secure_headers 1.1.1 → 2.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/.gitignore +4 -8
- data/.ruby-gemset +1 -0
- data/.ruby-version +1 -0
- data/.travis.yml +8 -3
- data/Gemfile +6 -11
- data/README.md +219 -104
- data/Rakefile +11 -116
- data/fixtures/rails_3_2_12/Gemfile +0 -8
- data/fixtures/rails_3_2_12/app/controllers/things_controller.rb +0 -1
- data/fixtures/rails_3_2_12/app/views/layouts/application.html.erb +1 -4
- data/fixtures/rails_3_2_12/app/views/other_things/index.html.erb +2 -1
- data/fixtures/rails_3_2_12/app/views/things/index.html.erb +1 -21
- data/fixtures/rails_3_2_12/config/application.rb +0 -54
- data/fixtures/rails_3_2_12/config/environments/test.rb +2 -2
- data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +3 -1
- data/fixtures/rails_3_2_12/config/routes.rb +0 -57
- data/fixtures/rails_3_2_12/config/script_hashes.yml +5 -0
- data/fixtures/rails_3_2_12/config.ru +3 -0
- data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +57 -19
- data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +18 -13
- data/fixtures/rails_3_2_12/spec/spec_helper.rb +1 -5
- data/fixtures/rails_3_2_12_no_init/Gemfile +0 -9
- data/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb +1 -2
- data/fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb +1 -1
- data/fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb +0 -2
- data/fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb +0 -21
- data/fixtures/rails_3_2_12_no_init/config/application.rb +0 -51
- data/fixtures/rails_3_2_12_no_init/config/environments/test.rb +2 -2
- data/fixtures/rails_3_2_12_no_init/config/routes.rb +0 -57
- data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +17 -12
- data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +17 -12
- data/fixtures/rails_3_2_12_no_init/spec/spec_helper.rb +3 -18
- data/fixtures/rails_4_1_8/Gemfile +5 -0
- data/fixtures/rails_4_1_8/README.rdoc +28 -0
- data/fixtures/rails_4_1_8/Rakefile +6 -0
- data/fixtures/rails_4_1_8/app/controllers/application_controller.rb +4 -0
- data/fixtures/rails_4_1_8/app/controllers/concerns/.keep +0 -0
- data/fixtures/rails_4_1_8/app/controllers/other_things_controller.rb +5 -0
- data/fixtures/rails_4_1_8/app/controllers/things_controller.rb +5 -0
- data/fixtures/rails_4_1_8/app/models/.keep +0 -0
- data/fixtures/rails_4_1_8/app/models/concerns/.keep +0 -0
- data/fixtures/rails_4_1_8/app/views/layouts/application.html.erb +11 -0
- data/fixtures/rails_4_1_8/app/views/other_things/index.html.erb +2 -0
- data/fixtures/rails_4_1_8/app/views/things/index.html.erb +1 -0
- data/fixtures/rails_4_1_8/config/application.rb +15 -0
- data/fixtures/rails_4_1_8/config/boot.rb +4 -0
- data/fixtures/rails_4_1_8/config/environment.rb +5 -0
- data/fixtures/rails_4_1_8/config/environments/test.rb +10 -0
- data/fixtures/rails_4_1_8/config/initializers/secure_headers.rb +17 -0
- data/fixtures/rails_4_1_8/config/routes.rb +4 -0
- data/fixtures/rails_4_1_8/config/script_hashes.yml +5 -0
- data/fixtures/rails_4_1_8/config/secrets.yml +22 -0
- data/fixtures/rails_4_1_8/config.ru +4 -0
- data/fixtures/rails_4_1_8/lib/assets/.keep +0 -0
- data/fixtures/rails_4_1_8/lib/tasks/.keep +0 -0
- data/fixtures/rails_4_1_8/log/.keep +0 -0
- data/fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb +83 -0
- data/fixtures/rails_4_1_8/spec/controllers/things_controller_spec.rb +59 -0
- data/fixtures/rails_4_1_8/spec/spec_helper.rb +15 -0
- data/fixtures/rails_4_1_8/vendor/assets/javascripts/.keep +0 -0
- data/fixtures/rails_4_1_8/vendor/assets/stylesheets/.keep +0 -0
- data/lib/secure_headers/hash_helper.rb +7 -0
- data/lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb +22 -0
- data/lib/secure_headers/headers/content_security_policy.rb +160 -129
- data/lib/secure_headers/headers/public_key_pins.rb +95 -0
- data/lib/secure_headers/headers/strict_transport_security.rb +2 -1
- data/lib/secure_headers/headers/x_download_options.rb +39 -0
- data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +40 -0
- data/lib/secure_headers/headers/x_xss_protection.rb +2 -1
- data/lib/secure_headers/padrino.rb +14 -0
- data/lib/secure_headers/railtie.rb +19 -24
- data/lib/secure_headers/version.rb +1 -1
- data/lib/secure_headers/view_helper.rb +68 -0
- data/lib/secure_headers.rb +78 -16
- data/lib/tasks/tasks.rake +48 -0
- data/secure_headers.gemspec +4 -4
- data/spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb +47 -0
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +127 -220
- data/spec/lib/secure_headers/headers/public_key_pins_spec.rb +37 -0
- data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +21 -20
- data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +12 -12
- data/spec/lib/secure_headers/headers/x_download_options_spec.rb +32 -0
- data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +12 -12
- data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb +64 -0
- data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +20 -19
- data/spec/lib/secure_headers_spec.rb +115 -73
- data/spec/spec_helper.rb +30 -18
- metadata +62 -58
- data/.rvmrc +0 -1
- data/Guardfile +0 -10
- data/HISTORY.md +0 -115
- data/app/controllers/content_security_policy_controller.rb +0 -75
- data/config/curl-ca-bundle.crt +0 -5420
- data/config/routes.rb +0 -3
- data/fixtures/rails_3_2_12/Guardfile +0 -14
- data/fixtures/rails_3_2_12/app/models/thing.rb +0 -3
- data/fixtures/rails_3_2_12/config/database.yml +0 -25
- data/fixtures/rails_3_2_12/config/environments/development.rb +0 -37
- data/fixtures/rails_3_2_12/config/environments/production.rb +0 -67
- data/fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb +0 -7
- data/fixtures/rails_3_2_12/config/initializers/inflections.rb +0 -15
- data/fixtures/rails_3_2_12/config/initializers/mime_types.rb +0 -5
- data/fixtures/rails_3_2_12/config/initializers/secret_token.rb +0 -7
- data/fixtures/rails_3_2_12/config/initializers/session_store.rb +0 -8
- data/fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb +0 -14
- data/fixtures/rails_3_2_12/config/locales/en.yml +0 -5
- data/fixtures/rails_3_2_12/db/schema.rb +0 -16
- data/fixtures/rails_3_2_12/db/seeds.rb +0 -7
- data/fixtures/rails_3_2_12_no_init/Guardfile +0 -14
- data/fixtures/rails_3_2_12_no_init/app/models/thing.rb +0 -3
- data/fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb +0 -17
- data/fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb +0 -6
- data/fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb +0 -5
- data/fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb +0 -5
- data/fixtures/rails_3_2_12_no_init/config/database.yml +0 -25
- data/fixtures/rails_3_2_12_no_init/config/environments/development.rb +0 -37
- data/fixtures/rails_3_2_12_no_init/config/environments/production.rb +0 -67
- data/fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb +0 -7
- data/fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb +0 -15
- data/fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb +0 -5
- data/fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb +0 -7
- data/fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb +0 -8
- data/fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb +0 -14
- data/fixtures/rails_3_2_12_no_init/config/locales/en.yml +0 -5
- data/fixtures/rails_3_2_12_no_init/db/schema.rb +0 -16
- data/fixtures/rails_3_2_12_no_init/db/seeds.rb +0 -7
- data/spec/controllers/content_security_policy_controller_spec.rb +0 -90
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
module SecureHeaders
|
|
2
|
+
class ContentSecurityPolicy
|
|
3
|
+
class ScriptHashMiddleware
|
|
4
|
+
def initialize(app)
|
|
5
|
+
@app = app
|
|
6
|
+
end
|
|
7
|
+
|
|
8
|
+
def call(env)
|
|
9
|
+
status, headers, response = @app.call(env)
|
|
10
|
+
metadata = env[ContentSecurityPolicy::ENV_KEY]
|
|
11
|
+
if !metadata.nil?
|
|
12
|
+
config, options = metadata.values_at(:config, :options)
|
|
13
|
+
config.merge!(:script_hashes => env[HASHES_ENV_KEY])
|
|
14
|
+
csp_header = ContentSecurityPolicy.new(config, options)
|
|
15
|
+
headers[csp_header.name] = csp_header.value
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
[status, headers, response]
|
|
19
|
+
end
|
|
20
|
+
end
|
|
21
|
+
end
|
|
22
|
+
end
|
|
@@ -1,79 +1,160 @@
|
|
|
1
1
|
require 'uri'
|
|
2
|
+
require 'base64'
|
|
3
|
+
require 'securerandom'
|
|
2
4
|
|
|
3
5
|
module SecureHeaders
|
|
4
6
|
class ContentSecurityPolicyBuildError < StandardError; end
|
|
5
7
|
class ContentSecurityPolicy < Header
|
|
6
8
|
module Constants
|
|
7
|
-
DEFAULT_CSP_HEADER = "default-src https: data: 'unsafe-inline' 'unsafe-eval'; frame-src https
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
DIRECTIVES = [
|
|
11
|
-
|
|
9
|
+
DEFAULT_CSP_HEADER = "default-src https: data: 'unsafe-inline' 'unsafe-eval'; frame-src https: about: javascript:; img-src data:"
|
|
10
|
+
HEADER_NAME = "Content-Security-Policy"
|
|
11
|
+
ENV_KEY = 'secure_headers.content_security_policy'
|
|
12
|
+
DIRECTIVES = [
|
|
13
|
+
:default_src,
|
|
14
|
+
:connect_src,
|
|
15
|
+
:font_src,
|
|
16
|
+
:frame_src,
|
|
17
|
+
:img_src,
|
|
18
|
+
:media_src,
|
|
19
|
+
:object_src,
|
|
20
|
+
:script_src,
|
|
21
|
+
:style_src
|
|
22
|
+
]
|
|
23
|
+
|
|
24
|
+
NON_DEFAULT_SOURCES = [
|
|
25
|
+
:base_uri,
|
|
26
|
+
:child_src,
|
|
27
|
+
:form_action,
|
|
28
|
+
:frame_ancestors,
|
|
29
|
+
:plugin_types,
|
|
30
|
+
:referrer,
|
|
31
|
+
:reflected_xss
|
|
32
|
+
]
|
|
33
|
+
|
|
34
|
+
OTHER = [
|
|
35
|
+
:report_uri
|
|
36
|
+
]
|
|
37
|
+
|
|
38
|
+
SOURCE_DIRECTIVES = DIRECTIVES + NON_DEFAULT_SOURCES
|
|
39
|
+
|
|
40
|
+
ALL_DIRECTIVES = DIRECTIVES + NON_DEFAULT_SOURCES + OTHER
|
|
12
41
|
end
|
|
13
42
|
include Constants
|
|
14
43
|
|
|
15
|
-
|
|
16
|
-
attr_reader :browser, :ssl_request, :report_uri, :request_uri, :experimental
|
|
17
|
-
|
|
18
|
-
alias :disable_chrome_extension? :disable_chrome_extension
|
|
44
|
+
attr_reader :disable_fill_missing, :ssl_request
|
|
19
45
|
alias :disable_fill_missing? :disable_fill_missing
|
|
20
46
|
alias :ssl_request? :ssl_request
|
|
21
47
|
|
|
48
|
+
class << self
|
|
49
|
+
def generate_nonce
|
|
50
|
+
SecureRandom.base64(32).chomp
|
|
51
|
+
end
|
|
52
|
+
|
|
53
|
+
def set_nonce(controller, nonce = generate_nonce)
|
|
54
|
+
controller.instance_variable_set(:@content_security_policy_nonce, nonce)
|
|
55
|
+
end
|
|
56
|
+
|
|
57
|
+
def add_to_env(request, controller, config)
|
|
58
|
+
set_nonce(controller)
|
|
59
|
+
options = options_from_request(request).merge(:controller => controller)
|
|
60
|
+
request.env[Constants::ENV_KEY] = {
|
|
61
|
+
:config => config,
|
|
62
|
+
:options => options,
|
|
63
|
+
}
|
|
64
|
+
end
|
|
65
|
+
|
|
66
|
+
def options_from_request(request)
|
|
67
|
+
{
|
|
68
|
+
:ssl => request.ssl?,
|
|
69
|
+
:ua => request.env['HTTP_USER_AGENT'],
|
|
70
|
+
:request_uri => request_uri_from_request(request),
|
|
71
|
+
}
|
|
72
|
+
end
|
|
73
|
+
|
|
74
|
+
def request_uri_from_request(request)
|
|
75
|
+
if request.respond_to?(:original_url)
|
|
76
|
+
# rails 3.1+
|
|
77
|
+
request.original_url
|
|
78
|
+
else
|
|
79
|
+
# rails 2/3.0
|
|
80
|
+
request.url
|
|
81
|
+
end
|
|
82
|
+
end
|
|
83
|
+
|
|
84
|
+
def symbol_to_hyphen_case sym
|
|
85
|
+
sym.to_s.gsub('_', '-')
|
|
86
|
+
end
|
|
87
|
+
end
|
|
88
|
+
|
|
22
89
|
# +options+ param contains
|
|
23
|
-
# :
|
|
90
|
+
# :controller used for setting instance variables for nonces/hashes
|
|
24
91
|
# :ssl_request used to determine if http_additions should be used
|
|
25
|
-
# :request_uri used to determine if firefox should send the report directly
|
|
26
|
-
# or use the forwarding endpoint
|
|
27
92
|
# :ua the user agent (or just use Firefox/Chrome/MSIE/etc)
|
|
28
93
|
#
|
|
29
94
|
# :report used to determine what :ssl_request, :ua, and :request_uri are set to
|
|
30
95
|
def initialize(config=nil, options={})
|
|
31
|
-
|
|
32
|
-
|
|
96
|
+
return unless config
|
|
97
|
+
|
|
33
98
|
if options[:request]
|
|
34
|
-
|
|
35
|
-
else
|
|
36
|
-
@ua = options[:ua]
|
|
37
|
-
# fails open, assumes http. Bad idea? Will always include http additions.
|
|
38
|
-
# could also fail if not supplied.
|
|
39
|
-
@ssl_request = !!options.delete(:ssl)
|
|
40
|
-
# a nil value here means we always assume we are not on the same host,
|
|
41
|
-
# which causes all FF csp reports to go through the forwarder
|
|
42
|
-
@request_uri = options.delete(:request_uri)
|
|
99
|
+
options = options.merge(self.class.options_from_request(options[:request]))
|
|
43
100
|
end
|
|
44
101
|
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
102
|
+
@controller = options[:controller]
|
|
103
|
+
@ua = options[:ua]
|
|
104
|
+
@ssl_request = !!options.delete(:ssl)
|
|
105
|
+
@request_uri = options.delete(:request_uri)
|
|
106
|
+
|
|
107
|
+
# Config values can be string, array, or lamdba values
|
|
108
|
+
@config = config.inject({}) do |hash, (key, value)|
|
|
109
|
+
config_val = value.respond_to?(:call) ? value.call : value
|
|
110
|
+
|
|
111
|
+
if SOURCE_DIRECTIVES.include?(key) # directives need to be normalized to arrays of strings
|
|
112
|
+
config_val = config_val.split if config_val.is_a? String
|
|
113
|
+
if config_val.is_a?(Array)
|
|
114
|
+
config_val = config_val.map do |val|
|
|
115
|
+
translate_dir_value(val)
|
|
116
|
+
end.flatten.uniq
|
|
117
|
+
end
|
|
118
|
+
end
|
|
56
119
|
|
|
57
|
-
|
|
58
|
-
|
|
120
|
+
hash[key] = config_val
|
|
121
|
+
hash
|
|
59
122
|
end
|
|
60
123
|
|
|
124
|
+
@http_additions = @config.delete(:http_additions)
|
|
125
|
+
@app_name = @config.delete(:app_name)
|
|
61
126
|
@report_uri = @config.delete(:report_uri)
|
|
62
|
-
@script_nonce = @config.delete(:script_nonce)
|
|
63
127
|
|
|
64
|
-
|
|
65
|
-
|
|
128
|
+
@disable_fill_missing = !!@config.delete(:disable_fill_missing)
|
|
129
|
+
@enforce = !!@config.delete(:enforce)
|
|
130
|
+
@tag_report_uri = !!@config.delete(:tag_report_uri)
|
|
131
|
+
@script_hashes = @config.delete(:script_hashes) || []
|
|
132
|
+
|
|
133
|
+
add_script_hashes if @script_hashes.any?
|
|
66
134
|
fill_directives unless disable_fill_missing?
|
|
67
135
|
end
|
|
68
136
|
|
|
137
|
+
##
|
|
138
|
+
# Return or initialize the nonce value used for this header.
|
|
139
|
+
# If a reference to a controller is passed in the config, this method
|
|
140
|
+
# will check if a nonce has already been set and use it.
|
|
141
|
+
def nonce
|
|
142
|
+
@nonce ||= @controller.instance_variable_get(:@content_security_policy_nonce) || self.class.generate_nonce
|
|
143
|
+
end
|
|
144
|
+
|
|
145
|
+
##
|
|
146
|
+
# Returns the name to use for the header. Either "Content-Security-Policy" or
|
|
147
|
+
# "Content-Security-Policy-Report-Only"
|
|
69
148
|
def name
|
|
70
|
-
base =
|
|
71
|
-
if
|
|
149
|
+
base = HEADER_NAME
|
|
150
|
+
if !@enforce
|
|
72
151
|
base += "-Report-Only"
|
|
73
152
|
end
|
|
74
153
|
base
|
|
75
154
|
end
|
|
76
155
|
|
|
156
|
+
##
|
|
157
|
+
# Return the value of the CSP header
|
|
77
158
|
def value
|
|
78
159
|
return @config if @config.is_a?(String)
|
|
79
160
|
if @config
|
|
@@ -85,87 +166,52 @@ module SecureHeaders
|
|
|
85
166
|
|
|
86
167
|
private
|
|
87
168
|
|
|
169
|
+
def add_script_hashes
|
|
170
|
+
@config[:script_src] << @script_hashes.map {|hash| "'#{hash}'"} << ["'unsafe-inline'"]
|
|
171
|
+
end
|
|
172
|
+
|
|
88
173
|
def build_value
|
|
89
174
|
raise "Expected to find default_src directive value" unless @config[:default_src]
|
|
90
175
|
append_http_additions unless ssl_request?
|
|
91
176
|
header_value = [
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
script_nonce_directive,
|
|
97
|
-
].join
|
|
98
|
-
|
|
99
|
-
#store the value for next time
|
|
100
|
-
@config = header_value
|
|
101
|
-
header_value.strip
|
|
102
|
-
rescue StandardError => e
|
|
103
|
-
raise ContentSecurityPolicyBuildError.new("Couldn't build CSP header :( #{e}")
|
|
177
|
+
generic_directives,
|
|
178
|
+
non_default_directives,
|
|
179
|
+
report_uri_directive
|
|
180
|
+
].join.strip
|
|
104
181
|
end
|
|
105
182
|
|
|
106
183
|
def fill_directives
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
184
|
+
if default = @config[:default_src]
|
|
185
|
+
DIRECTIVES.each do |directive|
|
|
186
|
+
unless @config[directive]
|
|
187
|
+
@config[directive] = default
|
|
188
|
+
end
|
|
112
189
|
end
|
|
113
190
|
end
|
|
114
|
-
@config
|
|
115
191
|
end
|
|
116
192
|
|
|
117
193
|
def append_http_additions
|
|
118
|
-
return unless http_additions
|
|
119
|
-
http_additions.each do |k, v|
|
|
194
|
+
return unless @http_additions
|
|
195
|
+
@http_additions.each do |k, v|
|
|
120
196
|
@config[k] ||= []
|
|
121
197
|
@config[k] << v
|
|
122
198
|
end
|
|
123
199
|
end
|
|
124
200
|
|
|
125
|
-
def normalize_csp_options
|
|
126
|
-
@config.each do |k,v|
|
|
127
|
-
@config[k] = v.split if v.is_a? String
|
|
128
|
-
@config[k] = @config[k].map do |val|
|
|
129
|
-
translate_dir_value(val)
|
|
130
|
-
end
|
|
131
|
-
end
|
|
132
|
-
end
|
|
133
|
-
|
|
134
|
-
# translates 'inline','self', 'none' and 'eval' to their respective impl-specific values.
|
|
135
201
|
def translate_dir_value val
|
|
136
202
|
if %w{inline eval}.include?(val)
|
|
137
203
|
val == 'inline' ? "'unsafe-inline'" : "'unsafe-eval'"
|
|
138
|
-
# self/none are special sources/src-dir-values and need to be quoted
|
|
204
|
+
# self/none are special sources/src-dir-values and need to be quoted
|
|
139
205
|
elsif %{self none}.include?(val)
|
|
140
206
|
"'#{val}'"
|
|
207
|
+
elsif val == 'nonce'
|
|
208
|
+
self.class.set_nonce(@controller, nonce)
|
|
209
|
+
["'nonce-#{nonce}'", "'unsafe-inline'"]
|
|
141
210
|
else
|
|
142
211
|
val
|
|
143
212
|
end
|
|
144
213
|
end
|
|
145
214
|
|
|
146
|
-
# if we have a forwarding endpoint setup and we are not on the same origin as our report_uri
|
|
147
|
-
# or only a path was supplied (in which case we assume cross-host)
|
|
148
|
-
# we need to forward the request for Firefox.
|
|
149
|
-
def normalize_reporting_endpoint
|
|
150
|
-
if @ua && @ua =~ /Firefox/
|
|
151
|
-
if same_origin? || report_uri.nil? || URI.parse(report_uri).host.nil?
|
|
152
|
-
return
|
|
153
|
-
end
|
|
154
|
-
|
|
155
|
-
if forward_endpoint
|
|
156
|
-
@report_uri = FF_CSP_ENDPOINT
|
|
157
|
-
end
|
|
158
|
-
end
|
|
159
|
-
end
|
|
160
|
-
|
|
161
|
-
def same_origin?
|
|
162
|
-
return unless report_uri && request_uri
|
|
163
|
-
|
|
164
|
-
origin = URI.parse(request_uri)
|
|
165
|
-
uri = URI.parse(report_uri)
|
|
166
|
-
uri.host == origin.host && origin.port == uri.port && origin.scheme == uri.scheme
|
|
167
|
-
end
|
|
168
|
-
|
|
169
215
|
def report_uri_directive
|
|
170
216
|
return '' if @report_uri.nil?
|
|
171
217
|
|
|
@@ -177,55 +223,40 @@ module SecureHeaders
|
|
|
177
223
|
end
|
|
178
224
|
end
|
|
179
225
|
|
|
180
|
-
|
|
181
|
-
|
|
226
|
+
if @tag_report_uri
|
|
227
|
+
@report_uri = "#{@report_uri}?enforce=#{@enforce}"
|
|
228
|
+
@report_uri += "&app_name=#{@app_name}" if @app_name
|
|
229
|
+
end
|
|
182
230
|
|
|
183
|
-
|
|
184
|
-
return '' if @script_nonce.nil?
|
|
185
|
-
nonce_value = if @script_nonce.is_a?(String)
|
|
186
|
-
@script_nonce
|
|
187
|
-
elsif @controller
|
|
188
|
-
@controller.instance_exec(&@script_nonce)
|
|
189
|
-
else
|
|
190
|
-
@script_nonce.call
|
|
191
|
-
end
|
|
192
|
-
"script-nonce #{nonce_value};"
|
|
231
|
+
"report-uri #{@report_uri};"
|
|
193
232
|
end
|
|
194
233
|
|
|
195
|
-
def generic_directives
|
|
234
|
+
def generic_directives
|
|
196
235
|
header_value = ''
|
|
197
|
-
if config[:img_src]
|
|
198
|
-
config[:img_src] = config[:img_src] + ['data:'] unless config[:img_src].include?('data:')
|
|
236
|
+
if @config[:img_src]
|
|
237
|
+
@config[:img_src] = @config[:img_src] + ['data:'] unless @config[:img_src].include?('data:')
|
|
199
238
|
else
|
|
200
|
-
config[:img_src] = ['data:']
|
|
239
|
+
@config[:img_src] = @config[:default_src] + ['data:']
|
|
201
240
|
end
|
|
202
241
|
|
|
203
|
-
|
|
204
|
-
header_value += build_directive(
|
|
242
|
+
DIRECTIVES.each do |directive_name|
|
|
243
|
+
header_value += build_directive(directive_name) if @config[directive_name]
|
|
205
244
|
end
|
|
206
245
|
|
|
207
246
|
header_value
|
|
208
247
|
end
|
|
209
248
|
|
|
210
|
-
|
|
211
|
-
|
|
212
|
-
|
|
213
|
-
|
|
249
|
+
def non_default_directives
|
|
250
|
+
header_value = ''
|
|
251
|
+
NON_DEFAULT_SOURCES.each do |directive_name|
|
|
252
|
+
header_value += build_directive(directive_name) if @config[directive_name]
|
|
253
|
+
end
|
|
214
254
|
|
|
215
|
-
|
|
216
|
-
sym.to_s.gsub('_', '-')
|
|
255
|
+
header_value
|
|
217
256
|
end
|
|
218
257
|
|
|
219
|
-
def
|
|
220
|
-
@
|
|
221
|
-
@ua = request.env['HTTP_USER_AGENT']
|
|
222
|
-
@request_uri = if request.respond_to?(:original_url)
|
|
223
|
-
# rails 3.1+
|
|
224
|
-
request.original_url
|
|
225
|
-
else
|
|
226
|
-
# rails 2/3.0
|
|
227
|
-
request.url
|
|
228
|
-
end
|
|
258
|
+
def build_directive(key)
|
|
259
|
+
"#{self.class.symbol_to_hyphen_case(key)} #{@config[key].join(" ")}; "
|
|
229
260
|
end
|
|
230
261
|
end
|
|
231
262
|
end
|
|
@@ -0,0 +1,95 @@
|
|
|
1
|
+
module SecureHeaders
|
|
2
|
+
class PublicKeyPinsBuildError < StandardError; end
|
|
3
|
+
class PublicKeyPins < Header
|
|
4
|
+
module Constants
|
|
5
|
+
HPKP_HEADER_NAME = "Public-Key-Pins"
|
|
6
|
+
ENV_KEY = 'secure_headers.public_key_pins'
|
|
7
|
+
HASH_ALGORITHMS = [:sha256]
|
|
8
|
+
DIRECTIVES = [:max_age]
|
|
9
|
+
end
|
|
10
|
+
class << self
|
|
11
|
+
def symbol_to_hyphen_case sym
|
|
12
|
+
sym.to_s.gsub('_', '-')
|
|
13
|
+
end
|
|
14
|
+
end
|
|
15
|
+
include Constants
|
|
16
|
+
|
|
17
|
+
def initialize(config=nil)
|
|
18
|
+
@config = validate_config(config)
|
|
19
|
+
|
|
20
|
+
@pins = @config.fetch(:pins, nil)
|
|
21
|
+
@report_uri = @config.fetch(:report_uri, nil)
|
|
22
|
+
@app_name = @config.fetch(:app_name, nil)
|
|
23
|
+
@enforce = !!@config.fetch(:enforce, nil)
|
|
24
|
+
@include_subdomains = !!@config.fetch(:include_subdomains, nil)
|
|
25
|
+
@tag_report_uri = !!@config.fetch(:tag_report_uri, nil)
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
def name
|
|
29
|
+
base = HPKP_HEADER_NAME
|
|
30
|
+
if !@enforce
|
|
31
|
+
base += "-Report-Only"
|
|
32
|
+
end
|
|
33
|
+
base
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
def value
|
|
37
|
+
header_value = [
|
|
38
|
+
generic_directives,
|
|
39
|
+
pin_directives,
|
|
40
|
+
report_uri_directive,
|
|
41
|
+
subdomain_directive
|
|
42
|
+
].compact.join('; ').strip
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
def validate_config(config)
|
|
46
|
+
raise PublicKeyPinsBuildError.new("config must be a hash.") unless config.is_a? Hash
|
|
47
|
+
|
|
48
|
+
if !config[:max_age]
|
|
49
|
+
raise PublicKeyPinsBuildError.new("max-age is a required directive.")
|
|
50
|
+
elsif config[:max_age].to_s !~ /\A\d+\z/
|
|
51
|
+
raise PublicKeyPinsBuildError.new("max-age must be a number.
|
|
52
|
+
#{config[:max_age]} was supplied.")
|
|
53
|
+
elsif config[:pins] && config[:pins].length < 2
|
|
54
|
+
raise PublicKeyPinsBuildError.new("A minimum of 2 pins are required.")
|
|
55
|
+
end
|
|
56
|
+
|
|
57
|
+
config
|
|
58
|
+
end
|
|
59
|
+
|
|
60
|
+
def pin_directives
|
|
61
|
+
return nil if @pins.nil?
|
|
62
|
+
@pins.collect do |pin|
|
|
63
|
+
pin.map do |token, hash|
|
|
64
|
+
"pin-#{token}=\"#{hash}\"" if HASH_ALGORITHMS.include?(token)
|
|
65
|
+
end
|
|
66
|
+
end.join('; ')
|
|
67
|
+
end
|
|
68
|
+
|
|
69
|
+
def generic_directives
|
|
70
|
+
DIRECTIVES.collect do |directive_name|
|
|
71
|
+
build_directive(directive_name) if @config[directive_name]
|
|
72
|
+
end.join('; ')
|
|
73
|
+
end
|
|
74
|
+
|
|
75
|
+
def build_directive(key)
|
|
76
|
+
"#{self.class.symbol_to_hyphen_case(key)}=#{@config[key]}"
|
|
77
|
+
end
|
|
78
|
+
|
|
79
|
+
def report_uri_directive
|
|
80
|
+
return nil if @report_uri.nil?
|
|
81
|
+
|
|
82
|
+
if @tag_report_uri
|
|
83
|
+
@report_uri = "#{@report_uri}?enforce=#{@enforce}"
|
|
84
|
+
@report_uri += "&app_name=#{@app_name}" if @app_name
|
|
85
|
+
end
|
|
86
|
+
|
|
87
|
+
"report-uri=\"#{@report_uri}\""
|
|
88
|
+
end
|
|
89
|
+
|
|
90
|
+
|
|
91
|
+
def subdomain_directive
|
|
92
|
+
@include_subdomains ? 'includeSubDomains' : nil
|
|
93
|
+
end
|
|
94
|
+
end
|
|
95
|
+
end
|
|
@@ -6,7 +6,7 @@ module SecureHeaders
|
|
|
6
6
|
HSTS_HEADER_NAME = 'Strict-Transport-Security'
|
|
7
7
|
HSTS_MAX_AGE = "631138519"
|
|
8
8
|
DEFAULT_VALUE = "max-age=" + HSTS_MAX_AGE
|
|
9
|
-
VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?\z/i
|
|
9
|
+
VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?(; preload)?\z/i
|
|
10
10
|
MESSAGE = "The config value supplied for the HSTS header was invalid."
|
|
11
11
|
end
|
|
12
12
|
include Constants
|
|
@@ -31,6 +31,7 @@ module SecureHeaders
|
|
|
31
31
|
max_age = @config.fetch(:max_age, HSTS_MAX_AGE)
|
|
32
32
|
value = "max-age=" + max_age.to_s
|
|
33
33
|
value += "; includeSubdomains" if @config[:include_subdomains]
|
|
34
|
+
value += "; preload" if @config[:preload]
|
|
34
35
|
|
|
35
36
|
value
|
|
36
37
|
end
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
module SecureHeaders
|
|
2
|
+
class XDOBuildError < StandardError; end
|
|
3
|
+
class XDownloadOptions < Header
|
|
4
|
+
module Constants
|
|
5
|
+
XDO_HEADER_NAME = "X-Download-Options"
|
|
6
|
+
DEFAULT_VALUE = 'noopen'
|
|
7
|
+
end
|
|
8
|
+
include Constants
|
|
9
|
+
|
|
10
|
+
def initialize(config = nil)
|
|
11
|
+
@config = config
|
|
12
|
+
validate_config unless @config.nil?
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
def name
|
|
16
|
+
XDO_HEADER_NAME
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def value
|
|
20
|
+
case @config
|
|
21
|
+
when NilClass
|
|
22
|
+
DEFAULT_VALUE
|
|
23
|
+
when String
|
|
24
|
+
@config
|
|
25
|
+
else
|
|
26
|
+
@config[:value]
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
private
|
|
31
|
+
|
|
32
|
+
def validate_config
|
|
33
|
+
value = @config.is_a?(Hash) ? @config[:value] : @config
|
|
34
|
+
unless value.casecmp(DEFAULT_VALUE) == 0
|
|
35
|
+
raise XDOBuildError.new("Value can only be nil or 'noopen'")
|
|
36
|
+
end
|
|
37
|
+
end
|
|
38
|
+
end
|
|
39
|
+
end
|
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
module SecureHeaders
|
|
2
|
+
class XPCDPBuildError < StandardError; end
|
|
3
|
+
class XPermittedCrossDomainPolicies < Header
|
|
4
|
+
module Constants
|
|
5
|
+
XPCDP_HEADER_NAME = "X-Permitted-Cross-Domain-Policies"
|
|
6
|
+
DEFAULT_VALUE = 'none'
|
|
7
|
+
VALID_POLICIES = %w(all none master-only by-content-type by-ftp-filename)
|
|
8
|
+
end
|
|
9
|
+
include Constants
|
|
10
|
+
|
|
11
|
+
def initialize(config = nil)
|
|
12
|
+
@config = config
|
|
13
|
+
validate_config unless @config.nil?
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
def name
|
|
17
|
+
XPCDP_HEADER_NAME
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
def value
|
|
21
|
+
case @config
|
|
22
|
+
when NilClass
|
|
23
|
+
DEFAULT_VALUE
|
|
24
|
+
when String
|
|
25
|
+
@config
|
|
26
|
+
else
|
|
27
|
+
@config[:value]
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
private
|
|
32
|
+
|
|
33
|
+
def validate_config
|
|
34
|
+
value = @config.is_a?(Hash) ? @config[:value] : @config
|
|
35
|
+
unless VALID_POLICIES.include?(value.downcase)
|
|
36
|
+
raise XPCDPBuildError.new("Value can only be one of #{VALID_POLICIES.join(', ')}")
|
|
37
|
+
end
|
|
38
|
+
end
|
|
39
|
+
end
|
|
40
|
+
end
|
|
@@ -4,7 +4,7 @@ module SecureHeaders
|
|
|
4
4
|
module Constants
|
|
5
5
|
X_XSS_PROTECTION_HEADER_NAME = 'X-XSS-Protection'
|
|
6
6
|
DEFAULT_VALUE = "1"
|
|
7
|
-
VALID_X_XSS_HEADER = /\A[01](; mode=block)?\z/i
|
|
7
|
+
VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/i
|
|
8
8
|
end
|
|
9
9
|
include Constants
|
|
10
10
|
|
|
@@ -26,6 +26,7 @@ module SecureHeaders
|
|
|
26
26
|
else
|
|
27
27
|
value = @config[:value].to_s
|
|
28
28
|
value += "; mode=#{@config[:mode]}" if @config[:mode]
|
|
29
|
+
value += "; report=#{@config[:report_uri]}" if @config[:report_uri]
|
|
29
30
|
value
|
|
30
31
|
end
|
|
31
32
|
end
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
module SecureHeaders
|
|
2
|
+
module Padrino
|
|
3
|
+
class << self
|
|
4
|
+
##
|
|
5
|
+
# Main class that register this extension.
|
|
6
|
+
#
|
|
7
|
+
def registered(app)
|
|
8
|
+
app.extend SecureHeaders::ClassMethods
|
|
9
|
+
app.helpers SecureHeaders::InstanceMethods
|
|
10
|
+
end
|
|
11
|
+
alias :included :registered
|
|
12
|
+
end
|
|
13
|
+
end
|
|
14
|
+
end
|