kotovalexarian-likes-github/sinatra
1
0
Fork 0
mirror of https://github.com/sinatra/sinatra synced 2023-03-27 23:18:01 -04:00
Code Releases Activity
sinatra/rack-protection/lib/rack/protection/content_security_policy.rb
Vasiliy 8ae87a87f3
Setup Rubocop (#1537) 
* Initialize rubocop

* Style/StringLiterals: prefer single quotes

* Style/AndOr: use `&&` and `||`, instead of `and` and `or`

* Style/HashSyntax: use new hash syntax

* Layout/EmptyLineAfterGuardClause: add empty lines after guard clause

* Style/SingleLineMethods: temporary disable

It breaks layout of the code, it is better to fix it manually

* Style/Proc: prefer `proc` vs `Proc.new`

* Disable Lint/AmbiguousBlockAssociation

It affects proc definitions for sinatra DSL

* Disable Style/CaseEquality

* Lint/UnusedBlockArgument: put underscore in front of it

* Style/Alias: prefer alias vs alias_method in a class body

* Layout/EmptyLineBetweenDefs: add empty lines between defs

* Style/ParallelAssignment: don't use parallel assigment

* Style/RegexpLiteral: prefer %r for regular expressions

* Naming/UncommunicativeMethodParamName: fix abbrevs

* Style/PerlBackrefs: disable cop

* Layout/SpaceAfterComma: add missing spaces

* Style/Documentation: disable cop

* Style/FrozenStringLiteralComment: add frozen_string_literal

* Layout/AlignHash: align hash

* Layout/ExtraSpacing: allow for alignment

* Layout/SpaceAroundOperators: add missing spaces

* Style/Not: prefer `!` instead of `not`

* Style/GuardClause: add guard conditions

* Style/MutableConstant: freeze contants

* Lint/IneffectiveAccessModifier: disable cop

* Lint/RescueException: disable cop

* Style/SpecialGlobalVars: disable cop

* Layout/DotPosition: fix position of dot for multiline method chains

* Layout/SpaceInsideArrayLiteralBrackets: don't use spaces inside arrays

* Layout/SpaceInsideBlockBraces: add space for blocks

* Layout/SpaceInsideHashLiteralBraces: add spaces for hashes

* Style/FormatString: use format string syntax

* Style/StderrPuts: `warn` is preferable to `$stderr.puts`

* Bundler/DuplicatedGem: disable cop

* Layout/AlignArray: fix warning

* Lint/AssignmentInCondition: remove assignments from conditions

* Layout/IndentHeredoc: disable cop

* Layout/SpaceInsideParens: remove extra spaces

* Lint/UnusedMethodArgument: put underscore in front of unused arg

* Naming/RescuedExceptionsVariableName: use `e` for exceptions

* Style/CommentedKeyword: put comments before the method

* Style/FormatStringToken: disable cop

* Style/MultilineIfModifier: move condition before the method

* Style/SignalException: prefer `raise` to `fail`

* Style/SymbolArray: prefer %i for array of symbols

* Gemspec/OrderedDependencies: Use alphabetical order for dependencies

* Lint/UselessAccessModifier: disable cop

* Naming/HeredocDelimiterNaming: change delimiter's name

* Style/ClassCheck: prefer `is_a?` to `kind_of?`

* Style/ClassVars: disable cop

* Style/Encoding: remove coding comment

* Style/RedundantParentheses: remove extra parentheses

* Style/StringLiteralsInInterpolation: prefer singl quotes

* Layout/AlignArguments: fix alignment

* Layout/ClosingHeredocIndentation: align heredoc

* Layout/EmptyLineAfterMagicComment: add empty line

* Set RubyVersion for rubocop

* Lint/UselessAssignment: disable cop

* Style/EmptyLiteral: disable cop

Causes test failures

* Minor code-style fixes with --safe-auto-correct option

* Disable the rest of the cops that cause warnings

It would be easier to re-enable them in separate PRs

* Add rubocop check to the default Rake task

* Update to rubocop 1.32.0

* Rubocop updates for rack-protection and sinatra-contrib

* Disable Style/SlicingWithRange cop

* Make suggested updates

Co-authored-by: Jordan Owens <jkowens@gmail.com>
2022-07-31 08:56:44 -04:00

80 lines
3.3 KiB
Ruby
Raw Permalink Blame History

# frozen_string_literal: true
require 'rack/protection'
module Rack
module Protection
##
# Prevented attack:: XSS and others
# Supported browsers:: Firefox 23+, Safari 7+, Chrome 25+, Opera 15+
#
# Description:: Content Security Policy, a mechanism web applications
# can use to mitigate a broad class of content injection
# vulnerabilities, such as cross-site scripting (XSS).
# Content Security Policy is a declarative policy that lets
# the authors (or server administrators) of a web application
# inform the client about the sources from which the
# application expects to load resources.
#
# More info:: W3C CSP Level 1 : https://www.w3.org/TR/CSP1/ (deprecated)
# W3C CSP Level 2 : https://www.w3.org/TR/CSP2/ (current)
# W3C CSP Level 3 : https://www.w3.org/TR/CSP3/ (draft)
# https://developer.mozilla.org/en-US/docs/Web/Security/CSP
# http://caniuse.com/#search=ContentSecurityPolicy
# http://content-security-policy.com/
# https://securityheaders.io
# https://scotthelme.co.uk/csp-cheat-sheet/
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
#
# Sets the 'Content-Security-Policy[-Report-Only]' header.
#
# Options: ContentSecurityPolicy configuration is a complex topic with
# several levels of support that has evolved over time.
# See the W3C documentation and the links in the more info
# section for CSP usage examples and best practices. The
# CSP3 directives in the 'NO_ARG_DIRECTIVES' constant need to be
# presented in the options hash with a boolean 'true' in order
# to be used in a policy.
#
class ContentSecurityPolicy < Base
default_options default_src: "'self'", report_only: false
DIRECTIVES = %i[base_uri child_src connect_src default_src
font_src form_action frame_ancestors frame_src
img_src manifest_src media_src object_src
plugin_types referrer reflected_xss report_to
report_uri require_sri_for sandbox script_src
style_src worker_src webrtc_src navigate_to
prefetch_src].freeze
NO_ARG_DIRECTIVES = %i[block_all_mixed_content disown_opener
upgrade_insecure_requests].freeze
def csp_policy
directives = []
DIRECTIVES.each do |d|
if options.key?(d)
directives << "#{d.to_s.sub(/_/, '-')} #{options[d]}"
end
end
# Set these key values to boolean 'true' to include in policy
NO_ARG_DIRECTIVES.each do |d|
if options.key?(d) && options[d].is_a?(TrueClass)
directives << d.to_s.tr('_', '-')
end
end
directives.compact.sort.join('; ')
end
def call(env)
status, headers, body = @app.call(env)
header = options[:report_only] ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
headers[header] ||= csp_policy if html? headers
[status, headers, body]
end
end
end
end
View git blame Copy permalink