bridgetown-content-security-policy 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: ce83a05c8a7eecd5f4f48d4e7cfcf6b85fc523f7dc50c9450296430500a21db3
+  data.tar.gz: aa48a40dda361021a71ac67295ec6c702140fb5150dc541827d134038d786bc9
+SHA512:
+  metadata.gz: ebf42495d3701613d9ce87225a801df3f0b3f5779fb83a7385fb2722c94cc045444e15db29335920eea6da78e58040a055a3362f364dd29fe800f770d5a8d1fc
+  data.tar.gz: 763fd7f7c7b5c6ecd63127411c76aa5eae0837e43755c202615ea3064228f552f6e07f8f364ccb232c368829f82f0a7d245eabcdcc1c65f6814ef64e44dde57b

data/.gitignore

@@ -0,0 +1,38 @@
+/vendor
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log
+*.gem
+Gemfile.lock
+.bundle
+.ruby-version
+
+# Node
+node_modules
+.npm
+.node_repl_history
+
+# Yarn
+yarn-error.log
+yarn-debug.log*
+.pnp/
+.pnp.js
+
+# Yarn Integrity file
+.yarn-integrity
+
+test/dest
+.bridgetown-metadata
+.bridgetown-cache
+.bridgetown-webpack

data/.rubocop.yml

@@ -0,0 +1,22 @@
+require: rubocop-bridgetown
+
+inherit_gem:
+  rubocop-bridgetown: .rubocop.yml
+
+AllCops:
+  TargetRubyVersion: 2.5
+  Include:
+    - lib/**/*.rb
+
+  Exclude:
+    - .gitignore
+    - .rspec
+    - .rubocop.yml
+
+    - Gemfile.lock
+    - CHANGELOG.md
+    - LICENSE.txt
+    - README.md
+
+    - script/**/*
+    - vendor/**/*

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+# main
+
+# 0.1.0 / 13-01-2021
+
+* First version

data/Gemfile

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+gemspec
+
+gem "bridgetown", ENV["BRIDGETOWN_VERSION"] if ENV["BRIDGETOWN_VERSION"]
+
+group :test do
+  gem "minitest"
+  gem "minitest-profile"
+  gem "minitest-reporters"
+  gem "shoulda"
+end
+

data/LICENSE.txt

@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2020-present
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,37 @@
+# Bridgetown Content Security Policy
+
+A Bridgetown plugin to include a [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) as a meta tag on all your pages.
+
+## Installation
+
+Run this command to install this plugin:
+
+```shell
+$ bundle exec bridgetown apply https://github.com/ayushn21/bridgetown-content-security-policy
+```
+
+## Usage
+
+The plugin allows you to define one or more Content Security Policies using a convenient Ruby DSL.
+
+The installation should create a `content_security_policy.config.rb` file in your project root. More info about the DSL is contained in the file.
+
+Add `{% content_security_policy %}` in the `head` tag of *your layout file* to include the CSP on all your pages.
+
+You can also define a specific CSP for pages by setting `content_security_policy:` in your frontmatter; and then defining the relevent CSP in `content_security_policy.config.rb`.
+
+All page specific CSPs will inherit from the `default` CSP.
+
+## Testing
+
+* Run `bundle exec rake test` to run the test suite
+* Or run `script/cibuild` to validate with Rubocop and run tests together.
+
+## Contributing
+
+1. Fork it (https://github.com/ayushn21/bridgetown-content-security-policy/fork)
+2. Clone the fork using `git clone` to your local development machine.
+3. Create your feature branch (`git checkout -b my-new-feature`)
+4. Commit your changes (`git commit -am 'Add some feature'`)
+5. Push to the branch (`git push origin my-new-feature`)
+6. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+
+task spec: :test
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |test|
+  test.libs << "lib" << "test"
+  test.pattern = "test/**/test_*.rb"
+  test.verbose = true
+end

data/bridgetown-content-security-policy.gemspec

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require_relative "lib/bridgetown-content-security-policy/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "bridgetown-content-security-policy"
+  spec.version       = BridgetownContentSecurityPolicy::VERSION
+  spec.author        = "Ayush Newatia"
+  spec.email         = "ayush@hey.com"
+  spec.summary       = "Add a content security policy to your website using Ruby"
+  spec.homepage      = "https://github.com/ayushn21/bridgetown-content-security-policy"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r!^(test|script|features|frontend)/!) }
+  spec.test_files    = spec.files.grep(%r!^test/!)
+  spec.require_paths = ["lib"]
+  spec.metadata      = {}
+
+  spec.required_ruby_version = ">= 2.5.0"
+
+  spec.add_dependency "bridgetown", ">= 0.15", "< 2.0"
+
+  spec.add_development_dependency "bundler"
+  spec.add_development_dependency "nokogiri", "~> 1.6"
+  spec.add_development_dependency "rake", "~> 12.0"
+  spec.add_development_dependency "rubocop-bridgetown", "~> 0.2"
+end

data/bridgetown.automation.rb

@@ -0,0 +1,9 @@
+say_status :content_security_policy, "Installing the bridgetown-content-security-policy plugin..."
+
+add_bridgetown_plugin "bridgetown-content-security-policy"
+
+copy_file "./templates/content_security_policy.config.rb", "content_security_policy.config.rb"
+
+say_status :content_security_policy, "All done! Please add {% content_security_policy %} to the head tag in your layouts."
+say_status :content_security_policy, "Please see the new content_security_policy.rb file for details"
+say_status :content_security_policy, "More info available at: https://github.com/ayushn21/bridgetown-content-security-policy"

data/lib/bridgetown-content-security-policy.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+require "bridgetown"
+require "bridgetown-content-security-policy/policy"
+require "bridgetown-content-security-policy/builder"
+
+BridgetownContentSecurityPolicy::Builder.register

data/lib/bridgetown-content-security-policy/builder.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module BridgetownContentSecurityPolicy
+  mattr_reader :policies, default: {}
+
+  def self.configure(name, &block)
+    @@policies[name.to_sym] = BridgetownContentSecurityPolicy::Policy.new(&block)
+  end
+
+  class Builder < Bridgetown::Builder
+    def build
+      require_relative site.in_root_dir("content_security_policy.config.rb")
+
+      unless default_policy
+        # rubocop:disable Layout/LineLength
+        Bridgetown.logger.error "\nDefault Content Security Policy not configured"
+        Bridgetown.logger.info "Please configure a default CSP in content_security_policy.config.rb\n"
+        # rubocop:enable Layout/LineLength
+      end
+
+      liquid_tag "content_security_policy", :render
+    end
+
+    private
+
+    def render(_attributes, tag)
+      return "" unless default_policy
+
+      page_specific_policy_name = tag.context["page"]["content_security_policy"]&.to_sym
+      page_specific_policy = BridgetownContentSecurityPolicy.policies[page_specific_policy_name]
+
+      if page_specific_policy_name && page_specific_policy.nil?
+        Bridgetown.logger.warn "Unknown Content Security Policy:", page_specific_policy_name.to_s
+      end
+
+      policy = default_policy.merge(page_specific_policy)
+
+      render_policy policy
+    end
+
+    def render_policy(policy)
+      "<meta http-equiv=\"Content-Security-Policy\" content=\"#{policy.build}\">"
+    end
+
+    def default_policy
+      BridgetownContentSecurityPolicy.policies[:default]
+    end
+  end
+end

data/lib/bridgetown-content-security-policy/policy.rb

@@ -0,0 +1,172 @@
+# frozen_string_literal: true
+
+module BridgetownContentSecurityPolicy
+  class Policy
+    MAPPINGS = {
+      self: "'self'",
+      unsafe_eval: "'unsafe-eval'",
+      unsafe_inline: "'unsafe-inline'",
+      none: "'none'",
+      http: "http:",
+      https: "https:",
+      data: "data:",
+      mediastream: "mediastream:",
+      blob: "blob:",
+      filesystem: "filesystem:",
+      report_sample: "'report-sample'",
+      strict_dynamic: "'strict-dynamic'",
+      ws: "ws:",
+      wss: "wss:",
+    }.freeze
+
+    DIRECTIVES = {
+      base_uri: "base-uri",
+      child_src: "child-src",
+      connect_src: "connect-src",
+      default_src: "default-src",
+      font_src: "font-src",
+      form_action: "form-action",
+      frame_ancestors: "frame-ancestors",
+      frame_src: "frame-src",
+      img_src: "img-src",
+      manifest_src: "manifest-src",
+      media_src: "media-src",
+      object_src: "object-src",
+      prefetch_src: "prefetch-src",
+      script_src: "script-src",
+      script_src_attr: "script-src-attr",
+      script_src_elem: "script-src-elem",
+      style_src: "style-src",
+      style_src_attr: "style-src-attr",
+      style_src_elem: "style-src-elem",
+      worker_src: "worker-src",
+    }.freeze
+
+    private_constant :MAPPINGS, :DIRECTIVES
+
+    attr_reader :directives
+
+    def initialize(directives = nil)
+      if directives
+        @directives = directives
+      else
+        @directives = {}
+        yield self if block_given?
+      end
+    end
+
+    DIRECTIVES.each do |name, directive|
+      define_method(name) do |*sources|
+        if sources.first
+          @directives[directive] = apply_mappings(sources)
+        else
+          @directives.delete(directive)
+        end
+      end
+    end
+
+    def block_all_mixed_content(enabled = true)
+      if enabled
+        @directives["block-all-mixed-content"] = true
+      else
+        @directives.delete("block-all-mixed-content")
+      end
+    end
+
+    def plugin_types(*types)
+      if types.first
+        @directives["plugin-types"] = types
+      else
+        @directives.delete("plugin-types")
+      end
+    end
+
+    def report_uri(uri)
+      @directives["report-uri"] = [uri]
+    end
+
+    def require_sri_for(*types)
+      if types.first
+        @directives["require-sri-for"] = types
+      else
+        @directives.delete("require-sri-for")
+      end
+    end
+
+    def sandbox(*values)
+      if values.empty?
+        @directives["sandbox"] = true
+      elsif values.first
+        @directives["sandbox"] = values
+      else
+        @directives.delete("sandbox")
+      end
+    end
+
+    def upgrade_insecure_requests(enabled = true)
+      if enabled
+        @directives["upgrade-insecure-requests"] = true
+      else
+        @directives.delete("upgrade-insecure-requests")
+      end
+    end
+
+    def build
+      build_directives.compact.join("; ")
+    end
+
+    def merge(policy)
+      if policy
+        self.class.new(@directives.merge(policy.directives))
+      else
+        self
+      end
+    end
+
+    private
+
+    def apply_mappings(sources)
+      sources.map do |source|
+        case source
+        when Symbol
+          apply_mapping(source)
+        when String
+          source
+        else
+          raise ArgumentError, "Invalid content security policy source: #{source.inspect}"
+        end
+      end
+    end
+
+    def apply_mapping(source)
+      MAPPINGS.fetch(source) do
+        raise ArgumentError, "Unknown content security policy source mapping: #{source.inspect}"
+      end
+    end
+
+    def build_directives
+      @directives.map do |directive, sources|
+        if sources.is_a?(Array)
+          "#{directive} #{build_directive(sources).join(" ")}"
+        elsif sources
+          directive
+        end
+      end
+    end
+
+    def build_directive(sources)
+      sources.map { |source| resolve_source(source) }
+    end
+
+    def resolve_source(source)
+      case source
+      when String
+        source
+      when Symbol
+        source.to_s
+      else
+        raise "Unexpected content security policy source: #{source.inspect}"
+      end
+    end
+  end
+end

data/lib/bridgetown-content-security-policy/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module BridgetownContentSecurityPolicy
+  VERSION = "0.1.0"
+end

data/templates/content_security_policy.config.rb

@@ -0,0 +1,29 @@
+# The recommended default Content Security Policy 
+
+BridgetownContentSecurityPolicy.configure :default do |policy|
+    policy.default_src :self
+    policy.img_src     :self, :data
+    policy.object_src  :none
+end
+
+# All other policies with inherit from :default
+# To allow inline styles on certain pages, we can define the following
+# policy which inherits all the values from :default and defines a style_src
+# 
+# BridgetownContentSecurityPolicy.configure :allow_inline_styles do |policy|
+#     policy.style_src   :self, :unsafe_inline
+# end
+
+
+# This is an example of a more complex policy demonstrating the DSL
+# For further information see the following documentation
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+
+# BridgetownContentSecurityPolicy.configure :default do |policy|
+#     policy.default_src :self
+#     policy.font_src    :self, :https, :data
+#     policy.img_src     :self, :https, :data
+#     policy.object_src  :none
+#     policy.script_src  :self, :https
+#     policy.style_src   :self, :https
+# end

metadata

@@ -0,0 +1,133 @@
+--- !ruby/object:Gem::Specification
+name: bridgetown-content-security-policy
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Ayush Newatia
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2021-01-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bridgetown
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.15'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.15'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.0'
+- !ruby/object:Gem::Dependency
+  name: rubocop-bridgetown
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+description: 
+email: ayush@hey.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".DS_Store"
+- ".gitignore"
+- ".rubocop.yml"
+- CHANGELOG.md
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bridgetown-content-security-policy.gemspec
+- bridgetown.automation.rb
+- lib/bridgetown-content-security-policy.rb
+- lib/bridgetown-content-security-policy/builder.rb
+- lib/bridgetown-content-security-policy/policy.rb
+- lib/bridgetown-content-security-policy/version.rb
+- templates/content_security_policy.config.rb
+homepage: https://github.com/ayushn21/bridgetown-content-security-policy
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.5.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.4
+signing_key: 
+specification_version: 4
+summary: Add a content security policy to your website using Ruby
+test_files: []