Class: Brut::FrontEnd::RouteHooks::CSPNoInlineStylesOrScripts::ReportOnly

Inherits:
Brut::FrontEnd::RouteHooks::CSPNoInlineStylesOrScripts show all
Defined in:
lib/brut/front_end/route_hooks/csp_no_inline_styles_or_scripts.rb

Overview

Sets Content-Security-Policy headers that only report the use of inline scripts and inline styles, but still allow them. This is useful for existing apps that you want to migrate to a more secure policy but cannot yet: violations are reported to the CSP reporting handler without anything being blocked.

Instance Method Summary

Methods inherited from Brut::FrontEnd::RouteHook

#before, #continue

Methods included from Brut::Framework::Errors

#abstract_method!, #bug!

Methods included from HandlingResults

#http_status, #redirect_to

Instance Method Details

#after(response:, request:) ⇒ Object

# File 'lib/brut/front_end/route_hooks/csp_no_inline_styles_or_scripts.rb', line 21

# header_value (the policy directives forbidding inline scripts and styles) is
# provided by the superclass; this hook emits it under the Report-Only header,
# so violations are reported to CspReportingHandler but nothing is blocked.
def after(response:,request:)
  csp_reporting_path   = uri(Brut::FrontEnd::Handlers::CspReportingHandler.routing,request:)
  # report-to names the endpoint group declared in Reporting-Endpoints;
  # report-uri is the legacy fallback for browsers without the Reporting API.
  reporting_directives = "report-to csp_reporting;report-uri #{csp_reporting_path}"

  response.headers["Content-Security-Policy-Report-Only"] = header_value + ";" + reporting_directives
  # Note: Reporting-Endpoints is a Structured Field dictionary (RFC 8941) whose
  # values are double-quoted strings; browsers that implement the Reporting API
  # will not parse a single-quoted value, so only the report-uri fallback applies.
  response.headers["Reporting-Endpoints"]                 = "csp_reporting='#{csp_reporting_path}'"

  continue
end
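The two reporting directives above deliver violation reports in two different wire formats: report-uri POSTs a single `csp-report` object, while report-to delivers Reporting API batches. The following is an added example, not Brut's own code, showing how the receiving side of this migration can normalize both formats and count the inline script/style uses the report-only policy flagged per page; the sample report bodies are constructed, and `Violation`, `parse_csp_reports` and `inline_violations_by_page` are hypothetical names.

```ruby
require "json"

Violation = Struct.new(:document, :directive, :blocked, :line)

# Constructed sample bodies: the legacy report-uri format (one "csp-report"
# object) and the Reporting API format report-to produces (typed array).
LEGACY_REPORT = JSON.generate({ "csp-report" => {
  "document-uri" => "https://example.test/orders", "effective-directive" => "script-src",
  "blocked-uri" => "inline", "line-number" => 42 } })
REPORTING_API_REPORT = JSON.generate([{ "type" => "csp-violation", "url" => "https://example.test/orders",
  "body" => { "documentURL" => "https://example.test/orders", "effectiveDirective" => "style-src",
              "blockedURL" => "inline", "lineNumber" => 7 } }])

# Normalize either wire format into Violation records; unknown shapes yield [].
def parse_csp_reports(body)
  data = JSON.parse(body)
  case data
  when Hash
    r = data["csp-report"] or return []
    [Violation.new(r["document-uri"], r["effective-directive"] || r["violated-directive"],
                   r["blocked-uri"], r["line-number"])]
  when Array
    data.select { |r| r["type"] == "csp-violation" && r["body"].is_a?(Hash) }.map do |r|
      b = r["body"]
      Violation.new(b["documentURL"], b["effectiveDirective"], b["blockedURL"], b["lineNumber"])
    end
  else
    []
  end
end

INLINE_DIRECTIVES = %w[script-src script-src-elem script-src-attr
                       style-src style-src-elem style-src-attr].freeze

# Count inline script/style uses the report-only policy flagged, per page,
# so the migration backlog is visible before the policy is enforced.
def inline_violations_by_page(bodies)
  bodies.flat_map { |b| parse_csp_reports(b) }
        .select { |v| v.blocked == "inline" && INLINE_DIRECTIVES.include?(v.directive) }
        .group_by(&:document)
        .transform_values(&:size)
end
```

Once the per-page counts reach zero, the same policy can be moved from the Report-Only header to the enforcing one.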