sinatra/rack-protection/lib/rack/protection/content_security_policy.rb

# -*- coding: utf-8 -*-
require 'rack/protection'

module Rack
  module Protection
    ##
    # Prevented attack::   XSS and others
    # Supported browsers:: Firefox 23+, Safari 7+, Chrome 25+, Opera 15+
    #
    # Description:: Content Security Policy, a mechanism web applications
    #               can use to mitigate a broad class of content injection
    #               vulnerabilities, such as cross-site scripting (XSS).
    #               Content Security Policy is a declarative policy that lets
    #               the authors (or server administrators) of a web application
    #               inform the client about the sources from which the
    #               application expects to load resources.
    #
    # More info::   W3C CSP Level 1 : https://www.w3.org/TR/CSP1/ (deprecated)
    #               W3C CSP Level 2 : https://www.w3.org/TR/CSP2/ (current)
    #               W3C CSP Level 3 : https://www.w3.org/TR/CSP3/ (draft)
    #               https://developer.mozilla.org/en-US/docs/Web/Security/CSP
    #               http://caniuse.com/#search=ContentSecurityPolicy
    #               http://content-security-policy.com/
    #               https://securityheaders.io
    #               https://scotthelme.co.uk/csp-cheat-sheet/
    #               http://www.html5rocks.com/en/tutorials/security/content-security-policy/
    #
    # Sets the 'Content-Security-Policy[-Report-Only]' header.
    #
    # Options: ContentSecurityPolicy configuration is a complex topic with
    #          several levels of support that has evolved over time.
    #          See the W3C documentation and the links in the more info
    #          section for CSP usage examples and best practices. The
    #          CSP3 directives in the 'NO_ARG_DIRECTIVES' constant need to be
    #          presented in the options hash with a boolean 'true' in order
    #          to be used in a policy.
    #
    class ContentSecurityPolicy < Base
      default_options default_src: "'self'", report_only: false

      DIRECTIVES = %i(base_uri child_src connect_src default_src
                      font_src form_action frame_ancestors frame_src
                      img_src manifest_src media_src object_src
                      plugin_types referrer reflected_xss report_to
                      report_uri require_sri_for sandbox script_src
                      style_src worker_src webrtc_src navigate_to
                      prefetch_src).freeze

      NO_ARG_DIRECTIVES = %i(block_all_mixed_content disown_opener
                             upgrade_insecure_requests).freeze

      def csp_policy
        directives = []

        DIRECTIVES.each do |d|
          if options.key?(d)
            directives << "#{d.to_s.sub(/_/, '-')} #{options[d]}"
          end
        end

        # Set these key values to boolean 'true' to include in policy
        NO_ARG_DIRECTIVES.each do |d|
          if options.key?(d) && options[d].is_a?(TrueClass)
            directives << d.to_s.tr('_', '-')
          end
        end

        directives.compact.sort.join('; ')
      end

      def call(env)
        status, headers, body = @app.call(env)
        header = options[:report_only] ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
        headers[header] ||= csp_policy if html? headers
        [status, headers, body]
      end
    end
  end
end
added content security policies 2014-02-21 06:50:44 -05:00			`# -- coding: utf-8 --`
			`require 'rack/protection'`

			`module Rack`
			`module Protection`
			`##`
			`# Prevented attack:: XSS and others`
			`# Supported browsers:: Firefox 23+, Safari 7+, Chrome 25+, Opera 15+`
			`#`
Fixes #1201, Modernize Rack::Protection::ContentSecurityPolicy Adds complete set of directives that are currently supported by browsers that support CSP Level 2 and Level 3 (draft). Also supports directives that don't take any arguments. The directives in the content security policy output are now sorted. 2016-11-07 02:43:09 -05:00			`# Description:: Content Security Policy, a mechanism web applications`
			`# can use to mitigate a broad class of content injection`
			`# vulnerabilities, such as cross-site scripting (XSS).`
			`# Content Security Policy is a declarative policy that lets`
			`# the authors (or server administrators) of a web application`
			`# inform the client about the sources from which the`
			`# application expects to load resources.`
added content security policies 2014-02-21 06:50:44 -05:00			`#`
Fixes #1201, Modernize Rack::Protection::ContentSecurityPolicy Adds complete set of directives that are currently supported by browsers that support CSP Level 2 and Level 3 (draft). Also supports directives that don't take any arguments. The directives in the content security policy output are now sorted. 2016-11-07 02:43:09 -05:00			`# More info:: W3C CSP Level 1 : https://www.w3.org/TR/CSP1/ (deprecated)`
			`# W3C CSP Level 2 : https://www.w3.org/TR/CSP2/ (current)`
			`# W3C CSP Level 3 : https://www.w3.org/TR/CSP3/ (draft)`
			`# https://developer.mozilla.org/en-US/docs/Web/Security/CSP`
			`# http://caniuse.com/#search=ContentSecurityPolicy`
			`# http://content-security-policy.com/`
			`# https://securityheaders.io`
			`# https://scotthelme.co.uk/csp-cheat-sheet/`
			`# http://www.html5rocks.com/en/tutorials/security/content-security-policy/`
added content security policies 2014-02-21 06:50:44 -05:00			`#`
Fixes #1201, Modernize Rack::Protection::ContentSecurityPolicy Adds complete set of directives that are currently supported by browsers that support CSP Level 2 and Level 3 (draft). Also supports directives that don't take any arguments. The directives in the content security policy output are now sorted. 2016-11-07 02:43:09 -05:00			`# Sets the 'Content-Security-Policy[-Report-Only]' header.`
added content security policies 2014-02-21 06:50:44 -05:00			`#`
Fixes #1201, Modernize Rack::Protection::ContentSecurityPolicy Adds complete set of directives that are currently supported by browsers that support CSP Level 2 and Level 3 (draft). Also supports directives that don't take any arguments. The directives in the content security policy output are now sorted. 2016-11-07 02:43:09 -05:00			`# Options: ContentSecurityPolicy configuration is a complex topic with`
			`# several levels of support that has evolved over time.`
			`# See the W3C documentation and the links in the more info`
			`# section for CSP usage examples and best practices. The`
			`# CSP3 directives in the 'NO_ARG_DIRECTIVES' constant need to be`
			`# presented in the options hash with a boolean 'true' in order`
			`# to be used in a policy.`
added content security policies 2014-02-21 06:50:44 -05:00			`#`
			`class ContentSecurityPolicy < Base`
Allow CSP to fallback to default-src (#1490) * Allow content source to fallback to default-src Remove defaults for script-src, style-src, connect-src, and img-src so that they can fallback to default-src. The default for default-src has been changed from 'none' to 'self'. This seems to be a safe default especially as browsers implement prefetch-src. If stricter policies are needed they can be specified when loading this middleware. * Add support for webrtc-src, navigate-to, and prefetch-src directives 2020-03-13 17:07:34 -04:00			`default_options default_src: "'self'", report_only: false`
Fixes #1201, Modernize Rack::Protection::ContentSecurityPolicy Adds complete set of directives that are currently supported by browsers that support CSP Level 2 and Level 3 (draft). Also supports directives that don't take any arguments. The directives in the content security policy output are now sorted. 2016-11-07 02:43:09 -05:00
Use %i() sigil for ContentSecurityPolicy constants 2016-11-22 03:36:35 -05:00			`DIRECTIVES = %i(base_uri child_src connect_src default_src`
			`font_src form_action frame_ancestors frame_src`
			`img_src manifest_src media_src object_src`
			`plugin_types referrer reflected_xss report_to`
			`report_uri require_sri_for sandbox script_src`
Allow CSP to fallback to default-src (#1490) * Allow content source to fallback to default-src Remove defaults for script-src, style-src, connect-src, and img-src so that they can fallback to default-src. The default for default-src has been changed from 'none' to 'self'. This seems to be a safe default especially as browsers implement prefetch-src. If stricter policies are needed they can be specified when loading this middleware. * Add support for webrtc-src, navigate-to, and prefetch-src directives 2020-03-13 17:07:34 -04:00			`style_src worker_src webrtc_src navigate_to`
			`prefetch_src).freeze`
Fixes #1201, Modernize Rack::Protection::ContentSecurityPolicy Adds complete set of directives that are currently supported by browsers that support CSP Level 2 and Level 3 (draft). Also supports directives that don't take any arguments. The directives in the content security policy output are now sorted. 2016-11-07 02:43:09 -05:00
Use %i() sigil for ContentSecurityPolicy constants 2016-11-22 03:36:35 -05:00			`NO_ARG_DIRECTIVES = %i(block_all_mixed_content disown_opener`
			`upgrade_insecure_requests).freeze`
Fixes #1201, Modernize Rack::Protection::ContentSecurityPolicy Adds complete set of directives that are currently supported by browsers that support CSP Level 2 and Level 3 (draft). Also supports directives that don't take any arguments. The directives in the content security policy output are now sorted. 2016-11-07 02:43:09 -05:00
			`def csp_policy`
			`directives = []`

			`DIRECTIVES.each do \|d\|`
			`if options.key?(d)`
			`directives << "#{d.to_s.sub(/_/, '-')} #{options[d]}"`
			`end`
			`end`
added content security policies 2014-02-21 06:50:44 -05:00
Fixes #1201, Modernize Rack::Protection::ContentSecurityPolicy Adds complete set of directives that are currently supported by browsers that support CSP Level 2 and Level 3 (draft). Also supports directives that don't take any arguments. The directives in the content security policy output are now sorted. 2016-11-07 02:43:09 -05:00			`# Set these key values to boolean 'true' to include in policy`
			`NO_ARG_DIRECTIVES.each do \|d\|`
			`if options.key?(d) && options[d].is_a?(TrueClass)`
Use `tr` instead of `gsub` 2020-02-18 17:19:52 -05:00			`directives << d.to_s.tr('_', '-')`
Fixes #1201, Modernize Rack::Protection::ContentSecurityPolicy Adds complete set of directives that are currently supported by browsers that support CSP Level 2 and Level 3 (draft). Also supports directives that don't take any arguments. The directives in the content security policy output are now sorted. 2016-11-07 02:43:09 -05:00			`end`
			`end`
added content security policies 2014-02-21 06:50:44 -05:00
Fixes #1201, Modernize Rack::Protection::ContentSecurityPolicy Adds complete set of directives that are currently supported by browsers that support CSP Level 2 and Level 3 (draft). Also supports directives that don't take any arguments. The directives in the content security policy output are now sorted. 2016-11-07 02:43:09 -05:00			`directives.compact.sort.join('; ')`
added content security policies 2014-02-21 06:50:44 -05:00			`end`

			`def call(env)`
			`status, headers, body = @app.call(env)`
			`header = options[:report_only] ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'`
Fixes #1201, Modernize Rack::Protection::ContentSecurityPolicy Adds complete set of directives that are currently supported by browsers that support CSP Level 2 and Level 3 (draft). Also supports directives that don't take any arguments. The directives in the content security policy output are now sorted. 2016-11-07 02:43:09 -05:00			`headers[header] \|\|= csp_policy if html? headers`
added content security policies 2014-02-21 06:50:44 -05:00			`[status, headers, body]`
			`end`
			`end`
			`end`
			`end`