Skip to content

Latest commit

 

History

History
105 lines (81 loc) · 3.67 KB

per_action_configuration.md

File metadata and controls

105 lines (81 loc) · 3.67 KB
Raw

Per-action configuration

You can override the settings for a given action by producing a temporary override. Be aware that because of the dynamic nature of the value, the header values will be computed per request.

# Given a config of:
::SecureHeaders::Configuration.default do |config|
   config.csp = {
     default_src: %w('self'),
     script_src: %w('self')
   }
 end

class MyController < ApplicationController
  def index
    # Append value to the source list, override 'none' values
    # Produces: default-src 'self'; script-src 'self' s3.amazonaws.com; object-src 'self' www.youtube.com
    append_content_security_policy_directives(script_src: %w(s3.amazonaws.com), object_src: %w('self' www.youtube.com))

    # Overrides the previously set source list, override 'none' values
    # Produces: default-src 'self'; script-src s3.amazonaws.com; object-src 'self'
    override_content_security_policy_directives(script_src: %w(s3.amazonaws.com), object_src: %w('self'))

    # Global settings default to "sameorigin"
    override_x_frame_options("DENY")
  end

The following methods are available as controller instance methods. They are also available as class methods, but require you to pass in the request object.

  • append_content_security_policy_directives(hash): appends each value to the corresponding CSP app-wide configuration.
  • override_content_security_policy_directives(hash): merges the hash into the app-wide configuration, overwriting any previous config
  • override_x_frame_options(value): sets the X-Frame-Options header to value

Appending / overriding Content Security Policy

When manipulating content security policy, there are a few things to consider. The default header value is default-src https: which corresponds to a default configuration of { default_src: %w(https:)}.

Append to the policy with a directive other than default_src

The value of default_src is joined with the addition if the it is a fetch directive. Note the https: is carried over from the default-src config. If you do not want this, use override_content_security_policy_directives instead. To illustrate:

::SecureHeaders::Configuration.default do |config|
   config.csp = {
     default_src: %w('self')
   }
 end
Code Result
append_content_security_policy_directives(script_src: %w(mycdn.com)) default-src 'self'; script-src 'self' mycdn.com
override_content_security_policy_directives(script_src: %w(mycdn.com)) default-src 'self'; script-src mycdn.com

Nonce

You can use a view helper to automatically add nonces to script tags:

<%= nonced_javascript_tag do %>
console.log("nonced!");
<% end %>

<%= nonced_style_tag do %>
body {
  background-color: black;
}
<% end %>

becomes:

<script nonce="/jRAxuLJsDXAxqhNBB7gg7h55KETtDQBXe4ZL+xIXwI=">
console.log("nonced!")
</script>
<style nonce="/jRAxuLJsDXAxqhNBB7gg7h55KETtDQBXe4ZL+xIXwI=">
body {
  background-color: black;
}
</style>

Content-Security-Policy: ...
  script-src 'nonce-/jRAxuLJsDXAxqhNBB7gg7h55KETtDQBXe4ZL+xIXwI=' ...;
  style-src 'nonce-/jRAxuLJsDXAxqhNBB7gg7h55KETtDQBXe4ZL+xIXwI=' ...;

script/style-nonce can be used to whitelist inline content. To do this, call the content_security_policy_script_nonce or content_security_policy_style_nonce then set the nonce attributes on the various tags.

<script nonce="<%= content_security_policy_script_nonce %>">
  console.log("whitelisted, will execute")
</script>

<script nonce="lol">
  console.log("won't execute, not whitelisted")
</script>

<script>
  console.log("won't execute, not whitelisted")
</script>