class Rack::Protection::ContentSecurityPolicy


Prevented attack: XSS and others

Supported browsers: Firefox 23+, Safari 7+, Chrome 25+, Opera 15+

More info:
  W3C CSP Level 1 : www.w3.org/TR/CSP1/ (deprecated)
  W3C CSP Level 2 : www.w3.org/TR/CSP2/ (current)
  W3C CSP Level 3 : www.w3.org/TR/CSP3/ (draft)

Description:
  Content Security Policy is a mechanism web applications can use to
  mitigate a broad class of content injection vulnerabilities, such as
  cross-site scripting (XSS). It is a declarative policy that lets the
  authors (or server administrators) of a web application inform the
  client about the sources from which the application expects to load
  resources.

Options:
  ContentSecurityPolicy configuration is a complex topic with several
  levels of support that have evolved over time. See the W3C
  documentation and the links in the more info section for CSP usage
  examples and best practices. The CSP3 directives in the
  'NO_ARG_DIRECTIVES' constant take no value and must be present in the
  options hash with a boolean 'true' in order to be included in the
  policy.

Sets the 'Content-Security-Policy' header (or
'Content-Security-Policy-Report-Only' when the :report_only option is set).

# Middleware entry point. `options` and `html?` are inherited from
# Rack::Protection::Base. The header is only added to HTML responses, and
# a policy the application has already set is left untouched (||=).
def call(env)
  status, headers, body = @app.call(env)
  header = options[:report_only] ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
  headers[header] ||= csp_policy if html? headers
  [status, headers, body]
end

# Serializes the options hash into a policy string. DIRECTIVES and
# NO_ARG_DIRECTIVES are class constants listing the supported directive
# names as symbols (e.g. :default_src, :upgrade_insecure_requests).
def csp_policy
  directives = []
  # Valued directives become "directive-name value".
  DIRECTIVES.each do |d|
    if options.key?(d)
      # tr replaces every underscore; sub(/_/, '-') would only replace the
      # first one and emit an invalid name such as "block-all_mixed_content".
      directives << "#{d.to_s.tr('_', '-')} #{options[d]}"
    end
  end
  # Set these key values to boolean 'true' to include in policy
  NO_ARG_DIRECTIVES.each do |d|
    if options.key?(d) && options[d].is_a?(TrueClass)
      directives << d.to_s.tr('_', '-')
    end
  end
  directives.compact.sort.join('; ')
end
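As an added, stand-alone example (not rack-protection's own code), the following reproduces how the middleware turns an options hash into a header, then parses the result and flags settings that undermine the XSS protection the page describes. The two directive lists are an assumed subset of the gem's constants, and the audit rules are the author's own, not part of the gem.

```ruby
# Assumed subset of the gem's DIRECTIVES / NO_ARG_DIRECTIVES constants.
DIRECTIVES = %i[default_src script_src style_src img_src connect_src
                frame_ancestors base_uri form_action report_uri].freeze
NO_ARG_DIRECTIVES = %i[block_all_mixed_content upgrade_insecure_requests].freeze

# Same assembly rules as csp_policy: valued directives first, then bare CSP3
# directives that must be set to boolean true; sorted and joined with '; '.
def build_csp(options)
  directives = DIRECTIVES.select { |d| options.key?(d) }
                         .map { |d| "#{d.to_s.tr('_', '-')} #{options[d]}" }
  directives += NO_ARG_DIRECTIVES.select { |d| options[d] == true }
                                 .map { |d| d.to_s.tr('_', '-') }
  directives.sort.join('; ')
end

# Header name chosen from the middleware's :report_only option.
def csp_header_name(options)
  options[:report_only] ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
end

# Parse a serialized policy back into { 'directive-name' => [source, ...] }.
def parse_csp(header)
  header.split(';').map(&:strip).reject(&:empty?).each_with_object({}) do |directive, acc|
    name, *sources = directive.split(/\s+/)
    acc[name] = sources
  end
end

# Defender-side audit (hypothetical rules): report settings that weaken the
# policy's value against script injection and framing.
def audit_csp(header)
  policy = parse_csp(header)
  findings = []
  findings << 'no default-src fallback' unless policy.key?('default-src')
  script = policy['script-src'] || policy['default-src'] || []
  findings << "script-src allows 'unsafe-inline'" if script.include?("'unsafe-inline'")
  findings << "script-src allows 'unsafe-eval'" if script.include?("'unsafe-eval'")
  findings << 'script-src allows wildcard *' if script.include?('*')
  findings << 'no frame-ancestors (framing not restricted)' unless policy.key?('frame-ancestors')
  findings
end

# Constructed sample options: note block_all_mixed_content is ignored
# because its value is a String, not boolean true.
WEAK_OPTS = { default_src: "'self'", script_src: "'self' 'unsafe-inline'",
              upgrade_insecure_requests: true, block_all_mixed_content: 'yes' }.freeze
puts "#{csp_header_name(WEAK_OPTS)}: #{build_csp(WEAK_OPTS)}"
audit_csp(build_csp(WEAK_OPTS)).each { |f| puts "  finding: #{f}" }
```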