RubyGems - secure_headers - Versions diffs - 0.1.1 → 0.2.0 - Mend

secure_headers 0.1.1 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (104) hide show

data/lib/secure_headers/headers/content_security_policy/browser_strategy.rb ADDED Viewed

@@ -0,0 +1,70 @@
+require "forwardable"
+module SecureHeaders
+  class ContentSecurityPolicy
+    class BrowserStrategy
+      extend Forwardable
+      def_delegators :@content_security_policy, :browser, :experimental, :enforce, :config
+      def self.build(content_security_policy)
+        browser = content_security_policy.browser
+        klass = if browser.ie?
+          IeBrowserStrategy
+        elsif browser.firefox?
+          FirefoxBrowserStrategy
+        else
+          WebkitBrowserStrategy
+        end
+        klass.new content_security_policy
+      end
+      def initialize(content_security_policy)
+        @content_security_policy = content_security_policy
+      end
+      def base_name
+        SecureHeaders::ContentSecurityPolicy::STANDARD_HEADER_NAME
+      end
+      def name
+        base = base_name
+        if !enforce || experimental
+          base += "-Report-Only"
+        end
+        base
+      end
+      def csp_header
+        SecureHeaders::ContentSecurityPolicy::WEBKIT_CSP_HEADER
+      end
+      def directives
+        SecureHeaders::ContentSecurityPolicy::WEBKIT_DIRECTIVES
+      end
+      def filter_unsupported_directives(config)
+        config = config.dup
+        config.delete(:frame_ancestors)
+        config
+      end
+      def translate_inline_or_eval val
+        val == 'inline' ? "'unsafe-inline'" : "'unsafe-eval'"
+      end
+      def build_impl_specific_directives(default)
+        if default.any?
+          "default-src #{default.join(" ")}; "
+        else
+          ""
+        end
+      end
+      def normalize_reporting_endpoint?
+        false
+      end
+    end
+  end
+end

data/lib/secure_headers/headers/content_security_policy/firefox_browser_strategy.rb ADDED Viewed

@@ -0,0 +1,72 @@
+module SecureHeaders
+  class ContentSecurityPolicy
+    class FirefoxBrowserStrategy < BrowserStrategy
+      def base_name
+        SecureHeaders::ContentSecurityPolicy::FIREFOX_CSP_HEADER_NAME
+      end
+      def csp_header
+        SecureHeaders::ContentSecurityPolicy::FIREFOX_CSP_HEADER
+      end
+      def directives
+        SecureHeaders::ContentSecurityPolicy::FIREFOX_DIRECTIVES
+      end
+      def filter_unsupported_directives(config)
+        config = config.dup
+        config[:xhr_src] = config.delete(:connect_src) if config[:connect_src]
+        config
+      end
+      def translate_inline_or_eval val
+        val == 'inline' ? 'inline-script' : 'eval-script'
+      end
+      def build_impl_specific_directives(default)
+        build_firefox_specific_preamble(default) || ''
+      end
+      def build_firefox_specific_preamble(default_src_value)
+        header_value = ''
+        header_value += "allow #{default_src_value.join(" ")}; " if default_src_value.any?
+        options_directive = build_options_directive
+        header_value += "options #{options_directive.join(" ")}; " if options_directive.any?
+        header_value
+      end
+      # moves inline/eval values from script-src to options
+      # discards those values in the style-src directive
+      def build_options_directive
+        options_directive = []
+        config.each do |directive, val|
+          next if val.is_a?(String)
+          new_val = []
+          val.each do |token|
+            if ['inline-script', 'eval-script'].include?(token)
+              # Firefox does not support blocking inline styles ATM
+              # https://bugzilla.mozilla.org/show_bug.cgi?id=763879
+              unless directive?(directive, "style_src") || options_directive.include?(token)
+                options_directive << token
+              end
+            else
+              new_val << token
+            end
+          end
+          config[directive] = new_val
+        end
+        options_directive
+      end
+      def directive? val, name
+        val.to_s.casecmp(name) == 0
+      end
+      def normalize_reporting_endpoint?
+        true
+      end
+    end
+  end
+end

data/lib/secure_headers/headers/content_security_policy/ie_browser_strategy.rb ADDED Viewed

@@ -0,0 +1,6 @@
+module SecureHeaders
+  class ContentSecurityPolicy
+    class IeBrowserStrategy < BrowserStrategy
+    end
+  end
+end

data/lib/secure_headers/headers/content_security_policy/webkit_browser_strategy.rb ADDED Viewed

@@ -0,0 +1,9 @@
+module SecureHeaders
+  class ContentSecurityPolicy
+    class WebkitBrowserStrategy < BrowserStrategy
+      def base_name
+        SecureHeaders::ContentSecurityPolicy::WEBKIT_CSP_HEADER_NAME
+      end
+    end
+  end
+end

data/lib/secure_headers/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module SecureHeaders
-  VERSION = "0.1.1"
+  VERSION = "0.2.0"
 end

data/{secure-headers.gemspec → secure_headers.gemspec} RENAMED Viewed

File without changes

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb CHANGED Viewed

@@ -28,28 +28,31 @@ module SecureHeaders
     end
     describe "#name" do
+      context "when supplying options to override request" do
+        specify { ContentSecurityPolicy.new(default_opts, :ua => IE).name.should == STANDARD_HEADER_NAME + "-Report-Only"}
+        specify { ContentSecurityPolicy.new(default_opts, :ua => FIREFOX).name.should == FIREFOX_CSP_HEADER_NAME + "-Report-Only"}
+        specify { ContentSecurityPolicy.new(default_opts, :ua => CHROME).name.should == WEBKIT_CSP_HEADER_NAME + "-Report-Only"}
+      end
       context "when in report-only mode" do
-        specify { ContentSecurityPolicy.new(request_for(IE), default_opts).name.should == STANDARD_HEADER_NAME + "-Report-Only"}
-        specify { ContentSecurityPolicy.new(request_for(FIREFOX), default_opts).name.should == FIREFOX_CSP_HEADER_NAME + "-Report-Only"}
-        specify { ContentSecurityPolicy.new(request_for(FIREFOX_18), default_opts).name.should == FIREFOX_CSP_HEADER_NAME + "-Report-Only"}
-        specify { ContentSecurityPolicy.new(request_for(CHROME), default_opts).name.should == WEBKIT_CSP_HEADER_NAME + "-Report-Only"}
+        specify { ContentSecurityPolicy.new(default_opts, :request => request_for(IE)).name.should == STANDARD_HEADER_NAME + "-Report-Only"}
+        specify { ContentSecurityPolicy.new(default_opts, :request => request_for(FIREFOX)).name.should == FIREFOX_CSP_HEADER_NAME + "-Report-Only"}
+        specify { ContentSecurityPolicy.new(default_opts, :request => request_for(CHROME)).name.should == WEBKIT_CSP_HEADER_NAME + "-Report-Only"}
       end
       context "when in enforce mode" do
         let(:opts) { default_opts.merge(:enforce => true)}
-        specify { ContentSecurityPolicy.new(request_for(IE), opts).name.should == STANDARD_HEADER_NAME}
-        specify { ContentSecurityPolicy.new(request_for(FIREFOX), opts).name.should == FIREFOX_CSP_HEADER_NAME}
-        specify { ContentSecurityPolicy.new(request_for(FIREFOX_18), opts).name.should == FIREFOX_CSP_HEADER_NAME}
-        specify { ContentSecurityPolicy.new(request_for(CHROME), opts).name.should == WEBKIT_CSP_HEADER_NAME}
+        specify { ContentSecurityPolicy.new(opts, :request => request_for(IE)).name.should == STANDARD_HEADER_NAME}
+        specify { ContentSecurityPolicy.new(opts, :request => request_for(FIREFOX)).name.should == FIREFOX_CSP_HEADER_NAME}
+        specify { ContentSecurityPolicy.new(opts, :request => request_for(CHROME)).name.should == WEBKIT_CSP_HEADER_NAME}
       end
       context "when in experimental mode" do
         let(:opts) { default_opts.merge(:enforce => true).merge(:experimental => {})}
-        specify { ContentSecurityPolicy.new(request_for(IE), opts, :experimental => true).name.should == STANDARD_HEADER_NAME + "-Report-Only"}
-        specify { ContentSecurityPolicy.new(request_for(FIREFOX), opts, :experimental => true).name.should == FIREFOX_CSP_HEADER_NAME + "-Report-Only"}
-        specify { ContentSecurityPolicy.new(request_for(FIREFOX_18), opts, :experimental => true).name.should == FIREFOX_CSP_HEADER_NAME + "-Report-Only"}
-        specify { ContentSecurityPolicy.new(request_for(CHROME), opts, :experimental => true).name.should == WEBKIT_CSP_HEADER_NAME + "-Report-Only"}
+        specify { ContentSecurityPolicy.new(opts, {:experimental => true, :request => request_for(IE)}).name.should == STANDARD_HEADER_NAME + "-Report-Only"}
+        specify { ContentSecurityPolicy.new(opts, {:experimental => true, :request => request_for(FIREFOX)}).name.should == FIREFOX_CSP_HEADER_NAME + "-Report-Only"}
+        specify { ContentSecurityPolicy.new(opts, {:experimental => true, :request => request_for(CHROME)}).name.should == WEBKIT_CSP_HEADER_NAME + "-Report-Only"}
       end
     end
@@ -63,7 +66,7 @@ module SecureHeaders
       context "X-Content-Security-Policy" do
         it "converts the script values to their equivilents" do
-          csp = ContentSecurityPolicy.new(request_for(FIREFOX), @opts)
+          csp = ContentSecurityPolicy.new(@opts, :request => request_for(FIREFOX))
           csp.value.should include("script-src https://* data: 'self' 'none'")
           csp.value.should include('options inline-script eval-script')
         end
@@ -71,7 +74,7 @@ module SecureHeaders
       context "X-Webkit-CSP" do
         it "converts the script values to their equivilents" do
-          csp = ContentSecurityPolicy.new(request_for(CHROME), @opts)
+          csp = ContentSecurityPolicy.new(@opts, :request => request_for(CHROME))
           csp.value.should include("script-src 'unsafe-inline' 'unsafe-eval' https://* data: 'self' 'none' chrome-extension")
         end
       end
@@ -84,7 +87,7 @@ module SecureHeaders
             :default_src => 'https://*',
             :script_src => "inline eval https://*"
           }
-          csp = ContentSecurityPolicy.new(request_for(FIREFOX), opts)
+          csp = ContentSecurityPolicy.new(opts, :request => request_for(FIREFOX))
           browser_specific = csp.send :build_impl_specific_directives
           browser_specific.should include('options inline-script eval-script;')
         end
@@ -94,7 +97,7 @@ module SecureHeaders
             :default_src => 'https://*',
             :style_src => "inline eval https://*"
           }
-          csp = ContentSecurityPolicy.new(request_for(FIREFOX), opts)
+          csp = ContentSecurityPolicy.new(opts, :request => request_for(FIREFOX))
           browser_specific = csp.send :build_impl_specific_directives
           browser_specific.should_not include('inline-script')
           browser_specific.should_not include('eval-script')
@@ -102,75 +105,55 @@ module SecureHeaders
       end
     end
-    describe "#supports_standard?" do
-      ['IE', 'Safari', 'Chrome'].each do |browser_name|
-        it "returns true for #{browser_name}" do
-          browser = Brwsr::Browser.new(:ua => browser_name)
-          subject.stub(:browser).and_return(browser)
-          subject.send(:supports_standard?).should be_true
-        end
-      end
-      it "returns true for Firefox v >= 18" do
-        browser = Brwsr::Browser.new(:ua => "Firefox 18")
-        subject.stub(:browser).and_return(browser)
-        subject.send(:supports_standard?).should be_true
-      end
-      it "returns false for Firefox v < 18" do
-        browser = Brwsr::Browser.new(:ua => "Firefox 17")
-        subject.stub(:browser).and_return(browser)
-        subject.send(:supports_standard?).should be_false
-      end
-    end
     describe "#same_origin?" do
       let(:origin) {"https://example.com:123"}
       it "matches when host, scheme, and port match" do
-        csp = ContentSecurityPolicy.new(request_for(FIREFOX, "https://example.com"), {:report_uri => 'https://example.com'})
+        csp = ContentSecurityPolicy.new({:report_uri => 'https://example.com'}, :request => request_for(FIREFOX, "https://example.com"))
         csp.send(:same_origin?).should be_true
-        csp = ContentSecurityPolicy.new(request_for(FIREFOX, "https://example.com:443"), {:report_uri => 'https://example.com'})
+        csp = ContentSecurityPolicy.new({:report_uri => 'https://example.com'}, :request => request_for(FIREFOX, "https://example.com:443"))
         csp.send(:same_origin?).should be_true
-        csp = ContentSecurityPolicy.new(request_for(FIREFOX, "https://example.com:123"), {:report_uri => 'https://example.com:123'})
+        csp = ContentSecurityPolicy.new({:report_uri => 'https://example.com:123'}, :request => request_for(FIREFOX, "https://example.com:123"))
         csp.send(:same_origin?).should be_true
-        csp = ContentSecurityPolicy.new(request_for(FIREFOX, "http://example.com"), {:report_uri => 'http://example.com'})
+        csp = ContentSecurityPolicy.new({:report_uri => 'http://example.com'}, :request => request_for(FIREFOX, "http://example.com"))
         csp.send(:same_origin?).should be_true
-        csp = ContentSecurityPolicy.new(request_for(FIREFOX, "http://example.com"), {:report_uri => 'http://example.com:80'})
+        csp = ContentSecurityPolicy.new({:report_uri => 'http://example.com:80'}, :request => request_for(FIREFOX, "http://example.com"))
         csp.send(:same_origin?).should be_true
-        csp = ContentSecurityPolicy.new(request_for(FIREFOX, "http://example.com:80"), {:report_uri => 'http://example.com'})
+        csp = ContentSecurityPolicy.new({:report_uri => 'http://example.com'}, :request => request_for(FIREFOX, "http://example.com:80"))
         csp.send(:same_origin?).should be_true
       end
       it "does not match port mismatches" do
-        csp = ContentSecurityPolicy.new(request_for(FIREFOX, "http://example.com:81"), {:report_uri => 'http://example.com'})
+        csp = ContentSecurityPolicy.new({:report_uri => 'http://example.com'}, :request => request_for(FIREFOX, "http://example.com:81"))
         csp.send(:same_origin?).should be_false
       end
       it "does not match host mismatches" do
-        csp = ContentSecurityPolicy.new(request_for(FIREFOX, "http://example.com"), {:report_uri => 'http://twitter.com'})
+        csp = ContentSecurityPolicy.new({:report_uri => 'http://twitter.com'}, :request => request_for(FIREFOX, "http://example.com"))
         csp.send(:same_origin?).should be_false
       end
       it "does not match host mismatches because of subdomains" do
-        csp = ContentSecurityPolicy.new(request_for(FIREFOX, "http://sub.example.com"), {:report_uri => 'http://example.com'})
+        csp = ContentSecurityPolicy.new({:report_uri => 'http://example.com'}, :request => request_for(FIREFOX, "http://sub.example.com"))
         csp.send(:same_origin?).should be_false
       end
       it "does not match scheme mismatches" do
-        csp = ContentSecurityPolicy.new(request_for(FIREFOX, "ftp://example.com"), {:report_uri => 'https://example.com'})
+        csp = ContentSecurityPolicy.new({:report_uri => 'https://example.com'}, :request => request_for(FIREFOX, "ftp://example.com"))
         csp.send(:same_origin?).should be_false
       end
       it "does not match on substring collisions" do
-        csp = ContentSecurityPolicy.new(request_for(FIREFOX, "https://anotherexample.com"), {:report_uri => 'https://example.com'})
+        csp = ContentSecurityPolicy.new({:report_uri => 'https://example.com'}, :request => request_for(FIREFOX, "https://anotherexample.com"))
         csp.send(:same_origin?).should be_false
       end
     end
     describe "#normalize_reporting_endpoint" do
@@ -178,69 +161,69 @@ module SecureHeaders
       context "when using firefox" do
         it "updates the report-uri when posting to a different host" do
-          subject.configure(request_for(FIREFOX, "https://anexample.com"), opts)
-          subject.report_uri.should == FF_CSP_ENDPOINT
+          csp = ContentSecurityPolicy.new(opts, :request => request_for(FIREFOX, "https://anexample.com"))
+          csp.report_uri.should == FF_CSP_ENDPOINT
         end
-        it "updates the report-uri when posting to a different host for Firefox >= 18" do
-          subject.configure(request_for(FIREFOX, "https://anexample.com"), opts)
-          subject.report_uri.should == FF_CSP_ENDPOINT
+        it "doesn't set report-uri if no forward_endpoint is supplied" do
+          csp = ContentSecurityPolicy.new({:report_uri => "https://another.example.com"}, :request => request_for(FIREFOX, "https://anexample.com"))
+          csp.report_uri.should be_nil
         end
-        it "doesn't set report-uri if no forward_endpoint is supplied" do
-          subject.configure(request_for(FIREFOX, "https://example.com"), :report_uri => "https://another.example.com")
-          subject.report_uri.should be_nil
+        it "forwards if the request_uri is set to a non-matching value" do
+          csp = ContentSecurityPolicy.new({:report_uri => "https://another.example.com", :forward_endpoint => '/somewhere'}, :ua => "Firefox", :request_uri => "https://anexample.com")
+          csp.report_uri.should == FF_CSP_ENDPOINT
         end
       end
       it "does not update the URI is the report_uri is on the same origin" do
         opts = {:report_uri => 'https://example.com/csp', :forward_endpoint => 'https://anotherexample.com'}
-        subject.configure(request_for(FIREFOX, "https://example.com/somewhere"), opts)
-        subject.report_uri.should == 'https://example.com/csp'
+        csp = ContentSecurityPolicy.new(opts, :request => request_for(FIREFOX, "https://example.com/somewhere"))
+        csp.report_uri.should == 'https://example.com/csp'
       end
       it "does not update the report-uri when using a non-firefox browser" do
-        subject.configure(request_for(CHROME), opts)
-        subject.report_uri.should == 'https://example.com/csp'
+        csp = ContentSecurityPolicy.new(opts, :request => request_for(CHROME))
+        csp.report_uri.should == 'https://example.com/csp'
       end
     end
     describe "#value" do
       it "raises an exception when default-src is missing" do
-        subject.configure(request_for(CHROME), {:script_src => 'anything'})
+        csp = ContentSecurityPolicy.new({:script_src => 'anything'}, :request => request_for(CHROME))
         lambda {
-          subject.value
+          csp.value
         }.should raise_error(ContentSecurityPolicyBuildError, "Couldn't build CSP header :( Expected to find default_src directive value")
       end
       context "auto-whitelists data: uris for img-src" do
         it "sets the value if no img-src specified" do
-          csp = ContentSecurityPolicy.new(request_for(CHROME), {:default_src => 'self', :disable_fill_missing => true, :disable_chrome_extension => true})
+          csp = ContentSecurityPolicy.new({:default_src => 'self', :disable_fill_missing => true, :disable_chrome_extension => true}, :request => request_for(CHROME))
           csp.value.should == "default-src 'self'; img-src data:;"
         end
         it "appends the value if img-src is specified" do
-          csp = ContentSecurityPolicy.new(request_for(CHROME), {:default_src => 'self', :img_src => 'self', :disable_fill_missing => true, :disable_chrome_extension => true})
+          csp = ContentSecurityPolicy.new({:default_src => 'self', :img_src => 'self', :disable_fill_missing => true, :disable_chrome_extension => true}, :request => request_for(CHROME))
           csp.value.should == "default-src 'self'; img-src 'self' data:;"
         end
       end
       it "fills in directives without values with default-src value" do
         options = default_opts.merge(:disable_fill_missing => false)
-        csp = ContentSecurityPolicy.new(request_for(CHROME), options)
+        csp = ContentSecurityPolicy.new(options, :request => request_for(CHROME))
         value = "default-src https://*; connect-src https://*; font-src https://*; frame-src https://*; img-src https://* data:; media-src https://*; object-src https://*; script-src 'unsafe-inline' 'unsafe-eval' https://* data:; style-src 'unsafe-inline' https://* chrome-extension: about:; report-uri /csp_report;"
         csp.value.should == value
       end
       it "sends the chrome csp header if an unknown browser is supplied" do
-        csp = ContentSecurityPolicy.new(request_for(IE), default_opts)
+        csp = ContentSecurityPolicy.new(default_opts, :request => request_for(IE))
         csp.value.should match "default-src"
       end
       context "X-Content-Security-Policy" do
         it "builds a csp header for firefox" do
-          csp = ContentSecurityPolicy.new(request_for(FIREFOX), default_opts)
+          csp = ContentSecurityPolicy.new(default_opts, :request => request_for(FIREFOX))
           csp.value.should == "allow https://*; options inline-script eval-script; img-src data:; script-src https://* data:; style-src https://* chrome-extension: about:;"
         end
@@ -251,7 +234,7 @@ module SecureHeaders
             :disable_chrome_extension => true,
             :disable_fill_missing => true
           }
-          csp = ContentSecurityPolicy.new(request_for(FIREFOX), opts)
+          csp = ContentSecurityPolicy.new(opts, :request => request_for(FIREFOX))
           csp.value.should =~ /xhr-src 'self' http:/
         end
@@ -262,24 +245,19 @@ module SecureHeaders
             :disable_chrome_extension => true,
             :disable_fill_missing => true
           }
-          csp = ContentSecurityPolicy.new(request_for(FIREFOX_18), opts)
+          csp = ContentSecurityPolicy.new(opts, :request => request_for(FIREFOX_18))
           csp.value.should =~ /xhr-src 'self' http:\/\/\*\.localhost\.com:\*/
         end
-        it "builds a w3c-style-ish header for Firefox > version 18" do
-          csp = ContentSecurityPolicy.new(request_for(FIREFOX_18), default_opts)
-          csp.value.should =~ /default-src/
-        end
       end
       context "X-Webkit-CSP" do
         it "builds a csp header for chrome" do
-          csp = ContentSecurityPolicy.new(request_for(CHROME), default_opts)
+          csp = ContentSecurityPolicy.new(default_opts, :request => request_for(CHROME))
           csp.value.should == "default-src https://*; img-src data:; script-src 'unsafe-inline' 'unsafe-eval' https://* data:; style-src 'unsafe-inline' https://* chrome-extension: about:; report-uri /csp_report;"
         end
         it "ignores :forward_endpoint settings" do
-          csp = ContentSecurityPolicy.new(request_for(CHROME), @options_with_forwarding)
+          csp = ContentSecurityPolicy.new(@options_with_forwarding, :request => request_for(CHROME))
           csp.value.should =~ /report-uri #{@options_with_forwarding[:report_uri]};/
         end
@@ -291,7 +269,7 @@ module SecureHeaders
             :style_src => "inline https://* chrome-extension: about:"
           }
-          csp = ContentSecurityPolicy.new(request_for(CHROME), opts)
+          csp = ContentSecurityPolicy.new(opts, :request => request_for(CHROME))
           # ignore the report-uri directive
           csp.value.split(';')[0...-1].each{|directive| directive.should =~ /chrome-extension:/}
@@ -311,12 +289,12 @@ module SecureHeaders
         let(:header) {}
         it "returns the original value" do
-          header = ContentSecurityPolicy.new(request_for(CHROME), options)
+          header = ContentSecurityPolicy.new(options, :request => request_for(CHROME))
           header.value.should == "default-src 'self'; img-src data:; script-src https://*;"
         end
         it "it returns the experimental value if requested" do
-          header = ContentSecurityPolicy.new(request_for(CHROME), options, :experimental => true)
+          header = ContentSecurityPolicy.new(options, {:request => request_for(CHROME), :experimental => true})
           header.value.should_not =~ /https/
         end
       end
@@ -332,12 +310,17 @@ module SecureHeaders
         }
         it "adds directive values for headers on http" do
-          csp = ContentSecurityPolicy.new(request_for(CHROME), options)
+          csp = ContentSecurityPolicy.new(options, :request => request_for(CHROME))
           csp.value.should == "default-src https://*; frame-src http://*; img-src http://* data:; script-src 'unsafe-inline' 'unsafe-eval' https://* data:; style-src 'unsafe-inline' https://* chrome-extension: about:; report-uri /csp_report;"
         end
         it "does not add the directive values if requesting https" do
-          csp = ContentSecurityPolicy.new(request_for(CHROME, '/', :ssl => true), options)
+          csp = ContentSecurityPolicy.new(options, :request => request_for(CHROME, '/', :ssl => true))
+          csp.value.should_not =~ /http:/
+        end
+        it "does not add the directive values if requesting https" do
+          csp = ContentSecurityPolicy.new(options, :ua => "Chrome", :ssl => true)
           csp.value.should_not =~ /http:/
         end
@@ -367,12 +350,17 @@ module SecureHeaders
           # "allow 'self; script-src https://* http://*" for http requests
           it "uses the value in the experimental block over SSL" do
-            csp = ContentSecurityPolicy.new(request_for(FIREFOX, '/', :ssl => true), options, :experimental => true)
+            csp = ContentSecurityPolicy.new(options, :experimental => true, :request => request_for(FIREFOX, '/', :ssl => true))
+            csp.value.should == "allow 'self'; img-src data:; script-src 'self';"
+          end
+          it "detects the :ssl => true option" do
+            csp = ContentSecurityPolicy.new(options, :experimental => true, :ua => FIREFOX, :ssl => true)
             csp.value.should == "allow 'self'; img-src data:; script-src 'self';"
           end
           it "merges the values from experimental/http_additions when not over SSL" do
-            csp = ContentSecurityPolicy.new(request_for(FIREFOX), options, :experimental => true)
+            csp = ContentSecurityPolicy.new(options, :experimental => true, :request => request_for(FIREFOX))
             csp.value.should == "allow 'self'; img-src data:; script-src 'self' https://mycdn.example.com;"
           end
         end