ActionDispatch::ContentSecurityPolicy
# Action Dispatch Content Security Policy
Configures the HTTP [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) response header to help protect against XSS and injection attacks.
Example global policy:

```ruby
Rails.application.config.content_security_policy do |policy|
  policy.default_src :self, :https
  policy.font_src    :self, :https, :data
  policy.img_src     :self, :https, :data
  policy.object_src  :none
  policy.script_src  :self, :https
  policy.style_src   :self, :https

  # Specify URI for violation reports
  policy.report_uri "/csp-violation-report-endpoint"
end
```
## Constants

```ruby
DEFAULT_NONCE_DIRECTIVES = %w[script-src style-src].freeze
```

```ruby
DIRECTIVES = {
  base_uri: "base-uri",
  child_src: "child-src",
  connect_src: "connect-src",
  default_src: "default-src",
  font_src: "font-src",
  form_action: "form-action",
  frame_ancestors: "frame-ancestors",
  frame_src: "frame-src",
  img_src: "img-src",
  manifest_src: "manifest-src",
  media_src: "media-src",
  object_src: "object-src",
  prefetch_src: "prefetch-src",
  require_trusted_types_for: "require-trusted-types-for",
  script_src: "script-src",
  script_src_attr: "script-src-attr",
  script_src_elem: "script-src-elem",
  style_src: "style-src",
  style_src_attr: "style-src-attr",
  style_src_elem: "style-src-elem",
  trusted_types: "trusted-types",
  worker_src: "worker-src"
}.freeze
```

```ruby
MAPPINGS = {
  self: "'self'",
  unsafe_eval: "'unsafe-eval'",
  wasm_unsafe_eval: "'wasm-unsafe-eval'",
  unsafe_hashes: "'unsafe-hashes'",
  unsafe_inline: "'unsafe-inline'",
  none: "'none'",
  http: "http:",
  https: "https:",
  data: "data:",
  mediastream: "mediastream:",
  allow_duplicates: "'allow-duplicates'",
  blob: "blob:",
  filesystem: "filesystem:",
  report_sample: "'report-sample'",
  script: "'script'",
  strict_dynamic: "'strict-dynamic'",
  ws: "ws:",
  wss: "wss:"
}.freeze
```
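To show how the DSL above turns directive symbols, `MAPPINGS` keywords and a per-request nonce into the header value, here is an added, illustrative builder; it is not Rails' own `ActionDispatch::ContentSecurityPolicy` code, it covers only a subset of the page's constants, and `report_uri` and the `inline_scripts_allowed?` review check are assumptions of this example.

```ruby
# Illustrative re-implementation of the documented DSL (assumed, not Rails' own code).
class CspExample
  # Subset of the page's DIRECTIVES; report_uri is added here as an assumption.
  DIRECTIVES = { default_src: "default-src", font_src: "font-src", img_src: "img-src",
                 object_src: "object-src", script_src: "script-src",
                 style_src: "style-src", report_uri: "report-uri" }.freeze
  # Subset of the page's MAPPINGS: symbol => CSP source expression.
  MAPPINGS = { self: "'self'", none: "'none'", https: "https:", data: "data:",
               unsafe_inline: "'unsafe-inline'", strict_dynamic: "'strict-dynamic'" }.freeze
  NONCE_DIRECTIVES = %w[script-src style-src].freeze

  attr_reader :directives

  def initialize
    @directives = {}
  end

  # policy.script_src :self, :https  => stores the sources under "script-src"
  DIRECTIVES.each do |name, header|
    define_method(name) { |*sources| @directives[header] = sources }
  end

  # Symbols go through MAPPINGS; strings (hosts, report paths) pass through.
  # A per-request nonce is appended only to the nonce directives.
  def build(nonce = nil)
    directives.map do |header, sources|
      values = sources.map { |s| s.is_a?(Symbol) ? MAPPINGS.fetch(s) : s }
      values << "'nonce-#{nonce}'" if nonce && NONCE_DIRECTIVES.include?(header)
      "#{header} #{values.join(' ')}"
    end.join("; ")
  end

  # Review check: does the effective script policy permit inline scripts?
  def inline_scripts_allowed?
    sources = directives.fetch("script-src") { directives.fetch("default-src", []) }
    sources.include?(:unsafe_inline)
  end
end

# The page's global policy, expressed against the builder above.
def example_policy
  policy = CspExample.new
  policy.default_src :self, :https
  policy.font_src :self, :https, :data
  policy.img_src :self, :https, :data
  policy.object_src :none
  policy.script_src :self, :https
  policy.style_src :self, :https
  policy.report_uri "/csp-violation-report-endpoint"
  policy
end
```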
## Attributes

| Access | Name |
| --- | --- |
| [R] | directives |

## Files

- actionpack/lib/action_dispatch/http/content_security_policy.rb