bridgetown-content-security-policy 0.1.0

Sign up to get free protection for your applications and to get access to all the features.
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA256:
3
+ metadata.gz: ce83a05c8a7eecd5f4f48d4e7cfcf6b85fc523f7dc50c9450296430500a21db3
4
+ data.tar.gz: aa48a40dda361021a71ac67295ec6c702140fb5150dc541827d134038d786bc9
5
+ SHA512:
6
+ metadata.gz: ebf42495d3701613d9ce87225a801df3f0b3f5779fb83a7385fb2722c94cc045444e15db29335920eea6da78e58040a055a3362f364dd29fe800f770d5a8d1fc
7
+ data.tar.gz: 763fd7f7c7b5c6ecd63127411c76aa5eae0837e43755c202615ea3064228f552f6e07f8f364ccb232c368829f82f0a7d245eabcdcc1c65f6814ef64e44dde57b
Binary file
@@ -0,0 +1,38 @@
1
+ /vendor
2
+ /.bundle/
3
+ /.yardoc
4
+ /Gemfile.lock
5
+ /_yardoc/
6
+ /coverage/
7
+ /doc/
8
+ /pkg/
9
+ /spec/reports/
10
+ /tmp/
11
+ *.bundle
12
+ *.so
13
+ *.o
14
+ *.a
15
+ mkmf.log
16
+ *.gem
17
+ Gemfile.lock
18
+ .bundle
19
+ .ruby-version
20
+
21
+ # Node
22
+ node_modules
23
+ .npm
24
+ .node_repl_history
25
+
26
+ # Yarn
27
+ yarn-error.log
28
+ yarn-debug.log*
29
+ .pnp/
30
+ .pnp.js
31
+
32
+ # Yarn Integrity file
33
+ .yarn-integrity
34
+
35
+ test/dest
36
+ .bridgetown-metadata
37
+ .bridgetown-cache
38
+ .bridgetown-webpack
@@ -0,0 +1,22 @@
1
+ require: rubocop-bridgetown
2
+
3
+ inherit_gem:
4
+ rubocop-bridgetown: .rubocop.yml
5
+
6
+ AllCops:
7
+ TargetRubyVersion: 2.5
8
+ Include:
9
+ - lib/**/*.rb
10
+
11
+ Exclude:
12
+ - .gitignore
13
+ - .rspec
14
+ - .rubocop.yml
15
+
16
+ - Gemfile.lock
17
+ - CHANGELOG.md
18
+ - LICENSE.txt
19
+ - README.md
20
+
21
+ - script/**/*
22
+ - vendor/**/*
@@ -0,0 +1,5 @@
1
+ # main
2
+
3
+ # 0.1.0 / 13-01-2021
4
+
5
+ * First version
data/Gemfile ADDED
@@ -0,0 +1,14 @@
1
+ # frozen_string_literal: true
2
+
3
+ source "https://rubygems.org"
4
+ gemspec
5
+
6
+ gem "bridgetown", ENV["BRIDGETOWN_VERSION"] if ENV["BRIDGETOWN_VERSION"]
7
+
8
+ group :test do
9
+ gem "minitest"
10
+ gem "minitest-profile"
11
+ gem "minitest-reporters"
12
+ gem "shoulda"
13
+ end
14
+
@@ -0,0 +1,22 @@
1
+ The MIT License (MIT)
2
+
3
+ Copyright (c) 2020-present
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining
6
+ a copy of this software and associated documentation files (the
7
+ "Software"), to deal in the Software without restriction, including
8
+ without limitation the rights to use, copy, modify, merge, publish,
9
+ distribute, sublicense, and/or sell copies of the Software, and to
10
+ permit persons to whom the Software is furnished to do so, subject to
11
+ the following conditions:
12
+
13
+ The above copyright notice and this permission notice shall be
14
+ included in all copies or substantial portions of the Software.
15
+
16
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
17
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
18
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
19
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
20
+ LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
21
+ OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
22
+ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@@ -0,0 +1,37 @@
1
+ # Bridgetown Content Security Policy
2
+
3
+ A Bridgetown plugin to include a [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) as a meta tag on all your pages.
4
+
5
+ ## Installation
6
+
7
+ Run this command to install this plugin:
8
+
9
+ ```shell
10
+ $ bundle exec bridgetown apply https://github.com/ayushn21/bridgetown-content-security-policy
11
+ ```
12
+
13
+ ## Usage
14
+
15
+ The plugin allows you to define one or more Content Security Policies using a convenient Ruby DSL.
16
+
17
+ The installation should create a `content_security_policy.config.rb` file in your project root. More info about the DSL is contained in the file.
18
+
19
+ Add `{% content_security_policy %}` in the `head` tag of *your layout file* to include the CSP on all your pages.
20
+
21
+ You can also define a specific CSP for pages by setting `content_security_policy:` in your frontmatter; and then defining the relevent CSP in `content_security_policy.config.rb`.
22
+
23
+ All page specific CSPs will inherit from the `default` CSP.
24
+
25
+ ## Testing
26
+
27
+ * Run `bundle exec rake test` to run the test suite
28
+ * Or run `script/cibuild` to validate with Rubocop and run tests together.
29
+
30
+ ## Contributing
31
+
32
+ 1. Fork it (https://github.com/ayushn21/bridgetown-content-security-policy/fork)
33
+ 2. Clone the fork using `git clone` to your local development machine.
34
+ 3. Create your feature branch (`git checkout -b my-new-feature`)
35
+ 4. Commit your changes (`git commit -am 'Add some feature'`)
36
+ 5. Push to the branch (`git push origin my-new-feature`)
37
+ 6. Create a new Pull Request
@@ -0,0 +1,12 @@
1
+ # frozen_string_literal: true
2
+
3
+ require "bundler/gem_tasks"
4
+
5
+ task spec: :test
6
+ require "rake/testtask"
7
+
8
+ Rake::TestTask.new(:test) do |test|
9
+ test.libs << "lib" << "test"
10
+ test.pattern = "test/**/test_*.rb"
11
+ test.verbose = true
12
+ end
@@ -0,0 +1,27 @@
1
+ # frozen_string_literal: true
2
+
3
+ require_relative "lib/bridgetown-content-security-policy/version"
4
+
5
+ Gem::Specification.new do |spec|
6
+ spec.name = "bridgetown-content-security-policy"
7
+ spec.version = BridgetownContentSecurityPolicy::VERSION
8
+ spec.author = "Ayush Newatia"
9
+ spec.email = "ayush@hey.com"
10
+ spec.summary = "Add a content security policy to your website using Ruby"
11
+ spec.homepage = "https://github.com/ayushn21/bridgetown-content-security-policy"
12
+ spec.license = "MIT"
13
+
14
+ spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r!^(test|script|features|frontend)/!) }
15
+ spec.test_files = spec.files.grep(%r!^test/!)
16
+ spec.require_paths = ["lib"]
17
+ spec.metadata = {}
18
+
19
+ spec.required_ruby_version = ">= 2.5.0"
20
+
21
+ spec.add_dependency "bridgetown", ">= 0.15", "< 2.0"
22
+
23
+ spec.add_development_dependency "bundler"
24
+ spec.add_development_dependency "nokogiri", "~> 1.6"
25
+ spec.add_development_dependency "rake", "~> 12.0"
26
+ spec.add_development_dependency "rubocop-bridgetown", "~> 0.2"
27
+ end
@@ -0,0 +1,9 @@
1
+ say_status :content_security_policy, "Installing the bridgetown-content-security-policy plugin..."
2
+
3
+ add_bridgetown_plugin "bridgetown-content-security-policy"
4
+
5
+ copy_file "./templates/content_security_policy.config.rb", "content_security_policy.config.rb"
6
+
7
+ say_status :content_security_policy, "All done! Please add {% content_security_policy %} to the head tag in your layouts."
8
+ say_status :content_security_policy, "Please see the new content_security_policy.rb file for details"
9
+ say_status :content_security_policy, "More info available at: https://github.com/ayushn21/bridgetown-content-security-policy"
@@ -0,0 +1,7 @@
1
+ # frozen_string_literal: true
2
+
3
+ require "bridgetown"
4
+ require "bridgetown-content-security-policy/policy"
5
+ require "bridgetown-content-security-policy/builder"
6
+
7
+ BridgetownContentSecurityPolicy::Builder.register
@@ -0,0 +1,49 @@
1
+ # frozen_string_literal: true
2
+
3
+ module BridgetownContentSecurityPolicy
4
+ mattr_reader :policies, default: {}
5
+
6
+ def self.configure(name, &block)
7
+ @@policies[name.to_sym] = BridgetownContentSecurityPolicy::Policy.new(&block)
8
+ end
9
+
10
+ class Builder < Bridgetown::Builder
11
+ def build
12
+ require_relative site.in_root_dir("content_security_policy.config.rb")
13
+
14
+ unless default_policy
15
+ # rubocop:disable Layout/LineLength
16
+ Bridgetown.logger.error "\nDefault Content Security Policy not configured"
17
+ Bridgetown.logger.info "Please configure a default CSP in content_security_policy.config.rb\n"
18
+ # rubocop:enable Layout/LineLength
19
+ end
20
+
21
+ liquid_tag "content_security_policy", :render
22
+ end
23
+
24
+ private
25
+
26
+ def render(_attributes, tag)
27
+ return "" unless default_policy
28
+
29
+ page_specific_policy_name = tag.context["page"]["content_security_policy"]&.to_sym
30
+ page_specific_policy = BridgetownContentSecurityPolicy.policies[page_specific_policy_name]
31
+
32
+ if page_specific_policy_name && page_specific_policy.nil?
33
+ Bridgetown.logger.warn "Unknown Content Security Policy:", page_specific_policy_name.to_s
34
+ end
35
+
36
+ policy = default_policy.merge(page_specific_policy)
37
+
38
+ render_policy policy
39
+ end
40
+
41
+ def render_policy(policy)
42
+ "<meta http-equiv=\"Content-Security-Policy\" content=\"#{policy.build}\">"
43
+ end
44
+
45
+ def default_policy
46
+ BridgetownContentSecurityPolicy.policies[:default]
47
+ end
48
+ end
49
+ end
@@ -0,0 +1,172 @@
1
+ # frozen_string_literal: true
2
+
3
+ module BridgetownContentSecurityPolicy
4
+ class Policy
5
+ MAPPINGS = {
6
+ self: "'self'",
7
+ unsafe_eval: "'unsafe-eval'",
8
+ unsafe_inline: "'unsafe-inline'",
9
+ none: "'none'",
10
+ http: "http:",
11
+ https: "https:",
12
+ data: "data:",
13
+ mediastream: "mediastream:",
14
+ blob: "blob:",
15
+ filesystem: "filesystem:",
16
+ report_sample: "'report-sample'",
17
+ strict_dynamic: "'strict-dynamic'",
18
+ ws: "ws:",
19
+ wss: "wss:",
20
+ }.freeze
21
+
22
+ DIRECTIVES = {
23
+ base_uri: "base-uri",
24
+ child_src: "child-src",
25
+ connect_src: "connect-src",
26
+ default_src: "default-src",
27
+ font_src: "font-src",
28
+ form_action: "form-action",
29
+ frame_ancestors: "frame-ancestors",
30
+ frame_src: "frame-src",
31
+ img_src: "img-src",
32
+ manifest_src: "manifest-src",
33
+ media_src: "media-src",
34
+ object_src: "object-src",
35
+ prefetch_src: "prefetch-src",
36
+ script_src: "script-src",
37
+ script_src_attr: "script-src-attr",
38
+ script_src_elem: "script-src-elem",
39
+ style_src: "style-src",
40
+ style_src_attr: "style-src-attr",
41
+ style_src_elem: "style-src-elem",
42
+ worker_src: "worker-src",
43
+ }.freeze
44
+
45
+ private_constant :MAPPINGS, :DIRECTIVES
46
+
47
+ attr_reader :directives
48
+
49
+ def initialize(directives = nil)
50
+ if directives
51
+ @directives = directives
52
+ else
53
+ @directives = {}
54
+ yield self if block_given?
55
+ end
56
+ end
57
+
58
+ DIRECTIVES.each do |name, directive|
59
+ define_method(name) do |*sources|
60
+ if sources.first
61
+ @directives[directive] = apply_mappings(sources)
62
+ else
63
+ @directives.delete(directive)
64
+ end
65
+ end
66
+ end
67
+
68
+ def block_all_mixed_content(enabled = true)
69
+ if enabled
70
+ @directives["block-all-mixed-content"] = true
71
+ else
72
+ @directives.delete("block-all-mixed-content")
73
+ end
74
+ end
75
+
76
+ def plugin_types(*types)
77
+ if types.first
78
+ @directives["plugin-types"] = types
79
+ else
80
+ @directives.delete("plugin-types")
81
+ end
82
+ end
83
+
84
+ def report_uri(uri)
85
+ @directives["report-uri"] = [uri]
86
+ end
87
+
88
+ def require_sri_for(*types)
89
+ if types.first
90
+ @directives["require-sri-for"] = types
91
+ else
92
+ @directives.delete("require-sri-for")
93
+ end
94
+ end
95
+
96
+ def sandbox(*values)
97
+ if values.empty?
98
+ @directives["sandbox"] = true
99
+ elsif values.first
100
+ @directives["sandbox"] = values
101
+ else
102
+ @directives.delete("sandbox")
103
+ end
104
+ end
105
+
106
+ def upgrade_insecure_requests(enabled = true)
107
+ if enabled
108
+ @directives["upgrade-insecure-requests"] = true
109
+ else
110
+ @directives.delete("upgrade-insecure-requests")
111
+ end
112
+ end
113
+
114
+ def build
115
+ build_directives.compact.join("; ")
116
+ end
117
+
118
+ def merge(policy)
119
+ if policy
120
+ self.class.new(@directives.merge(policy.directives))
121
+ else
122
+ self
123
+ end
124
+ end
125
+
126
+ private
127
+
128
+ def apply_mappings(sources)
129
+ sources.map do |source|
130
+ case source
131
+ when Symbol
132
+ apply_mapping(source)
133
+ when String
134
+ source
135
+ else
136
+ raise ArgumentError, "Invalid content security policy source: #{source.inspect}"
137
+ end
138
+ end
139
+ end
140
+
141
+ def apply_mapping(source)
142
+ MAPPINGS.fetch(source) do
143
+ raise ArgumentError, "Unknown content security policy source mapping: #{source.inspect}"
144
+ end
145
+ end
146
+
147
+ def build_directives
148
+ @directives.map do |directive, sources|
149
+ if sources.is_a?(Array)
150
+ "#{directive} #{build_directive(sources).join(" ")}"
151
+ elsif sources
152
+ directive
153
+ end
154
+ end
155
+ end
156
+
157
+ def build_directive(sources)
158
+ sources.map { |source| resolve_source(source) }
159
+ end
160
+
161
+ def resolve_source(source)
162
+ case source
163
+ when String
164
+ source
165
+ when Symbol
166
+ source.to_s
167
+ else
168
+ raise "Unexpected content security policy source: #{source.inspect}"
169
+ end
170
+ end
171
+ end
172
+ end
@@ -0,0 +1,5 @@
1
+ # frozen_string_literal: true
2
+
3
+ module BridgetownContentSecurityPolicy
4
+ VERSION = "0.1.0"
5
+ end
@@ -0,0 +1,29 @@
1
+ # The recommended default Content Security Policy
2
+
3
+ BridgetownContentSecurityPolicy.configure :default do |policy|
4
+ policy.default_src :self
5
+ policy.img_src :self, :data
6
+ policy.object_src :none
7
+ end
8
+
9
+ # All other policies with inherit from :default
10
+ # To allow inline styles on certain pages, we can define the following
11
+ # policy which inherits all the values from :default and defines a style_src
12
+ #
13
+ # BridgetownContentSecurityPolicy.configure :allow_inline_styles do |policy|
14
+ # policy.style_src :self, :unsafe_inline
15
+ # end
16
+
17
+
18
+ # This is an example of a more complex policy demonstrating the DSL
19
+ # For further information see the following documentation
20
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
21
+
22
+ # BridgetownContentSecurityPolicy.configure :default do |policy|
23
+ # policy.default_src :self
24
+ # policy.font_src :self, :https, :data
25
+ # policy.img_src :self, :https, :data
26
+ # policy.object_src :none
27
+ # policy.script_src :self, :https
28
+ # policy.style_src :self, :https
29
+ # end
metadata ADDED
@@ -0,0 +1,133 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: bridgetown-content-security-policy
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.1.0
5
+ platform: ruby
6
+ authors:
7
+ - Ayush Newatia
8
+ autorequire:
9
+ bindir: bin
10
+ cert_chain: []
11
+ date: 2021-01-12 00:00:00.000000000 Z
12
+ dependencies:
13
+ - !ruby/object:Gem::Dependency
14
+ name: bridgetown
15
+ requirement: !ruby/object:Gem::Requirement
16
+ requirements:
17
+ - - ">="
18
+ - !ruby/object:Gem::Version
19
+ version: '0.15'
20
+ - - "<"
21
+ - !ruby/object:Gem::Version
22
+ version: '2.0'
23
+ type: :runtime
24
+ prerelease: false
25
+ version_requirements: !ruby/object:Gem::Requirement
26
+ requirements:
27
+ - - ">="
28
+ - !ruby/object:Gem::Version
29
+ version: '0.15'
30
+ - - "<"
31
+ - !ruby/object:Gem::Version
32
+ version: '2.0'
33
+ - !ruby/object:Gem::Dependency
34
+ name: bundler
35
+ requirement: !ruby/object:Gem::Requirement
36
+ requirements:
37
+ - - ">="
38
+ - !ruby/object:Gem::Version
39
+ version: '0'
40
+ type: :development
41
+ prerelease: false
42
+ version_requirements: !ruby/object:Gem::Requirement
43
+ requirements:
44
+ - - ">="
45
+ - !ruby/object:Gem::Version
46
+ version: '0'
47
+ - !ruby/object:Gem::Dependency
48
+ name: nokogiri
49
+ requirement: !ruby/object:Gem::Requirement
50
+ requirements:
51
+ - - "~>"
52
+ - !ruby/object:Gem::Version
53
+ version: '1.6'
54
+ type: :development
55
+ prerelease: false
56
+ version_requirements: !ruby/object:Gem::Requirement
57
+ requirements:
58
+ - - "~>"
59
+ - !ruby/object:Gem::Version
60
+ version: '1.6'
61
+ - !ruby/object:Gem::Dependency
62
+ name: rake
63
+ requirement: !ruby/object:Gem::Requirement
64
+ requirements:
65
+ - - "~>"
66
+ - !ruby/object:Gem::Version
67
+ version: '12.0'
68
+ type: :development
69
+ prerelease: false
70
+ version_requirements: !ruby/object:Gem::Requirement
71
+ requirements:
72
+ - - "~>"
73
+ - !ruby/object:Gem::Version
74
+ version: '12.0'
75
+ - !ruby/object:Gem::Dependency
76
+ name: rubocop-bridgetown
77
+ requirement: !ruby/object:Gem::Requirement
78
+ requirements:
79
+ - - "~>"
80
+ - !ruby/object:Gem::Version
81
+ version: '0.2'
82
+ type: :development
83
+ prerelease: false
84
+ version_requirements: !ruby/object:Gem::Requirement
85
+ requirements:
86
+ - - "~>"
87
+ - !ruby/object:Gem::Version
88
+ version: '0.2'
89
+ description:
90
+ email: ayush@hey.com
91
+ executables: []
92
+ extensions: []
93
+ extra_rdoc_files: []
94
+ files:
95
+ - ".DS_Store"
96
+ - ".gitignore"
97
+ - ".rubocop.yml"
98
+ - CHANGELOG.md
99
+ - Gemfile
100
+ - LICENSE.txt
101
+ - README.md
102
+ - Rakefile
103
+ - bridgetown-content-security-policy.gemspec
104
+ - bridgetown.automation.rb
105
+ - lib/bridgetown-content-security-policy.rb
106
+ - lib/bridgetown-content-security-policy/builder.rb
107
+ - lib/bridgetown-content-security-policy/policy.rb
108
+ - lib/bridgetown-content-security-policy/version.rb
109
+ - templates/content_security_policy.config.rb
110
+ homepage: https://github.com/ayushn21/bridgetown-content-security-policy
111
+ licenses:
112
+ - MIT
113
+ metadata: {}
114
+ post_install_message:
115
+ rdoc_options: []
116
+ require_paths:
117
+ - lib
118
+ required_ruby_version: !ruby/object:Gem::Requirement
119
+ requirements:
120
+ - - ">="
121
+ - !ruby/object:Gem::Version
122
+ version: 2.5.0
123
+ required_rubygems_version: !ruby/object:Gem::Requirement
124
+ requirements:
125
+ - - ">="
126
+ - !ruby/object:Gem::Version
127
+ version: '0'
128
+ requirements: []
129
+ rubygems_version: 3.1.4
130
+ signing_key:
131
+ specification_version: 4
132
+ summary: Add a content security policy to your website using Ruby
133
+ test_files: []