module SecureHeaders module ViewHelpers include SecureHeaders::HashHelper SECURE_HEADERS_RAKE_TASK = "rake secure_headers:generate_hashes" class UnexpectedHashedScriptException < StandardError; end # Public: create a style tag using the content security policy nonce. # Instructs secure_headers to append a nonce to style/script-src directives. # # Returns an html-safe style tag with the nonce attribute. def nonced_style_tag(content_or_options = {}, &block) nonced_tag(:style, content_or_options, block) end # Public: create a script tag using the content security policy nonce. # Instructs secure_headers to append a nonce to style/script-src directives. # # Returns an html-safe script tag with the nonce attribute. def nonced_javascript_tag(content_or_options = {}, &block) nonced_tag(:script, content_or_options, block) end # Public: use the content security policy nonce for this request directly. # Instructs secure_headers to append a nonce to style/script-src directives. # # Returns a non-html-safe nonce value. def content_security_policy_nonce(type) case type when :script SecureHeaders.content_security_policy_script_nonce(@_request) when :style SecureHeaders.content_security_policy_style_nonce(@_request) end end ## # Checks to see if the hashed code is expected and adds the hash source # value to the current CSP. # # By default, in development/test/etc. an exception will be raised. def hashed_javascript_tag(raise_error_on_unrecognized_hash = nil, &block) hashed_tag( :script, :script_src, Configuration.instance_variable_get(:@script_hashes), raise_error_on_unrecognized_hash, block ) end def hashed_style_tag(raise_error_on_unrecognized_hash = nil, &block) hashed_tag( :style, :style_src, Configuration.instance_variable_get(:@style_hashes), raise_error_on_unrecognized_hash, block ) end private def hashed_tag(type, directive, hashes, raise_error_on_unrecognized_hash, block) if raise_error_on_unrecognized_hash.nil? raise_error_on_unrecognized_hash = ENV["RAILS_ENV"] != "production" end content = capture(&block) file_path = File.join('app', 'views', self.instance_variable_get(:@virtual_path) + '.html.erb') if raise_error_on_unrecognized_hash hash_value = hash_source(content) message = unexpected_hash_error_message(file_path, content, hash_value) if hashes.nil? || hashes[file_path].nil? || !hashes[file_path].include?(hash_value) raise UnexpectedHashedScriptException.new(message) end end SecureHeaders.append_content_security_policy_directives(request, directive => hashes[file_path]) content_tag type, content end def unexpected_hash_error_message(file_path, content, hash_value) <<-EOF \n\n*** WARNING: Unrecognized hash in #{file_path}!!! Value: #{hash_value} *** #{content} *** Run #{SECURE_HEADERS_RAKE_TASK} or add the following to config/script_hashes.yml:*** #{file_path}: - #{hash_value}\n\n NOTE: dynamic javascript is not supported using script hash integration on purpose. It defeats the point of using it in the first place. EOF end def nonced_tag(type, content_or_options, block) options = {} content = if block options = content_or_options capture(&block) else content_or_options.html_safe # :'( end content_tag type, content, options.merge(nonce: content_security_policy_nonce(type)) end end end ActiveSupport.on_load :action_view do include SecureHeaders::ViewHelpers end if defined?(ActiveSupport)