rack-content_security_policy 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 1c74e025fe99f4261fae5e2e702595beb9b583e6
+  data.tar.gz: 3a7a571e64ff5f6c9c6544cbdafec917a3486534
+SHA512:
+  metadata.gz: b7f8a959b4aff650ec3ee02dbe8b58721d3c769b1c41486568a6c92439ead14673d37cede35bc51ee951c444af36e431cd3d029620dc86aabdd6be2e0ae494bd
+  data.tar.gz: 98b3604f10022434f6209398afb7bb99839573ddc8d09ac8ff30bd97639b5af1a32fea78c4eaaf61c9563ebdeb6d9db8c014bb540915d7c4576d95561ce0a68d

data/LICENSE.txt

@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 Glenn Rempe
+Copyright (c) 2009-2012 Alexey Rodionov
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,165 @@
+# Rack::ContentSecurityPolicy
+
+[![Build Status](https://travis-ci.org/grempe/rack-content_security_policy.svg?branch=master)](https://travis-ci.org/grempe/rack-content_security_policy)
+[![Code Climate](https://codeclimate.com/github/grempe/rack-content_security_policy/badges/gpa.svg)](https://codeclimate.com/github/grempe/rack-content_security_policy)
+
+## WARNING
+
+This is pre-release software. It is pretty well tested but has not yet
+been used in production. Your feedback is requested.
+
+## About
+
+`Rack::ContentSecurityPolicy` is a Rack middleware that makes it easy for your
+Rack based application (Sinatra, Rails) to serve Content Security Policy headers
+for HTML pages.
+
+This middleware was inspired by the [p0deje/content-security-policy](https://github.com/p0deje/content-security-policy)
+middleware and borrows quite a bit of code from that gem. This gem also makes
+extensive use of the [contracts](https://egonschiele.github.io/contracts.ruby/)
+gem to enforce strict type checking and validation on all inputs and outputs.
+It is designed to fail-fast on errors.
+
+It provides full support for Content Security Policy Level 1/2/3 directives.
+
+## Installation
+
+Add this line to your application's `Gemfile`:
+
+```ruby
+gem 'rack-content_security_policy', '~> 0.1'
+```
+
+And then execute:
+
+```
+$ bundle install
+```
+
+Or install it directly with:
+
+```
+$ gem install rack-content_security_policy
+```
+
+## Usage
+
+This middleware can be configured with a block or a hash of config options. It
+accepts two primary configuration options:
+
+* `report_only` : boolean `true` or `false`. Returns a `Content-Security-Policy-Report-Only` header instead of `Content-Security-Policy` when `true`. Defaults to true.
+* `directives` : A collection of valid CSP directives provided as key/value pairs. The key must be a lowercase String and must be comprised of the characters [a-z] and the `-`. The value must also be a String but is not limited to remain flexible as the CSP standards evolve. You can use conditional statements within the configuration block to set values dynamically at startup time. Defaults to an empty config that you must configure. An empty config will raise an exception.
+
+Learn more about the Content Security Policy at the following sites:
+
+* W3C CSP Level 1 (deprecated) : [https://www.w3.org/TR/CSP1/](https://www.w3.org/TR/CSP1/)
+* W3C CSP Level 2 (current) : [https://www.w3.org/TR/CSP2/](https://www.w3.org/TR/CSP2/)
+* W3C CSP Level 3 (draft) : [https://www.w3.org/TR/CSP3/](https://www.w3.org/TR/CSP3/)
+* [https://developer.mozilla.org/en-US/docs/Web/Security/CSP](https://developer.mozilla.org/en-US/docs/Web/Security/CSP)
+* [http://caniuse.com/#search=ContentSecurityPolicy](http://caniuse.com/#search=ContentSecurityPolicy)
+* [http://content-security-policy.com/](http://content-security-policy.com/)
+* [https://securityheaders.io](https://securityheaders.io)
+* [https://scotthelme.co.uk/csp-cheat-sheet/](https://scotthelme.co.uk/csp-cheat-sheet/)
+* [http://www.html5rocks.com/en/tutorials/security/content-security-policy/](http://www.html5rocks.com/en/tutorials/security/content-security-policy/)
+* [https://hacks.mozilla.org/2016/02/implementing-content-security-policy/](https://hacks.mozilla.org/2016/02/implementing-content-security-policy/)
+
+### Block Configuration Example
+
+``` ruby
+require 'rack/content_security_policy'
+
+Rack::ContentSecurityPolicy.configure do |d|
+  d.report_only = ENV.fetch('RACK_ENV') != 'production'
+  d['default-src'] = "'none'"
+  d['script-src']  = "'self'"
+end
+
+use Rack::ContentSecurityPolicy
+```
+
+### Hash Configuration Example
+
+``` ruby
+require 'rack/content_security_policy'
+
+use Rack::ContentSecurityPolicy, report_only: true, directives: { 'default-src' => "'self'" }
+```
+
+## Development
+
+After checking out the repo, run `bundle install` to install dependencies. Then,
+run `bundle exec rake` to run the specs.
+
+To install this gem onto your local machine, run `bundle exec rake install`.
+
+### Installation Security : Signed Ruby Gem
+
+This gem is cryptographically signed. To be sure the gem you install hasn’t
+been tampered with you can install it using the following method:
+
+Add my public key (if you haven’t already) as a trusted certificate
+
+```
+# Caveat: Gem certificates are trusted globally, such that adding a
+# cert.pem for one gem automatically trusts all gems signed by that cert.
+gem cert --add <(curl -Ls https://raw.github.com/grempe/rack-content_security_policy/master/certs/gem-public_cert_grempe_2026.pem)
+```
+
+To install, it is possible to specify either `HighSecurity` or `MediumSecurity`
+mode. Since this gem depends on one or more gems that are not cryptographically
+signed you will likely need to use `MediumSecurity`. You should receive a warning
+if any signed gem does not match its signature.
+
+```
+# All signed dependent gems must be verified.
+gem install rack-content_security_policy -P MediumSecurity
+```
+
+You can [learn more about security and signed Ruby Gems](http://guides.rubygems.org/security/).
+
+### Installation Security : Signed Git Commits
+
+Most, if not all, of the commits and tags to this repository are
+signed with my PGP/GPG code signing key. I have uploaded my code signing public
+keys to GitHub and you can now verify those signatures with the GitHub UI.
+See [this list of commits](https://github.com/grempe/rack-content_security_policy/commits/master)
+and look for the `Verified` tag next to each commit. You can click on that tag
+for additional information.
+
+You can also clone the repository and verify the signatures locally using your
+own GnuPG installation. You can find my certificates and read about how to conduct
+this verification at [https://www.rempe.us/keys/](https://www.rempe.us/keys/).
+
+### Contributing
+
+Bug reports and pull requests are welcome on GitHub
+at [https://github.com/grempe/rack-content_security_policy](https://github.com/grempe/rack-content_security_policy). This project is intended to be a safe, welcoming space for collaboration, and
+contributors are expected to adhere to the
+[Contributor Covenant](http://contributor-covenant.org) code of conduct.
+
+## Legal
+
+### Copyright
+
+Copyright (c) 2016 Glenn Rempe <[glenn@rempe.us](mailto:glenn@rempe.us)> ([https://www.rempe.us/](https://www.rempe.us/))
+
+Some portions Copyright (c) 2009-2012 Alexey Rodionov
+
+### License
+
+The gem is available as open source under the terms of
+the [MIT License](http://opensource.org/licenses/MIT).
+
+### Warranty
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+either express or implied. See the LICENSE.txt file for the
+specific language governing permissions and limitations under
+the License.
+
+## Thank You!
+
+Thanks to Alexey Rodionov ([@p0deje](https://github.com/p0deje)) for
+his well written original implementation of CSP.

data/lib/rack/content_security_policy.rb

@@ -0,0 +1,94 @@
+require 'contracts'
+require 'rack/content_security_policy/contracts'
+
+module Rack
+  class ContentSecurityPolicy
+    include Contracts::Core
+    include Contracts::Builtin
+
+    CSP_HEADER = 'Content-Security-Policy'.freeze
+    CSP_REPORT_ONLY_HEADER = 'Content-Security-Policy-Report-Only'.freeze
+    NO_ARG_DIRECTIVES = ['block-all-mixed-content',
+                         'disown-opener',
+                         'upgrade-insecure-requests'].freeze
+
+    Contract Any, KeywordArgs[directives: Optional[Directives], report_only: Optional[Bool]] => Any
+    def initialize(app, directives: {}, report_only: false)
+      @app = app
+
+      class_dirs = Rack::ContentSecurityPolicy.directives
+      if directives.empty? && class_dirs.empty?
+        raise ArgumentError, 'no directives provided'
+      end
+      @directives = class_dirs.merge(directives)
+
+      class_report_only = Rack::ContentSecurityPolicy.report_only
+      @report_only = report_only || class_report_only ? true : false
+    end
+
+    Contract None => Bool
+    def report_only
+      @report_only
+    end
+
+    Contract None => Directives
+    def directives
+      @directives
+    end
+
+    Contract Hash => RackResponse
+    def call(env)
+      dup._call(env)
+    end
+
+    Contract Hash => RackResponse
+    def _call(env)
+      status, headers, response = @app.call(env)
+
+      if headers['Content-Type'].include?('text/html')
+        directives = @directives.sort.map do |d|
+          if NO_ARG_DIRECTIVES.include?(d[0])
+            d[0]
+          else
+            "#{d[0]} #{d[1]}"
+          end
+        end.join('; ')
+
+        csp_hdr = @report_only ? CSP_REPORT_ONLY_HEADER : CSP_HEADER
+        headers[csp_hdr] = directives
+      end
+
+      [status, headers, response]
+    end
+
+    ################################
+    # CLASS METHODS
+    ################################
+
+    Contract Bool => Bool
+    def self.report_only=(ro)
+      @report_only = ro
+    end
+
+    Contract None => Bool
+    def self.report_only
+      @report_only
+    end
+
+    Contract None => Directives
+    def self.directives
+      @directives
+    end
+
+    Contract Proc => Or[String, Bool, nil]
+    def self.configure
+      @directives ||= {}
+      yield(self)
+    end
+
+    Contract DirectiveKey, DirectiveVal => Or[String, Bool]
+    def self.[]=(name, value)
+      @directives[name] = value
+    end
+  end
+end

data/lib/rack/content_security_policy/contracts.rb

@@ -0,0 +1,46 @@
+module Rack
+  class ContentSecurityPolicy
+    # Custom Contracts
+    # See : https://egonschiele.github.io/contracts.ruby/
+
+    class DirectiveKey
+      def self.valid?(val)
+        Contract.valid?(val, /^[[a-z]+\-?]+$/)
+      end
+
+      def self.to_s
+        'A CSP directive key must be one or more lowercase ASCII (a-z) characters with optional dashes (-)'
+      end
+    end
+
+    class DirectiveVal
+      def self.valid?(val)
+        Contract.valid?(val, Contracts::Or[String, Contracts::Bool])
+      end
+
+      def self.to_s
+        'A CSP directive value must be a String or Boolean'
+      end
+    end
+
+    class Directives
+      def self.valid?(val)
+        Contract.valid?(val, Contracts::HashOf[DirectiveKey => DirectiveVal])
+      end
+
+      def self.to_s
+        'A CSP directive key/value Hash'
+      end
+    end
+
+    class RackResponse
+      def self.valid?(val)
+        Contract.valid?(val, [Contracts::Int, Hash, Contracts::RespondTo[:each]])
+      end
+
+      def self.to_s
+        'A Rack response'
+      end
+    end
+  end
+end

data/lib/rack/content_security_policy/version.rb

@@ -0,0 +1,5 @@
+module Rack
+  class ContentSecurityPolicy
+    VERSION = '0.1.0'.freeze
+  end
+end

metadata

@@ -0,0 +1,199 @@
+--- !ruby/object:Gem::Specification
+name: rack-content_security_policy
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Glenn Rempe
+autorequire: 
+bindir: bin
+cert_chain:
+- |
+  -----BEGIN CERTIFICATE-----
+  MIIDYDCCAkigAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQ4wDAYDVQQDDAVnbGVu
+  bjEVMBMGCgmSJomT8ixkARkWBXJlbXBlMRIwEAYKCZImiZPyLGQBGRYCdXMwHhcN
+  MTYxMDEzMDEzMjM5WhcNMjYxMDExMDEzMjM5WjA7MQ4wDAYDVQQDDAVnbGVubjEV
+  MBMGCgmSJomT8ixkARkWBXJlbXBlMRIwEAYKCZImiZPyLGQBGRYCdXMwggEiMA0G
+  CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrEuLEy11cjgMC4+ldcgLzBrGcfWWg
+  nUhdCRn3Arzo2EV1d4V4h6VOHmk4o7kumBeajUMMZ0+xKtu8euRCnbDnlxowfJvT
+  S0nzsOt1dm++INeKMpZU84LuH7BbAlyL+B//l1YkI33gsbA8wm06+vV8tUEBuQch
+  vBU2xrCyS2+0LQTCaCS+VvHbV97hzIwSIgUFJuFjrcnnpV8Qt1R0Bi8pzDk+2jyN
+  AgxaWa41UHn70O0gFRRDGXacRpvy3HRSJrvlHPPAC02CjhKjsOLjZowaHxCv9XIJ
+  tCQnVEOUUo9+owG2Gna4k4DMLIjiGChHNFXtO8WyuksukVqcsdc9kvdzAgMBAAGj
+  bzBtMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQWBBR68/Ook0uwfe6t
+  FbLHXIReYQ2VpzAZBgNVHREEEjAQgQ5nbGVubkByZW1wZS51czAZBgNVHRIEEjAQ
+  gQ5nbGVubkByZW1wZS51czANBgkqhkiG9w0BAQUFAAOCAQEAI27KUzTE9BoD2irI
+  CkMVPC0YS6iANrzQy3zIJI4yLKEZmI1jDE+W2APL11Woo5+sttgqY7148W84ZWdK
+  mD9ueqH5hPC8NOd3wYXVMNwmyLhnyh80cOzGeurW1SJ0VV3BqSKEE8q4EFjCzUK9
+  Oq8dW9i9Bxn8qgcOSFTYITJZ/mNyy2shHs5gg0MIz0uOsKaHqrrMseVfG7ZoTgV1
+  kkyRaYAHI1MSDNGFNwgURPQsgnxQrX8YG48q0ypFC1gOl/l6D0e/oF4SKMS156uc
+  vprF5QiDz8HshVP9DjJT2I1wyGyvxEdU3cTRo0upMP/VZLcgyBVFy90N2XYWWk2D
+  GIxGSw==
+  -----END CERTIFICATE-----
+date: 2016-11-10 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: contracts
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.14'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.14'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.13'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.13'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '11.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '11.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.12'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.41'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.41'
+- !ruby/object:Gem::Dependency
+  name: wwtd
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+description: Rack middleware for declaratively setting the HTTP ContentSecurityPolicy
+  (W3C CSP Level 2/3) security header to help prevent against XSS and other browser
+  based attacks.
+email:
+- glenn@rempe.us
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE.txt
+- README.md
+- lib/rack/content_security_policy.rb
+- lib/rack/content_security_policy/contracts.rb
+- lib/rack/content_security_policy/version.rb
+homepage: https://github.com/grempe/rack-content_security_policy
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.2.5
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: Rack middleware for setting Content Security Policy (CSP) security headers
+test_files: []