I used the secure_headers gem (https://github.com/twitter/secureheaders) and I configured the CSP as

```ruby
config.csp = {
  :enforce => true,
  :default_src => 'http://* inline',
  :report_uri => "/report",
  :connect_src => 'self',
  :style_src => 'self inline',
  :script_src => 'self inline eval',
  :font_src => 'self'
}
```

but still I can't view the reports at my http://localhost:3000/report, and the page is not redirecting.
Conduct a find (Ctrl-F on Windows, Cmd-F on Mac) and search for the term “Content-Security-Policy”. If “Content-Security-Policy” is found, the CSP will be the code that comes after that term.
'unsafe-eval' allows the application to use the eval() JavaScript function. This reduces the protection against certain types of DOM-based XSS bugs, but makes it easier to adopt CSP. If your application doesn't use eval(), you can remove this keyword and have a safer policy.
The Content Security Policy (CSP) prevents the evaluation of arbitrary strings as JavaScript to make it more difficult for an attacker to inject unauthorized code on your site. To solve this issue, avoid using eval(), new Function(), setTimeout([string], ...) and setInterval([string], ...) for evaluating strings.
report-uri is technically deprecated, but the replacement (report-to) isn't supported by most browsers. You can either support both, or wait till report-to is more widely supported by all browsers.
EDIT:
https://report-uri.io/ offers CSP reporting capabilities. They give you a report-uri, and they manage the incoming reports!
Currently the gem does not have any built-in support for aggregating/viewing the reports. This question got me thinking so I filed https://github.com/twitter/secureheaders/issues/71
Please add your thoughts. I don't think it is a trivial task to build something meaningful, but I'm beginning to see how valuable it could be. There's also a good amount of low hanging fruit that might be good enough for the time being.
The Secure Headers Gem does not provide a reporting endpoint for CSP violations. It is something you would have to build yourself or use a solution that provides both out of the box.
I posted an overview of the different ways of deploying a Content Security Policy with Ruby on Rails, including SecureHeaders Gem and Templarbit (which includes a reporting endpoint): https://www.templarbit.com/blog/2018/03/14/content-security-policy-with-ruby-on-rails
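Since several answers above note that the gem does not ship a report endpoint and that report-uri and report-to should both be supported for now, here is an added example of what that endpoint can look like. It is not code from the secure_headers gem, from Templarbit, or from any of the answers; it is a plain Rack-style handler that builds the two headers with assumed values (report path `/report`, Reporting API group name `csp-endpoint`), accepts both the legacy `application/csp-report` payload and the Reporting API array payload, normalises them into one shape, and keeps them in memory. The two sample payloads are constructed, not captured from a browser.

```ruby
# Added example: a minimal CSP violation report endpoint (not part of the
# secure_headers gem). Assumed values: report path "/report", group name
# "csp-endpoint", in-memory storage instead of a database.
require 'json'
require 'stringio'

MAX_BODY_BYTES = 64 * 1024 # refuse oversized bodies before parsing them

# Content types browsers use for report-uri (csp-report) and report-to (reports+json).
REPORT_CONTENT_TYPES = ['application/csp-report', 'application/reports+json',
                        'application/json'].freeze

# Headers an app emits to receive violations via both mechanisms during the
# transition period: report-uri for older browsers, report-to plus a Report-To
# header for browsers that implement the Reporting API.
def csp_headers(report_path: '/report', group: 'csp-endpoint')
  policy = ["default-src 'self'", "script-src 'self'", "style-src 'self'",
            "report-uri #{report_path}", "report-to #{group}"].join('; ')
  {
    'Content-Security-Policy' => policy,
    'Report-To' => JSON.generate(group: group, max_age: 10_886_400,
                                 endpoints: [{ url: report_path }])
  }
end

# Flatten one violation into a common shape; legacy reports use kebab-case
# keys, Reporting API bodies use camelCase keys.
def normalize_report(raw)
  {
    document_uri: raw['document-uri'] || raw['documentURL'],
    violated_directive: raw['violated-directive'] || raw['effectiveDirective'],
    blocked_uri: raw['blocked-uri'] || raw['blockedURL'],
    disposition: raw['disposition'] || 'enforce'
  }
end

# Parse a request body into an array of normalised violations.
# Raises ArgumentError on malformed input so the endpoint can answer 400.
def parse_csp_reports(body)
  raise ArgumentError, 'body too large' if body.bytesize > MAX_BODY_BYTES
  data = JSON.parse(body)
  case data
  when Hash # legacy report-uri payload: {"csp-report": {...}}
    raise ArgumentError, 'missing csp-report' unless data['csp-report'].is_a?(Hash)
    [normalize_report(data['csp-report'])]
  when Array # Reporting API payload: [{"type": "csp-violation", "body": {...}}, ...]
    data.select { |r| r.is_a?(Hash) && r['type'] == 'csp-violation' && r['body'].is_a?(Hash) }
        .map { |r| normalize_report(r['body']) }
  else
    raise ArgumentError, 'unexpected JSON shape'
  end
rescue JSON::ParserError => e
  raise ArgumentError, "invalid JSON: #{e.message}"
end

# Rack endpoint: POST with a report content type -> 204; otherwise 4xx.
class CspReportEndpoint
  attr_reader :reports

  def initialize
    @reports = []
  end

  def call(env)
    return [405, {}, []] unless env['REQUEST_METHOD'] == 'POST'
    type = env['CONTENT_TYPE'].to_s.split(';').first
    return [415, {}, []] unless REPORT_CONTENT_TYPES.include?(type)
    @reports.concat(parse_csp_reports(env['rack.input'].read))
    [204, {}, []]
  rescue ArgumentError
    [400, {}, []]
  end
end

# Constructed sample payloads (not captured from a real browser).
LEGACY_REPORT = JSON.generate('csp-report' => {
  'document-uri' => 'http://localhost:3000/', 'violated-directive' => 'script-src',
  'blocked-uri' => 'http://cdn.example/x.js' })
REPORTING_API_REPORT = JSON.generate([{ 'type' => 'csp-violation', 'age' => 10,
  'url' => 'http://localhost:3000/', 'body' => {
    'documentURL' => 'http://localhost:3000/', 'effectiveDirective' => 'style-src',
    'blockedURL' => 'inline', 'disposition' => 'report' } }])

# Helper that builds a minimal Rack env and posts a body to the endpoint.
def post_report(app, body, content_type)
  app.call('REQUEST_METHOD' => 'POST', 'CONTENT_TYPE' => content_type,
           'rack.input' => StringIO.new(body))
end

if __FILE__ == $PROGRAM_NAME
  app = CspReportEndpoint.new
  puts post_report(app, LEGACY_REPORT, 'application/csp-report').first
  puts post_report(app, REPORTING_API_REPORT, 'application/reports+json').first
  app.reports.each { |r| puts r.inspect }
end
```

Two things to check when wiring this into Rails: the browser posts reports without a CSRF token, so a controller action serving `/report` has to be exempt from authenticity-token verification (`skip_before_action :verify_authenticity_token`) or the request is rejected before any report is stored; and a policy delivered in report-only mode arrives at the same endpoint with `disposition` set to `report`, which is why the normalised shape keeps that field.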