content-security-policy 0.1.1

data/.travis.yml

@@ -0,0 +1,5 @@
+language: ruby
+rvm:
+  - 1.8.7
+  - 1.9.2
+  - 1.9.3

data/Gemfile

@@ -0,0 +1,4 @@
+source 'http://rubygems.org'
+
+gemspec
+

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2009-2012 Alexey Rodionov
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,66 @@
+## Content Security Policy
+
+[![Build Status](https://secure.travis-ci.org/p0deje/content-security-policy.png)](http://travis-ci.org/p0deje/content-security-policy)
+
+Implementation of Content Security Policy as Rack middleware.
+
+More information about Content Security Policy - http://www.w3.org/TR/CSP/.
+
+## Installation
+
+Install as usually `gem install content-security-policy`
+
+## Usage
+
+Add Content Security Policy to your Rack configuration `config.ru`.
+
+```ruby
+require 'content-security-policy'
+
+ContentSecurityPolicy.configure do |csp|
+  csp['default-src'] = "'self'"
+  csp['script-src']  = '*.example.com'
+end
+
+use ContentSecurityPolicy
+run MyApplication
+```
+
+You can also pass directives during initialization.
+
+```ruby
+require 'content-security-policy'
+
+use ContentSecurityPolicy, :directives => { 'policy-uri' => 'policy.xml' }
+run MyApplication
+```
+
+You can also use report-only mode.
+
+```ruby
+require 'content-security-policy'
+
+ContentSecurityPolicy.configure do |csp|
+  csp.report_only = true
+  csp['default-src'] = "'self'"
+  csp['script-src']  = '*.example.com'
+end
+
+use ContentSecurityPolicy
+run MyApplication
+```
+
+```ruby
+require 'content-security-policy'
+
+use ContentSecurityPolicy, :directives => { 'policy-uri' => 'policy.xml' }, :report_only => true
+run MyApplication
+```
+
+## Status
+
+Content Security Policy is now implemented with `X-Content-Security-Policy` and `X-WebKit-CSP` headers.
+
+## Copyright
+
+Copyright (c) 2012 Alexey Rodionov. See LICENSE for details.

data/Rakefile

@@ -0,0 +1,12 @@
+require 'bundler'
+require 'rspec/core/rake_task'
+
+Bundler::GemHelper.install_tasks
+
+RSpec::Core::RakeTask.new :spec do |spec|
+  spec.ruby_opts = "-I lib:spec"
+  spec.pattern   = 'spec/**/*_spec.rb'
+end
+
+task :default => :spec
+

data/content-security-policy.gemspec

@@ -0,0 +1,26 @@
+$LOAD_PATH.push File.expand_path('../lib', __FILE__)
+require 'content-security-policy/version'
+
+Gem::Specification.new do |s|
+  s.name     = 'content-security-policy'
+  s.version  = ContentSecurityPolicy::VERSION
+
+  s.author = 'Alex Rodionov'
+  s.email  = 'p0deje@gmail.com'
+
+  s.homepage    = 'https://github.com/p0deje/content-security-policy'
+  s.summary     = 'Full-featured Content Security Policy as Rack middleware'
+  s.description = 'Full-featured Content Security Policy as Rack middleware'
+
+  s.files       = `git ls-files`.split("\n")
+  s.test_files  = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
+
+  s.require_path = 'lib'
+
+  s.add_dependency 'rack'
+
+  s.add_development_dependency 'rack-test'
+  s.add_development_dependency 'rspec'
+  s.add_development_dependency 'rake'
+end

data/lib/content-security-policy.rb

@@ -0,0 +1,45 @@
+require 'content-security-policy/middleware'
+require 'content-security-policy/errors'
+require 'content-security-policy/version'
+
+class ContentSecurityPolicy
+  class << self
+
+    # @attr_accessor [Boolean] use in report only mode
+    attr_accessor :report_only
+    # @attr_reader [Hash] directives hash
+    attr_reader :directives
+
+    #
+    # Configures Content Security Policy directives.
+    #
+    # Note that default-src directive should always be set.
+    #
+    # @example
+    #   ContentSecurityPolicy.configure do |csp|
+    #     csp.report_only = true
+    #     csp['default-src'] = "'self'"
+    #     csp['script-src']  = '*.example.com'
+    #   end
+    #   use ContentSecurityPolicy
+    #
+    # @yield [self]
+    #
+    def configure(&blk)
+      @directives ||= {}
+      blk.call(self)
+    end
+
+    #
+    # Sets directive.
+    #
+    # @param [String] name Directive name
+    # @param [String] value Directive value
+    #
+    def []=(name, value)
+      @directives[name] = value
+    end
+
+  end # << self
+end # ContentSecurityPolicy
+

data/lib/content-security-policy/errors.rb

@@ -0,0 +1,7 @@
+class ContentSecurityPolicy
+
+  class NoDirectivesError        < StandardError; end
+  class IncorrectDirectivesError < StandardError; end
+
+end # ContentSecurityPolicy
+

data/lib/content-security-policy/middleware.rb

@@ -0,0 +1,67 @@
+class ContentSecurityPolicy
+
+  # @attr_reader [Boolean] use in report only mode
+  attr_reader :report_only
+
+  # @attr_reader [Hash] directives hash
+  attr_reader :directives
+
+  #
+  # Initializes Content Security Policy middleware.
+  #
+  # @param [Hash] opts Options hash
+  # @option [Boolean] :report_only Set to true if use in report-only mode
+  # @option [Hash] :directives Directives
+  #
+  # @example
+  #   use ContentSecurityPolicy, :directives => { 'default-src' => "'self'" }
+  #   use ContentSecurityPolicy, :directives => { 'default-src' => "'self'", :report_only => true }
+  #
+  def initialize(app, options = {})
+    @app = app
+    @report_only = options[:report_only] || ContentSecurityPolicy.report_only
+    @directives = options[:directives] || ContentSecurityPolicy.directives
+
+    @directives or raise NoDirectivesError, 'No directives were passed.'
+
+    # make sure directives with policy-uri don't contain any other directives
+    if @directives['policy-uri'] && @directives.keys.length > 1
+      raise IncorrectDirectivesError, 'You passed both policy-uri and other directives.'
+    # make sure default-src is present
+    elsif !@directives['policy-uri'] && !@directives['default-src']
+      raise IncorrectDirectivesError, 'You have to set default-src directive.'
+    end
+  end
+
+  #
+  # @api private
+  #
+  def call(env)
+    dup._call(env)
+  end
+
+  #
+  # @api private
+  #
+  def _call(env)
+    status, headers, response = @app.call(env)
+
+    # flatten directives
+    directives = @directives.sort.map { |dir| "#{dir[0]} #{dir[1]}" }.join('; ')
+
+    # prepare response headers names
+    if @report_only
+      resp_headers = %w(X-Content-Security-Policy-Report-Only X-WebKit-CSP-Report-Only)
+    else
+      resp_headers = %w(X-Content-Security-Policy X-WebKit-CSP)
+    end
+
+    # append response header
+    resp_headers.each do |resp_header|
+      headers[resp_header] = directives
+    end
+
+    [status, headers, response]
+  end
+
+end # ContentSecurityPolicy

data/lib/content-security-policy/version.rb

@@ -0,0 +1,5 @@
+class ContentSecurityPolicy
+
+  VERSION = '0.1.1'
+
+end # ContentSecurityPolicy

data/spec/content-security-policy_spec.rb

@@ -0,0 +1,137 @@
+require 'spec_helper'
+
+describe ContentSecurityPolicy do
+
+  context 'configuration' do
+    let(:app) do
+      [200, { 'Content-Type' => 'text/plain' }, %w(ok)]
+    end
+
+    describe '#initialize' do
+      it 'should raise error if directives hash is not present' do
+        lambda do
+          ContentSecurityPolicy.new(app)
+        end.should raise_error(ContentSecurityPolicy::NoDirectivesError, 'No directives were passed.')
+      end
+
+      it 'should raise error if default-src was not set' do
+        lambda do
+          options = { :directives => { 'script-src' => "'self'" }}
+          ContentSecurityPolicy.new(app, options)
+        end.should raise_error(ContentSecurityPolicy::IncorrectDirectivesError, 'You have to set default-src directive.')
+      end
+
+      it 'should raise error if both policy-uri and other directive was set' do
+        lambda do
+          options = { :directives => { 'policy-uri' => 'policy.xml', 'script-src' => "'self'" }}
+          ContentSecurityPolicy.new(app, options)
+        end.should raise_error(ContentSecurityPolicy::IncorrectDirectivesError, "You passed both policy-uri and other directives.")
+      end
+
+      it 'should allow setting directives with ContentSecurityPolicy.configure' do
+        ContentSecurityPolicy.configure { |csp| csp['default-src'] = "'self'" }
+        ContentSecurityPolicy.should_receive(:directives).and_return('default-src' => '*')
+
+        lambda do
+          ContentSecurityPolicy.new(app)
+        end.should_not raise_error(ContentSecurityPolicy::NoDirectivesError, 'No directives were passed.')
+      end
+
+      it 'should allow passing hash of directives' do
+        lambda do
+          options = { :directives => { 'default-src' => "'self'" }}
+          ContentSecurityPolicy.new(app, options)
+        end.should_not raise_error
+      end
+
+      it 'should allow passing report_only attribute' do
+        lambda do
+          options = { :directives => { 'default-src' => "'self'" }, :report_only => true }
+          ContentSecurityPolicy.new(app, options)
+        end.should_not raise_error
+      end
+    end
+
+    describe '#configure' do
+      it 'should call block for self' do
+        ContentSecurityPolicy.should_receive(:configure).and_yield(ContentSecurityPolicy)
+        ContentSecurityPolicy.configure { |csp| csp['default-src'] = '*' }
+      end
+
+      it 'should save directives hash' do
+        ContentSecurityPolicy.configure { |csp| csp['default-src'] = '*' }
+        ContentSecurityPolicy.directives.should == { 'default-src' => '*' }
+      end
+
+      it 'should append directives' do
+        ContentSecurityPolicy.configure { |csp| csp['default-src'] = '*' }
+        ContentSecurityPolicy.configure { |csp| csp['script-src']  = '*' }
+        ContentSecurityPolicy.directives.should == { 'default-src' => '*',
+                                                     'script-src'  => '*' }
+      end
+
+      it 'should save report_only attribute' do
+        ContentSecurityPolicy.configure { |csp| csp.report_only = true }
+        ContentSecurityPolicy.report_only.should be_true
+      end
+    end
+  end
+
+  context 'middleware' do
+    let(:app) do
+      Rack::Builder.app do
+        use ContentSecurityPolicy
+        run lambda { |env| [200, {'Content-Type' => 'text/plain'}, %w(ok)] }
+      end
+    end
+
+    before(:each) do
+      ContentSecurityPolicy.configure do |csp|
+        csp.report_only = false
+        csp['default-src'] = '*'
+        csp['script-src']  = "'self'"
+        csp['img-src']     = '*.google.com'
+      end
+    end
+
+    describe '#call' do
+      it 'should respond with X-Content-Security-Policy HTTP response header' do
+        directives = "default-src *; img-src *.google.com; script-src 'self'"
+
+        header = get('/').headers['X-Content-Security-Policy']
+        header.should_not be_nil
+        header.should_not be_empty
+        header.should == directives
+      end
+
+      it 'should respond with X-WebKit-CSP HTTP response header' do
+        directives = "default-src *; img-src *.google.com; script-src 'self'"
+
+        header = get('/').headers['X-WebKit-CSP']
+        header.should_not be_nil
+        header.should_not be_empty
+        header.should == directives
+      end
+
+      it 'should respond with X-Content-Security-Policy-Report-Only HTTP response header' do
+        ContentSecurityPolicy.configure { |csp| csp.report_only = true }
+        directives = "default-src *; img-src *.google.com; script-src 'self'"
+
+        header = get('/').headers['X-Content-Security-Policy-Report-Only']
+        header.should_not be_nil
+        header.should_not be_empty
+        header.should == directives
+      end
+
+      it 'should respond with X-WebKit-CSP HTTP response header' do
+        ContentSecurityPolicy.configure { |csp| csp.report_only = true }
+        directives = "default-src *; img-src *.google.com; script-src 'self'"
+
+        header = get('/').headers['X-WebKit-CSP-Report-Only']
+        header.should_not be_nil
+        header.should_not be_empty
+        header.should == directives
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,7 @@
+$LOAD_PATH.push File.expand_path('../lib', __FILE__)
+require 'content-security-policy'
+require 'rack/test'
+
+RSpec.configure do |config|
+  config.include Rack::Test::Methods
+end

metadata

@@ -0,0 +1,103 @@
+--- !ruby/object:Gem::Specification
+name: content-security-policy
+version: !ruby/object:Gem::Version
+  version: 0.1.1
+  prerelease: 
+platform: ruby
+authors:
+- Alex Rodionov
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-02-17 00:00:00.000000000Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: &21497820 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *21497820
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: &21497260 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *21497260
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: &21496620 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *21496620
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: &21495520 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *21495520
+description: Full-featured Content Security Policy as Rack middleware
+email: p0deje@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .travis.yml
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- content-security-policy.gemspec
+- lib/content-security-policy.rb
+- lib/content-security-policy/errors.rb
+- lib/content-security-policy/middleware.rb
+- lib/content-security-policy/version.rb
+- spec/content-security-policy_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/p0deje/content-security-policy
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.16
+signing_key: 
+specification_version: 3
+summary: Full-featured Content Security Policy as Rack middleware
+test_files:
+- spec/content-security-policy_spec.rb
+- spec/spec_helper.rb
+has_rdoc: