v7.1.3.2 - Superclass: Object

class ActionDispatch::ContentSecurityPolicy

Configures the HTTP Content-Security-Policy response header to help protect against XSS and injection attacks.

Example global policy:

Rails.application.config.content_security_policy do |policy|
  policy.default_src :self, :https
  policy.font_src    :self, :https, :data
  policy.img_src     :self, :https, :data
  policy.object_src  :none
  policy.script_src  :self, :https
  policy.style_src   :self, :https

  # Specify URI for violation reports
  policy.report_uri "/csp-violation-report-endpoint"
end

Constants

DEFAULT_NONCE_DIRECTIVES = %w[script-src style-src].freeze

DIRECTIVES = {
  base_uri:                 "base-uri",
  child_src:                "child-src",
  connect_src:              "connect-src",
  default_src:              "default-src",
  font_src:                 "font-src",
  form_action:              "form-action",
  frame_ancestors:          "frame-ancestors",
  frame_src:                "frame-src",
  img_src:                  "img-src",
  manifest_src:             "manifest-src",
  media_src:                "media-src",
  object_src:               "object-src",
  prefetch_src:             "prefetch-src",
  require_trusted_types_for: "require-trusted-types-for",
  script_src:               "script-src",
  script_src_attr:          "script-src-attr",
  script_src_elem:          "script-src-elem",
  style_src:                "style-src",
  style_src_attr:           "style-src-attr",
  style_src_elem:           "style-src-elem",
  trusted_types:            "trusted-types",
  worker_src:               "worker-src"
}.freeze

MAPPINGS = {
  self:             "'self'",
  unsafe_eval:      "'unsafe-eval'",
  unsafe_hashes:    "'unsafe-hashes'",
  unsafe_inline:    "'unsafe-inline'",
  none:             "'none'",
  http:             "http:",
  https:            "https:",
  data:             "data:",
  mediastream:      "mediastream:",
  allow_duplicates: "'allow-duplicates'",
  blob:             "blob:",
  filesystem:       "filesystem:",
  report_sample:    "'report-sample'",
  script:           "'script'",
  strict_dynamic:   "'strict-dynamic'",
  ws:               "ws:",
  wss:              "wss:"
}.freeze
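To make concrete how the example policy above and the DIRECTIVES / MAPPINGS tables turn into an actual Content-Security-Policy header value, here is a small stand-alone builder. It is an added example and not Rails' own implementation: MiniCsp, CSP_DIRECTIVES, CSP_MAPPINGS, CSP_NONCE_DIRECTIVES and example_policy are names chosen for this illustration, and the two tables are subsets of the constants listed on this page. It mirrors the DSL behaviour the page documents: symbols are looked up in the mapping table, strings pass through as-is, passing false removes a directive, and the per-request nonce is appended only to the directives in the nonce list (script-src and style-src by default) that are actually present in the policy.

```ruby
# Added example, not Rails' own code: a minimal builder that mirrors how the
# ActionDispatch::ContentSecurityPolicy DSL serialises a policy into the
# Content-Security-Policy header value.
require "securerandom"

# Subset of the DIRECTIVES constant shown on this page.
CSP_DIRECTIVES = {
  default_src: "default-src", font_src: "font-src", img_src: "img-src",
  object_src: "object-src", script_src: "script-src", style_src: "style-src"
}.freeze

# Subset of the MAPPINGS constant shown on this page.
CSP_MAPPINGS = {
  self: "'self'", none: "'none'", https: "https:", data: "data:",
  unsafe_inline: "'unsafe-inline'", strict_dynamic: "'strict-dynamic'"
}.freeze

# Same set as DEFAULT_NONCE_DIRECTIVES on this page.
CSP_NONCE_DIRECTIVES = %w[script-src style-src].freeze

class MiniCsp
  attr_reader :directives

  def initialize
    @directives = {}
  end

  # One DSL method per directive, e.g. `policy.script_src :self, :https`.
  # Passing `false` removes the directive, as the Rails DSL does.
  CSP_DIRECTIVES.each do |name, directive|
    define_method(name) do |*sources|
      if sources.first == false
        @directives.delete(directive)
      else
        @directives[directive] = sources.map { |source| map_source(source) }
      end
    end
  end

  def report_uri(uri)
    @directives["report-uri"] = [uri]
  end

  # Serialise to the header value. The nonce is appended only to directives
  # that are both present in the policy and listed in nonce_directives.
  def build(nonce: nil, nonce_directives: CSP_NONCE_DIRECTIVES)
    @directives.map do |directive, sources|
      value = sources.join(" ")
      value += " 'nonce-#{nonce}'" if nonce && nonce_directives.include?(directive)
      "#{directive} #{value}"
    end.join("; ")
  end

  private

  # Symbols are resolved through the mapping table; strings (hosts, schemes)
  # pass through unchanged; anything else is a configuration error.
  def map_source(source)
    case source
    when Symbol
      CSP_MAPPINGS.fetch(source) do
        raise ArgumentError, "Unknown content security policy source mapping: #{source.inspect}"
      end
    when String
      source
    else
      raise ArgumentError, "Invalid content security policy source: #{source.inspect}"
    end
  end
end

# The global policy from this page, expressed with the mini builder.
def example_policy
  MiniCsp.new.tap do |policy|
    policy.default_src :self, :https
    policy.font_src    :self, :https, :data
    policy.img_src     :self, :https, :data
    policy.object_src  :none
    policy.script_src  :self, :https
    policy.style_src   :self, :https
    policy.report_uri "/csp-violation-report-endpoint"
  end
end

# Header value with a per-request nonce, as the middleware would emit it.
def example_header(nonce)
  example_policy.build(nonce: nonce)
end

if __FILE__ == $PROGRAM_NAME
  # A fresh random nonce per request is what makes 'nonce-...' safe to use.
  puts example_header(SecureRandom.base64(16))
end
```

Running the file prints the header for a freshly generated nonce; because script-src and style-src carry 'nonce-...' while the other directives do not, only inline scripts and styles tagged with that nonce are allowed, and the nonce must change on every response or the protection is lost.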

Attributes

[R] directives