module SecureHeaders::ViewHelpers

Constants

SECURE_HEADERS_RAKE_TASK

Public Instance Methods

content_security_policy_nonce(type) click to toggle source

Public: use the content security policy nonce for this request directly. Instructs secure_headers to append a nonce to style/script-src directives.

Returns a non-html-safe nonce value.

# File lib/secure_headers/view_helper.rb, line 28
def content_security_policy_nonce(type)
  case type
  when :script
    SecureHeaders.content_security_policy_script_nonce(@_request)
  when :style
    SecureHeaders.content_security_policy_style_nonce(@_request)
  end
end
hashed_javascript_tag(raise_error_on_unrecognized_hash = nil, &block) click to toggle source

Checks to see if the hashed code is expected and adds the hash source value to the current CSP.

By default, in development/test/etc. an exception will be raised.

# File lib/secure_headers/view_helper.rb, line 42
def hashed_javascript_tag(raise_error_on_unrecognized_hash = nil, &block)
  hashed_tag(
    :script,
    :script_src,
    Configuration.instance_variable_get(:@script_hashes),
    raise_error_on_unrecognized_hash,
    block
  )
end
hashed_style_tag(raise_error_on_unrecognized_hash = nil, &block) click to toggle source
# File lib/secure_headers/view_helper.rb, line 52
def hashed_style_tag(raise_error_on_unrecognized_hash = nil, &block)
  hashed_tag(
    :style,
    :style_src,
    Configuration.instance_variable_get(:@style_hashes),
    raise_error_on_unrecognized_hash,
    block
  )
end
nonced_javascript_tag(content_or_options = {}, &block) click to toggle source

Public: create a script tag using the content security policy nonce. Instructs secure_headers to append a nonce to style/script-src directives.

Returns an html-safe script tag with the nonce attribute.

# File lib/secure_headers/view_helper.rb, line 20
def nonced_javascript_tag(content_or_options = {}, &block)
  nonced_tag(:script, content_or_options, block)
end
nonced_style_tag(content_or_options = {}, &block) click to toggle source

Public: create a style tag using the content security policy nonce. Instructs secure_headers to append a nonce to style/script-src directives.

Returns an html-safe style tag with the nonce attribute.

# File lib/secure_headers/view_helper.rb, line 12
def nonced_style_tag(content_or_options = {}, &block)
  nonced_tag(:style, content_or_options, block)
end

Private Instance Methods

hashed_tag(type, directive, hashes, raise_error_on_unrecognized_hash, block) click to toggle source
# File lib/secure_headers/view_helper.rb, line 64
def hashed_tag(type, directive, hashes, raise_error_on_unrecognized_hash, block)
  if raise_error_on_unrecognized_hash.nil?
    raise_error_on_unrecognized_hash = ENV["RAILS_ENV"] != "production"
  end

  content = capture(&block)
  file_path = File.join('app', 'views', self.instance_variable_get(:@virtual_path) + '.html.erb')

  if raise_error_on_unrecognized_hash
    hash_value = hash_source(content)
    message = unexpected_hash_error_message(file_path, content, hash_value)

    if hashes.nil? || hashes[file_path].nil? || !hashes[file_path].include?(hash_value)
      raise UnexpectedHashedScriptException.new(message)
    end
  end

  SecureHeaders.append_content_security_policy_directives(request, directive => hashes[file_path])

  content_tag type, content
end
nonced_tag(type, content_or_options, block) click to toggle source
# File lib/secure_headers/view_helper.rb, line 98
def nonced_tag(type, content_or_options, block)
  options = {}
  content = if block
    options = content_or_options
    capture(&block)
  else
    content_or_options.html_safe # :'(
  end
  content_tag type, content, options.merge(nonce: content_security_policy_nonce(type))
end
unexpected_hash_error_message(file_path, content, hash_value) click to toggle source
# File lib/secure_headers/view_helper.rb, line 86
    def unexpected_hash_error_message(file_path, content, hash_value)
      <<-EOF
\n\n*** WARNING: Unrecognized hash in #{file_path}!!! Value: #{hash_value} ***
#{content}
*** Run #{SECURE_HEADERS_RAKE_TASK} or add the following to config/script_hashes.yml:***
#{file_path}:
- #{hash_value}\n\n
      NOTE: dynamic javascript is not supported using script hash integration
      on purpose. It defeats the point of using it in the first place.
      EOF
    end