrap(resolved))
    end
  else
    raise RuntimeError, "Unexpected content security policy source: #{source.inspect}"
  end
end

#sandbox(*values)

Specify whether a sandbox should be enabled for the requested resource:

policy.sandbox

Values can be passed as arguments:

policy.sandbox "allow-scripts", "allow-modals"

Pass false to disable the sandbox:

policy.sandbox false
[ GitHub ]

  
# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 268

def sandbox(*values)
  if values.empty?
    @directives["sandbox"] = true
  elsif values.first
    @directives["sandbox"] = values
  else
    @directives.delete("sandbox")
  end
end

#upgrade_insecure_requests(enabled = true)

Specify whether user agents should treat any assets over HTTP as HTTPS:

policy.upgrade_insecure_requests

Pass false to disable it:

policy.upgrade_insecure_requests false
[ GitHub ]

  
# File 'actionpack/lib/action_dispatch/http/content_security_policy.rb', line 286

def upgrade_insecure_requests(enabled = true)
  if enabled
    @directives["upgrade-insecure-requests"] = true
  else
    @directives.delete("upgrade-insecure-requests")
  end
end