ezcsp 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: a64098cd248945d8710812f3321c933b2369eeea
+  data.tar.gz: 057154fe542773f16ef047ecce002dc0882a08b0
+SHA512:
+  metadata.gz: b8d006493d6446008a8beb09c8cd5c425365fb1583d07f8ecd152695524dbfc2859a7d6398ebd1f55107c056729a15f23ccf5701bc5faf30d377c01cedc3c739
+  data.tar.gz: e453772110f23a06a30f94c91465433ac36e8e8b2a1f79c1fd0dc877f830e6f439b8b9c426be7bcef38a66a03a2526f98be08b8c1f713e022d7bc5230c5e2624

data/lib/ezcsp.rb

@@ -0,0 +1,400 @@
+require 'json'
+
+#===============================================================================
+# EzCSP
+#
+
+##
+# EzCSP provides a simple object-oriented way to generate
+# <tt>Content-Security-Policy</tt> HTTP headers. For documentation on CSP,
+# see {Mozilla's Content-Security-Policy page}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy].
+# 
+# Basic usage:
+# 
+#     require 'ezcsp'
+#     csp = EzCSP.new()
+# 
+# Then, depending on how you output HTTP headers, you could output the CSP header
+# something like this:
+# 
+#     headers['Content-Security-Policy'] = csp.to_s
+# 
+# <tt>csp.to_s</tt>, by default, returns this string:
+# 
+#     default-src 'self'; frame-src 'self'; object-src 'none'; form-action 'self'; frame-ancestors 'self'; base-uri 'none'; block-all-mixed-content;
+# 
+# By default, the header value is very restrictive. It basically states that no
+# resources — scripts, styles, images, etc. — from outside the current web site
+# can be used. Expand that set of allowed resources by adding to the accessors
+# listed below, usually by using the #cdn method. So, for example, to
+# allow the browser to get scripts and styles from <tt>code.jquery.com</tt>,
+# you would do this:
+# 
+#     csp.cdn 'code.jquery.com', 'script_src', 'style_src'
+# 
+# which would produce this header value:
+# 
+#     default-src 'self'; script-src 'self' code.jquery.com; style-src 'self' code.jquery.com; frame-src 'self'; object-src 'none'; form-action 'self'; frame-ancestors 'self'; base-uri 'none'; block-all-mixed-content;
+# 
+# EzCSP isn't a substitute for understanding content security policies. Make
+# sure you
+# {read up on CSP}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy]
+# before using this class.
+# 
+# In the array attributes listed below, if the value <tt>none</tt> is in the
+# array, then all other values are ignored.
+
+class EzCSP
+	# Array. Holds the list of
+	# {default-src}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src]
+	# hosts.
+	# By default, <tt>default_src</tt> is an empty array.
+	attr_accessor :default_src
+	
+	# By default nil. If an array, this attribute holds the list of hosts in
+	# {img-src}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src].
+	attr_accessor :img_src
+	
+	# By default nil. If an array, this attribute holds the list of hosts in
+	# {script-src}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src].
+	attr_accessor :script_src
+	
+	# By default nil. If an array, this attribute holds the list of hosts in
+	# {style-src}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src].
+	attr_accessor :style_src
+	
+	# Array. Holds the list of
+	# {frame-src}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src]
+	# hosts.
+	# By default, <tt>all_src</tt> consists of <tt>['self']</tt>.
+	attr_accessor :frame_src
+	
+	# By default nil. If an array, this attribute holds the list of hosts in
+	# {font-src}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src].
+	attr_accessor :font_src
+	
+	# Array. Holds the list of
+	# {object-src}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src]
+	# hosts.
+	# By default, <tt>object_src</tt> consists of <tt>['none']</tt>.
+	attr_accessor :object_src
+	
+	# Array. <tt>all_src</tt> is a shortcut for indicating that a host is to be
+	# included in all other *_src arrays.
+	# By default, <tt>all_src</tt> consists of <tt>['self']</tt>.
+	attr_accessor :all_src
+	
+	# Array. Holds the list of
+	# {form-action}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action]
+	# hosts.
+	# By default, <tt>form_action</tt> consists of <tt>['self']</tt>.
+	attr_accessor :form_action
+	
+	# Array. Holds the list of
+	# {frame-ancestors}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors]
+	# hosts.
+	# By default, <tt>frame_ancestors</tt> consists of <tt>['self']</tt>.
+	attr_accessor :frame_ancestors
+	
+	# Array. Holds the list of
+	# {base-uri}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri]
+	# hosts.
+	# By default, <tt>base_uri</tt> consists of <tt>['none']</tt>.
+	attr_accessor :base_uri
+	
+	# Boolean, defaults to true. Sets the value for
+	# {block-all-mixed-content}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content].
+	attr_accessor :block_all_mixed_content
+	
+	# Boolean, defaults to nil. Sets the value for
+	# {upgrade-insecure-requests}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests].
+	# If this value is set then #block_all_mixed_content is ignored.
+	attr_accessor :upgrade_insecure_requests
+	
+	# This attribute is used to set two different things. It sets the
+	# {report-uri}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri]
+	# value, which is being phased out. It is also used in
+	# #report_to_header_value to generate a
+	# {report-to}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to]
+	# HTTP header. See details in #report_to_header_value.
+	attr_accessor :report_to
+	
+	# Sets the name of the report-to group in the
+	# {report-to}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to]
+	# HTTP header.
+	# Defaults to <tt>csp-endpoint</tt>.
+	# See details in #report_to_header_value.
+	attr_accessor :report_to_group
+	
+	# Sets the maximum age of the group in the
+	# {report-to}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to]
+	# HTTP header.
+	# Defaults to <tt>10886400</tt>.
+	attr_accessor :report_to_max_age
+	
+	
+	#---------------------------------------------------------------------------
+	# initialize
+	#
+	
+	##
+	# <tt>new()</tt> takes no parameters.
+	
+	def initialize
+		# $tm.hrm
+		
+		# all and default
+		@all_src = ['self']
+		@default_src = []
+		
+		# inherit from default
+		@img_src = nil
+		@script_src = nil
+		@style_src = nil
+		@font_src = nil
+		@object_src = ['none']
+		
+		# do not inherit from default
+		@frame_src = ['self']
+		@frame_ancestors = ['self']
+		@form_action = ['self']
+		@base_uri = ['none']
+		
+		# booleans
+		@block_all_mixed_content = true
+		@upgrade_insecure_requests = nil
+		@default_to_explicit = true
+		
+		# report_to
+		@report_to = nil
+		@report_to_group = 'csp-endpoint'
+		@report_to_max_age = 10886400
+	end
+	#
+	# initialize
+	#---------------------------------------------------------------------------
+	
+	
+	#---------------------------------------------------------------------------
+	# to_s
+	#
+	
+	##
+	# Returns the value of the cont
+	# {Content-Security-Policy}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy]
+	# HTTP header.
+	# Note that this method only returns the value, i.e., the stuff after the
+	# colon in the HTTP header.
+	
+	def to_s
+		# $tm.hrm
+		
+		# initialize return value
+		rv = []
+		
+		# add some sources
+		src_to_str rv, 'default-src', @default_src, true
+		src_to_str rv, 'img-src', @img_src, true
+		src_to_str rv, 'script-src', @script_src, true
+		src_to_str rv, 'style-src', @style_src, true
+		src_to_str rv, 'frame-src', @frame_src, true
+		src_to_str rv, 'font-src', @font_src, true
+		src_to_str rv, 'object-src', @object_src, true
+		src_to_str rv, 'form-action', @form_action, false
+		src_to_str rv, 'frame-ancestors', @frame_ancestors, false
+		src_to_str rv, 'base-uri', @base_uri, false
+		
+		# block all mixed content
+		if @upgrade_insecure_requests.nil?
+			if @block_all_mixed_content
+				rv.push 'block-all-mixed-content'
+			end
+		else
+			if @upgrade_insecure_requests
+				rv.push 'upgrade-insecure-requests'
+			end
+		end
+		
+		# report-uri
+		if @report_to
+			rv.push 'report-uri ' + @report_to
+			rv.push 'report-to ' + @report_to_group
+		end
+		
+		# initiilaze return string
+		rv_str = rv.join('; ')
+		
+		# collapse rv_str
+		rv_str.sub!(/\A\s+/imu, '')
+		rv_str.sub!(/\s+\z/imu, '')
+		rv_str.gsub!(/\s+/imu, ' ')
+		
+		# add trailing semicolon
+		if rv_str.length > 0
+			rv_str += ';'
+		end
+		
+		# return
+		return rv_str
+	end
+	#
+	# to_s
+	#---------------------------------------------------------------------------
+	
+	
+	#---------------------------------------------------------------------------
+	# report_to_header_value
+	#
+	
+	##
+	# This method returns the value of a
+	# {report-to}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to]
+	# HTTP header. It is only useful if you set the #report_to property. For
+	# example, if you set #report_to like this:
+	# 
+	#     csp.report_to = 'https://www.example.com/csp'
+	# 
+	# Then <tt>report_to_header_value</tt> returns a value like this:
+	# 
+	#     {"group":"csp-endpoint","max-age":10886400,"endpoints":[{"url":"https://www.example.com/csp"}]}
+	#
+	# So, depending on how you set your HTTP headers, you might set the Report-To
+	# header like this:
+	# 
+	#     headers['Report-To'] = csp.report_to_header_value
+	
+	def report_to_header_value
+		# $tm.hrm
+		
+		# initialize value struct
+		struct = {}
+		
+		# group name
+		struct['group'] = @report_to_group
+		
+		# max age
+		struct['max-age'] = @report_to_max_age
+		
+		# endpoints
+		struct['endpoints'] = [{'url'=>@report_to}]
+		
+		# return
+		# return 'Report-To: ' + JSON.generate(struct)
+		return JSON.generate(struct)
+	end
+	#
+	# report_to_header_value
+	#---------------------------------------------------------------------------
+	
+	
+	#---------------------------------------------------------------------------
+	# cdn
+	#
+	
+	##
+	# This method allows you to add a host to multiple source arrays at once.
+	# The first param is the host you would like to set. Follow that with a
+	# list of arrays to add it to. The list should consist of the names of the
+	# arrays, e.g. <tt>img_src</tt>.
+	# 
+	# So, for example, this code:
+	# 
+	#     csp.cdn 'code.jquery.com', 'script_src', 'style_src'
+	# 
+	# adds <tt>code.jquery.com</tt> to the #script_src and #style_src arrays,
+	# creating those arrays if necessary.
+	
+	def cdn(uri, *srcs)
+		# $tm.hrm
+		
+		# img
+		if srcs.include?('img_src')
+			@img_src ||= []
+			@img_src.push uri
+		end
+		
+		# script
+		if srcs.include?('script_src')
+			@script_src ||= []
+			@script_src.push uri
+		end
+		
+		# style
+		if srcs.include?('style_src')
+			@style_src ||= []
+			@style_src.push uri
+		end
+		
+		# frame
+		if srcs.include?('frame_src')
+			@frame_src ||= []
+			@frame_src.push uri
+		end
+		
+		# font
+		if srcs.include?('font_src')
+			@font_src ||= []
+			@font_src.push uri
+		end
+	end
+	#
+	# cdn
+	#---------------------------------------------------------------------------
+	
+	
+	# private
+	private
+	
+	
+	#---------------------------------------------------------------------------
+	# src_to_str
+	#
+	@@quote_values = %w{self none unsafe-inline unsafe-eval}
+	
+	def src_to_str(rv, key, src, use_all)
+		# $tm.hrm
+		# $tm.debug key
+		# $tm.debug src
+		
+		# early exit: if nil, nothing to do
+		src.nil? and return
+		
+		# new src
+		srcs = []
+		
+		# special case: src includes "none"
+		if src.include?('none')
+			src = ['none']
+		else
+			# add @all_src if necessary
+			if use_all and @all_src
+				srcs += @all_src
+			end
+		end
+		
+		# add src
+		srcs += src
+		
+		# map some values so that they have single quotes
+		srcs.map! do |itm|
+			if @@quote_values.include?(itm)
+				itm = "'#{itm}'"
+			end
+			
+			# Collapse spaces, which actually shouldn't be there to begin with.
+			# Doing so helps avoid HTTP header injection.
+			itm = itm.gsub(/\s+/mu, ' ')
+			
+			itm
+		end
+		
+		# add to return values
+		rv.push key + ' ' + srcs.uniq.join(' ')
+	end
+	#
+	# src_to_str
+	#---------------------------------------------------------------------------
+end
+#
+# EzCSP
+#===============================================================================

metadata

@@ -0,0 +1,44 @@
+--- !ruby/object:Gem::Specification
+name: ezcsp
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Mike O'Sullivan
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-11-05 00:00:00.000000000 Z
+dependencies: []
+description: Simplifies creating a content security policy for use as an HTTP header
+email: miko@idocs.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/ezcsp.rb
+homepage: https://rubygems.org/gems/ezcsp
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.2.1
+signing_key: 
+specification_version: 4
+summary: Content security policy HTTP header builder
+test_files: []