class SecureHeaders::ContentSecurityPolicy

Public Class Methods

new(config = nil) click to toggle source
# File lib/secure_headers/headers/content_security_policy.rb, line 9
def initialize(config = nil)
  @config =
    if config.is_a?(Hash)
      if config[:report_only]
        ContentSecurityPolicyReportOnlyConfig.new(config || DEFAULT_CONFIG)
      else
        ContentSecurityPolicyConfig.new(config || DEFAULT_CONFIG)
      end
    elsif config.nil?
      ContentSecurityPolicyConfig.new(DEFAULT_CONFIG)
    else
      config
    end

  @preserve_schemes = @config.preserve_schemes
  @script_nonce = @config.script_nonce
  @style_nonce = @config.style_nonce
end

Public Instance Methods

name() click to toggle source

Returns the name to use for the header. Either “Content-Security-Policy” or “Content-Security-Policy-Report-Only”

# File lib/secure_headers/headers/content_security_policy.rb, line 31
def name
  @config.class.const_get(:HEADER_NAME)
end
value() click to toggle source

Return the value of the CSP header

# File lib/secure_headers/headers/content_security_policy.rb, line 37
def value
  @value ||=
    if @config
      build_value
    else
      DEFAULT_VALUE
    end
end

Private Instance Methods

append_nonce(source_list, nonce) click to toggle source

Private: adds a nonce or 'unsafe-inline' depending on browser support. If a nonce is populated, inline content is assumed.

While CSP is backward compatible in that a policy with a nonce will ignore unsafe-inline, this is more concise.

# File lib/secure_headers/headers/content_security_policy.rb, line 172
def append_nonce(source_list, nonce)
  if nonce
    source_list.push("'nonce-#{nonce}'")
    source_list.push(UNSAFE_INLINE) unless @config[:disable_nonce_backwards_compatibility]
  end

  source_list
end
build_media_type_list_directive(directive) click to toggle source
# File lib/secure_headers/headers/content_security_policy.rb, line 93
def build_media_type_list_directive(directive)
  return unless media_type_list = @config.directive_value(directive)
  if media_type_list && media_type_list.any?
    [
      symbol_to_hyphen_case(directive),
      media_type_list.uniq
    ].join(" ")
  end
end
build_sandbox_list_directive(directive) click to toggle source
# File lib/secure_headers/headers/content_security_policy.rb, line 70
def build_sandbox_list_directive(directive)
  return unless sandbox_list = @config.directive_value(directive)
  max_strict_policy = case sandbox_list
  when Array
    sandbox_list.empty?
  when true
    true
  else
    false
  end

  # A maximally strict sandbox policy is just the `sandbox` directive,
  # whith no configuraiton values.
  if max_strict_policy
    symbol_to_hyphen_case(directive)
  elsif sandbox_list && sandbox_list.any?
    [
      symbol_to_hyphen_case(directive),
      sandbox_list.uniq
    ].join(" ")
  end
end
build_source_list_directive(directive) click to toggle source

Private: builds a string that represents one directive in a minified form.

directive_name - a symbol representing the various ALL_DIRECTIVES

Returns a string representing a directive.

# File lib/secure_headers/headers/content_security_policy.rb, line 108
def build_source_list_directive(directive)
  source_list = @config.directive_value(directive)
  if source_list != OPT_OUT && source_list && source_list.any?
    minified_source_list = minify_source_list(directive, source_list).join(" ")

    if minified_source_list =~ /(\n|;)/
      Kernel.warn("#{directive} contains a #{$1} in #{minified_source_list.inspect} which will raise an error in future versions. It has been replaced with a blank space.")
    end

    escaped_source_list = minified_source_list.gsub(/[\n;]/, " ")
    [symbol_to_hyphen_case(directive), escaped_source_list].join(" ").strip
  end
end
build_value() click to toggle source

Private: converts the config object into a string representing a policy. Places default-src at the first directive and report-uri as the last. All others are presented in alphabetical order.

Returns a content security policy header value.

# File lib/secure_headers/headers/content_security_policy.rb, line 53
def build_value
  directives.map do |directive_name|
    case DIRECTIVE_VALUE_TYPES[directive_name]
    when :source_list,
         :require_sri_for_list, # require_sri is a simple set of strings that don't need to deal with symbol casing
         :require_trusted_types_for_list
      build_source_list_directive(directive_name)
    when :boolean
      symbol_to_hyphen_case(directive_name) if @config.directive_value(directive_name)
    when :sandbox_list
      build_sandbox_list_directive(directive_name)
    when :media_type_list
      build_media_type_list_directive(directive_name)
    end
  end.compact.join("; ")
end
directives() click to toggle source

Private: return the list of directives, starting with default-src and ending with report-uri.

# File lib/secure_headers/headers/content_security_policy.rb, line 183
def directives
  [
    DEFAULT_SRC,
    BODY_DIRECTIVES,
    REPORT_URI,
  ].flatten
end
keep_wildcard_sources(source_list) click to toggle source

Discard trailing entries (excluding unsafe-*) since * accomplishes the same.

# File lib/secure_headers/headers/content_security_policy.rb, line 141
def keep_wildcard_sources(source_list)
  source_list.select { |value| WILDCARD_SOURCES.include?(value) }
end
minify_source_list(directive, source_list) click to toggle source

If a directive contains *, all other values are omitted. If a directive contains 'none' but has other values, 'none' is ommitted. Schemes are stripped (see www.w3.org/TR/CSP2/#match-source-expression)

# File lib/secure_headers/headers/content_security_policy.rb, line 125
def minify_source_list(directive, source_list)
  source_list = source_list.compact
  if source_list.include?(STAR)
    keep_wildcard_sources(source_list)
  else
    source_list = populate_nonces(directive, source_list)
    source_list = reject_all_values_if_none(source_list)

    unless directive == REPORT_URI || @preserve_schemes
      source_list = strip_source_schemes(source_list)
    end
    source_list.uniq
  end
end
populate_nonces(directive, source_list) click to toggle source

Private: append a nonce to the script/style directories if script_nonce or style_nonce are provided.

# File lib/secure_headers/headers/content_security_policy.rb, line 156
def populate_nonces(directive, source_list)
  case directive
  when SCRIPT_SRC
    append_nonce(source_list, @script_nonce)
  when STYLE_SRC
    append_nonce(source_list, @style_nonce)
  else
    source_list
  end
end
reject_all_values_if_none(source_list) click to toggle source

Discard any 'none' values if more directives are supplied since none may override values.

# File lib/secure_headers/headers/content_security_policy.rb, line 146
def reject_all_values_if_none(source_list)
  if source_list.length > 1
    source_list.reject { |value| value == NONE }
  else
    source_list
  end
end
strip_source_schemes(source_list) click to toggle source

Private: Remove scheme from source expressions.

# File lib/secure_headers/headers/content_security_policy.rb, line 192
def strip_source_schemes(source_list)
  source_list.map { |source_expression| source_expression.sub(HTTP_SCHEME_REGEX, "") }
end
symbol_to_hyphen_case(sym) click to toggle source
# File lib/secure_headers/headers/content_security_policy.rb, line 196
def symbol_to_hyphen_case(sym)
  sym.to_s.tr("_", "-")
end