module SecureHeaders::ViewHelpers

Constants

SECURE_HEADERS_RAKE_TASK

Public Instance Methods

_content_security_policy_nonce(type)

Public: use the content security policy nonce for this request directly. Looking the nonce up instructs secure_headers to append it to the script-src or style-src directive, whichever matches the requested type.

Returns the nonce value, which is NOT marked html_safe (so it is escaped when interpolated into a template); returns nil for a type other than :script or :style.

# File lib/secure_headers/view_helper.rb, line 69
# Resolve the per-request CSP nonce for a tag +type+ by delegating to the
# matching SecureHeaders module method (which also arranges for the nonce to
# be appended to the corresponding directive).
#
# type - :script or :style. Any other value falls through and returns nil, so
#        the resulting tag gets no usable nonce and a nonce-based policy will
#        not authorise it (fails closed rather than open).
#
# Returns the nonce value; it is NOT html_safe, so interpolate it through the
# normal escaping path.
def _content_security_policy_nonce(type)
  if type == :script
    SecureHeaders.content_security_policy_script_nonce(@_request)
  elsif type == :style
    SecureHeaders.content_security_policy_style_nonce(@_request)
  end
end
content_security_policy_nonce(type)
content_security_policy_script_nonce()
# File lib/secure_headers/view_helper.rb, line 79
# Public: the script-src nonce for the current request, for callers that
# build their own <script> tag. The value is not html_safe; it only grants
# execution to a tag whose nonce attribute carries this exact value.
def content_security_policy_script_nonce
  nonce_type = :script
  _content_security_policy_nonce(nonce_type)
end
content_security_policy_style_nonce()
# File lib/secure_headers/view_helper.rb, line 83
# Public: the style-src nonce for the current request, for callers that
# build their own <style> tag. The value is not html_safe; it only grants
# the browser permission for a tag whose nonce attribute carries this value.
def content_security_policy_style_nonce
  nonce_type = :style
  _content_security_policy_nonce(nonce_type)
end
hashed_javascript_tag(raise_error_on_unrecognized_hash = nil, &block)

Checks to see if the hashed code is expected and adds the hash source value to the current CSP.

By default (raise_error_on_unrecognized_hash = nil) an unrecognized hash raises UnexpectedHashedScriptException in every environment except production (RAILS_ENV == "production"); in production the block is still rendered, but since its hash is not in the policy a browser enforcing CSP will refuse to run it.

# File lib/secure_headers/view_helper.rb, line 92
# Public: render an inline <script> whose body is authorised through the CSP
# hash source list. The block's output is hashed and compared with the hashes
# recorded for this view in Configuration's @script_hashes; when
# raise_error_on_unrecognized_hash is nil the check is enforced everywhere
# except production (see hashed_tag). Anything that changes per request
# cannot be pre-hashed and will be rejected by the check.
#
# Returns the <script> tag built from the block's output.
def hashed_javascript_tag(raise_error_on_unrecognized_hash = nil, &block)
  expected = Configuration.instance_variable_get(:@script_hashes)
  hashed_tag(:script, :script_src, expected, raise_error_on_unrecognized_hash, block)
end
hashed_style_tag(raise_error_on_unrecognized_hash = nil, &block)
# File lib/secure_headers/view_helper.rb, line 102
# Public: render an inline <style> whose body is authorised through the CSP
# hash source list, using the hashes recorded for this view in
# Configuration's @style_hashes. A nil raise_error_on_unrecognized_hash means
# "enforce outside production" (see hashed_tag); unrecognized content raises
# UnexpectedHashedScriptException when the check is on.
#
# Returns the <style> tag built from the block's output.
def hashed_style_tag(raise_error_on_unrecognized_hash = nil, &block)
  expected = Configuration.instance_variable_get(:@style_hashes)
  hashed_tag(:style, :style_src, expected, raise_error_on_unrecognized_hash, block)
end
nonced_javascript_include_tag(*args, &block)

Public: create a script src tag using the content security policy nonce. Instructs secure_headers to append a nonce to script-src directive.

Returns an html-safe script tag with the nonce attribute.

# File lib/secure_headers/view_helper.rb, line 39
# Public: javascript_include_tag with the request's script nonce added to the
# tag options. A trailing options Hash in +args+ is popped and merged with the
# nonce: key; the helper's nonce wins the merge, so a caller cannot substitute
# a nonce of their own.
#
# Returns an html-safe <script src=...> tag carrying the nonce attribute.
def nonced_javascript_include_tag(*args, &block)
  caller_opts = extract_options(args)
  opts = caller_opts.merge(nonce: _content_security_policy_nonce(:script))

  javascript_include_tag(*args, **opts, &block)
end
nonced_javascript_pack_tag(*args, &block)

Public: create a script Webpacker pack tag using the content security policy nonce. Instructs secure_headers to append a nonce to script-src directive.

Returns an html-safe script tag with the nonce attribute.

# File lib/secure_headers/view_helper.rb, line 49
# Public: Webpacker's javascript_pack_tag with the request's script nonce
# merged into the options. Any options Hash trailing +args+ is popped first;
# the nonce: key set here overrides one supplied by the caller.
#
# Returns an html-safe script tag carrying the nonce attribute.
def nonced_javascript_pack_tag(*args, &block)
  caller_opts = extract_options(args)
  opts = caller_opts.merge(nonce: _content_security_policy_nonce(:script))

  javascript_pack_tag(*args, **opts, &block)
end
nonced_javascript_tag(content_or_options = {}, &block)

Public: create a script tag using the content security policy nonce. Instructs secure_headers to append a nonce to script-src directive.

Returns an html-safe script tag with the nonce attribute.

# File lib/secure_headers/view_helper.rb, line 31
# Public: build an inline <script> tag carrying the request's script nonce.
# With a block, +content_or_options+ is the attributes Hash and the block's
# output is the body. Without a block, +content_or_options+ IS the body and is
# marked html_safe unescaped (see nonced_tag) — pass only developer-authored
# code, never request-derived strings, since the nonce authorises execution.
#
# Returns an html-safe script tag with the nonce attribute.
def nonced_javascript_tag(content_or_options = {}, &block)
  tag_type = :script
  nonced_tag(tag_type, content_or_options, block)
end
nonced_style_tag(content_or_options = {}, &block)

Public: create a style tag using the content security policy nonce. Instructs secure_headers to append a nonce to style-src directive.

Returns an html-safe style tag with the nonce attribute.

# File lib/secure_headers/view_helper.rb, line 13
# Public: build an inline <style> tag carrying the request's style nonce.
# With a block, +content_or_options+ is the attributes Hash and the block's
# output is the body. Without a block, +content_or_options+ IS the body and is
# emitted html_safe without escaping (see nonced_tag), so only literal CSS
# written by the developer belongs here.
#
# Returns an html-safe style tag with the nonce attribute.
def nonced_style_tag(content_or_options = {}, &block)
  tag_type = :style
  nonced_tag(tag_type, content_or_options, block)
end
nonced_stylesheet_pack_tag(*args, &block)

Public: create a stylesheet Webpacker link tag using the content security policy nonce. Instructs secure_headers to append a nonce to style-src directive.

Returns an html-safe link tag with the nonce attribute.

# File lib/secure_headers/view_helper.rb, line 59
# Public: Webpacker's stylesheet_pack_tag with the request's style nonce
# merged into the options. A trailing options Hash in +args+ is popped first;
# the nonce: key set here overrides one supplied by the caller.
#
# Returns an html-safe link tag carrying the nonce attribute.
def nonced_stylesheet_pack_tag(*args, &block)
  caller_opts = extract_options(args)
  opts = caller_opts.merge(nonce: _content_security_policy_nonce(:style))

  stylesheet_pack_tag(*args, **opts, &block)
end

Private Instance Methods

extract_options(args)
# File lib/secure_headers/view_helper.rb, line 160
# Pop a trailing options Hash off +args+ (mutating the Array in place so the
# remaining positional arguments can be splatted onward). When the last
# element is not a Hash, +args+ is left untouched and an empty Hash is
# returned.
def extract_options(args)
  args.last.is_a?(Hash) ? args.pop : {}
end
hashed_tag(type, directive, hashes, raise_error_on_unrecognized_hash, block)
# File lib/secure_headers/view_helper.rb, line 114
# Render an inline <type> tag and register the view's recorded hashes with
# the request's CSP.
#
# type      - :script or :style (the element emitted).
# directive - :script_src or :style_src (the directive the hashes go to).
# hashes    - Hash of view file path => list of hash source strings, as
#             generated into config/secure_headers_generated_hashes.yml.
# raise_error_on_unrecognized_hash - true/false, or nil to enforce the check
#             everywhere except when ENV["RAILS_ENV"] == "production".
# block     - the view block whose captured output becomes the tag body.
#
# Security notes:
# * When the check is on, the captured output is hashed and must already be
#   listed for this view, otherwise UnexpectedHashedScriptException is raised.
#   Per-request interpolation therefore fails on purpose: a hash that varied
#   with input would protect nothing.
# * When the check is off (production by default) an unlisted block is still
#   rendered; its hash is never appended, so a browser enforcing the policy
#   will refuse it. That fails closed but silently — run the rake task that
#   regenerates the hashes in CI so the YAML is never stale in production.
# * Every hash recorded for the view file is appended, not only this block's.
# * The lookup key is @virtual_path plus a fixed ".html.erb" suffix, so a
#   template in another format will not find its entry.
# NOTE(review): with the check off, a nil +hashes+ reaches hashes[file_path]
# unguarded (NoMethodError); confirm callers always pass a Hash.
def hashed_tag(type, directive, hashes, raise_error_on_unrecognized_hash, block)
  enforce = raise_error_on_unrecognized_hash
  enforce = ENV["RAILS_ENV"] != "production" if enforce.nil?

  content = capture(&block)
  view_name = instance_variable_get(:@virtual_path) + ".html.erb"
  file_path = File.join("app", "views", view_name)

  if enforce
    hash_value = hash_source(content)
    listed = hashes.nil? ? nil : hashes[file_path]
    known = !listed.nil? && listed.include?(hash_value)
    unless known
      message = unexpected_hash_error_message(file_path, content, hash_value)
      raise UnexpectedHashedScriptException, message
    end
  end

  SecureHeaders.append_content_security_policy_directives(request, directive => hashes[file_path])

  content_tag type, content
end
nonced_tag(type, content_or_options, block)
# File lib/secure_headers/view_helper.rb, line 148
# Build a <type> tag whose nonce attribute is the request's nonce for +type+.
#
# With a block, the block's captured output is the body and
# +content_or_options+ is the attributes Hash. Without a block,
# +content_or_options+ is the body itself and is force-marked html_safe, i.e.
# emitted WITHOUT escaping. Because the nonce tells the browser to run (or
# apply) exactly this body, any attacker-controlled text reaching the
# no-block path is a direct XSS — only literal, developer-authored code
# belongs here. The nonce is looked up after the body is captured, matching
# the original ordering.
def nonced_tag(type, content_or_options, block)
  if block
    body = capture(&block)
    base_attrs = content_or_options
  else
    body = content_or_options.html_safe # :'(  caller's string is trusted verbatim
    base_attrs = {}
  end
  content_tag type, body, base_attrs.merge(nonce: _content_security_policy_nonce(type))
end
unexpected_hash_error_message(file_path, content, hash_value)
# File lib/secure_headers/view_helper.rb, line 136
    # Build the message for UnexpectedHashedScriptException: names the view
    # (file_path), echoes the offending block (content) and its computed hash
    # (hash_value), and tells the developer either to run
    # SECURE_HEADERS_RAKE_TASK or to add the entry to
    # config/secure_headers_generated_hashes.yml by hand.
    #
    # The heredoc uses <<- (not <<~) so the leading whitespace of the NOTE
    # lines is part of the message; do not "tidy" it without changing tests.
    # The raw block content is interpolated verbatim; the exception is only
    # raised when the hash check is enforced (see hashed_tag), so keep that
    # check off wherever error output could reach untrusted users.
    def unexpected_hash_error_message(file_path, content, hash_value)
      <<-EOF
\n\n*** WARNING: Unrecognized hash in #{file_path}!!! Value: #{hash_value} ***
#{content}
*** Run #{SECURE_HEADERS_RAKE_TASK} or add the following to config/secure_headers_generated_hashes.yml:***
#{file_path}:
- \"#{hash_value}\"\n\n
      NOTE: dynamic javascript is not supported using script hash integration
      on purpose. It defeats the point of using it in the first place.
      EOF
    end