README.md in secure_headers-1.2.0 vs README.md in secure_headers-1.3.0

- old
+ new

@@ -116,13 +116,10 @@ See [WebKit specification](http://www.w3.org/TR/CSP/) and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specification) ```ruby :csp => { - - # All values can be a String of space-delimited values, an Array of Strings, or procs. - :enforce => false, # sets header to report-only, by default # default_src is required! :default_src => nil, # sets the default-src/allow+options directives # Where reports are sent. Use protocol relative URLs if you are posting to the same domain (TLD+1). Use paths if you are posting to the application serving the header 
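Review bot: the removed comment (`# All values can be a String of space-delimited values, an Array of Strings, or procs.`) was the only place the accepted value types were documented, and the `:enforce => false` line leaves with it without any replacement; if procs and `:enforce` are no longer supported in 1.3.0 the README should state that explicitly (with a pointer to the upgrade notes), and otherwise the comment should stay with the still-valid types, because a reader of the remaining `:default_src => nil` line has no way to know that an Array or a space-delimited String is accepted.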
@@ -191,25 +188,46 @@ # Auction site wants to allow images from anywhere, plugin content from a list of trusted media providers (including a content distribution network), and scripts only from its server hosting sanitized JavaScript :csp => { :default_src => 'self', :img_src => '*', - :connect_src => 'none' :object_src => ['media1.com', 'media2.com', '*.cdn.com'], - # alternatively :object_src => 'media1.com media2.com *.cdn.com' - :script_src => 'trustedscripts.example.com', - :report_uri => lambda { - if FeatureToggle.available?(:new_csp_endpoint) - '//example.com/new_csp' - else - '//example.com/old_csp' - end - } + # alternatively (NOT csv) :object_src => 'media1.com media2.com *.cdn.com' + :script_src => 'trustedscripts.example.com' } -"default-src 'self'; connect-src 'none'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com; report-uri [one of the two values in the example]" +"default-src 'self'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com;" ``` +### CSP Level 2 features + +script/style-nonce can be used to whitelist inline content. To do this, add "nonce" to your script/style-src configuration, then set the nonce attributes on the various tags. + +*setting a nonce will also set 'unsafe-inline' for browsers that don't support nonces for backwards compatibility. 'unsafe-inline' is ignored if a nonce is present in a directive in compliant browsers. 
+ +```ruby +:csp => { + :default_src => 'self', + :script_src => 'self nonce' +} +``` + +> content-security-policy: default-src 'self'; script-src 'self' 'nonce-abc123' 'unsafe-inline' + +```erb +<script nonce="<%= @content_security_policy_nonce %>"> + console.log("whitelisted, will execute") +</script> + +<script nonce="lol"> + console.log("won't execute, not whitelisted") +</script> + +<script> + console.log("won't execute, not whitelisted") +</script> +``` + ## Note on Firefox handling of CSP * CSP reports will not POST cross\-origin. This sets up an internal endpoint in the application that will forward the request. Set the `forward_endpoint` value in the CSP section if you need to post cross origin for firefox. The internal endpoint that receives the initial request will forward the request to `forward_endpoint` ### Adding the Firefox report forwarding endpoint 
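Review bot: the new CSP Level 2 section's ERB sample uses `@content_security_policy_nonce`, but nothing in the hunk says where that instance variable comes from or that it must be a fresh, unpredictable value on every response; add a sentence stating that the library generates it whenever `nonce` appears in `script_src`/`style_src` (or whatever the actual mechanism is), so readers do not hard-code a value like the `'nonce-abc123'` shown in the header example, which would make the whitelist static and defeat the purpose of nonces. Two smaller points: the `*setting a nonce will also set 'unsafe-inline' ...` footnote starts with a bare `*`, which markdown renders as a bullet or a stray italic marker, so give it a `>` or `**Note:**` prefix; and removing the `lambda { ... }` `report_uri` example leaves the README with no example of a proc value at all, so either keep one proc example or say that procs are no longer accepted (the old `- :connect_src => 'none'` line without a trailing comma was invalid Ruby, so its removal is fine as is).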
@@ -275,30 +293,38 @@ ``` then in your `app.rb` file you can: ```ruby +require 'secure_headers/padrino' + module Web class App < Padrino::Application - include SecureHeaders + register SecureHeaders::Padrino - ::SecureHeaders::Configuration.configure do |config| - config.hsts = {:max_age => 99, :include_subdomains => true} - config.x_frame_options = 'DENY' - config.x_content_type_options = "nosniff" - config.x_xss_protection = {:value => '1', :mode => false} - config.csp = { - :default_src => "https://* inline eval", - :report_uri => '//example.com/uri-directive', - :img_src => "https://* data:", - :frame_src => "https://* http://*.twimg.com http://itunes.apple.com" - } - end - get '/' do set_csp_header render 'index' end + end +end +``` + +and in `config/boot.rb`: + +```ruby +def before_load + ::SecureHeaders::Configuration.configure do |config| + config.hsts = {:max_age => 99, :include_subdomains => true} + config.x_frame_options = 'DENY' + config.x_content_type_options = "nosniff" + config.x_xss_protection = {:value => '1', :mode => false} + config.csp = { + :default_src => "https://* inline eval", + :report_uri => '//example.com/uri-directive', + :img_src => "https://* data:", + :frame_src => "https://* http://*.twimg.com http://itunes.apple.com" + } end end ``` ## Similar libraries
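Review bot: in the new `config/boot.rb` snippet `def before_load ... end` only defines a top-level method that nothing invokes, so the `::SecureHeaders::Configuration.configure` block inside it would never run and the app would start with no secure_headers configuration; Padrino's boot hook is the block form, so the snippet should read `Padrino.before_load do` / `  ::SecureHeaders::Configuration.configure do |config|` / `end`. Separately, the policy carried over into the new location, `:default_src => "https://* inline eval"`, allows inline script and `eval` for every directive that falls back to default-src, which removes most of the XSS protection a CSP provides; a one-line remark that this is a permissive starting point and not a recommended policy would keep readers from copying it verbatim.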