secure_headers 1.1.1 → 1.3.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +15 -0
- data/.ruby-gemset +1 -0
- data/.ruby-version +1 -0
- data/.travis.yml +2 -0
- data/Gemfile +0 -4
- data/Guardfile +1 -5
- data/HISTORY.md +47 -0
- data/README.md +74 -27
- data/fixtures/rails_3_2_12/Gemfile +0 -3
- data/fixtures/rails_3_2_12/app/views/things/index.html.erb +1 -21
- data/fixtures/rails_3_2_12/config/application.rb +4 -4
- data/fixtures/rails_3_2_12/config/environments/development.rb +3 -3
- data/fixtures/rails_3_2_12/config/environments/test.rb +2 -2
- data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +1 -0
- data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +15 -14
- data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +12 -12
- data/fixtures/rails_3_2_12/spec/spec_helper.rb +1 -5
- data/fixtures/rails_3_2_12_no_init/Gemfile +0 -3
- data/fixtures/rails_3_2_12_no_init/config/application.rb +1 -4
- data/fixtures/rails_3_2_12_no_init/config/environments/development.rb +3 -3
- data/fixtures/rails_3_2_12_no_init/config/environments/test.rb +2 -2
- data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +12 -12
- data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +12 -12
- data/fixtures/rails_3_2_12_no_init/spec/spec_helper.rb +3 -18
- data/lib/secure_headers/headers/content_security_policy.rb +52 -35
- data/lib/secure_headers/headers/strict_transport_security.rb +2 -1
- data/lib/secure_headers/headers/x_download_options.rb +39 -0
- data/lib/secure_headers/headers/x_xss_protection.rb +2 -1
- data/lib/secure_headers/padrino.rb +14 -0
- data/lib/secure_headers/railtie.rb +6 -2
- data/lib/secure_headers/version.rb +1 -1
- data/lib/secure_headers.rb +8 -1
- data/spec/controllers/content_security_policy_controller_spec.rb +19 -19
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +117 -85
- data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +21 -20
- data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +12 -12
- data/spec/lib/secure_headers/headers/x_download_options_spec.rb +32 -0
- data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +12 -12
- data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +20 -19
- data/spec/lib/secure_headers_spec.rb +38 -12
- data/spec/spec_helper.rb +10 -24
- metadata +11 -20
- data/.rvmrc +0 -1
- data/fixtures/rails_3_2_12/Guardfile +0 -14
- data/fixtures/rails_3_2_12/app/models/thing.rb +0 -3
- data/fixtures/rails_3_2_12/config/database.yml +0 -25
- data/fixtures/rails_3_2_12/db/schema.rb +0 -16
- data/fixtures/rails_3_2_12/db/seeds.rb +0 -7
- data/fixtures/rails_3_2_12_no_init/Guardfile +0 -14
- data/fixtures/rails_3_2_12_no_init/app/models/thing.rb +0 -3
- data/fixtures/rails_3_2_12_no_init/config/database.yml +0 -25
- data/fixtures/rails_3_2_12_no_init/db/schema.rb +0 -16
- data/fixtures/rails_3_2_12_no_init/db/seeds.rb +0 -7
|
@@ -4,45 +4,45 @@ require 'spec_helper'
|
|
|
4
4
|
# all values are defaulted because no initializer is configured, and the values in app controller
|
|
5
5
|
# only provide csp => false
|
|
6
6
|
|
|
7
|
-
describe ThingsController do
|
|
7
|
+
describe ThingsController, :type => :controller do
|
|
8
8
|
describe "headers" do
|
|
9
|
-
before(:each) do
|
|
10
|
-
# Chrome
|
|
11
|
-
request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
|
|
12
|
-
end
|
|
13
|
-
|
|
14
9
|
it "sets the X-XSS-Protection header" do
|
|
15
10
|
get :index
|
|
16
|
-
response.headers['X-XSS-Protection'].
|
|
11
|
+
expect(response.headers['X-XSS-Protection']).to eq(SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE)
|
|
17
12
|
end
|
|
18
13
|
|
|
19
14
|
it "sets the X-Frame-Options header" do
|
|
20
15
|
get :index
|
|
21
|
-
response.headers['X-Frame-Options'].
|
|
16
|
+
expect(response.headers['X-Frame-Options']).to eq(SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
|
|
22
17
|
end
|
|
23
18
|
|
|
24
19
|
it "sets the X-WebKit-CSP header" do
|
|
25
20
|
get :index
|
|
26
|
-
response.headers['Content-Security-Policy-Report-Only'].
|
|
21
|
+
expect(response.headers['Content-Security-Policy-Report-Only']).to eq(nil)
|
|
27
22
|
end
|
|
28
23
|
|
|
29
24
|
#mock ssl
|
|
30
25
|
it "sets the Strict-Transport-Security header" do
|
|
31
26
|
request.env['HTTPS'] = 'on'
|
|
32
27
|
get :index
|
|
33
|
-
response.headers['Strict-Transport-Security'].
|
|
28
|
+
expect(response.headers['Strict-Transport-Security']).to eq(SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
it "sets the X-Download-Options header" do
|
|
32
|
+
get :index
|
|
33
|
+
expect(response.headers['X-Download-Options']).to eq(SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
|
|
34
34
|
end
|
|
35
35
|
|
|
36
36
|
it "sets the X-Content-Type-Options header" do
|
|
37
37
|
get :index
|
|
38
|
-
response.headers['X-Content-Type-Options'].
|
|
38
|
+
expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
|
|
39
39
|
end
|
|
40
40
|
|
|
41
41
|
context "using IE" do
|
|
42
42
|
it "sets the X-Content-Type-Options header" do
|
|
43
43
|
request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
|
|
44
44
|
get :index
|
|
45
|
-
response.headers['X-Content-Type-Options'].
|
|
45
|
+
expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
|
|
46
46
|
end
|
|
47
47
|
end
|
|
48
48
|
end
|
|
@@ -1,20 +1,5 @@
|
|
|
1
1
|
require 'rubygems'
|
|
2
|
-
require 'spork'
|
|
3
|
-
#uncomment the following line to use spork with the debugger
|
|
4
|
-
#require 'spork/ext/ruby-debug'
|
|
5
2
|
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
# need to restart spork for it take effect.
|
|
10
|
-
# This file is copied to spec/ when you run 'rails generate rspec:install'
|
|
11
|
-
ENV["RAILS_ENV"] ||= 'test'
|
|
12
|
-
require File.expand_path("../../config/environment", __FILE__)
|
|
13
|
-
require 'rspec/rails'
|
|
14
|
-
require 'rspec/autorun'
|
|
15
|
-
# require 'ruby-debug'
|
|
16
|
-
end
|
|
17
|
-
|
|
18
|
-
Spork.each_run do
|
|
19
|
-
|
|
20
|
-
end
|
|
3
|
+
ENV["RAILS_ENV"] ||= 'test'
|
|
4
|
+
require File.expand_path("../../config/environment", __FILE__)
|
|
5
|
+
require 'rspec/rails'
|
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
require 'uri'
|
|
2
|
+
require 'base64'
|
|
2
3
|
|
|
3
4
|
module SecureHeaders
|
|
4
5
|
class ContentSecurityPolicyBuildError < StandardError; end
|
|
@@ -8,7 +9,7 @@ module SecureHeaders
|
|
|
8
9
|
STANDARD_HEADER_NAME = "Content-Security-Policy"
|
|
9
10
|
FF_CSP_ENDPOINT = "/content_security_policy/forward_report"
|
|
10
11
|
DIRECTIVES = [:default_src, :script_src, :frame_src, :style_src, :img_src, :media_src, :font_src, :object_src, :connect_src]
|
|
11
|
-
META = [:
|
|
12
|
+
META = [:disable_chrome_extension, :disable_fill_missing, :forward_endpoint]
|
|
12
13
|
end
|
|
13
14
|
include Constants
|
|
14
15
|
|
|
@@ -30,6 +31,7 @@ module SecureHeaders
|
|
|
30
31
|
def initialize(config=nil, options={})
|
|
31
32
|
@experimental = !!options.delete(:experimental)
|
|
32
33
|
@controller = options.delete(:controller)
|
|
34
|
+
|
|
33
35
|
if options[:request]
|
|
34
36
|
parse_request(options[:request])
|
|
35
37
|
else
|
|
@@ -45,6 +47,10 @@ module SecureHeaders
|
|
|
45
47
|
configure(config) if config
|
|
46
48
|
end
|
|
47
49
|
|
|
50
|
+
def nonce
|
|
51
|
+
@nonce ||= SecureRandom.base64(32).chomp
|
|
52
|
+
end
|
|
53
|
+
|
|
48
54
|
def configure(config)
|
|
49
55
|
@config = config.dup
|
|
50
56
|
|
|
@@ -54,21 +60,26 @@ module SecureHeaders
|
|
|
54
60
|
@config.merge!(experimental_config)
|
|
55
61
|
end
|
|
56
62
|
|
|
63
|
+
# these values don't support lambdas because this needs to be rewritten
|
|
64
|
+
@http_additions = @config.delete(:http_additions)
|
|
65
|
+
@app_name = @config.delete(:app_name)
|
|
66
|
+
|
|
67
|
+
normalize_csp_options
|
|
68
|
+
|
|
57
69
|
META.each do |meta|
|
|
58
70
|
self.send("#{meta}=", @config.delete(meta))
|
|
59
71
|
end
|
|
60
72
|
|
|
61
|
-
@
|
|
62
|
-
@
|
|
73
|
+
@enforce = !!@config.delete(:enforce)
|
|
74
|
+
@tag_report_uri = @config.delete(:tag_report_uri)
|
|
63
75
|
|
|
64
|
-
normalize_csp_options
|
|
65
76
|
normalize_reporting_endpoint
|
|
66
77
|
fill_directives unless disable_fill_missing?
|
|
67
78
|
end
|
|
68
79
|
|
|
69
80
|
def name
|
|
70
81
|
base = STANDARD_HEADER_NAME
|
|
71
|
-
if
|
|
82
|
+
if !@enforce || experimental
|
|
72
83
|
base += "-Report-Only"
|
|
73
84
|
end
|
|
74
85
|
base
|
|
@@ -89,16 +100,9 @@ module SecureHeaders
|
|
|
89
100
|
raise "Expected to find default_src directive value" unless @config[:default_src]
|
|
90
101
|
append_http_additions unless ssl_request?
|
|
91
102
|
header_value = [
|
|
92
|
-
# ensure default-src is first
|
|
93
|
-
build_directive(:default_src),
|
|
94
103
|
generic_directives(@config),
|
|
95
|
-
report_uri_directive
|
|
96
|
-
|
|
97
|
-
].join
|
|
98
|
-
|
|
99
|
-
#store the value for next time
|
|
100
|
-
@config = header_value
|
|
101
|
-
header_value.strip
|
|
104
|
+
report_uri_directive
|
|
105
|
+
].join.strip
|
|
102
106
|
rescue StandardError => e
|
|
103
107
|
raise ContentSecurityPolicyBuildError.new("Couldn't build CSP header :( #{e}")
|
|
104
108
|
end
|
|
@@ -115,20 +119,31 @@ module SecureHeaders
|
|
|
115
119
|
end
|
|
116
120
|
|
|
117
121
|
def append_http_additions
|
|
118
|
-
return unless http_additions
|
|
119
|
-
http_additions.each do |k, v|
|
|
122
|
+
return unless @http_additions
|
|
123
|
+
@http_additions.each do |k, v|
|
|
120
124
|
@config[k] ||= []
|
|
121
125
|
@config[k] << v
|
|
122
126
|
end
|
|
123
127
|
end
|
|
124
128
|
|
|
125
129
|
def normalize_csp_options
|
|
126
|
-
@config.
|
|
127
|
-
|
|
128
|
-
|
|
129
|
-
|
|
130
|
+
@config = @config.inject({}) do |hash, (key, value)|
|
|
131
|
+
# lambdas
|
|
132
|
+
config_val = value.respond_to?(:call) ? value.call : value
|
|
133
|
+
# space-delimeted strings
|
|
134
|
+
config_val = config_val.split if config_val.is_a? String
|
|
135
|
+
# array of strings
|
|
136
|
+
if config_val.respond_to?(:map) #skip booleans
|
|
137
|
+
config_val = config_val.map do |val|
|
|
138
|
+
translate_dir_value(val)
|
|
139
|
+
end.flatten.uniq
|
|
130
140
|
end
|
|
141
|
+
|
|
142
|
+
hash[key] = config_val
|
|
143
|
+
hash
|
|
131
144
|
end
|
|
145
|
+
|
|
146
|
+
@report_uri = @config.delete(:report_uri).join(" ") if @config[:report_uri]
|
|
132
147
|
end
|
|
133
148
|
|
|
134
149
|
# translates 'inline','self', 'none' and 'eval' to their respective impl-specific values.
|
|
@@ -138,6 +153,9 @@ module SecureHeaders
|
|
|
138
153
|
# self/none are special sources/src-dir-values and need to be quoted in chrome
|
|
139
154
|
elsif %{self none}.include?(val)
|
|
140
155
|
"'#{val}'"
|
|
156
|
+
elsif val == 'nonce'
|
|
157
|
+
@controller.instance_variable_set(:@content_security_policy_nonce, nonce)
|
|
158
|
+
["'nonce-#{nonce}'", "'unsafe-inline'"]
|
|
141
159
|
else
|
|
142
160
|
val
|
|
143
161
|
end
|
|
@@ -156,13 +174,23 @@ module SecureHeaders
|
|
|
156
174
|
@report_uri = FF_CSP_ENDPOINT
|
|
157
175
|
end
|
|
158
176
|
end
|
|
177
|
+
|
|
178
|
+
if @tag_report_uri
|
|
179
|
+
@report_uri = "#{@report_uri}?enforce=#{@enforce}"
|
|
180
|
+
@report_uri += "&app_name=#{@app_name}" if @app_name
|
|
181
|
+
end
|
|
159
182
|
end
|
|
160
183
|
|
|
161
184
|
def same_origin?
|
|
162
185
|
return unless report_uri && request_uri
|
|
163
186
|
|
|
164
|
-
|
|
165
|
-
|
|
187
|
+
begin
|
|
188
|
+
origin = URI.parse(request_uri)
|
|
189
|
+
uri = URI.parse(report_uri)
|
|
190
|
+
rescue URI::InvalidURIError
|
|
191
|
+
return false
|
|
192
|
+
end
|
|
193
|
+
|
|
166
194
|
uri.host == origin.host && origin.port == uri.port && origin.scheme == uri.scheme
|
|
167
195
|
end
|
|
168
196
|
|
|
@@ -180,26 +208,15 @@ module SecureHeaders
|
|
|
180
208
|
"report-uri #{@report_uri};"
|
|
181
209
|
end
|
|
182
210
|
|
|
183
|
-
def script_nonce_directive
|
|
184
|
-
return '' if @script_nonce.nil?
|
|
185
|
-
nonce_value = if @script_nonce.is_a?(String)
|
|
186
|
-
@script_nonce
|
|
187
|
-
elsif @controller
|
|
188
|
-
@controller.instance_exec(&@script_nonce)
|
|
189
|
-
else
|
|
190
|
-
@script_nonce.call
|
|
191
|
-
end
|
|
192
|
-
"script-nonce #{nonce_value};"
|
|
193
|
-
end
|
|
194
|
-
|
|
195
211
|
def generic_directives(config)
|
|
196
212
|
header_value = ''
|
|
197
213
|
if config[:img_src]
|
|
198
214
|
config[:img_src] = config[:img_src] + ['data:'] unless config[:img_src].include?('data:')
|
|
199
215
|
else
|
|
200
|
-
config[:img_src] = ['data:']
|
|
216
|
+
config[:img_src] = config[:default_src] + ['data:']
|
|
201
217
|
end
|
|
202
218
|
|
|
219
|
+
header_value = build_directive(:default_src)
|
|
203
220
|
config.keys.sort_by{|k| k.to_s}.each do |k| # ensure consistent ordering
|
|
204
221
|
header_value += build_directive(k)
|
|
205
222
|
end
|
|
@@ -6,7 +6,7 @@ module SecureHeaders
|
|
|
6
6
|
HSTS_HEADER_NAME = 'Strict-Transport-Security'
|
|
7
7
|
HSTS_MAX_AGE = "631138519"
|
|
8
8
|
DEFAULT_VALUE = "max-age=" + HSTS_MAX_AGE
|
|
9
|
-
VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?\z/i
|
|
9
|
+
VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?(; preload)?\z/i
|
|
10
10
|
MESSAGE = "The config value supplied for the HSTS header was invalid."
|
|
11
11
|
end
|
|
12
12
|
include Constants
|
|
@@ -31,6 +31,7 @@ module SecureHeaders
|
|
|
31
31
|
max_age = @config.fetch(:max_age, HSTS_MAX_AGE)
|
|
32
32
|
value = "max-age=" + max_age.to_s
|
|
33
33
|
value += "; includeSubdomains" if @config[:include_subdomains]
|
|
34
|
+
value += "; preload" if @config[:preload]
|
|
34
35
|
|
|
35
36
|
value
|
|
36
37
|
end
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
module SecureHeaders
|
|
2
|
+
class XDOBuildError < StandardError; end
|
|
3
|
+
class XDownloadOptions < Header
|
|
4
|
+
module Constants
|
|
5
|
+
XDO_HEADER_NAME = "X-Download-Options"
|
|
6
|
+
DEFAULT_VALUE = 'noopen'
|
|
7
|
+
end
|
|
8
|
+
include Constants
|
|
9
|
+
|
|
10
|
+
def initialize(config = nil)
|
|
11
|
+
@config = config
|
|
12
|
+
validate_config unless @config.nil?
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
def name
|
|
16
|
+
XDO_HEADER_NAME
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def value
|
|
20
|
+
case @config
|
|
21
|
+
when NilClass
|
|
22
|
+
DEFAULT_VALUE
|
|
23
|
+
when String
|
|
24
|
+
@config
|
|
25
|
+
else
|
|
26
|
+
@config[:value]
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
private
|
|
31
|
+
|
|
32
|
+
def validate_config
|
|
33
|
+
value = @config.is_a?(Hash) ? @config[:value] : @config
|
|
34
|
+
unless value.casecmp(DEFAULT_VALUE) == 0
|
|
35
|
+
raise XDOBuildError.new("Value can only be nil or 'noopen'")
|
|
36
|
+
end
|
|
37
|
+
end
|
|
38
|
+
end
|
|
39
|
+
end
|
|
@@ -4,7 +4,7 @@ module SecureHeaders
|
|
|
4
4
|
module Constants
|
|
5
5
|
X_XSS_PROTECTION_HEADER_NAME = 'X-XSS-Protection'
|
|
6
6
|
DEFAULT_VALUE = "1"
|
|
7
|
-
VALID_X_XSS_HEADER = /\A[01](; mode=block)?\z/i
|
|
7
|
+
VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/i
|
|
8
8
|
end
|
|
9
9
|
include Constants
|
|
10
10
|
|
|
@@ -26,6 +26,7 @@ module SecureHeaders
|
|
|
26
26
|
else
|
|
27
27
|
value = @config[:value].to_s
|
|
28
28
|
value += "; mode=#{@config[:mode]}" if @config[:mode]
|
|
29
|
+
value += "; report=#{@config[:report_uri]}" if @config[:report_uri]
|
|
29
30
|
value
|
|
30
31
|
end
|
|
31
32
|
end
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
module SecureHeaders
|
|
2
|
+
module Padrino
|
|
3
|
+
class << self
|
|
4
|
+
##
|
|
5
|
+
# Main class that register this extension.
|
|
6
|
+
#
|
|
7
|
+
def registered(app)
|
|
8
|
+
app.extend SecureHeaders::ClassMethods
|
|
9
|
+
app.helpers SecureHeaders::InstanceMethods
|
|
10
|
+
end
|
|
11
|
+
alias :included :registered
|
|
12
|
+
end
|
|
13
|
+
end
|
|
14
|
+
end
|
|
@@ -3,7 +3,11 @@ if defined?(Rails::Railtie)
|
|
|
3
3
|
module SecureHeaders
|
|
4
4
|
class Railtie < Rails::Engine
|
|
5
5
|
isolate_namespace ::SecureHeaders if defined? isolate_namespace # rails 3.0
|
|
6
|
-
|
|
6
|
+
initializer "secure_headers.action_controller" do
|
|
7
|
+
ActiveSupport.on_load(:action_controller) do
|
|
8
|
+
include ::SecureHeaders
|
|
9
|
+
end
|
|
10
|
+
end
|
|
7
11
|
end
|
|
8
12
|
end
|
|
9
13
|
else
|
|
@@ -34,4 +38,4 @@ else
|
|
|
34
38
|
if defined? ActionController::Routing
|
|
35
39
|
ActionController::Routing::RouteSet::Mapper.send :include, ::SecureHeaders::Routing::MapperExtensions
|
|
36
40
|
end
|
|
37
|
-
end
|
|
41
|
+
end
|
data/lib/secure_headers.rb
CHANGED
|
@@ -2,7 +2,7 @@ module SecureHeaders
|
|
|
2
2
|
module Configuration
|
|
3
3
|
class << self
|
|
4
4
|
attr_accessor :hsts, :x_frame_options, :x_content_type_options,
|
|
5
|
-
:x_xss_protection, :csp
|
|
5
|
+
:x_xss_protection, :csp, :x_download_options
|
|
6
6
|
|
|
7
7
|
def configure &block
|
|
8
8
|
instance_eval &block
|
|
@@ -38,6 +38,7 @@ module SecureHeaders
|
|
|
38
38
|
before_filter :set_csp_header
|
|
39
39
|
before_filter :set_x_xss_protection_header
|
|
40
40
|
before_filter :set_x_content_type_options_header
|
|
41
|
+
before_filter :set_x_download_options_header
|
|
41
42
|
end
|
|
42
43
|
|
|
43
44
|
# we can't use ||= because I'm overloading false => disable, nil => default
|
|
@@ -55,6 +56,7 @@ module SecureHeaders
|
|
|
55
56
|
set_x_frame_options_header(options[:x_frame_options])
|
|
56
57
|
set_x_xss_protection_header(options[:x_xss_protection])
|
|
57
58
|
set_x_content_type_options_header(options[:x_content_type_options])
|
|
59
|
+
set_x_download_options_header(options[:x_download_options])
|
|
58
60
|
end
|
|
59
61
|
|
|
60
62
|
# backwards compatibility jank, to be removed in 1.0. Old API required a request
|
|
@@ -99,6 +101,10 @@ module SecureHeaders
|
|
|
99
101
|
set_a_header(:hsts, StrictTransportSecurity, options)
|
|
100
102
|
end
|
|
101
103
|
|
|
104
|
+
def set_x_download_options_header(options=self.class.secure_headers_options[:x_download_options])
|
|
105
|
+
set_a_header(:x_download_options, XDownloadOptions, options)
|
|
106
|
+
end
|
|
107
|
+
|
|
102
108
|
private
|
|
103
109
|
|
|
104
110
|
def set_a_header(name, klass, options=nil)
|
|
@@ -128,4 +134,5 @@ require "secure_headers/headers/x_frame_options"
|
|
|
128
134
|
require "secure_headers/headers/strict_transport_security"
|
|
129
135
|
require "secure_headers/headers/x_xss_protection"
|
|
130
136
|
require "secure_headers/headers/x_content_type_options"
|
|
137
|
+
require "secure_headers/headers/x_download_options"
|
|
131
138
|
require "secure_headers/railtie"
|
|
@@ -32,58 +32,58 @@ describe ContentSecurityPolicyController do
|
|
|
32
32
|
let(:secondary_endpoint) { "https://internal.example.com" }
|
|
33
33
|
|
|
34
34
|
before(:each) do
|
|
35
|
-
SecureHeaders::Configuration.
|
|
36
|
-
subject.
|
|
37
|
-
subject.
|
|
38
|
-
subject.
|
|
39
|
-
Net::HTTP.
|
|
35
|
+
allow(SecureHeaders::Configuration).to receive(:csp).and_return({:report_uri => endpoint, :forward_endpoint => secondary_endpoint})
|
|
36
|
+
expect(subject).to receive :head
|
|
37
|
+
allow(subject).to receive(:params).and_return(params)
|
|
38
|
+
allow(subject).to receive(:request).and_return(FakeRequest.new)
|
|
39
|
+
allow_any_instance_of(Net::HTTP).to receive(:request)
|
|
40
40
|
end
|
|
41
41
|
|
|
42
42
|
context "delivery endpoint" do
|
|
43
43
|
it "posts over ssl" do
|
|
44
|
-
subject.
|
|
44
|
+
expect(subject).to receive(:use_ssl)
|
|
45
45
|
subject.scribe
|
|
46
46
|
end
|
|
47
47
|
|
|
48
48
|
it "posts over plain http" do
|
|
49
|
-
SecureHeaders::Configuration.
|
|
50
|
-
subject.
|
|
49
|
+
allow(SecureHeaders::Configuration).to receive(:csp).and_return(:report_uri => 'http://example.com')
|
|
50
|
+
expect(subject).not_to receive(:use_ssl)
|
|
51
51
|
subject.scribe
|
|
52
52
|
end
|
|
53
53
|
end
|
|
54
54
|
|
|
55
55
|
it "makes a POST request" do
|
|
56
|
-
Net::HTTP.
|
|
57
|
-
request.
|
|
58
|
-
params.
|
|
56
|
+
allow(Net::HTTP).to receive(:new).and_return(request)
|
|
57
|
+
expect(request).to receive(:request).with(instance_of(::Net::HTTP::Post))
|
|
58
|
+
allow(params).to receive(:to_json)
|
|
59
59
|
subject.scribe
|
|
60
60
|
end
|
|
61
61
|
|
|
62
62
|
it "POSTs to the configured forward_endpoint" do
|
|
63
|
-
Net::HTTP::Post.
|
|
63
|
+
expect(Net::HTTP::Post).to receive(:new).with(secondary_endpoint).and_return(request)
|
|
64
64
|
subject.scribe
|
|
65
65
|
end
|
|
66
66
|
|
|
67
67
|
it "does not POST if there is no forwarder configured" do
|
|
68
|
-
SecureHeaders::Configuration.
|
|
69
|
-
Net::HTTP::Post.
|
|
68
|
+
allow(SecureHeaders::Configuration).to receive(:csp).and_return({})
|
|
69
|
+
expect(Net::HTTP::Post).not_to receive(:new)
|
|
70
70
|
subject.scribe
|
|
71
71
|
end
|
|
72
72
|
|
|
73
73
|
it "eliminates known phony CSP reports" do
|
|
74
|
-
SecureHeaders::Configuration.
|
|
75
|
-
Net::HTTP::Post.
|
|
74
|
+
allow(SecureHeaders::Configuration).to receive(:csp).and_return(:report_uri => nil)
|
|
75
|
+
expect(Net::HTTP::Post).not_to receive :new
|
|
76
76
|
subject.scribe
|
|
77
77
|
end
|
|
78
78
|
|
|
79
79
|
it "logs errors when it cannot forward the CSP report" do
|
|
80
80
|
class Rails; def logger; end; end
|
|
81
81
|
logger = double(:repond_to? => true)
|
|
82
|
-
Rails.
|
|
82
|
+
allow(Rails).to receive(:logger).and_return(logger)
|
|
83
83
|
|
|
84
|
-
SecureHeaders::Configuration.
|
|
84
|
+
allow(SecureHeaders::Configuration).to receive(:csp).and_raise(StandardError)
|
|
85
85
|
|
|
86
|
-
logger.
|
|
86
|
+
expect(logger).to receive(:warn)
|
|
87
87
|
subject.scribe
|
|
88
88
|
end
|
|
89
89
|
end
|