class Rack::Protection::ContentSecurityPolicy
- Prevented attack: XSS and others
- Supported browsers: Firefox 23+, Safari 7+, Chrome 25+, Opera 15+
- Description: Content Security Policy is a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). Content Security Policy is a declarative policy that lets the authors (or server administrators) of a web application inform the client about the sources from which the application expects to load resources.
- More info:
  W3C CSP Level 1: www.w3.org/TR/CSP1/ (deprecated)
  W3C CSP Level 2: www.w3.org/TR/CSP2/ (current)
  W3C CSP Level 3: www.w3.org/TR/CSP3/ (draft)
  developer.mozilla.org/en-US/docs/Web/Security/CSP
  caniuse.com/#search=ContentSecurityPolicy
  content-security-policy.com/
  securityheaders.io
  scotthelme.co.uk/csp-cheat-sheet/
  www.html5rocks.com/en/tutorials/security/content-security-policy/
Sets the 'Content-Security-Policy' header.

Options: ContentSecurityPolicy configuration is a complex topic with several levels of support that have evolved over time. See the W3C documentation and the links in the more info section for CSP usage examples and best practices. The CSP3 directives in the 'NO_ARG_DIRECTIVES' constant must be present in the options hash with the boolean value 'true' in order to be included in a policy.
Constants
- DIRECTIVES
- NO_ARG_DIRECTIVES
Public Instance Methods
call(env)

  # File lib/rack/protection/content_security_policy.rb, line 71
  # @app, options and html? come from Rack::Protection::Base.
  def call(env)
    status, headers, body = @app.call(env)
    header = options[:report_only] ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
    # Only HTML responses get the header; a header the app already set is never overwritten.
    headers[header] ||= csp_policy if html? headers
    [status, headers, body]
  end
csp_policy()

  # File lib/rack/protection/content_security_policy.rb, line 52
  def csp_policy
    directives = []

    # Directives that take a value: "name value", e.g. "script-src 'self'".
    # tr replaces every underscore; sub(/_/, '-') would only replace the first one.
    DIRECTIVES.each do |d|
      if options.key?(d)
        directives << "#{d.to_s.tr('_', '-')} #{options[d]}"
      end
    end

    # Set these key values to boolean 'true' to include in policy
    NO_ARG_DIRECTIVES.each do |d|
      if options.key?(d) && options[d].is_a?(TrueClass)
        directives << d.to_s.tr('_', '-')
      end
    end

    directives.compact.sort.join('; ')
  end
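The following is an added, self-contained illustration (not the rack-protection gem's own code) of how the options hash described above turns into a header: a minimal middleware with the same option handling as the two methods, run against a constructed Rack app, so the resulting policy string, the report-only switch and the HTML-only behaviour can be inspected without installing the gem. The directive lists and the sample app are constructed for this example, and the HTML check is a simplified stand-in for Base#html?.

```ruby
# Standalone stand-in for Rack::Protection::ContentSecurityPolicy (example only).
# The directive lists are a constructed subset, not the gem's constants.
class CspExample
  DIRECTIVES = %i[default_src script_src style_src img_src connect_src
                  frame_ancestors form_action base_uri report_uri].freeze
  NO_ARG_DIRECTIVES = %i[block_all_mixed_content upgrade_insecure_requests].freeze

  def initialize(app, options = {})
    @app = app
    @options = options
  end

  # "name value" for valued directives, bare name for CSP3 no-argument
  # directives set to boolean true; sorted so the output is deterministic.
  def csp_policy
    directives = DIRECTIVES.select { |d| @options.key?(d) }
                           .map { |d| "#{d.to_s.tr('_', '-')} #{@options[d]}" }
    NO_ARG_DIRECTIVES.each do |d|
      directives << d.to_s.tr('_', '-') if @options[d] == true
    end
    directives.sort.join('; ')
  end

  def call(env)
    status, headers, body = @app.call(env)
    header = @options[:report_only] ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
    # Only HTML responses get the header, and an existing one is never overwritten.
    headers[header] ||= csp_policy if headers['Content-Type'].to_s.start_with?('text/html')
    [status, headers, body]
  end
end

# Constructed sample app: HTML everywhere except a JSON endpoint.
SAMPLE_APP = lambda do |env|
  type = env['PATH_INFO'] == '/api' ? 'application/json' : 'text/html'
  [200, { 'Content-Type' => type }, ['<p>hi</p>']]
end

# Run one request through the middleware and return the response headers.
def csp_headers_for(path, options)
  _status, headers, _body = CspExample.new(SAMPLE_APP, options).call('PATH_INFO' => path)
  headers
end

if __FILE__ == $PROGRAM_NAME
  opts = { default_src: "'self'", script_src: "'self' https://cdn.example",
           upgrade_insecure_requests: true, report_uri: '/csp-report' }
  puts csp_headers_for('/', opts)['Content-Security-Policy']
end
```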