module SecureHeaders::PolicyManagement

Constants

ALL_DIRECTIVES
BASE_URI
BLOB_PROTOCOL
BLOCK_ALL_MIXED_CONTENT

All the directives currently under consideration for CSP level 3. w3c.github.io/webappsec/specs/CSP2/

BODY_DIRECTIVES

Think of default-src and report-uri as the beginning and the end of the policy respectively; every other directive goes in between.

CHILD_SRC
CONNECT_SRC
DATA_PROTOCOL
DEFAULT_CONFIG
DEFAULT_SRC
DEPRECATED_SOURCE_VALUES

Leftover deprecated source values that will still be in common use when upgrading.

DIRECTIVES_1_0
DIRECTIVES_2_0
DIRECTIVES_3_0
DIRECTIVES_EXPERIMENTAL
DIRECTIVE_VALUE_TYPES
FETCH_SOURCES
FONT_SRC
FORM_ACTION
FRAME_ANCESTORS
FRAME_SRC
HTTP_SCHEME_REGEX
IMG_SRC
MANIFEST_SRC
MEDIA_SRC
META_CONFIGS
NONCES
NONE
NON_FETCH_SOURCES

These are directives that take a source list, but that do not inherit the default-src value.

NON_SOURCE_LIST_SOURCES

These are directives that do not use a source list at all, and hence do not inherit the default-src value.

OBJECT_SRC
PLUGIN_TYPES
PREFETCH_SRC
REPORT_URI
REQUIRE_SRI_FOR
REQUIRE_SRI_FOR_VALUES
REQUIRE_TRUSTED_TYPES_FOR

developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for

REQUIRE_TRUSTED_TYPES_FOR_VALUES
SANDBOX
SCRIPT_SRC
SCRIPT_SRC_ATTR
SCRIPT_SRC_ELEM
SELF
STAR
STAR_REGEXP
STRICT_DYNAMIC
STYLE_SRC
STYLE_SRC_ATTR
STYLE_SRC_ELEM
TRUSTED_TYPES

Experimental directives; these vary greatly in browser support. See MDN for details: developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types

UNSAFE_EVAL
UNSAFE_INLINE
UPGRADE_INSECURE_REQUESTS
WILDCARD_SOURCES
WORKER_SRC
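
The three groupings above (BODY_DIRECTIVES ordering, NON_FETCH_SOURCES and NON_SOURCE_LIST_SOURCES) decide how a policy hash is serialized and, more importantly, which directives silently fall back to default-src and which do not. The script below is an added example, not code from the secure_headers gem: it uses its own illustrative subsets of the directive lists (FETCH, NON_FETCH, the config keys and the EXAMPLE_POLICY hash are all assumptions for the demo) and mirrors the conventions documented here: default-src is emitted first, report-uri last, fetch directives inherit default-src when unset, and non-fetch source-list directives such as frame-ancestors are reported as gaps when they are missing, because a `default-src 'none'` policy gives no clickjacking protection on its own.

```ruby
# Added example, not from secure_headers. Directive lists are illustrative
# subsets chosen for the demo, not the gem's own constants.

# Fetch directives: take a source list and fall back to default-src when unset.
FETCH = %i[script_src style_src img_src connect_src font_src object_src
           media_src frame_src child_src worker_src manifest_src].freeze

# Source-list directives that do NOT inherit default-src; must be set explicitly.
NON_FETCH = %i[base_uri form_action frame_ancestors].freeze

# Directives without a source list: boolean flags or free-form values.
FLAG_DIRECTIVES  = %i[upgrade_insecure_requests block_all_mixed_content].freeze
VALUE_DIRECTIVES = %i[sandbox report_uri plugin_types].freeze

# Constructed sample policy (assumption for the demo). Note that no
# frame-ancestors, form-action or base-uri is set.
EXAMPLE_POLICY = {
  default_src: %w['none'],
  script_src: %w['self' https://cdn.example.com],
  style_src: %w['self'],
  img_src: %w['self' data:],
  upgrade_insecure_requests: true,
  report_uri: %w[/csp-report],
}.freeze

def directive_name(sym)
  sym.to_s.tr("_", "-")
end

# Serialize a policy hash into a header value: default-src first, report-uri
# last, everything else in between in the order given.
def build_csp(config)
  head = config.key?(:default_src) ? [[:default_src, config[:default_src]]] : []
  tail = config.key?(:report_uri) ? [[:report_uri, config[:report_uri]]] : []
  body = config.reject { |k, _| %i[default_src report_uri].include?(k) }.to_a
  (head + body + tail).map do |name, value|
    case value
    when true  then directive_name(name)                     # flag directive
    when Array then "#{directive_name(name)} #{value.join(' ')}"
    else            "#{directive_name(name)} #{value}"       # free-form value
    end
  end.join("; ")
end

# What the browser will enforce for each fetch directive: the explicit value
# if present, otherwise the inherited default-src (nil if neither is set).
def effective_fetch_sources(config)
  FETCH.each_with_object({}) do |d, out|
    out[d] = config.fetch(d, config[:default_src])
  end
end

# Non-fetch source-list directives have no fallback. Return the ones left
# unset so a reviewer can flag them (e.g. missing frame-ancestors).
def unset_non_fetch(config)
  NON_FETCH.reject { |d| config.key?(d) }
end

if $PROGRAM_NAME == __FILE__
  puts "Content-Security-Policy: #{build_csp(EXAMPLE_POLICY)}"
  effective_fetch_sources(EXAMPLE_POLICY).each do |d, v|
    puts "  #{directive_name(d)} => #{v.join(' ')}"
  end
  puts "unset, no fallback: #{unset_non_fetch(EXAMPLE_POLICY).map { |d| directive_name(d) }.join(', ')}"
end
```

Running it shows connect-src, font-src and the other unset fetch directives resolving to 'none', while base-uri, form-action and frame-ancestors are listed as unset with no fallback; adding `frame_ancestors: %w['none']` to the hash removes frame-ancestors from that list.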

Public Class Methods

included(base)
# File lib/secure_headers/headers/policy_management.rb, line 7
# Hook invoked when a class does `include SecureHeaders::PolicyManagement`:
# it extends the including class with ClassMethods, so the module's
# class-level helpers become available on that class.
def self.included(base)
  base.extend(ClassMethods)
end