class ActionDispatch::ContentSecurityPolicy

end
policy.report_uri “/csp-violation-report-endpoint”
# Specify URI for violation reports
policy.style_src :self, :https
policy.script_src :self, :https
policy.object_src :none
policy.img_src :self, :https, :data
policy.font_src :self, :https, :data
policy.default_src :self, :https
Rails.application.config.content_security_policy do |policy|
Example global policy:
injection attacks.
response header to help protect against XSS and
Configures the HTTP [Content-Security-Policy](developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)
# Action Dispatch Content Security Policy
:nodoc:

def apply_mapping(source)

def apply_mapping(source)
  MAPPINGS.fetch(source) do
    raise ArgumentError, "Unknown content security policy source mapping: #{source.inspect}"
  end
end

def apply_mappings(sources)

def apply_mappings(sources)
  sources.map do |source|
    case source
    when Symbol
      apply_mapping(source)
    when String, Proc
      source
    else
      raise ArgumentError, "Invalid content security policy source: #{source.inspect}"
    end
  end
end

def block_all_mixed_content(enabled = true)

policy.block_all_mixed_content false

Pass `false` to allow it again:

policy.block_all_mixed_content

when the page uses HTTPS:
Specify whether to prevent the user agent from loading any assets over HTTP

def block_all_mixed_content(enabled = true)
  if enabled
    @directives["block-all-mixed-content"] = true
  else
    @directives.delete("block-all-mixed-content")
  end
end

def build(context = nil, nonce = nil, nonce_directives = nil)

def build(context = nil, nonce = nil, nonce_directives = nil)
  nonce_directives = DEFAULT_NONCE_DIRECTIVES if nonce_directives.nil?
  build_directives(context, nonce, nonce_directives).compact.join("; ")
end

def build_directive(directive, sources, context)

def build_directive(directive, sources, context)
  resolved_sources = sources.map { |source| resolve_source(source, context) }
  validate(directive, resolved_sources)
end

def build_directives(context, nonce, nonce_directives)

def build_directives(context, nonce, nonce_directives)
  @directives.map do |directive, sources|
    if sources.is_a?(Array)
      if nonce && nonce_directive?(directive, nonce_directives)
        "#{directive} #{build_directive(directive, sources, context).join(' ')} 'nonce-#{nonce}'"
      else
        "#{directive} #{build_directive(directive, sources, context).join(' ')}"
      end
    elsif sources
      directive
    else
      nil
    end
  end
end

def initialize

def initialize
  @directives = {}
  yield self if block_given?
end

def initialize_copy(other)

def initialize_copy(other)
  @directives = other.directives.deep_dup
end

def nonce_directive?(directive, nonce_directives)

def nonce_directive?(directive, nonce_directives)
  nonce_directives.include?(directive)
end

def plugin_types(*types)

policy.plugin_types

Leave empty to allow all plugins:

policy.plugin_types "application/x-shockwave-flash"

Restricts the set of plugins that can be embedded:

def plugin_types(*types)
  if types.first
    @directives["plugin-types"] = types
  else
    @directives.delete("plugin-types")
  end
end

def report_uri(uri)

policy.report_uri "/csp-violation-report-endpoint"

specified URI:
directive. Violation reports will be sent to the
Enable the [report-uri](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri)

def report_uri(uri)
  @directives["report-uri"] = [uri]
end

def require_sri_for(*types)

policy.require_sri_for

Leave empty to not require Subresource Integrity:

policy.require_sri_for :script, :style

Specify asset types for which [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is required:

def require_sri_for(*types)
  if types.first
    @directives["require-sri-for"] = types
  else
    @directives.delete("require-sri-for")
  end
end

def resolve_source(source, context)

def resolve_source(source, context)
  case source
  when String
    source
  when Symbol
    source.to_s
  when Proc
    if context.nil?
      raise RuntimeError, "Missing context for the dynamic content security policy source: #{source.inspect}"
    else
      resolved = context.instance_exec(&source)
      apply_mappings(Array.wrap(resolved))
    end
  else
    raise RuntimeError, "Unexpected content security policy source: #{source.inspect}"
  end
end

def sandbox(*values)

policy.sandbox false

Pass `false` to disable the sandbox:

policy.sandbox "allow-scripts", "allow-modals"

Values can be passed as arguments:

policy.sandbox

should be enabled for the requested resource:
Specify whether a [sandbox](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox)

def sandbox(*values)
  if values.empty?
    @directives["sandbox"] = true
  elsif values.first
    @directives["sandbox"] = values
  else
    @directives.delete("sandbox")
  end
end

def upgrade_insecure_requests(enabled = true)

policy.upgrade_insecure_requests false

Pass `false` to disable it:

policy.upgrade_insecure_requests

Specify whether user agents should treat any assets over HTTP as HTTPS:

def upgrade_insecure_requests(enabled = true)
  if enabled
    @directives["upgrade-insecure-requests"] = true
  else
    @directives.delete("upgrade-insecure-requests")
  end
end

def validate(directive, sources)

def validate(directive, sources)
  sources.flatten.each do |source|
    if source.include?(";") || source != source.gsub(/[[:space:]]/, "")
      raise InvalidDirectiveError, <<~MSG.squish
        Invalid Content Security Policy #{directive}: "#{source}".
        Directive values must not contain whitespace or semicolons.
        Please use multiple arguments or other directive methods instead.
      MSG
    end
  end
end

Modules

Classes