Action Dispatch Content Security Policy

Configures the HTTP [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) response header, which tells the browser which sources scripts, styles, images and other subresources may be loaded from. It limits what an attacker can do with a cross-site scripting (XSS) or content-injection bug but does not remove the bug itself.

Example global policy:

Rails.application.config.content_security_policy do |policy|
  policy.default_src :self, :https
  policy.font_src    :self, :https, :data
  policy.img_src     :self, :https, :data
  policy.object_src  :none
  policy.script_src  :self, :https
  policy.style_src   :self, :https

  # Specify URI for violation reports
  policy.report_uri "/csp-violation-report-endpoint"
end
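The following is an added example, not Rails code and not part of the original page: a small parser and linter for a serialized Content-Security-Policy value. It runs against a header string constructed to match what the global policy above serializes to (Rails maps :self to 'self', :https to https:, :data to data:, :none to 'none', and joins directives with "; "). The point it makes is that the example policy, while a reasonable starting point, still allows scripts from any HTTPS origin (https: in script-src) and sets no base-uri, two findings a CSP review normally raises; the lint rules and their wording are this example's own.

```ruby
# Added example: parse a serialized Content-Security-Policy value and flag
# settings that weaken XSS protection. Not Rails code. The header below is a
# constructed string matching what the page's global policy serializes to.

# Constructed sample input (not captured from a running application).
EXAMPLE_HEADER = "default-src 'self' https:; font-src 'self' https: data:; " \
                 "img-src 'self' https: data:; object-src 'none'; " \
                 "script-src 'self' https:; style-src 'self' https:; " \
                 "report-uri /csp-violation-report-endpoint".freeze

# Parse "name v1 v2; name2 v3" into { "name" => ["v1", "v2"], ... }.
# Directive names are case-insensitive; when a directive is repeated the
# browser honours only the first occurrence, so the parser does the same.
def parse_csp(header)
  header.split(";").each_with_object({}) do |chunk, directives|
    tokens = chunk.strip.split(/\s+/)
    next if tokens.empty? || tokens.first.empty?
    name = tokens.shift.downcase
    directives[name] ||= tokens
  end
end

# Source list that actually applies to a fetch directive: its own list if
# present, otherwise the default-src fallback, otherwise nothing.
def effective_sources(directives, name)
  directives[name] || directives["default-src"] || []
end

# Return findings as strings; an empty array means no obvious weakness.
def lint_csp(header)
  d = parse_csp(header)
  findings = []
  script = effective_sources(d, "script-src")

  # 'unsafe-inline' is ignored by CSP3 browsers once a nonce or hash is present,
  # so only flag it when nothing overrides it.
  if script.include?("'unsafe-inline'") && script.none? { |s| s.start_with?("'nonce-", "'sha") }
    findings << "script-src allows 'unsafe-inline' with no nonce or hash to override it"
  end
  findings << "script-src allows 'unsafe-eval'" if script.include?("'unsafe-eval'")
  if script.any? { |s| %w[* https: http:].include?(s) }
    findings << "script-src allows scripts from any host (scheme or wildcard source)"
  end
  unless effective_sources(d, "object-src").include?("'none'")
    findings << "object-src is not 'none' (plugin content can still be embedded)"
  end
  unless d.key?("base-uri")
    findings << "base-uri is not set (an injected <base> tag can retarget relative script URLs)"
  end
  unless d.key?("report-uri") || d.key?("report-to")
    findings << "no report-uri or report-to, so violations go unobserved"
  end
  findings
end
```

Running lint_csp(EXAMPLE_HEADER) reports the https: source in script-src and the missing base-uri; tightening the policy to policy.script_src :self plus a nonce, and adding policy.base_uri :self, clears both.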

Attributes

[R] directives

Class Public methods

new()

Creates a policy with no directives. When a block is given, the new policy is yielded to it so directives can be set inline, which is how the global policy example above is written.

# File actionpack/lib/action_dispatch/http/content_security_policy.rb, line 177
    def initialize
      @directives = {}
      yield self if block_given?
    end

Instance Public methods

block_all_mixed_content(enabled = true)

Specify whether the user agent should refuse to load any subresource over plain HTTP when the page itself was served over HTTPS. The block-all-mixed-content directive is deprecated in CSP3; current browsers block or upgrade mixed content on their own, and upgrade_insecure_requests is the directive to prefer for new policies:

policy.block_all_mixed_content

Pass false to allow it again:

policy.block_all_mixed_content false
# File actionpack/lib/action_dispatch/http/content_security_policy.rb, line 205
    def block_all_mixed_content(enabled = true)
      if enabled
        @directives["block-all-mixed-content"] = true
      else
        @directives.delete("block-all-mixed-content")
      end
    end

build(context = nil, nonce = nil, nonce_directives = nil)

Serializes the directives into a single header value, joining them with "; ". When a nonce is given it is appended as a 'nonce-<value>' source to each directive named in nonce_directives, which defaults to script-src and style-src (DEFAULT_NONCE_DIRECTIVES). context is the request context that source lambdas (proc values in a directive) are evaluated against.

# File actionpack/lib/action_dispatch/http/content_security_policy.rb, line 297
    def build(context = nil, nonce = nil, nonce_directives = nil)
      nonce_directives = DEFAULT_NONCE_DIRECTIVES if nonce_directives.nil?
      build_directives(context, nonce, nonce_directives).compact.join("; ")
    end

initialize_copy(other)

Called by dup and clone. Deep-copies the directives hash so that a per-controller or per-request copy of the policy can be changed without mutating the global policy it was copied from.

# File actionpack/lib/action_dispatch/http/content_security_policy.rb, line 182
    def initialize_copy(other)
      @directives = other.directives.deep_dup
    end

plugin_types(*types)

Restricts the set of plugin MIME types that can be embedded:

policy.plugin_types "application/x-shockwave-flash"

Leave empty to remove the directive, which allows all plugins:

policy.plugin_types

The plugin-types directive is deprecated and ignored by current browsers; setting object_src :none, as in the global policy example above, is the supported way to block plugin content.
# File actionpack/lib/action_dispatch/http/content_security_policy.rb, line 221
    def plugin_types(*types)
      if types.first
        @directives["plugin-types"] = types
      else
        @directives.delete("plugin-types")
      end
    end

report_uri(uri)

Enable the [report-uri](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri) directive. The browser POSTs a JSON violation report to the specified URI; only one URI is stored, so a second call replaces the first. report-uri is deprecated in CSP3 in favour of report-to but remains the more widely supported of the two:

policy.report_uri "/csp-violation-report-endpoint"
# File actionpack/lib/action_dispatch/http/content_security_policy.rb, line 236
    def report_uri(uri)
      @directives["report-uri"] = [uri]
    end
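An added example, not Rails code and not part of this page: a Rack-compatible endpoint that could sit behind the report_uri above. Browsers send the report as a POST with a JSON body of the form {"csp-report": {...}} and no CSRF token, so in a Rails app the route must skip forgery protection; the endpoint below validates size and shape, drops reports caused by browser extensions rather than the application, and hands the rest to a caller-supplied sink. The noise list, size limit and field selection are this example's choices, the sample report is constructed, and the Rack gem is not needed because the env hash is built inline.

```ruby
# Added example, not Rails code: a Rack-compatible endpoint for a CSP
# report-uri. Validates and normalizes the browser's JSON report, discards
# reports that are not actionable, and logs the rest via a supplied sink.
# The Rack gem is not required; the env hash used here is constructed inline.

require "json"
require "stringio"

# blocked-uri values produced by browser extensions or internals rather than
# by content the application served (assumed noise list for this example).
NOISE_URIS = %w[about chrome-extension moz-extension safari-extension].freeze
MAX_BODY_BYTES = 16 * 1024  # genuine reports are a few hundred bytes

# Reduce one report (report-uri wire format: {"csp-report": {...}}) to the
# fields worth storing, or nil when it is malformed or noise.
def normalize_csp_report(body)
  parsed = JSON.parse(body)
  report = parsed.is_a?(Hash) ? parsed["csp-report"] : nil
  return nil unless report.is_a?(Hash)

  blocked = report["blocked-uri"].to_s
  return nil if NOISE_URIS.any? { |s| blocked == s || blocked.start_with?("#{s}:") }

  {
    document_uri: report["document-uri"].to_s,
    directive:    (report["effective-directive"] || report["violated-directive"]).to_s,
    blocked_uri:  blocked,
    # the sample can carry attacker-controlled text: truncate, and treat as
    # untrusted wherever it is later displayed
    sample:       report["script-sample"].to_s[0, 80]
  }
rescue JSON::ParserError
  nil
end

# Minimal Rack app. Always answers 204 to a well-formed POST: a report the
# app chooses to ignore is not a client error, and the body is never echoed.
class CspReportEndpoint
  def initialize(sink)
    @sink = sink  # any object responding to #<< (logger, queue, array)
  end

  def call(env)
    return [405, { "content-type" => "text/plain" }, ["POST only"]] unless env["REQUEST_METHOD"] == "POST"
    return [413, { "content-type" => "text/plain" }, ["too large"]] if env["CONTENT_LENGTH"].to_i > MAX_BODY_BYTES

    body = env["rack.input"].read(MAX_BODY_BYTES + 1).to_s
    return [413, { "content-type" => "text/plain" }, ["too large"]] if body.bytesize > MAX_BODY_BYTES

    record = normalize_csp_report(body)
    @sink << record if record
    [204, {}, []]
  end
end

# Constructed sample report (not a real capture) in the report-uri format.
SAMPLE_REPORT = JSON.generate({ "csp-report" => {
  "document-uri"        => "https://app.example/orders/42",
  "violated-directive"  => "script-src 'self'",
  "effective-directive" => "script-src",
  "blocked-uri"         => "inline",
  "script-sample"       => "alert(document.cookie)"
} })

# Drive the app the way a Rack server would for a browser-sent report.
def post_report(app, json)
  app.call({ "REQUEST_METHOD" => "POST",
             "CONTENT_TYPE"   => "application/csp-report",
             "CONTENT_LENGTH" => json.bytesize.to_s,
             "rack.input"     => StringIO.new(json) })
end
```

Mounting this as a Rack app (or porting normalize_csp_report into a controller action with forgery protection skipped) gives a feed where an "inline" blocked-uri for script-src on a page that should have no inline script is the signal worth alerting on.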

require_sri_for(*types)

Specify asset types for which [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is required, so that a script or stylesheet without an integrity attribute is refused. The require-sri-for directive was experimental, never shipped by default, and has since been dropped from the specification; current browsers do not enforce it, so it cannot be relied on as a control:

policy.require_sri_for :script, :style

Leave empty to not require Subresource Integrity:

policy.require_sri_for
# File actionpack/lib/action_dispatch/http/content_security_policy.rb, line 249
    def require_sri_for(*types)
      if types.first
        @directives["require-sri-for"] = types
      else
        @directives.delete("require-sri-for")
      end
    end

sandbox(*values)

Specify whether a [sandbox](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox) should be applied to the requested resource. With no values every restriction applies (no script, no forms, no popups, and an opaque origin), which is appropriate for responses that serve user-supplied content but will break an application's own pages:

policy.sandbox

Values can be passed as arguments:

policy.sandbox "allow-scripts", "allow-modals"

Pass false to disable the sandbox:

policy.sandbox false
# File actionpack/lib/action_dispatch/http/content_security_policy.rb, line 271
    def sandbox(*values)
      if values.empty?
        @directives["sandbox"] = true
      elsif values.first
        @directives["sandbox"] = values
      else
        @directives.delete("sandbox")
      end
    end

upgrade_insecure_requests(enabled = true)

Specify whether the user agent should rewrite insecure (HTTP) URLs for this page's subresources and navigations to HTTPS before fetching them, which is the usual way to clean up mixed content on a site that has moved to HTTPS:

policy.upgrade_insecure_requests

Pass false to disable it:

policy.upgrade_insecure_requests false
# File actionpack/lib/action_dispatch/http/content_security_policy.rb, line 289
    def upgrade_insecure_requests(enabled = true)
      if enabled
        @directives["upgrade-insecure-requests"] = true
      else
        @directives.delete("upgrade-insecure-requests")
      end
    end