aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_dispatch/http/content_security_policy.rb
Commit message (Collapse)AuthorAgeFilesLines
* Use request object for context if there's no controllerAndrew White2018-10-221-1/+2
| | | | | | | | There is no controller instance when using a redirect route or a mounted rack application so pass the request object as the context when resolving dynamic CSP sources in this scenario. Fixes #34200.
* Apply mapping to symbols returned from dynamic CSP sourcesAndrew White2018-10-221-1/+2
| | | | | | | | | | | | | | | Previously if a dynamic source returned a symbol such as :self it would be converted to a string implicity, e.g: policy.default_src -> { :self } would generate the header: Content-Security-Policy: default-src self and now it generates: Content-Security-Policy: default-src 'self'
* Add `Style/RedundantFreeze` to remove redudant `.freeze`Yasuo Honda2018-09-291-7/+7
| | | | | | | | | | | | | | | | | | | | | Since Rails 6.0 will support Ruby 2.4.1 or higher `# frozen_string_literal: true` magic comment is enough to make string object frozen. This magic comment is enabled by `Style/FrozenStringLiteralComment` cop. * Exclude these files not to auto correct false positive `Regexp#freeze` - 'actionpack/lib/action_dispatch/journey/router/utils.rb' - 'activerecord/lib/active_record/connection_adapters/sqlite3_adapter.rb' It has been fixed by https://github.com/rubocop-hq/rubocop/pull/6333 Once the newer version of RuboCop released and available at Code Climate these exclude entries should be removed. * Replace `String#freeze` with `String#-@` manually if explicit frozen string objects are required - 'actionpack/test/controller/test_case_test.rb' - 'activemodel/test/cases/type/string_test.rb' - 'activesupport/lib/active_support/core_ext/string/strip.rb' - 'activesupport/test/core_ext/string_ext_test.rb' - 'railties/test/generators/actions_test.rb'
* Add CSP nonce to `style-src` directiveyuuji.yaginuma2018-05-191-1/+1
| | | | | | | | | | | | | For nonce, only `script-src` and` style-src` are meaningful in the definition of Content Security Policy Level 2. https://www.w3.org/TR/CSP2/#script-src-nonce-usage https://www.w3.org/TR/CSP2/#style-src-nonce-usage Therefore, I think that customization function not needs and it is enough to enable both directives inside the framework. Fixes #32920
* Add support for prefetch-src directiveyuuji.yaginuma2018-05-031-0/+1
| | | | | | | Specification: https://w3c.github.io/webappsec-csp/#directive-prefetch-src This directive can already be used as an experimental feature in Chrome. Ref: https://bugs.chromium.org/p/chromium/issues/detail?id=801561
* Remove unused literal introduced in #32602Andrew White2018-04-181-1/+0
|
* Pass nonce to CSP policy from outsideAndrew White2018-04-181-31/+24
|
* Output only one nonce in CSP header per requestAndrey Novikov2018-04-171-17/+30
|
* Add WebSocket URI support to CSP DSL mappingsStephen Solis2018-04-121-1/+3
|
* Add support for automatic nonce generation for Rails UJSAndrew White2018-02-191-0/+32
| | | | | | | | | | | | | | | | | | | | | | | | | | Because the UJS library creates a script tag to process responses it normally requires the script-src attribute of the content security policy to include 'unsafe-inline'. To work around this we generate a per-request nonce value that is embedded in a meta tag in a similar fashion to how CSRF protection embeds its token in a meta tag. The UJS library can then read the nonce value and set it on the dynamically generated script tag to enable it to execute without needing 'unsafe-inline' enabled. Nonce generation isn't 100% safe - if your script tag is including user generated content in someway then it may be possible to exploit an XSS vulnerability which can take advantage of the nonce. It is however an improvement on a blanket permission for inline scripts. It is also possible to use the nonce within your own script tags by using `nonce: true` to set the nonce value on the tag, e.g <%= javascript_tag nonce: true do %> alert('Hello, World!'); <% end %> Fixes #31689.
* Remove trailing semi-colon from CSPAndrew White2018-02-191-1/+1
| | | | | | | | | Although the spec[1] is defined in such a way that a trailing semi-colon is valid it also doesn't allow a semi-colon by itself to indicate an empty policy. Therefore it's easier (and valid) just to omit it rather than to detect whether the policy is empty or not. [1]: https://www.w3.org/TR/CSP2/#policy-syntax
* Revert "Merge pull request #32045 from eagletmt/skip-csp-header"Andrew White2018-02-191-10/+2
| | | | | | | | | This reverts commit 86f7c269073a3a9e6ddec9b957deaa2716f2627d, reversing changes made to 5ece2e4a4459065b5efd976aebd209bbf0cab89b. If a policy is set then we should generate it even if it's empty. However what is happening is that we're accidentally generating an empty policy when the initializer is commented out by default.
* Skip generating empty CSP header when no policy is configuredKohei Suzuki2018-02-181-2/+10
| | | | | | | | `Rails.application.config.content_security_policy` is configured with no policies by default. In this case, Content-Security-Policy header should not be generated instead of generating the header with no directives. Firefox also warns "Content Security Policy: Couldn't process unknown directive ''".
* Add missing requireyuuji.yaginuma2017-12-051-0/+2
| | | | | | | Follow up of 3c442b6df91e291ebbf17f37444414bf5f10fbe6 Without this require, it will fail when run CSP test alone. Ref: https://travis-ci.org/rails/rails/jobs/311715758#L2976
* Fix CSP copy boolean directives (#31326)Simon Dawson2017-12-051-5/+1
| | | Use Object#deep_dup to safely duplicate policy values
* Add DSL for configuring Content-Security-Policy headerAndrew White2017-11-271-0/+233
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy