I'm hoping to implement a Content-Security-Policy in my application and iterate on the policy by adding rules to a Content-Security-Policy-Report-Only header so I can maintain the existing security while testing new policies in my production environment.
According to the W3C CSP2 recommendation, this is an intended use of the Content-Security-Policy-Report-Only header. However, when trying to configure Rails to achieve this, it appears you can either have your CSP in report-only mode or "enforcement" mode:

```ruby
Rails.application.config.content_security_policy_report_only = true
```
I've tried looking into the Rails source to see if there is a way to achieve this but it appears as if the either/or behaviour is intended:
`ActionDispatch::ContentSecurityPolicy::Middleware`, around line 40:

```ruby
def call(env)
  ...
  return response if policy_present?(headers)

  if policy = request.content_security_policy
    ...
    headers[header_name(request)] = policy.build(context, nonce, nonce_directives)
  end

  response
end

...

def header_name(request)
  if request.content_security_policy_report_only
    POLICY_REPORT_ONLY
  else
    POLICY
  end
end

def policy_present?(headers)
  headers[POLICY] || headers[POLICY_REPORT_ONLY]
end
```
Is there a way to configure Rails to handle both headers in the same request? Or am I going to have to set my headers manually without using Rails' built-in DSL?
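One way to get both headers on the same response, as an added example that is not part of the question or of Rails itself: a small Rack middleware (hypothetical name `ReportOnlyCspMiddleware`) that adds the Content-Security-Policy-Report-Only header while leaving the enforced header set by Rails' own middleware untouched. It assumes the candidate policy is a static directive hash and does not carry Rails' per-request nonce; the directive values and the `/csp-reports` endpoint below are constructed sample values.

```ruby
# Added example, not Rails code. Adds a report-only CSP next to the enforced one.
class ReportOnlyCspMiddleware
  ENFORCED    = "Content-Security-Policy".freeze
  REPORT_ONLY = "Content-Security-Policy-Report-Only".freeze

  # directives: { "default-src" => ["'self'"], "script-src" => ["'self'", "https://cdn.example"] }
  def initialize(app, directives)
    @app = app
    @policy = self.class.serialize(directives)
  end

  # Turn a directive hash into the header's "name sources; name sources" form.
  def self.serialize(directives)
    directives.map { |name, sources| "#{name} #{Array(sources).join(' ')}" }.join("; ")
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Never touch the enforced header; only add the report-only one if nothing set it.
    headers[REPORT_ONLY] ||= @policy unless @policy.empty?
    [status, headers, body]
  end
end

# Assumed wiring in config/application.rb. The ordering matters: Rails' middleware skips
# setting the enforced header when *either* CSP header is already present (policy_present?),
# so this middleware must sit OUTSIDE it, i.e. be inserted before it, so that Rails sets the
# enforced header on the inner response first and the report-only header is added afterwards.
#
#   config.middleware.insert_before ActionDispatch::ContentSecurityPolicy::Middleware,
#     ReportOnlyCspMiddleware,
#     { "default-src" => ["'self'"],
#       "script-src"  => ["'self'", "https://cdn.example"],   # candidate rule under test
#       "report-uri"  => ["/csp-reports"] }                    # constructed sample endpoint
```

Browsers enforce the Content-Security-Policy header and only report violations of the Content-Security-Policy-Report-Only one, so a candidate rule can be observed in production without relaxing the policy that is actually enforced.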