
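# Route hook that emits a Content-Security-Policy forbidding inline scripts
# and styles: only same-origin <script>/<style> elements are allowed, and
# script/style attributes (onclick=, style=) are disallowed outright.
class Brut::FrontEnd::RouteHooks::CSPNoInlineStylesOrScripts < Brut::FrontEnd::RouteHook
  # Sets the enforcing CSP header on the response and lets the request proceed.
  #
  # @param response [Object] response whose +headers+ hash receives the policy
  # @return whatever +continue+ returns
  def after(response:)
    response.headers["Content-Security-Policy"] = header_value
    continue
  end

  # The policy shared by the enforcing hook and +ReportOnly+.
  #
  # @return [String] CSP directives joined with "; "
  def header_value
    [
      "default-src 'self'",
      "script-src-elem 'self'",
      "script-src-attr 'none'",
      "style-src-elem 'self'",
      "style-src-attr 'none'",
    ].join("; ")
  end

  # Same policy, but delivered as Content-Security-Policy-Report-Only so
  # violations are reported to the app's CSP reporting handler rather than
  # blocked. Useful for trialling the policy before enforcing it.
  class ReportOnly < Brut::FrontEnd::RouteHooks::CSPNoInlineStylesOrScripts
    # Reporting group name; must match between +report-to+ and Reporting-Endpoints.
    REPORTING_GROUP = "csp_reporting"

    # Sets the report-only CSP header plus the reporting endpoint declaration.
    #
    # @param response [Object] response whose +headers+ hash is written
    # @param request [Object] current request, used to build an absolute report URL
    # @return whatever +continue+ returns
    def after(response:,request:)
      csp_reporting_path   = uri(Brut::FrontEnd::Handlers::CspReportingHandler.routing,request:)
      # report-uri is the legacy fallback for browsers without Reporting API support.
      reporting_directives = "report-to #{REPORTING_GROUP};report-uri #{csp_reporting_path}"

      response.headers["Content-Security-Policy-Report-Only"] = header_value + ";" + reporting_directives
      # Reporting-Endpoints is a Structured Fields dictionary whose values are
      # sf-strings, which must be double-quoted. A single-quoted URL is not a
      # valid member, so browsers ignored the group and report-to never fired.
      response.headers["Reporting-Endpoints"]                 = "#{REPORTING_GROUP}=\"#{csp_reporting_path}\""

      continue
    end
  end

  private

  # Builds an absolute URL for +path+ from the request's scheme, host and
  # script name. Adapted from Sinatra's innards.
  #
  # NOTE(review): host/port come from the request (Host / forwarded headers);
  # the advertised endpoint is only as trustworthy as the proxy configuration
  # that sets them — confirm upstream.
  #
  # @param path [String] app-relative path to append
  # @param request [Object] request exposing secure?, forwarded?, port, host,
  #   host_with_port and script_name
  # @return [String] absolute URL
  def uri(path,request:)
    host = "http#{'s' if request.secure?}://"
    # Include the port only when it is non-default or the request was forwarded.
    if request.forwarded? || (request.port != (request.secure? ? 443 : 80))
      host << request.host_with_port
    else
      host << request.host
    end
    uri_parts = [
      host,
      request.script_name.to_s,
      path,
    ]
    File.join(uri_parts)
  end
end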
