Class: Rack::Protection::ContentSecurityPolicy
| Relationships & Source Files | |
| Super Chains via Extension / Inclusion / Inheritance | |
|
Class Chain:
self,
Base
|
|
|
Instance Chain:
self,
Base
|
|
| Inherits: |
Rack::Protection::Base
|
| Defined in: | rack-protection/lib/rack/protection/content_security_policy.rb |
Overview
- Prevented attack
XSS and others
- Supported browsers
Firefox 23+, Safari 7+, Chrome 25+, Opera 15+
Sets the 'content-security-policy' or the 'content-security-policy-report-only' header, based on options provided.
- Description
Content Security Policy, is a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). Content Security Policy is a declarative policy that lets the authors (or server administrators) of a web application inform the client about the sources from which the application expects to load resources.
- More info
- W3C CSP Level 1 : https://www.w3.org/TR/CSP1/ (deprecated)
- W3C CSP Level 2 : https://www.w3.org/TR/CSP2/ (current)
- W3C CSP Level 3 : https://www.w3.org/TR/CSP3/ (draft)
- https://developer.mozilla.org/en-US/docs/Web/Security/CSP
- http://caniuse.com/#search=ContentSecurityPolicy
- http://content-security-policy.com/
- https://securityheaders.io
- https://scotthelme.co.uk/csp-cheat-sheet/
- http://www.html5rocks.com/en/tutorials/security/content-security-policy/
Options
ContentSecurityPolicy configuration is a complex topic with
several levels of support that has evolved over time.
See the W3C documentation and the links in the more info
section for CSP usage examples and best practices.
[:report_only] - if true, the content-security-policy-report-only
header is set, instead of content-security-policy. Note that
in this case, you should also set the :report_uri option and the
:report_to option. If you do set :report_to, you must
also set the reporting-endpoints header yourself.
[:default_src] - sets the default-src directive, which acts as a fallback for any directive you don't specify. Default is 'self'.
[Any Supported CSP Directive, underscorized] - All supported CSP directives can be configured individually. See DIRECTIVES and NO_ARG_DIRECTIVES for a list of what is supported.
Note that this list is not necessarly complete as the spec and
browser behavior is constantly evolving (for example,
<tt>script-src-elem</tt> is not supported).
Pass in an underscorized symbol. For example, to set the <tt>script-src</tt>
directive, use <tt>:script_src</tt>. The value should be whatever value you
want set in the header.
Note that for directives that do not take an argument, you must set their
value to <tt>true</tt> to ensure they are set. See NO_ARG_DIRECTIVES.
Note that <tt>'self'</tt> and <tt>'none'</tt> require
single quotes and this middleware will not add them. For example, to
disallow <tt>iframe</tt>s, you would need to use <tt>frame_src:
"'none'"</tt>.
Constant Summary
-
DIRECTIVES =
# File 'rack-protection/lib/rack/protection/content_security_policy.rb', line 68%i[base_uri child_src connect_src default_src font_src form_action frame_ancestors frame_src img_src manifest_src media_src object_src plugin_types referrer reflected_xss report_to report_uri require_sri_for sandbox script_src style_src worker_src webrtc_src navigate_to prefetch_src].freeze
-
NO_ARG_DIRECTIVES =
# File 'rack-protection/lib/rack/protection/content_security_policy.rb', line 76%i[block_all_mixed_content disown_opener upgrade_insecure_requests].freeze
Base - Inherited
Class Method Summary
Base - Inherited
| .default_options | Used by subclasses to declare default values for options they require. |
| .default_reaction | Used by subclasses to declare default reaction when a request is rejected. |
| .new | |
Instance Attribute Summary
Instance Method Summary
Base - Inherited
| #accepts?, #call, #debug, #default_options, | |
| #default_reaction | Alias for Base#deny. |
| #deny | Deny the request. |
| #drop_session, #encrypt, #html?, #instrument, #origin, #random_string, #react, #referrer, | |
| #report | When used as a reaction (with option reaction: :report), any rejected request will be allowed through, and a warning is omitted (note that warnings will not be shown if the :logging option has been set to false). |
| #safe?, #secure_compare, #session, #session?, #warn | |
Constructor Details
This class inherits a constructor from Rack::Protection::Base
Instance Method Details
#call(env)
[ GitHub ]# File 'rack-protection/lib/rack/protection/content_security_policy.rb', line 98
def call(env) status, headers, body = @app.call(env) header = [:report_only] ? 'content-security-policy-report-only' : 'content-security-policy' headers[header] ||= csp_policy if html? headers [status, headers, body] end
#csp_policy
[ GitHub ]# File 'rack-protection/lib/rack/protection/content_security_policy.rb', line 79
def csp_policy directives = [] DIRECTIVES.each do |d| if .key?(d) directives << "#{d.to_s.sub(/_/, '-')} #{[d]}" end end # Set these key values to boolean 'true' to include in policy NO_ARG_DIRECTIVES.each do |d| if .key?(d) && [d].is_a?(TrueClass) directives << d.to_s.tr('_', '-') end end directives.compact.sort.join('; ') end