ezcsp 0.0.1 → 0.0.2
- checksums.yaml +4 -4
- data/README.md +50 -0
- data/lib/ezcsp.rb +0 -36
- metadata +3 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: e85c15f0666a4ccbdd890925384c38e92e642e30
|
4
|
+
data.tar.gz: 1d9057b469c1a375a81e1bf10f0378c79dece42a
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: ff4d1d6a894c50875bf30d2ce60ee6aa31049642b9ee32a24c24c37a9c80e98a0552590e6fd9aabc5dc543c42fd7af54e310e9c60bbdef137c54c526acc157a2
|
7
|
+
data.tar.gz: 64430bd7554d662d9629501bf667a656caabaa9c2f570736c089dc01f598dd217674ba2261eab0dc7597a614d69d6ffc50bb7dd49f5bd4e1e89893188fab841f
|
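Review bot: the removed `metadata.gz:` and `data.tar.gz:` lines under both `SHA1:` and `SHA512:` render with no value, so the previous checksums cannot be compared against the new ones in this view; anyone reviewing the upgrade should check the new digests against the 0.0.2 gem actually fetched from rubygems.org rather than relying on this diff. The change itself is expected, since the data tarball now carries README.md and the metadata carries the new version.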
data/README.md
ADDED
@@ -0,0 +1,50 @@
|
|
1
|
+
EzCSP provides a simple object-oriented way to generate `Content-Security-Policy`
|
2
|
+
HTTP headers. For documentation on CSP, see Mozilla's [Content-Security-Policy page](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy).
|
3
|
+
|
4
|
+
Basic usage:
|
5
|
+
|
6
|
+
require 'ezcsp'
|
7
|
+
csp = EzCSP.new()
|
8
|
+
|
9
|
+
Then, depending on how you output HTTP headers, you could output the CSP header
|
10
|
+
something like this:
|
11
|
+
|
12
|
+
headers['Content-Security-Policy'] = csp.to_s
|
13
|
+
|
14
|
+
`csp.to_s`, by default, returns this string:
|
15
|
+
|
16
|
+
default-src 'self'; frame-src 'self'; object-src 'none'; form-action 'self'; frame-ancestors 'self'; base-uri 'none'; block-all-mixed-content;
|
17
|
+
|
18
|
+
By default, the header value is very restrictive. It basically states that no
|
19
|
+
resources — scripts, styles, images, etc. — from outside the current web site
|
20
|
+
can be used. Expand that set of allowed resources by adding to the accessors
|
21
|
+
listed in the class documentation, usually by using the `cdn` method. So, for
|
22
|
+
example, to allow the browser to get scripts and styles from `code.jquery.com`,
|
23
|
+
you would do this:
|
24
|
+
|
25
|
+
csp.cdn 'code.jquery.com', 'script_src', 'style_src'
|
26
|
+
|
27
|
+
which would produce this header value:
|
28
|
+
|
29
|
+
default-src 'self'; script-src 'self' code.jquery.com; style-src 'self' code.jquery.com; frame-src 'self'; object-src 'none'; form-action 'self'; frame-ancestors 'self'; base-uri 'none'; block-all-mixed-content;
|
30
|
+
|
31
|
+
EzCSP isn't a substitute for understanding content security policies. Make
|
32
|
+
sure you [read up on CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) before using this class.
|
33
|
+
|
34
|
+
## Install
|
35
|
+
|
36
|
+
```
|
37
|
+
gem install ezcsp
|
38
|
+
```
|
39
|
+
|
40
|
+
## Author
|
41
|
+
|
42
|
+
Mike O'Sullivan
|
43
|
+
mike@idocs.com
|
44
|
+
|
45
|
+
## History
|
46
|
+
|
47
|
+
| version | date | notes |
|
48
|
+
|----------|-------------|------|
|
49
|
+
| 0.0.2 | Nov 9, 2018 | Improved structure of gem. No changes to code. |
|
50
|
+
| 0.0.1 | Nov 5, 2018 | Initial upload. |
|
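Review bot: the README opens with body text and then uses `##` sub-headings for Install, Author and History, so a top-level `# EzCSP` heading is missing, and the Ruby snippets (`require 'ezcsp'`, `csp = EzCSP.new()`, `headers['Content-Security-Policy'] = csp.to_s`, the `csp.cdn` call and the two header values) should be fenced as code the way the Install section already is, otherwise Markdown renders them as running prose. The Author e-mail here is mike@idocs.com while the gem metadata in this same release says miko@idocs.com, so one of them is a typo. A sentence after the `csp.cdn 'code.jquery.com', 'script_src', 'style_src'` example saying that allowing a host trusts every script and stylesheet served from that host would help readers who skip the linked MDN page.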
data/lib/ezcsp.rb
CHANGED
@@ -5,42 +5,6 @@ require 'json'
|
|
5
5
|
#
|
6
6
|
|
7
7
|
##
|
8
|
-
# EzCSP provides a simple object-oriented way to generate
|
9
|
-
# <tt>Content-Security-Policy</tt> HTTP headers. For documentation on CSP,
|
10
|
-
# see {Mozilla's Content-Security-Policy page}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy].
|
11
|
-
#
|
12
|
-
# Basic usage:
|
13
|
-
#
|
14
|
-
# require 'ezcsp'
|
15
|
-
# csp = EzCSP.new()
|
16
|
-
#
|
17
|
-
# Then, depending on how you output HTTP headers, you could output the CSP header
|
18
|
-
# something like this:
|
19
|
-
#
|
20
|
-
# headers['Content-Security-Policy'] = csp.to_s
|
21
|
-
#
|
22
|
-
# <tt>csp.to_s</tt>, by default, returns this string:
|
23
|
-
#
|
24
|
-
# default-src 'self'; frame-src 'self'; object-src 'none'; form-action 'self'; frame-ancestors 'self'; base-uri 'none'; block-all-mixed-content;
|
25
|
-
#
|
26
|
-
# By default, the header value is very restrictive. It basically states that no
|
27
|
-
# resources — scripts, styles, images, etc. — from outside the current web site
|
28
|
-
# can be used. Expand that set of allowed resources by adding to the accessors
|
29
|
-
# listed below, usually by using the #cdn method. So, for example, to
|
30
|
-
# allow the browser to get scripts and styles from <tt>code.jquery.com</tt>,
|
31
|
-
# you would do this:
|
32
|
-
#
|
33
|
-
# csp.cdn 'code.jquery.com', 'script_src', 'style_src'
|
34
|
-
#
|
35
|
-
# which would produce this header value:
|
36
|
-
#
|
37
|
-
# default-src 'self'; script-src 'self' code.jquery.com; style-src 'self' code.jquery.com; frame-src 'self'; object-src 'none'; form-action 'self'; frame-ancestors 'self'; base-uri 'none'; block-all-mixed-content;
|
38
|
-
#
|
39
|
-
# EzCSP isn't a substitute for understanding content security policies. Make
|
40
|
-
# sure you
|
41
|
-
# {read up on CSP}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy]
|
42
|
-
# before using this class.
|
43
|
-
#
|
44
8
|
# In the array attributes listed below, if the value <tt>none</tt> is in the
|
45
9
|
# array, then all other values are ignored.
|
46
10
|
|
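Review bot: after this removal the class doc comment starting at `##` jumps straight to `# In the array attributes listed below, if the value <tt>none</tt> is in the` with no class summary, so generated RDoc for EzCSP will have no description, yet the new README sends readers to "the accessors listed in the class documentation". Keep at least a one-line summary (the first removed line, `# EzCSP provides a simple object-oriented way to generate`, with its continuation) in the comment, or have the comment point at README.md.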
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: ezcsp
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.0.
|
4
|
+
version: 0.0.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Mike O'Sullivan
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2018-11-
|
11
|
+
date: 2018-11-10 00:00:00.000000000 Z
|
12
12
|
dependencies: []
|
13
13
|
description: Simplifies creating a content security policy for use as an HTTP header
|
14
14
|
email: miko@idocs.com
|
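Review bot: `date: 2018-11-10 00:00:00.000000000 Z` does not match the README history table added in this release, which dates 0.0.2 to Nov 9, 2018; pick one. The context line `email: miko@idocs.com` also differs from the README's mike@idocs.com, and the removed `version: 0.0.` and `date: 2018-11-` lines are truncated in this render, so the diff should be re-checked against the gemspec.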
@@ -16,6 +16,7 @@ executables: []
|
|
16
16
|
extensions: []
|
17
17
|
extra_rdoc_files: []
|
18
18
|
files:
|
19
|
+
- README.md
|
19
20
|
- lib/ezcsp.rb
|
20
21
|
homepage: https://rubygems.org/gems/ezcsp
|
21
22
|
licenses:
|
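Review bot: adding `- README.md` under `files:` packages it, but `extra_rdoc_files: []` a few lines above stays empty, so the documentation just removed from lib/ezcsp.rb will not appear in generated RDoc; list README.md under `extra_rdoc_files` as well.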