1
2
3

def call(env)
  [status, headers, body]
end

1
2
3
4
5
6
7
8

class App
  def call(env)
    status = 200
    headers = { "Content-Type" => "text/plain" }
    body = ["sample"]
    [status, headers, body]
  end
end

1
2
3
4
5
6
7
8
9

$ rackup

Puma starting in single mode...
* Version 4.3.5 (ruby 2.6.6-p146), codename: Mysterious Traveller
* Min threads: 0, max threads: 16
* Environment: development
* Listening on tcp://127.0.0.1:9292
* Listening on tcp://[::1]:9292
Use Ctrl-C to stop

1
2
3

Use Ctrl-C to stop
127.0.0.1 - - [02/Sep/2020:19:51:29 +0900] "GET / HTTP/1.1" 200 6 0.0057
127.0.0.1 - - [02/Sep/2020:19:51:29 +0900] "GET /favicon.ico HTTP/1.1" 200 6 0.0010

1
2
3
4
5

  require "rack"
  require_relative "app"

  use Rack::Runtime
  run App.new

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17

class SimpleMiddleware
  def initialize(app)
    @app = app
    # Middlewareとして使われるクラスの初期引数には何が渡されるのか？
    puts "*" * 30
    puts "* #{self.class} initialize(app = #{app.class})"
    puts "*" * 30
  end

  def call(env)
    status, headers, body = @app.call(env)
    puts "*" * 30
    puts "* #{self.class} call(body = #{body})"
    puts "*" * 30
    return [status, headers, body]
  end
end

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19

$ rackup
******************************
* SimpleMiddleware initialize(app = App)
******************************
Puma starting in single mode...
* Version 4.3.5 (ruby 2.6.6-p146), codename: Mysterious Traveller
* Min threads: 0, max threads: 16
* Environment: development
* Listening on tcp://127.0.0.1:9292
* Listening on tcp://[::1]:9292
Use Ctrl-C to stop
******************************
* SimpleMiddleware call(body = ["sample"])
******************************
127.0.0.1 - - [02/Sep/2020:20:26:46 +0900] "GET / HTTP/1.1" 200 6 0.0055
******************************
* SimpleMiddleware call(body = ["sample"])
******************************
127.0.0.1 - - [02/Sep/2020:20:26:46 +0900] "GET /favicon.ico HTTP/1.1" 200 6 0.0007

1
2
3
4
5

# This file is used by Rack-based servers to start the application.

require_relative 'config/environment'

run Rails.application

1
2
3
4
5

# Load the Rails application.
require_relative 'application'

# Initialize the Rails application.
Rails.application.initialize!

1
2
3
4
5
6
7
8

$ bundle exec rackup
Puma starting in single mode...
* Version 4.3.5 (ruby 2.6.6-p146), codename: Mysterious Traveller
* Min threads: 5, max threads: 5
* Environment: development
* Listening on tcp://127.0.0.1:9292
* Listening on tcp://[::1]:9292
Use Ctrl-C to stop

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

$ rails middleware
use Webpacker::DevServerProxy
use ActionDispatch::HostAuthorization
use Rack::Sendfile
use ActionDispatch::Static
use ActionDispatch::Executor
use ActiveSupport::Cache::Strategy::LocalCache::Middleware
use Rack::Runtime
use Rack::MethodOverride
use ActionDispatch::RequestId
use ActionDispatch::RemoteIp
use Sprockets::Rails::QuietAssets
use Rails::Rack::Logger
use ActionDispatch::ShowExceptions
use WebConsole::Middleware
use ActionDispatch::DebugExceptions
use ActionDispatch::ActionableExceptions
use ActionDispatch::Reloader
use ActionDispatch::Callbacks
use ActiveRecord::Migration::CheckPending
use ActionDispatch::Cookies
use ActionDispatch::Session::CookieStore
use ActionDispatch::Flash
use ActionDispatch::ContentSecurityPolicy::Middleware
use Rack::Head
use Rack::ConditionalGet
use Rack::ETag
use Rack::TempfileReaper
run HelloRails::Application.routes

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

require_relative 'boot'

require 'rails/all'

require 'midlewares/hoge_middleware'  # 追加

Bundler.require(*Rails.groups)

module HelloRails
  class Application < Rails::Application
    config.load_defaults 6.0

    config.middleware.use HogeMiddleware  # 追加
  end
end

1

config.middleware.insert_after Rack::ETag, HogeMiddleware  # 追加

1
2
3
4
5
6

development:
  secret_key_base: b8f81b...0f8dee
test:
  secret_key_base: 6d2a31...3abc7e
production:
  secret_key_base: <%= ENV["SECRET_KEY_BASE"]>

1
2
3
4

Rails.application.configure do
  config.credentials.content_path = Rails.root.join('config', 'credentials', 'development.yml.enc')
  config.credentials.key_path = Rails.root.join('config', 'credentials', 'development.key')
end

1
2

<script src="http://trap.example.com/dangerjs"></script>
<script>alert(document.cookie)</script>

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

# Be sure to restart your server when you modify this file.

# Define an application-wide content security policy
# For further information see the following documentation
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

# Rails.application.config.content_security_policy do |policy|
#   policy.default_src :self, :https
#   policy.font_src    :self, :https, :data
#   policy.img_src     :self, :https, :data
#   policy.object_src  :none
#   policy.script_src  :self, :https
#   policy.style_src   :self, :https
#   # If you are using webpack-dev-server then specify webpack-dev-server host
#   policy.connect_src :self, :https, "http://localhost:3035", "ws://localhost:3035" if Rails.env.development?

#   # Specify URI for violation reports
#   # policy.report_uri "/csp-violation-report-endpoint"
# end

# If you are using UJS then enable automatic nonce generation
# Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }

# Set the nonce only to specific directives
# Rails.application.config.content_security_policy_nonce_directives = %w(script-src)

# Report CSP violations to a specified URI
# For further information see the following documentation:
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
# Rails.application.config.content_security_policy_report_only = true

1
2
3
4
5

class PostController < ApplicationController
  content_security_policy do |p|
    p.script_src :self, :https, "https://example.com"
  end
end

1
2
3
4
5

Rails.application.config.content_security_policy do |policy|
  policy.default_src :self, :https
  policy.report_uri "/csp-violation-report-endpoint"
end
Rails.application.config.content_security_policy_report_only = true

1
2
3

<script nonce="2726c7f26c">
  alert("実行できる")
</script>

1
2
3
4
5

# scriptとstyleにnonceを利用
Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }

# scriptのみnonceを利用
Rails.application.config.content_security_policy_nonce_directives = %w(script-src)

1
2
3

<head>
  <%= csp_meta_tag %>
</head>