Sha256: 5052524b5b3804a09698200bf570e233cd3a79bc52cce14c3f68a026070b6996
Contents?: true
Size: 1.83 KB
Versions: 2
Compression:
Stored size: 1.83 KB
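require 'net/https'
require 'openssl'

# Receives browser Content-Security-Policy violation reports (the CSP
# report-uri target) and, when a +forward_endpoint+ is configured, relays
# each report to that endpoint as a JSON POST.
#
# Deprecated: removed in secure_headers 2.0 (see the warning in #scribe).
class ContentSecurityPolicyController < ActionController::Base
  # CA bundle used to verify the forward endpoint's certificate. Resolved
  # relative to this file, i.e. the gem's own config/curl-ca-bundle.crt;
  # it is frozen at gem release time and is not refreshed with the host's
  # trust store, so it can go stale independently of the system bundle.
  CA_FILE = File.expand_path(File.join('..', '..', '..', 'config', 'curl-ca-bundle.crt'), __FILE__)

  # Upper bounds (seconds) for the outbound POST. This action is hit by
  # unauthenticated browsers and forwards synchronously unless Delayed::Job
  # is present, so without a bound an unresponsive endpoint can hold a
  # server process for Net::HTTP's much longer defaults.
  OPEN_TIMEOUT = 5
  READ_TIMEOUT = 10

  # Accepts a report and forwards it if a forward endpoint is configured.
  #
  # Responds 200 on success; responds 400 if anything raises while reading
  # the configuration, parsing the report or forwarding it. Failures are
  # logged and never re-raised, so a broken endpoint is not surfaced to
  # the reporting browser.
  def scribe
    warn "[DEPRECATION] ContentSecurityPolicyController is removed in 2.0"
    csp = ::SecureHeaders::Configuration.csp || {}
    forward_endpoint = csp[:forward_endpoint]
    forward_params_to(forward_endpoint) if forward_endpoint

    head :ok
  rescue StandardError => e
    # forward_endpoint is still nil here if the failure happened before the
    # configuration was read; log_warning tolerates that.
    log_warning(forward_endpoint, e)
    head :bad_request
  end

  private

  # Relays the incoming report to +forward_endpoint+ as a JSON POST.
  #
  # The outbound body is +params+ serialized to JSON, including any fields
  # merged in from an application/csp-report body. Everything in it is
  # browser-supplied and therefore untrusted; the same holds for the
  # X-Forwarded-For header, which passes the client's own value through.
  # The endpoint's response is discarded.
  #
  # @param forward_endpoint [String] absolute URL taken from the CSP config
  # @raise [StandardError] URI, network and JSON errors propagate to #scribe
  def forward_params_to(forward_endpoint)
    uri = URI.parse(forward_endpoint)
    http = Net::HTTP.new(uri.host, uri.port)
    http.open_timeout = OPEN_TIMEOUT
    http.read_timeout = READ_TIMEOUT
    use_ssl(http) if uri.scheme == 'https'

    merge_report_body!

    # Named +post+ rather than +request+ so the local never shadows the
    # controller's +request+ accessor, which this method still reads below.
    post = Net::HTTP::Post.new(uri.to_s)
    post.initialize_http_header({
      'User-Agent' => request.user_agent,
      'X-Forwarded-For' => forwarded_for,
      'Content-Type' => 'application/json',
    })
    post.body = params.to_json

    # fire and forget: queue through Delayed::Job when it is loaded,
    # otherwise send inline on the request thread.
    if defined?(Delayed::Job)
      http.delay.request(post)
    else
      http.request(post)
    end
  end

  # Browsers submit CSP reports as an application/csp-report JSON body
  # rather than form params, so decode the raw body and fold it into
  # +params+. Other content types are left to normal param parsing.
  #
  # @raise [StandardError] if the body is not decodable JSON or is not
  #   a Hash (params.merge! rejects it); handled by #scribe
  def merge_report_body!
    return unless request.content_type == "application/csp-report"

    request.body.rewind
    params.merge!(ActiveSupport::JSON.decode(request.body.read))
  end

  # X-Forwarded-For value for the outbound POST: the client-supplied header
  # (untrusted, passed through verbatim) with this server's view of the
  # remote IP appended, or just the remote IP when no header was sent.
  #
  # @return [String]
  def forwarded_for
    client_xff = request.env["HTTP_X_FORWARDED_FOR"]
    return request.remote_ip if client_xff.nil? || client_xff.empty?

    "#{client_xff}, #{request.remote_ip}"
  end

  # Enables TLS on +http+ with peer verification against CA_FILE.
  #
  # @param http [Net::HTTP] connection to configure (before it is opened)
  def use_ssl(http)
    http.use_ssl = true
    http.ca_file = CA_FILE
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    # Caps the accepted certificate-chain length.
    http.verify_depth = 9
  end

  # Logs a failed report/forward at warn level; no-op when Rails.logger is
  # not defined (e.g. outside a Rails process).
  #
  # @param forward_endpoint [String, nil] endpoint that was being targeted
  # @param e [StandardError] the rescued error
  def log_warning(forward_endpoint, e)
    return unless defined?(Rails.logger)

    Rails.logger.warn("Unable to POST CSP report to #{forward_endpoint} because #{e}")
  end
end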
Version data entries
2 entries across 2 versions & 1 rubygems
Version | Path |
---|---|
secure_headers-1.4.1 | app/controllers/content_security_policy_controller.rb |
secure_headers-1.4.0 | app/controllers/content_security_policy_controller.rb |