class EzCSP
In the array attributes listed below, if the value 'none' is in the array, then all other values are ignored.
Attributes
all_src
  Array. all_src is a shortcut for indicating that a host is to be included in all other *_src arrays. By default, all_src consists of ['self'].

base_uri
  Array. Holds the list of base-uri hosts. By default, base_uri consists of ['none'].

block_all_mixed_content
  Boolean, defaults to true. Sets the value for block-all-mixed-content.

default_src
  Array. Holds the list of default-src hosts. By default, default_src is an empty array.

font_src
  By default nil. If an array, this attribute holds the list of hosts in font-src.

form_action
  Array. Holds the list of form-action hosts. By default, form_action consists of ['self'].

frame_ancestors
  Array. Holds the list of frame-ancestors hosts. By default, frame_ancestors consists of ['self'].
frame_src
  Array. Holds the list of frame-src hosts. By default, frame_src consists of ['self'].
img_src
  By default nil. If an array, this attribute holds the list of hosts in img-src.

object_src
  Array. Holds the list of object-src hosts. By default, object_src consists of ['none'].

report_to
  This attribute is used to set two different things. It sets the report-uri value, which is being phased out. It is also used in report_to_header_value to generate a Report-To HTTP header. See details in report_to_header_value.

report_to_group
  Sets the name of the report-to group in the Report-To HTTP header. Defaults to csp-endpoint. See details in report_to_header_value.

report_to_max_age
  Sets the maximum age of the group in the Report-To HTTP header. Defaults to 10886400.

script_src
  By default nil. If an array, this attribute holds the list of hosts in script-src.

style_src
  By default nil. If an array, this attribute holds the list of hosts in style-src.

upgrade_insecure_requests
  Boolean, defaults to nil. Sets the value for upgrade-insecure-requests. If this value is set (to true or false) then block_all_mixed_content is ignored.
Public Class Methods
new()

new() takes no parameters.

  # File lib/ezcsp.rb, line 107
  def initialize
    # $tm.hrm

    # all and default
    @all_src = ['self']
    @default_src = []

    # inherit from default
    @img_src = nil
    @script_src = nil
    @style_src = nil
    @font_src = nil
    @object_src = ['none']

    # do not inherit from default
    @frame_src = ['self']
    @frame_ancestors = ['self']
    @form_action = ['self']
    @base_uri = ['none']

    # booleans
    @block_all_mixed_content = true
    @upgrade_insecure_requests = nil
    @default_to_explicit = true

    # report_to
    @report_to = nil
    @report_to_group = 'csp-endpoint'
    @report_to_max_age = 10886400
  end
Public Instance Methods
cdn(uri, *srcs)

Adds a host to several source arrays at once. The first parameter is the host to add; the remaining parameters name the arrays to add it to, e.g. img_src. Only img_src, script_src, style_src, frame_src and font_src are recognized; any other name is silently ignored.

So, for example, this code:

  csp.cdn 'code.jquery.com', 'script_src', 'style_src'

adds code.jquery.com to the script_src and style_src arrays, creating those arrays if necessary. Note that a nil array is left out of the header entirely (so the browser falls back to default-src), while a created array is emitted with the all_src hosts prepended.
  # File lib/ezcsp.rb, line 271
  def cdn(uri, *srcs)
    # $tm.hrm

    # img
    if srcs.include?('img_src')
      @img_src ||= []
      @img_src.push uri
    end

    # script
    if srcs.include?('script_src')
      @script_src ||= []
      @script_src.push uri
    end

    # style
    if srcs.include?('style_src')
      @style_src ||= []
      @style_src.push uri
    end

    # frame
    if srcs.include?('frame_src')
      @frame_src ||= []
      @frame_src.push uri
    end

    # font
    if srcs.include?('font_src')
      @font_src ||= []
      @font_src.push uri
    end
  end
report_to_header_value()

Returns the value of a Report-To HTTP header. It is only useful if you set the report_to property. For example, if you set report_to like this:

  csp.report_to = 'https://www.example.com/csp'

then report_to_header_value returns a value like this:

  {"group":"csp-endpoint","max-age":10886400,"endpoints":[{"url":"https://www.example.com/csp"}]}

So, depending on how you set your HTTP headers, you might set the Report-To header like this:

  headers['Report-To'] = csp.report_to_header_value
  # JSON.generate below needs the json standard library
  require 'json'

  # File lib/ezcsp.rb, line 230
  def report_to_header_value
    # $tm.hrm

    # initialize value struct
    struct = {}

    # group name
    struct['group'] = @report_to_group

    # max age
    struct['max-age'] = @report_to_max_age

    # endpoints
    struct['endpoints'] = [{'url' => @report_to}]

    # return
    # return 'Report-To: ' + JSON.generate(struct)
    return JSON.generate(struct)
  end
to_s()

Returns the value of the Content-Security-Policy HTTP header. Note that this method only returns the value, i.e., the part after the colon in the HTTP header. If report_to is set, the value also carries report-uri and report-to directives.
  # File lib/ezcsp.rb, line 153
  def to_s
    # $tm.hrm

    # initialize return value
    rv = []

    # add some sources; the last argument says whether @all_src is prepended
    src_to_str rv, 'default-src', @default_src, true
    src_to_str rv, 'img-src', @img_src, true
    src_to_str rv, 'script-src', @script_src, true
    src_to_str rv, 'style-src', @style_src, true
    src_to_str rv, 'frame-src', @frame_src, true
    src_to_str rv, 'font-src', @font_src, true
    src_to_str rv, 'object-src', @object_src, true
    src_to_str rv, 'form-action', @form_action, false
    src_to_str rv, 'frame-ancestors', @frame_ancestors, false
    src_to_str rv, 'base-uri', @base_uri, false

    # block all mixed content, unless upgrade-insecure-requests was set
    if @upgrade_insecure_requests.nil?
      if @block_all_mixed_content
        rv.push 'block-all-mixed-content'
      end
    else
      if @upgrade_insecure_requests
        rv.push 'upgrade-insecure-requests'
      end
    end

    # report-uri
    if @report_to
      rv.push 'report-uri ' + @report_to
      rv.push 'report-to ' + @report_to_group
    end

    # initialize return string
    rv_str = rv.join('; ')

    # collapse whitespace
    rv_str.sub!(/\A\s+/imu, '')
    rv_str.sub!(/\s+\z/imu, '')
    rv_str.gsub!(/\s+/imu, ' ')

    # add trailing semicolon
    if rv_str.length > 0
      rv_str += ';'
    end

    # return
    return rv_str
  end
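As an added example (not part of EzCSP), here is a parser for the header value to_s produces and a small audit of the settings the class defaults to for safety. SAMPLE_CSP and WEAK_CSP are constructed inputs; SAMPLE_CSP assumes that 'self' and 'none' are among the keywords src_to_str single-quotes.

```ruby
# Added example, not part of EzCSP: parse a Content-Security-Policy header
# value of the shape EzCSP#to_s emits, then audit it for the settings the
# class defaults to (object-src and base-uri 'none', a frame-ancestors
# directive, no 'unsafe-inline' or bare wildcard in script-src).

# Constructed sample: what to_s returns for a default EzCSP after
#   csp.cdn 'code.jquery.com', 'script_src', 'style_src'
# assuming 'self' and 'none' are among the keywords the class single-quotes.
SAMPLE_CSP = "default-src 'self'; script-src 'self' code.jquery.com; " \
             "style-src 'self' code.jquery.com; frame-src 'self'; " \
             "object-src 'none'; form-action 'self'; frame-ancestors 'self'; " \
             "base-uri 'none'; block-all-mixed-content;"

# Constructed weak policy for comparison.
WEAK_CSP = "default-src *; script-src 'unsafe-inline' *; frame-ancestors *;"

# Split a header value into { directive => [sources] }. Directives are
# separated by ';' and sources by whitespace; a directive with no sources
# (block-all-mixed-content) maps to []. When a directive name repeats,
# the first occurrence wins, as the CSP spec requires of browsers.
def parse_csp(value)
  policy = {}
  value.split(';').each do |directive|
    name, *sources = directive.strip.split(/\s+/)
    next if name.nil? || name.empty?
    policy[name.downcase] ||= sources
  end
  policy
end

# Return the list of findings; an empty list means the policy passes.
def audit_csp(policy)
  findings = []
  %w[object-src base-uri].each do |d|
    findings << "#{d} is not 'none'" unless policy[d] == ["'none'"]
  end
  ancestors = policy['frame-ancestors']
  findings << 'frame-ancestors missing or *' if ancestors.nil? || ancestors.include?('*')
  # script-src falls back to default-src when absent, so audit whichever applies
  script = policy['script-src'] || policy['default-src'] || []
  findings << "script-src allows 'unsafe-inline'" if script.include?("'unsafe-inline'")
  findings << 'script-src allows any host (*)' if script.include?('*')
  findings
end

if __FILE__ == $0
  p audit_csp(parse_csp(SAMPLE_CSP))   # => []
  p audit_csp(parse_csp(WEAK_CSP))
end
```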
Private Instance Methods
src_to_str(rv, key, src, use_all)

  # File lib/ezcsp.rb, line 318
  def src_to_str(rv, key, src, use_all)
    # $tm.hrm
    # $tm.debug key
    # $tm.debug src

    # early exit: if nil, nothing to do (the directive is left out of the header)
    src.nil? and return

    # new src
    srcs = []

    # special case: if src includes "none", every other value is ignored
    if src.include?('none')
      src = ['none']
    else
      # add @all_src if necessary
      if use_all and @all_src
        srcs += @all_src
      end
    end

    # add src
    srcs += src

    # map some values so that they have single quotes
    # (@@quote_values is a class variable holding the CSP keywords to quote;
    # it is defined elsewhere in lib/ezcsp.rb and not shown on this page)
    srcs.map! do |itm|
      if @@quote_values.include?(itm)
        itm = "'#{itm}'"
      end

      # Collapse spaces, which actually shouldn't be there to begin with.
      # Doing so helps avoid HTTP header injection.
      itm = itm.gsub(/\s+/mu, ' ')
      itm
    end

    # add to return values
    rv.push key + ' ' + srcs.uniq.join(' ')
  end