class ActionDispatch::ContentSecurityPolicy
:nodoc:
def apply_mapping(source)
def apply_mapping(source) MAPPINGS.fetch(source) do raise ArgumentError, "Unknown content security policy source mapping: #{source.inspect}" end end
def apply_mappings(sources)
def apply_mappings(sources) sources.map do |source| case source when Symbol apply_mapping(source) when String, Proc source else raise ArgumentError, "Invalid content security policy source: #{source.inspect}" end end end
def block_all_mixed_content(enabled = true)
def block_all_mixed_content(enabled = true) if enabled @directives["block-all-mixed-content"] = true else @directives.delete("block-all-mixed-content") end end
def build(context = nil, nonce = nil)
def build(context = nil, nonce = nil) build_directives(context, nonce).compact.join("; ") end
def build_directive(sources, context)
def build_directive(sources, context) sources.map { |source| resolve_source(source, context) } end
def build_directives(context, nonce)
def build_directives(context, nonce) @directives.map do |directive, sources| if sources.is_a?(Array) if nonce && nonce_directive?(directive) "#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'" else "#{directive} #{build_directive(sources, context).join(' ')}" end elsif sources directive else nil end end end
def initialize
def initialize @directives = {} yield self if block_given? end
def initialize_copy(other)
def initialize_copy(other) @directives = other.directives.deep_dup end
def nonce_directive?(directive)
def nonce_directive?(directive) NONCE_DIRECTIVES.include?(directive) end
def plugin_types(*types)
def plugin_types(*types) if types.first @directives["plugin-types"] = types else @directives.delete("plugin-types") end end
def report_uri(uri)
def report_uri(uri) @directives["report-uri"] = [uri] end
def require_sri_for(*types)
def require_sri_for(*types) if types.first @directives["require-sri-for"] = types else @directives.delete("require-sri-for") end end
def resolve_source(source, context)
def resolve_source(source, context) case source when String source when Symbol source.to_s when Proc if context.nil? raise RuntimeError, "Missing context for the dynamic content security policy source: #{source.inspect}" else resolved = context.instance_exec(&source) resolved.is_a?(Symbol) ? apply_mapping(resolved) : resolved end else raise RuntimeError, "Unexpected content security policy source: #{source.inspect}" end end
def sandbox(*values)
def sandbox(*values) if values.empty? @directives["sandbox"] = true elsif values.first @directives["sandbox"] = values else @directives.delete("sandbox") end end
def upgrade_insecure_requests(enabled = true)
def upgrade_insecure_requests(enabled = true) if enabled @directives["upgrade-insecure-requests"] = true else @directives.delete("upgrade-insecure-requests") end end