123456789_123456789_123456789_123456789_123456789_

Class: Rack::Protection::ContentSecurityPolicy

Relationships & Source Files
Super Chains via Extension / Inclusion / Inheritance
Class Chain:
self, Base
Instance Chain:
self, Base
Inherits: Rack::Protection::Base
Defined in: rack-protection/lib/rack/protection/content_security_policy.rb

Overview

Prevented attack

XSS and others

Supported browsers

Firefox 23+, Safari 7+, Chrome 25+, Opera 15+

Sets the 'content-security-policy' or the 'content-security-policy-report-only' header, based on options provided.

Description

Content Security Policy, is a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). Content Security Policy is a declarative policy that lets the authors (or server administrators) of a web application inform the client about the sources from which the application expects to load resources.

More info

Options

ContentSecurityPolicy configuration is a complex topic with several levels of support that has evolved over time. See the W3C documentation and the links in the more info section for CSP usage examples and best practices.

[:report_only] - if true, the content-security-policy-report-only header is set, instead of content-security-policy. Note that in this case, you should also set the :report_uri option and the :report_to option. If you do set :report_to, you must also set the reporting-endpoints header yourself.

[:default_src] - sets the default-src directive, which acts as a fallback for any directive you don't specify. Default is 'self'.

[Any Supported CSP Directive, underscorized] - All supported CSP directives can be configured individually. See DIRECTIVES and NO_ARG_DIRECTIVES for a list of what is supported.

Note that this list is not necessarly complete as the spec and
browser behavior is constantly evolving (for example,
<tt>script-src-elem</tt> is not supported).

Pass in an underscorized symbol. For example, to set the <tt>script-src</tt> 
directive, use <tt>:script_src</tt>.  The value should be whatever value you 
want set in the header.

Note that for directives that do not take an argument, you must set their 
value to <tt>true</tt> to ensure they are set. See NO_ARG_DIRECTIVES.
Note that <tt>'self'</tt> and <tt>'none'</tt> require 
single quotes and this middleware will not add them. For example, to 
disallow <tt>iframe</tt>s, you would need to use <tt>frame_src: 
"'none'"</tt>.

Constant Summary

Base - Inherited

DEFAULT_OPTIONS

Class Method Summary

Base - Inherited

.default_options

Used by subclasses to declare default values for options they require.

.default_reaction

Used by subclasses to declare default reaction when a request is rejected.

.new

Instance Attribute Summary

Base - Inherited

Instance Method Summary

Base - Inherited

#accepts?, #call, #debug, #default_options,
#default_reaction

Alias for Base#deny.

#deny

Deny the request.

#drop_session, #encrypt, #html?, #instrument, #origin, #random_string, #react, #referrer,
#report

When used as a reaction (with option reaction: :report), any rejected request will be allowed through, and a warning is omitted (note that warnings will not be shown if the :logging option has been set to false).

#safe?, #secure_compare, #session, #session?, #warn

Constructor Details

This class inherits a constructor from Rack::Protection::Base

Instance Method Details

#call(env)

[ GitHub ]

  
# File 'rack-protection/lib/rack/protection/content_security_policy.rb', line 98

def call(env)
  status, headers, body = @app.call(env)
  header = options[:report_only] ? 'content-security-policy-report-only' : 'content-security-policy'
  headers[header] ||= csp_policy if html? headers
  [status, headers, body]
end

#csp_policy

[ GitHub ]

  
# File 'rack-protection/lib/rack/protection/content_security_policy.rb', line 79

def csp_policy
  directives = []

  DIRECTIVES.each do |d|
    if options.key?(d)
      directives << "#{d.to_s.sub(/_/, '-')} #{options[d]}"
    end
  end

  # Set these key values to boolean 'true' to include in policy
  NO_ARG_DIRECTIVES.each do |d|
    if options.key?(d) && options[d].is_a?(TrueClass)
      directives << d.to_s.tr('_', '-')
    end
  end

  directives.compact.sort.join('; ')
end