Full-featured Content Security Policy as Rack middleware
Ruby
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
lib
spec
.travis.yml
Gemfile
LICENSE
README.md
Rakefile
content-security-policy.gemspec

README.md

Content Security Policy

Build Status

Implementation of Content Security Policy as Rack middleware.

More information about Content Security Policy - http://www.w3.org/TR/CSP/.

Installation

Install as usually gem install content-security-policy

Usage

Add Content Security Policy to your Rack configuration config.ru.

require 'content-security-policy'

ContentSecurityPolicy.configure do |csp|
  csp['default-src'] = "'self'"
  csp['script-src']  = '*.example.com'
end

use ContentSecurityPolicy
run MyApplication

You can also pass directives during initialization.

require 'content-security-policy'

use ContentSecurityPolicy, :directives => { 'policy-uri' => 'policy.xml' }
run MyApplication

You can also use report-only mode.

require 'content-security-policy'

ContentSecurityPolicy.configure do |csp|
  csp.report_only = true
  csp['default-src'] = "'self'"
  csp['script-src']  = '*.example.com'
end

use ContentSecurityPolicy
run MyApplication
require 'content-security-policy'

use ContentSecurityPolicy, :directives => { 'policy-uri' => 'policy.xml' }, :report_only => true
run MyApplication

Status

Content Security Policy is now implemented with Content-Security-Policy (official name), X-Content-Security-Policy (Firefox and IE) and X-WebKit-CSP (Chrome and Safari) headers.

Copyright

Copyright (c) 2012 Alexey Rodionov. See LICENSE for details.