README.md in secure_headers-0.4.1 vs README.md in secure_headers-0.4.2
- old
+ new
@@ -39,11 +39,11 @@
### Disabling
Use the standard `skip_before_filter :filter_name, options` mechanism. e.g. `skip_before_filter :set_csp_header, :only => :tinymce_page`
-The following methods are going to be called, unles they are provided in a `skip_before_filter` block.
+The following methods are going to be called, unless they are provided in a `skip_before_filter` block.
* `:set_csp_header`
* `:set_hsts_header`
* `:set_x_frame_options_header`
* `:set_x_xss_protection_header`
@@ -51,14 +51,14 @@
### Automagic
This gem makes a few assumptions about how you will use some features. For example:
-* It adds 'chrome-extension:' to your CSP directives by default. This helps drastically reduce the amount of reports, but you can also disable this feature by supplying :disable_chrome_extension => true.
-* It fills any blank directives with the value in :default_src Getting a default\-src report is pretty useless. This way, you will always know what type of violation occurred. You can disable this feature by supplying :disable_fill_missing => true.
+* It adds 'chrome-extension:' to your CSP directives by default. This helps drastically reduce the amount of reports, but you can also disable this feature by supplying `:disable_chrome_extension => true`.
+* It fills any blank directives with the value in `:default_src` Getting a default\-src report is pretty useless. This way, you will always know what type of violation occurred. You can disable this feature by supplying `:disable_fill_missing => true`.
* It copies the connect\-src value to xhr\-src for AJAX requests when using Firefox.
-* Firefox does not support cross\-origin CSP reports. If we are using Firefox, AND the value for :report_uri does not satisfy the same\-origin requirements, we will instead forward to an internal endpoint (`FF_CSP_ENDPOINT`). This is also the case if :report_uri only contains a path, which we assume will be cross host. This endpoint will in turn forward the request to the value in :forward_endpoint without restriction. More information can be found in the "Note on Firefox handling of CSP" section.
+* Firefox does not support cross\-origin CSP reports. If we are using Firefox, AND the value for `:report_uri` does not satisfy the same\-origin requirements, we will instead forward to an internal endpoint (`FF_CSP_ENDPOINT`). This is also the case if `:report_uri` only contains a path, which we assume will be cross host. This endpoint will in turn forward the request to the value in `:forward_endpoint` without restriction. More information can be found in the "Note on Firefox handling of CSP" section.
## Configuration
**Place the following in an initializer (recommended):**
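Review bot: the `:default_src` bullet still runs two sentences together after the backtick change: `It fills any blank directives with the value in `:default_src` Getting a default-src report is pretty useless.` A period after the backticked symbol is needed; while quoting option names, the unchanged bullets could get the same treatment for `connect-src`, `xhr-src` and `:report_uri` so the section is consistent.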
@@ -157,9 +157,19 @@
:img_src => 'https://mycdn.example.com',
:http_additions {
:img_src => 'http://mycdn.example.com'
}
}
+
+ # script-nonce is an experimental feature of CSP 1.1 available in Chrome. It allows
+ # you to whitelist inline script blocks. For more information, see
+ # https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-nonce
+ :script_nonce => { 'abc123' }
+
+ # you can also use lambdas to use dynamically generated nonces
+ :script_nonce => lambda { @script_nonce] = 'something' }
+ # which can be used to whitelist a script block:
+ # script_tag :nonce = @script_nonce { inline_script_call() }
}
```
### Only applied to IE
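Review bot: the added `:script_nonce => { 'abc123' }` is not valid Ruby: `{ 'abc123' }` is a hash literal with a bare string and no key/value, so the initializer raises a syntax error when it loads; if the option takes a string it should read `:script_nonce => 'abc123'`. The lambda example just below has a stray `]` (`@script_nonce] = 'something'`), and since both examples use the same `:script_nonce` key in one hash literal the second silently overwrites the first, so either show them as separate snippets or comment one out. If `:script_nonce` is meant to be a sibling of the entry closed by the `}` directly above it, that `}` also needs a trailing comma for the hash to parse; the unchanged `:http_additions {` without `=>` is pre-existing but would be worth fixing in the same pass.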