跳到內容 跳到搜尋

Action Dispatch 內容安全性政策

設定 HTTP Content-Security-Policy 回應標頭,以協助防範 XSS 和注入攻擊。

範例全域政策

Rails.application.config.content_security_policy do |policy|
  policy.default_src :self, :https
  policy.font_src    :self, :https, :data
  policy.img_src     :self, :https, :data
  policy.object_src  :none
  policy.script_src  :self, :https
  policy.style_src   :self, :https

  # Specify URI for violation reports
  policy.report_uri "/csp-violation-report-endpoint"
end
命名空間
方法
B
I
N
P
R
S
U

屬性

[R] directives

類別公開方法

new()

來源:顯示 | 在 GitHub 上 

# File actionpack/lib/action_dispatch/http/content_security_policy.rb, line 174
def initialize
  @directives = {}
  yield self if block_given?
end

執行個體公開方法

block_all_mixed_content(enabled = true)

指定是否在頁面使用 HTTPS 時,禁止使用者代理透過 HTTP 載入任何資產

policy.block_all_mixed_content

傳遞 false 以再次允許

policy.block_all_mixed_content false

來源:顯示 | 在 GitHub 上 

# File actionpack/lib/action_dispatch/http/content_security_policy.rb, line 202
def block_all_mixed_content(enabled = true)
  if enabled
    @directives["block-all-mixed-content"] = true
  else
    @directives.delete("block-all-mixed-content")
  end
end

build(context = nil, nonce = nil, nonce_directives = nil)

來源:顯示 | 在 GitHub 上 

# File actionpack/lib/action_dispatch/http/content_security_policy.rb, line 291
def build(context = nil, nonce = nil, nonce_directives = nil)
  nonce_directives = DEFAULT_NONCE_DIRECTIVES if nonce_directives.nil?
  build_directives(context, nonce, nonce_directives).compact.join("; ")
end

initialize_copy(other)

來源:顯示 | 在 GitHub 上 

# File actionpack/lib/action_dispatch/http/content_security_policy.rb, line 179
def initialize_copy(other)
  @directives = other.directives.deep_dup
end

plugin_types(*types)

限制可嵌入的插件組

policy.plugin_types "application/x-shockwave-flash"

留空以允許所有插件

policy.plugin_types

來源:顯示 | 在 GitHub 上 

# File actionpack/lib/action_dispatch/http/content_security_policy.rb, line 218
def plugin_types(*types)
  if types.first
    @directives["plugin-types"] = types
  else
    @directives.delete("plugin-types")
  end
end

report_uri(uri)

啟用 report-uri 指令。違規報告將傳送到指定的 URI

policy.report_uri "/csp-violation-report-endpoint"

來源:顯示 | 在 GitHub 上 

# File actionpack/lib/action_dispatch/http/content_security_policy.rb, line 231
def report_uri(uri)
  @directives["report-uri"] = [uri]
end

require_sri_for(*types)

指定需要 子資源完整性 的資產類型

policy.require_sri_for :script, :style

留空表示不需要子資源完整性

policy.require_sri_for

來源:顯示 | 在 GitHub 上 

# File actionpack/lib/action_dispatch/http/content_security_policy.rb, line 244
def require_sri_for(*types)
  if types.first
    @directives["require-sri-for"] = types
  else
    @directives.delete("require-sri-for")
  end
end

sandbox(*values)

指定是否應為請求的資源啟用 沙箱

policy.sandbox

值可以作為引數傳遞

policy.sandbox "allow-scripts", "allow-modals"

傳遞 false 以停用沙箱

policy.sandbox false

來源:顯示 | 在 GitHub 上 

# File actionpack/lib/action_dispatch/http/content_security_policy.rb, line 265
def sandbox(*values)
  if values.empty?
    @directives["sandbox"] = true
  elsif values.first
    @directives["sandbox"] = values
  else
    @directives.delete("sandbox")
  end
end

upgrade_insecure_requests(enabled = true)

指定使用者代理是否應將 HTTP 上的任何資源視為 HTTPS

policy.upgrade_insecure_requests

傳遞 false 以停用它

policy.upgrade_insecure_requests false

來源:顯示 | 在 GitHub 上 

# File actionpack/lib/action_dispatch/http/content_security_policy.rb, line 283
def upgrade_insecure_requests(enabled = true)
  if enabled
    @directives["upgrade-insecure-requests"] = true
  else
    @directives.delete("upgrade-insecure-requests")
  end
end