New Features¶ ↑

• A content_security_policy plugin has been added for setting up an appropriate Content-Security-Policy header. To configure the default policy, load the plugin with a block:

  plugin :content_security_policy do |csp|
    csp.default_src :none
    csp.img_src :self
    csp.style_src :self, 'fonts.googleapis.com'
    csp.script_src :self
    csp.font_src :self, 'fonts.gstatic.com'
    csp.form_action :self
    csp.base_uri :none
    csp.frame_ancestors :none
    csp.block_all_mixed_content
  end
  

  It’s recommended that use use a default_src of :none at the top of the policy, then explicitly change other settings (e.g. img_src) when you want to allow content.

  Anywhere in the routing tree, you can use the content_security_policy method to override the default policy. You can pass this method a block:

  r.get 'foo' do
    content_security_policy do |csp|
      csp.object_src :self
      csp.add_style_src 'bar.com'
    end
    # ...
  end
  

  Or just call a method on it:

  r.get 'foo' do
    content_security_policy.script_src :self, 'example.com', [:nonce, 'foobarbaz']
    # ...
  end
  

  The following methods exist for configuring the content security policy, they set the appropriate directive, with the underscores replaced by a dash.

  • base_uri

  • child_src

  • connect_src

  • default_src

  • font_src

  • form_action

  • frame_ancestors

  • frame_src

  • img_src

  • manifest_src

  • media_src

  • object_src

  • plugin_types

  • report_uri

  • require_sri_for

  • sandbox

  • script_src

  • style_src

  • worker_src

  All of these methods support any number of arguments, and each argument should be one of the following types:

  String	used verbatim
  Symbol	Substitutes underscore with dash and surrounds with single quotes
  Array	only accepts 2 element arrays, joins elements with a dash and surrounds them with single quotes

  Example:

  content_security_policy.script_src :self, :unsafe_eval,
    'example.com', [:nonce, 'foobarbaz']
  # script-src 'self' 'unsafe-eval' example.com 'nonce-foobarbaz';
  

  When calling a method with no arguments, the setting is removed from the policy instead of being left empty, since all of these setting require at least one value. Likewise, if the policy does not have any settings, the header will not be added.

  Calling the method overrides any previous setting. Each of the methods has a add_* method (e.g. add_script_src) for appending to the current setting, and a get_* method (e.g. get_script_src) for retrieving the current value of the setting, or nil if it is not defined.

  content_security_policy.script_src :self, :unsafe_eval
  # script-src 'self' 'unsafe-eval';
  content_security_policy.add_script_src 'example.com', [:nonce, 'foobarbaz']
  # script-src 'self' 'unsafe-eval' example.com 'nonce-foobarbaz';
  
  content_security_policy.get_script_src 'example.com', [:nonce, 'foobarbaz']
  # => [:self, :unsafe_eval, 'example.com', [:nonce, 'foobarbaz']]
  

  The clear method can be used to remove all settings from the policy.

  The following methods to set boolean directives are also defined:

  • block_all_mixed_content

  • upgrade_insecure_requests

  Calling these methods will turn on the related setting. To turn the setting off again, you can call them with a false argument (e.g. block_all_mixed_content(false)). Each method also an *? method (e.g. block_all_mixed_content?) for returning whether the setting is currently enabled.

  Likewise there is also a report_only method for turning on report only mode (the default is enforcement mode), or turning off report only mode if a false argument is given. Also, there is a report_only? method for returning whether report only mode is enabled. In report only mode, the Content-Security-Policy-Report-Only header is used.

Other Improvements¶ ↑

• The response_request plugin now integrates with the error_handler and class_level_routing plugins. Those plugins now reinitialize the current response object instead of creating a new response object.