module SecureHeaders::ViewHelpers
Constants
- SECURE_HEADERS_RAKE_TASK
Public Instance Methods
Public: use the content security policy nonce for this request directly. Instructs secure_headers to append a nonce to style/script-src directives.
Returns a non-html-safe nonce value.
# File lib/secure_headers/view_helper.rb, line 69 def _content_security_policy_nonce(type) case type when :script SecureHeaders.content_security_policy_script_nonce(@_request) when :style SecureHeaders.content_security_policy_style_nonce(@_request) end end
# File lib/secure_headers/view_helper.rb, line 79 def content_security_policy_script_nonce _content_security_policy_nonce(:script) end
# File lib/secure_headers/view_helper.rb, line 83 def content_security_policy_style_nonce _content_security_policy_nonce(:style) end
Checks to see if the hashed code is expected and adds the hash source value to the current CSP
.
By default, in development/test/etc. an exception will be raised.
# File lib/secure_headers/view_helper.rb, line 92 def hashed_javascript_tag(raise_error_on_unrecognized_hash = nil, &block) hashed_tag( :script, :script_src, Configuration.instance_variable_get(:@script_hashes), raise_error_on_unrecognized_hash, block ) end
# File lib/secure_headers/view_helper.rb, line 102 def hashed_style_tag(raise_error_on_unrecognized_hash = nil, &block) hashed_tag( :style, :style_src, Configuration.instance_variable_get(:@style_hashes), raise_error_on_unrecognized_hash, block ) end
Public: create a script src tag using the content security policy nonce. Instructs secure_headers to append a nonce to script-src directive.
Returns an html-safe script tag with the nonce attribute.
# File lib/secure_headers/view_helper.rb, line 39 def nonced_javascript_include_tag(*args, &block) opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:script)) javascript_include_tag(*args, **opts, &block) end
Public: create a script Webpacker pack tag using the content security policy nonce. Instructs secure_headers to append a nonce to script-src directive.
Returns an html-safe script tag with the nonce attribute.
# File lib/secure_headers/view_helper.rb, line 49 def nonced_javascript_pack_tag(*args, &block) opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:script)) javascript_pack_tag(*args, **opts, &block) end
Public: create a script tag using the content security policy nonce. Instructs secure_headers to append a nonce to script-src directive.
Returns an html-safe script tag with the nonce attribute.
# File lib/secure_headers/view_helper.rb, line 31 def nonced_javascript_tag(content_or_options = {}, &block) nonced_tag(:script, content_or_options, block) end
Public: create a style tag using the content security policy nonce. Instructs secure_headers to append a nonce to style-src directive.
Returns an html-safe style tag with the nonce attribute.
# File lib/secure_headers/view_helper.rb, line 13 def nonced_style_tag(content_or_options = {}, &block) nonced_tag(:style, content_or_options, block) end
Public: create a stylesheet link tag using the content security policy nonce. Instructs secure_headers to append a nonce to style-src directive.
Returns an html-safe link tag with the nonce attribute.
# File lib/secure_headers/view_helper.rb, line 21 def nonced_stylesheet_link_tag(*args, &block) opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:style)) stylesheet_link_tag(*args, **opts, &block) end
Public: create a stylesheet Webpacker link tag using the content security policy nonce. Instructs secure_headers to append a nonce to style-src directive.
Returns an html-safe link tag with the nonce attribute.
# File lib/secure_headers/view_helper.rb, line 59 def nonced_stylesheet_pack_tag(*args, &block) opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:style)) stylesheet_pack_tag(*args, **opts, &block) end
Private Instance Methods
# File lib/secure_headers/view_helper.rb, line 160 def extract_options(args) if args.last.is_a? Hash args.pop else {} end end
# File lib/secure_headers/view_helper.rb, line 114 def hashed_tag(type, directive, hashes, raise_error_on_unrecognized_hash, block) if raise_error_on_unrecognized_hash.nil? raise_error_on_unrecognized_hash = ENV["RAILS_ENV"] != "production" end content = capture(&block) file_path = File.join("app", "views", self.instance_variable_get(:@virtual_path) + ".html.erb") if raise_error_on_unrecognized_hash hash_value = hash_source(content) message = unexpected_hash_error_message(file_path, content, hash_value) if hashes.nil? || hashes[file_path].nil? || !hashes[file_path].include?(hash_value) raise UnexpectedHashedScriptException.new(message) end end SecureHeaders.append_content_security_policy_directives(request, directive => hashes[file_path]) content_tag type, content end
# File lib/secure_headers/view_helper.rb, line 148 def nonced_tag(type, content_or_options, block) options = {} content = if block options = content_or_options capture(&block) else content_or_options.html_safe # :'( end content_tag type, content, options.merge(nonce: _content_security_policy_nonce(type)) end
# File lib/secure_headers/view_helper.rb, line 136 def unexpected_hash_error_message(file_path, content, hash_value) <<-EOF \n\n*** WARNING: Unrecognized hash in #{file_path}!!! Value: #{hash_value} *** #{content} *** Run #{SECURE_HEADERS_RAKE_TASK} or add the following to config/secure_headers_generated_hashes.yml:*** #{file_path}: - \"#{hash_value}\"\n\n NOTE: dynamic javascript is not supported using script hash integration on purpose. It defeats the point of using it in the first place. EOF end