ezcsp

EzCSP provides a simple object-oriented way to generate Content-Security-Policy HTTP headers. For documentation on CSP, see Mozilla's Content-Security-Policy page.

Basic usage:

require 'ezcsp'
csp = EzCSP.new()

Then, depending on how you output HTTP headers, you could output the CSP header something like this:

headers['Content-Security-Policy'] = csp.to_s

csp.to_s, by default, returns this string:

default-src 'self'; frame-src 'self'; object-src 'none'; form-action 'self'; frame-ancestors 'self'; base-uri 'none'; block-all-mixed-content;

By default, the header value is very restrictive. It basically states that no resources — scripts, styles, images, etc. — from outside the current web site can be used. Expand that set of allowed resources by adding to the accessors listed in the class documentation, usually by using the cdn method. So, for example, to allow the browser to get scripts and styles from code.jquery.com, you would do this:

csp.cdn 'code.jquery.com', 'script_src', 'style_src'

which would produce this header value:

default-src 'self'; script-src 'self' code.jquery.com; style-src 'self' code.jquery.com; frame-src 'self'; object-src 'none'; form-action 'self'; frame-ancestors 'self'; base-uri 'none'; block-all-mixed-content;

EzCSP isn't a substitute for understanding content security policies. Make sure you read up on CSP before using this class.

Install

gem install ezcsp

Author

Mike O'Sullivan mike@idocs.com

History

version	date	notes
0.0.2	Nov 9, 2018	Improved structure of gem. No changes to code.
0.0.1	Nov 5, 2018	Initial upload.