class Rack::Protection::ContentSecurityPolicy

Sets the 'Content-Security-Policy' header.

Prevented attack - XSS and others

Supported browsers - Firefox 23+, Safari 7+, Chrome 25+, Opera 15+

More info - W3C CSP Level 1 : www.w3.org/TR/CSP1/ (deprecated)
            W3C CSP Level 2 : www.w3.org/TR/CSP2/ (current)
            W3C CSP Level 3 : www.w3.org/TR/CSP3/ (draft)

Description - Content Security Policy, a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). Content Security Policy is a declarative policy that lets the authors (or server administrators) of a web application inform the client about the sources from which the application expects to load resources.

Options - ContentSecurityPolicy configuration is a complex topic with several levels of support that have evolved over time. See the W3C documentation and the links in the more info section for CSP usage examples and best practices. The CSP3 directives in the 'NO_ARG_DIRECTIVES' constant need to be presented in the options hash with a boolean 'true' in order to be used in a policy.
def call(env)
    def call(env)
      status, headers, body = @app.call(env)
      # Report-only mode sends violation reports without blocking anything
      header = options[:report_only] ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
      # Only HTML responses get a policy; a header the app already set is kept (||=)
      headers[header] ||= csp_policy if html?(headers)
      [status, headers, body]
    end
def csp_policy
    def csp_policy
      directives = []

      # Directives that take a value are rendered as "<name> <value>";
      # tr (not sub) so every underscore in a name becomes a dash
      DIRECTIVES.each do |d|
        if options.key?(d)
          directives << "#{d.to_s.tr('_', '-')} #{options[d]}"
        end
      end

      # Set these key values to boolean 'true' to include in policy
      NO_ARG_DIRECTIVES.each do |d|
        if options.key?(d) && options[d].is_a?(TrueClass)
          directives << d.to_s.tr('_', '-')
        end
      end

      directives.compact.sort.join('; ')
    end