Class Rack::Protection::ContentSecurityPolicy
In: lib/rack/protection/content_security_policy.rb
Parent: Base
Prevented attack: XSS and others
Supported browsers: Firefox 23+, Safari 7+, Chrome 25+, Opera 15+
Description: Content Security Policy, a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). Content Security Policy is a declarative policy that lets the authors (or server administrators) of a web application inform the client about the sources from which the application expects to load resources.
More info:
  W3C CSP Level 1: www.w3.org/TR/CSP1/ (deprecated)
  W3C CSP Level 2: www.w3.org/TR/CSP2/ (current)
  W3C CSP Level 3: www.w3.org/TR/CSP3/ (draft)
  developer.mozilla.org/en-US/docs/Web/Security/CSP
  caniuse.com/#search=ContentSecurityPolicy
  content-security-policy.com/
  securityheaders.io
  scotthelme.co.uk/csp-cheat-sheet/
  www.html5rocks.com/en/tutorials/security/content-security-policy/

Sets the ‘Content-Security-Policy[-Report-Only]’ header.

Options: ContentSecurityPolicy configuration is a complex topic with several levels of support that have evolved over time. See the W3C documentation and the links in the "More info" section for CSP usage examples and best practices. The CSP3 directives in the 'NO_ARG_DIRECTIVES' constant need to be presented in the options hash with a boolean 'true' in order to be used in a policy; any other value for those directives leaves them out of the policy.
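The following is an added illustration, not the rack-protection gem's own implementation: it shows how an options hash of the shape described above (source-list directives as strings, no-arg directives as boolean true, an optional report_only flag) can be rendered into the Content-Security-Policy[-Report-Only] header and attached to HTML responses by a small Rack middleware. The directive subsets, the alphabetical ordering and the HTML-only check are assumptions for the example.

```ruby
# Added illustration (not the rack-protection gem's own code): how an options
# hash of the shape this middleware takes can be turned into a
# Content-Security-Policy[-Report-Only] header value, and a plain Rack
# middleware that sets that header on HTML responses.

# Directives that take a source list (assumed subset of the gem's DIRECTIVES).
VALUE_DIRECTIVES = %i[default_src script_src style_src img_src connect_src
                      frame_ancestors report_uri].freeze
# Directives that take no argument; they appear bare only when set to true.
NO_ARG_DIRECTIVES = %i[block_all_mixed_content upgrade_insecure_requests].freeze

# Builds the header value from the options hash, e.g.
# { default_src: "'self'", block_all_mixed_content: true } =>
# "block-all-mixed-content; default-src 'self'"
def csp_header_value(options)
  directives = []
  VALUE_DIRECTIVES.each do |d|
    next unless options.key?(d)
    # Symbol names use underscores; the header uses hyphens.
    directives << "#{d.to_s.tr('_', '-')} #{options[d]}"
  end
  NO_ARG_DIRECTIVES.each do |d|
    # A truthy non-boolean value (e.g. "yes") is ignored: only true counts.
    directives << d.to_s.tr('_', '-') if options[d] == true
  end
  directives.sort.join('; ')
end

# Chooses the header name: report-only mode reports violations without blocking.
def csp_header_name(options)
  options[:report_only] ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
end

# Minimal Rack middleware that adds the header to HTML responses only and
# never overwrites a policy the application already set itself.
class CspExample
  def initialize(app, options = {})
    @app = app
    @options = options
  end

  def call(env)
    status, headers, body = @app.call(env)
    if headers['Content-Type'].to_s.start_with?('text/html')
      headers[csp_header_name(@options)] ||= csp_header_value(@options)
    end
    [status, headers, body]
  end
end
```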

Methods

call, csp_policy

Constants

DIRECTIVES = %i(base_uri child_src connect_src default_src
NO_ARG_DIRECTIVES = %i(block_all_mixed_content disown_opener

Public Instance methods
