Action Dispatch Content Security Policy
Configures the HTTP [Content-Security-Policy] (developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) response header to help protect against XSS and injection attacks.
Example global policy:
Rails.application.config.content_security_policy do |policy|
policy.default_src :self, :https
policy.font_src :self, :https, :data
policy.img_src :self, :https, :data
policy.object_src :none
policy.script_src :self, :https
policy.style_src :self, :https
# Specify URI for violation reports
policy.report_uri "/csp-violation-report-endpoint"
end
Namespace
Module
Class
Methods
- block_all_mixed_content
- build
- initialize_copy
- new
- plugin_types
- report_uri
- require_sri_for
- sandbox
- upgrade_insecure_requests
Attributes
[R] | directives |
Class Public methods
new()
📝 Source code
# File actionpack/lib/action_dispatch/http/content_security_policy.rb, line 177
def initialize
@directives = {}
yield self if block_given?
end
🔎 See on GitHub
Instance Public methods
block_all_mixed_content(enabled = true)
Specify whether to prevent the user agent from loading any assets over HTTP when the page uses HTTPS:
policy.block_all_mixed_content
Pass false
to allow it again:
policy.block_all_mixed_content false
📝 Source code
# File actionpack/lib/action_dispatch/http/content_security_policy.rb, line 205
def block_all_mixed_content(enabled = true)
if enabled
@directives["block-all-mixed-content"] = true
else
@directives.delete("block-all-mixed-content")
end
end
🔎 See on GitHub
build(context = nil, nonce = nil, nonce_directives = nil)
📝 Source code
# File actionpack/lib/action_dispatch/http/content_security_policy.rb, line 297
def build(context = nil, nonce = nil, nonce_directives = nil)
nonce_directives = DEFAULT_NONCE_DIRECTIVES if nonce_directives.nil?
build_directives(context, nonce, nonce_directives).compact.join("; ")
end
🔎 See on GitHub
initialize_copy(other)
📝 Source code
# File actionpack/lib/action_dispatch/http/content_security_policy.rb, line 182
def initialize_copy(other)
@directives = other.directives.deep_dup
end
🔎 See on GitHub
plugin_types(*types)
Restricts the set of plugins that can be embedded:
policy.plugin_types "application/x-shockwave-flash"
Leave empty to allow all plugins:
policy.plugin_types
📝 Source code
# File actionpack/lib/action_dispatch/http/content_security_policy.rb, line 221
def plugin_types(*types)
if types.first
@directives["plugin-types"] = types
else
@directives.delete("plugin-types")
end
end
🔎 See on GitHub
report_uri(uri)
Enable the [report-uri] (developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri) directive. Violation reports will be sent to the specified URI:
policy.report_uri "/csp-violation-report-endpoint"
📝 Source code
# File actionpack/lib/action_dispatch/http/content_security_policy.rb, line 236
def report_uri(uri)
@directives["report-uri"] = [uri]
end
🔎 See on GitHub
require_sri_for(*types)
Specify asset types for which [Subresource Integrity] (developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is required:
policy.require_sri_for :script, :style
Leave empty to not require Subresource Integrity:
policy.require_sri_for
📝 Source code
# File actionpack/lib/action_dispatch/http/content_security_policy.rb, line 249
def require_sri_for(*types)
if types.first
@directives["require-sri-for"] = types
else
@directives.delete("require-sri-for")
end
end
🔎 See on GitHub
sandbox(*values)
Specify whether a [sandbox] (developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox) should be enabled for the requested resource:
policy.sandbox
Values can be passed as arguments:
policy.sandbox "allow-scripts", "allow-modals"
Pass false
to disable the sandbox:
policy.sandbox false
📝 Source code
# File actionpack/lib/action_dispatch/http/content_security_policy.rb, line 271
def sandbox(*values)
if values.empty?
@directives["sandbox"] = true
elsif values.first
@directives["sandbox"] = values
else
@directives.delete("sandbox")
end
end
🔎 See on GitHub
upgrade_insecure_requests(enabled = true)
Specify whether user agents should treat any assets over HTTP as HTTPS:
policy.upgrade_insecure_requests
Pass false
to disable it:
policy.upgrade_insecure_requests false
📝 Source code
# File actionpack/lib/action_dispatch/http/content_security_policy.rb, line 289
def upgrade_insecure_requests(enabled = true)
if enabled
@directives["upgrade-insecure-requests"] = true
else
@directives.delete("upgrade-insecure-requests")
end
end
🔎 See on GitHub