secure_headers 0.1.1 → 0.2.0

data/fixtures/rails_3_2_12_no_init/config/locales/en.yml

@@ -0,0 +1,5 @@
+# Sample localization file for English. Add more files in this directory for other locales.
+# See https://github.com/svenfuchs/rails-i18n/tree/master/rails%2Flocale for starting points.
+
+en:
+  hello: "Hello world"

data/fixtures/rails_3_2_12_no_init/config/routes.rb

@@ -0,0 +1,61 @@
+Rails3212::Application.routes.draw do
+  resources :things
+
+
+  # The priority is based upon order of creation:
+  # first created -> highest priority.
+
+  # Sample of regular route:
+  #   match 'products/:id' => 'catalog#view'
+  # Keep in mind you can assign values other than :controller and :action
+
+  # Sample of named route:
+  #   match 'products/:id/purchase' => 'catalog#purchase', :as => :purchase
+  # This route can be invoked with purchase_url(:id => product.id)
+
+  # Sample resource route (maps HTTP verbs to controller actions automatically):
+  #   resources :products
+
+  # Sample resource route with options:
+  #   resources :products do
+  #     member do
+  #       get 'short'
+  #       post 'toggle'
+  #     end
+  #
+  #     collection do
+  #       get 'sold'
+  #     end
+  #   end
+
+  # Sample resource route with sub-resources:
+  #   resources :products do
+  #     resources :comments, :sales
+  #     resource :seller
+  #   end
+
+  # Sample resource route with more complex sub-resources
+  #   resources :products do
+  #     resources :comments
+  #     resources :sales do
+  #       get 'recent', :on => :collection
+  #     end
+  #   end
+
+  # Sample resource route within a namespace:
+  #   namespace :admin do
+  #     # Directs /admin/products/* to Admin::ProductsController
+  #     # (app/controllers/admin/products_controller.rb)
+  #     resources :products
+  #   end
+
+  # You can have the root of your site routed with "root"
+  # just remember to delete public/index.html.
+  # root :to => 'welcome#index'
+
+  # See how all your routes lay out with "rake routes"
+
+  # This is a legacy wild controller route that's not recommended for RESTful applications.
+  # Note: This route will make all actions in every controller accessible via GET requests.
+  match ':controller(/:action(/:id))(.:format)'
+end

data/fixtures/rails_3_2_12_no_init/db/schema.rb

@@ -0,0 +1,16 @@
+# encoding: UTF-8
+# This file is auto-generated from the current state of the database. Instead
+# of editing this file, please use the migrations feature of Active Record to
+# incrementally modify your database, and then regenerate this schema definition.
+#
+# Note that this schema.rb definition is the authoritative source for your
+# database schema. If you need to create the application database on another
+# system, you should be using db:schema:load, not running all the migrations
+# from scratch. The latter is a flawed and unsustainable approach (the more migrations
+# you'll amass, the slower it'll run and the greater likelihood for issues).
+#
+# It's strongly recommended to check this file into your version control system.
+
+ActiveRecord::Schema.define(:version => 0) do
+
+end

data/fixtures/rails_3_2_12_no_init/db/seeds.rb

@@ -0,0 +1,7 @@
+# This file should contain all the record creation needed to seed the database with its default values.
+# The data can then be loaded with the rake db:seed (or created alongside the db with db:setup).
+#
+# Examples:
+#
+#   cities = City.create([{ name: 'Chicago' }, { name: 'Copenhagen' }])
+#   Mayor.create(name: 'Emanuel', city: cities.first)

data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb

@@ -0,0 +1,40 @@
+require 'spec_helper'
+
+describe OtherThingsController do
+  describe "headers" do
+    before(:each) do
+      # Chrome
+      request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
+    end
+
+    it "sets the X-XSS-PROTECTION header" do
+      get :index
+      response.headers['X-XSS-Protection'].should == SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE
+    end
+
+    it "sets the X-FRAME-OPTIONS header" do
+      get :index
+      response.headers['X-FRAME-OPTIONS'].should == SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE
+    end
+
+    it "sets the X-WebKit-CSP header" do
+      get :index
+      response.headers['X-WebKit-CSP-Report-Only'].should == "default-src 'self'; img-src data:;"
+    end
+
+    #mock ssl
+    it "sets the STRICT-TRANSPORT-SECURITY header" do
+      request.env['HTTPS'] = 'on'
+      get :index
+      response.headers['Strict-Transport-Security'].should == SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE
+    end
+
+    context "using IE" do
+      it "sets the X-CONTENT-TYPE-OPTIONS header" do
+        request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
+        get :index
+        response.headers['X-Content-Type-Options'].should == "nosniff"
+      end
+    end
+  end
+end

data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb

@@ -0,0 +1,44 @@
+require 'spec_helper'
+
+# This controller is meant to be something that inherits config from application controller
+# all values are defaulted because no initializer is configured, and the values in app controller
+# only provide csp => false
+
+describe ThingsController do
+  describe "headers" do
+    before(:each) do
+        # Chrome
+        request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
+    end
+
+    it "sets the X-XSS-PROTECTION header" do
+      get :index
+      response.headers['X-XSS-Protection'].should == SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE
+    end
+
+    it "sets the X-FRAME-OPTIONS header" do
+      get :index
+      response.headers['X-FRAME-OPTIONS'].should == SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE
+    end
+
+    it "sets the X-WebKit-CSP header" do
+      get :index
+      response.headers['X-WebKit-CSP-Report-Only'].should == nil
+    end
+
+    #mock ssl
+    it "sets the STRICT-TRANSPORT-SECURITY header" do
+      request.env['HTTPS'] = 'on'
+      get :index
+      response.headers['Strict-Transport-Security'].should == SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE
+    end
+
+    context "using IE" do
+      it "sets the X-CONTENT-TYPE-OPTIONS header" do
+        request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
+        get :index
+        response.headers['X-Content-Type-Options'].should == "nosniff"
+      end
+    end
+  end
+end

data/fixtures/rails_3_2_12_no_init/spec/spec_helper.rb

@@ -0,0 +1,20 @@
+require 'rubygems'
+require 'spork'
+#uncomment the following line to use spork with the debugger
+#require 'spork/ext/ruby-debug'
+
+Spork.prefork do
+  # Loading more in this block will cause your tests to run faster. However,
+  # if you change any configuration or code from libraries loaded here, you'll
+  # need to restart spork for it take effect.
+# This file is copied to spec/ when you run 'rails generate rspec:install'
+  ENV["RAILS_ENV"] ||= 'test'
+  require File.expand_path("../../config/environment", __FILE__)
+  require 'rspec/rails'
+  require 'rspec/autorun'
+  # require 'ruby-debug'
+end
+
+Spork.each_run do
+
+end

data/lib/secure_headers.rb

@@ -13,25 +13,25 @@ module SecureHeaders
   class << self
     def append_features(base)
       base.module_eval do
-        @@secure_headers_options = nil
-
         extend ClassMethods
         include InstanceMethods
-
-        # jank?
-        def self.secure_headers_options=(opts)
-          @@secure_headers_options = opts
-        end
-
-        def self.secure_headers_options
-          @@secure_headers_options
-        end
       end
     end
   end
 
   module ClassMethods
-    def ensure_security_headers options = {}, *args
+    attr_writer :secure_headers_options
+    def secure_headers_options
+      if @secure_headers_options
+        @secure_headers_options
+      elsif superclass.respond_to?(:secure_headers_options) # stop at application_controller
+        superclass.secure_headers_options
+      else
+        {}
+      end
+    end
+
+    def ensure_security_headers options = {}
       self.secure_headers_options = options
       before_filter :set_security_headers
     end
@@ -44,7 +44,7 @@ module SecureHeaders
   end
 
   module InstanceMethods
-    def set_security_headers(options = self.class.secure_headers_options || {})
+    def set_security_headers(options = self.class.secure_headers_options)
       brwsr = Brwsr::Browser.new(:ua => request.env['HTTP_USER_AGENT'])
       set_hsts_header(options[:hsts]) if request.ssl?
       set_x_frame_options_header(options[:x_frame_options])
@@ -59,10 +59,10 @@ module SecureHeaders
       options = self.class.options_for :csp, options
       return if options == false
 
-      header = ContentSecurityPolicy.new(request, options)
+      header = ContentSecurityPolicy.new(options, :request => request)
       set_header(header.name, header.value)
       if options && options[:experimental] && options[:enforce]
-        header = ContentSecurityPolicy.new(request, options, :experimental => true)
+        header = ContentSecurityPolicy.new(options, :experimental => true, :request => request)
         set_header(header.name, header.value)
       end
     end
@@ -107,6 +107,10 @@ end
 
 require "secure_headers/version"
 require "secure_headers/headers/content_security_policy"
+require "secure_headers/headers/content_security_policy/browser_strategy"
+require "secure_headers/headers/content_security_policy/firefox_browser_strategy"
+require "secure_headers/headers/content_security_policy/ie_browser_strategy"
+require "secure_headers/headers/content_security_policy/webkit_browser_strategy"
 require "secure_headers/headers/x_frame_options"
 require "secure_headers/headers/strict_transport_security"
 require "secure_headers/headers/x_xss_protection"

data/lib/secure_headers/headers/content_security_policy.rb

@@ -19,27 +19,39 @@ module SecureHeaders
     end
     include Constants
 
-    META.each do |meta|
-      attr_accessor meta
-    end
-    attr_reader :browser, :ssl_request, :report_uri, :request_uri
+    attr_accessor *META
+    attr_reader :browser, :ssl_request, :report_uri, :request_uri, :experimental, :config
 
-    alias :enforce? :enforce
     alias :disable_chrome_extension? :disable_chrome_extension
     alias :disable_fill_missing? :disable_fill_missing
     alias :ssl_request? :ssl_request
 
-
-    def initialize(request=nil, config=nil, options={})
+    # +options+ param contains
+    # :experimental use experimental block for config
+    # :ssl_request used to determine if http_additions should be used
+    # :request_uri used to determine if firefox should send the report directly
+    # or use the forwarding endpoint
+    # :ua the user agent (or just use Firefox/Chrome/MSIE/etc)
+    #
+    # :report used to determine what :ssl_request, :ua, and :request_uri are set to
+    def initialize(config=nil, options={})
       @experimental = !!options.delete(:experimental)
-      if config
-        configure request, config
-      elsif request
-        parse_request request
+      if options[:request]
+        parse_request(options[:request])
+      else
+        @browser = Brwsr::Browser.new(:ua => options[:ua])
+        # fails open, assumes http. Bad idea? Will always include http additions.
+        # could also fail if not supplied.
+        @ssl_request = !!options.delete(:ssl)
+        # a nil value here means we always assume we are not on the same host,
+        # which causes all FF csp reports to go through the forwarder
+        @request_uri = options.delete(:request_uri)
       end
+
+      configure(config) if config
     end
 
-    def configure request, opts
+    def configure opts
       @config = opts.dup
 
       experimental_config = @config.delete(:experimental)
@@ -48,9 +60,8 @@ module SecureHeaders
         @config.merge!(experimental_config)
       end
 
-      parse_request request
       META.each do |meta|
-        self.send(meta.to_s + "=", @config.delete(meta))
+        self.send("#{meta}=", @config.delete(meta))
       end
 
       @report_uri = @config.delete(:report_uri)
@@ -61,45 +72,39 @@ module SecureHeaders
     end
 
     def name
-      base = if browser.ie?
-               STANDARD_HEADER_NAME
-             elsif browser.firefox?
-               # can't use supports_standard because FF18 does not support this part of the standard.
-               FIREFOX_CSP_HEADER_NAME
-             else
-               WEBKIT_CSP_HEADER_NAME
-             end
-
-      if !enforce || @experimental
-        base += "-Report-Only"
-      end
-      base
+      browser_strategy.name
     end
 
     def value
       return @config if @config.is_a?(String)
-      if @config.nil?
-        return supports_standard? ? WEBKIT_CSP_HEADER : FIREFOX_CSP_HEADER
+
+      if @config
+        build_value
+      else
+        browser_strategy.csp_header
       end
+    end
+
+    private
 
-      build_value
+    def browser_strategy
+      @browser_strategy ||= BrowserStrategy.build(self)
     end
 
     def directives
-      # can't use supports_standard because FF18 does not support this part of the standard.
-      browser.firefox? ? FIREFOX_DIRECTIVES : WEBKIT_DIRECTIVES
+      browser_strategy.directives
     end
 
-    private
-
     def build_value
       fill_directives unless disable_fill_missing?
       add_missing_chrome_extension_values unless disable_chrome_extension?
       append_http_additions unless ssl_request?
 
-      header_value = build_impl_specific_directives
-      header_value += generic_directives(@config)
-      header_value += report_uri_directive(@report_uri)
+      header_value = [
+        build_impl_specific_directives,
+        generic_directives(@config),
+        report_uri_directive(@report_uri)
+      ].join
 
       #store the value for next time
       @config = header_value
@@ -148,12 +153,7 @@ module SecureHeaders
     end
 
     def filter_unsupported_directives
-      if browser.firefox?
-        # can't use supports_standard because FF18 does not support this part of the standard.
-        @config[:xhr_src] = @config.delete(:connect_src) if @config[:connect_src]
-      else
-        @config.delete(:frame_ancestors)
-      end
+      @config = browser_strategy.filter_unsupported_directives(@config)
     end
 
     # translates 'inline','self', 'none' and 'eval' to their respective impl-specific values.
@@ -168,104 +168,45 @@ module SecureHeaders
       end
     end
 
-    # inline/eval => impl-specific values
     def translate_inline_or_eval val
-      # can't use supports_standard because FF18 does not support this part of the standard.
-      if browser.firefox?
-        val == 'inline' ? 'inline-script' : 'eval-script'
-      else
-        val == 'inline' ? "'unsafe-inline'" : "'unsafe-eval'"
-      end
+      browser_strategy.translate_inline_or_eval(val)
     end
 
     # if we have a forwarding endpoint setup and we are not on the same origin as our report_uri
     # or only a path was supplied (in which case we assume cross-host)
     # we need to forward the request for Firefox.
     def normalize_reporting_endpoint
-      if browser.firefox? && (!same_origin? || URI.parse(report_uri).host.nil?)
-        if forward_endpoint
-          @report_uri = FF_CSP_ENDPOINT
-        else
-          @report_uri = nil
-        end
-      end
-    end
+      return unless browser_strategy.normalize_reporting_endpoint?
+      return unless !same_origin? || URI.parse(report_uri).host.nil?
 
-    def supports_standard?
-      !browser.firefox?
-    end
-
-    def build_impl_specific_directives
-      header_value = ""
-      default = expect_directive_value(:default_src)
-      # firefox 18 still requires the use of the options value, but can substitute default-src for allow
-      if browser.firefox?
-        header_value += build_firefox_specific_preamble(default) || ''
+      if forward_endpoint
+        @report_uri = FF_CSP_ENDPOINT
       else
-        header_value += "default-src #{default.join(" ")}; " if default.any?
+        @report_uri = nil
       end
-
-      header_value
     end
 
-    def build_firefox_specific_preamble(default_src_value)
-      header_value = ''
-      if supports_standard?
-        header_value += "default-src #{default_src_value.join(" ")}; " if default_src_value.any?
-      elsif default_src_value
-        header_value += "allow #{default_src_value.join(" ")}; " if default_src_value.any?
-      end
-
-      options_directive = build_options_directive
-      header_value += "options #{options_directive.join(" ")}; " if options_directive.any?
-      header_value
+    def build_impl_specific_directives
+      default = expect_directive_value(:default_src)
+      browser_strategy.build_impl_specific_directives(default)
     end
 
     def expect_directive_value key
       @config.delete(key) {|k| raise ContentSecurityPolicyBuildError.new("Expected to find #{k} directive value")}
     end
 
-    # moves inline/eval values from script-src to options
-    # discards those values in the style-src directive
-    def build_options_directive
-      options_directive = []
-      @config.each do |directive, val|
-        next if val.is_a?(String)
-        new_val = []
-        val.each do |token|
-          if ['inline-script', 'eval-script'].include?(token)
-            # Firefox does not support blocking inline styles ATM
-            # https://bugzilla.mozilla.org/show_bug.cgi?id=763879
-            unless directive?(directive, "style_src") || options_directive.include?(token)
-              options_directive << token
-            end
-          else
-            new_val << token
-          end
-        end
-        @config[directive] = new_val
-      end
-
-      options_directive
-    end
-
     def same_origin?
-      return if report_uri.nil?
+      return unless report_uri && request_uri
 
       origin = URI.parse(request_uri)
       uri = URI.parse(report_uri)
       uri.host == origin.host && origin.port == uri.port && origin.scheme == uri.scheme
     end
 
-    def directive? val, name
-      val.to_s.casecmp(name) == 0
-    end
-
     def report_uri_directive(report_uri)
-      report_uri.nil? ? '' : "report-uri #{report_uri};"
+      report_uri ? "report-uri #{report_uri};" : ''
     end
 
-
     def generic_directives(config)
       header_value = ''
       if config[:img_src]