secure_headers 1.4.0 → 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/.gitignore +4 -8
- data/.travis.yml +7 -1
- data/Gemfile +4 -4
- data/README.md +115 -79
- data/Rakefile +11 -116
- data/fixtures/rails_3_2_12/app/views/layouts/application.html.erb +1 -1
- data/fixtures/rails_3_2_12/app/views/other_things/index.html.erb +2 -1
- data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +2 -1
- data/fixtures/rails_3_2_12/config/script_hashes.yml +5 -0
- data/fixtures/rails_3_2_12/config.ru +3 -0
- data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +55 -18
- data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +6 -1
- data/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb +1 -2
- data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +5 -0
- data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +5 -0
- data/fixtures/rails_4_1_8/Gemfile +5 -0
- data/fixtures/rails_4_1_8/README.rdoc +28 -0
- data/fixtures/rails_4_1_8/Rakefile +6 -0
- data/fixtures/rails_4_1_8/app/controllers/application_controller.rb +4 -0
- data/fixtures/rails_4_1_8/app/controllers/concerns/.keep +0 -0
- data/fixtures/rails_4_1_8/app/controllers/other_things_controller.rb +5 -0
- data/fixtures/rails_4_1_8/app/controllers/things_controller.rb +5 -0
- data/fixtures/rails_4_1_8/app/models/.keep +0 -0
- data/fixtures/rails_4_1_8/app/models/concerns/.keep +0 -0
- data/fixtures/rails_4_1_8/app/views/layouts/application.html.erb +11 -0
- data/fixtures/rails_4_1_8/app/views/other_things/index.html.erb +2 -0
- data/fixtures/rails_4_1_8/app/views/things/index.html.erb +1 -0
- data/fixtures/rails_4_1_8/config/application.rb +15 -0
- data/fixtures/rails_4_1_8/config/boot.rb +4 -0
- data/fixtures/rails_4_1_8/config/environment.rb +5 -0
- data/fixtures/rails_4_1_8/config/environments/test.rb +10 -0
- data/fixtures/rails_4_1_8/config/initializers/secure_headers.rb +17 -0
- data/fixtures/rails_4_1_8/config/routes.rb +4 -0
- data/fixtures/rails_4_1_8/config/script_hashes.yml +5 -0
- data/fixtures/rails_4_1_8/config/secrets.yml +22 -0
- data/fixtures/rails_4_1_8/config.ru +4 -0
- data/fixtures/rails_4_1_8/lib/assets/.keep +0 -0
- data/fixtures/rails_4_1_8/lib/tasks/.keep +0 -0
- data/fixtures/rails_4_1_8/log/.keep +0 -0
- data/fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb +83 -0
- data/fixtures/rails_4_1_8/spec/controllers/things_controller_spec.rb +59 -0
- data/fixtures/rails_4_1_8/spec/spec_helper.rb +15 -0
- data/fixtures/rails_4_1_8/vendor/assets/javascripts/.keep +0 -0
- data/fixtures/rails_4_1_8/vendor/assets/stylesheets/.keep +0 -0
- data/lib/secure_headers/hash_helper.rb +7 -0
- data/lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb +22 -0
- data/lib/secure_headers/headers/content_security_policy.rb +141 -135
- data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +40 -0
- data/lib/secure_headers/railtie.rb +13 -22
- data/lib/secure_headers/version.rb +1 -1
- data/lib/secure_headers/view_helper.rb +68 -0
- data/lib/secure_headers.rb +59 -17
- data/lib/tasks/tasks.rake +48 -0
- data/secure_headers.gemspec +4 -4
- data/spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb +47 -0
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +83 -208
- data/spec/lib/secure_headers/headers/x_download_options_spec.rb +1 -1
- data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb +64 -0
- data/spec/lib/secure_headers_spec.rb +36 -61
- data/spec/spec_helper.rb +26 -1
- metadata +44 -11
- data/HISTORY.md +0 -162
- data/app/controllers/content_security_policy_controller.rb +0 -76
- data/config/curl-ca-bundle.crt +0 -5420
- data/config/routes.rb +0 -3
- data/spec/controllers/content_security_policy_controller_spec.rb +0 -90
data/.gitignore
CHANGED
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
*.gem
|
|
2
|
+
*.DS_STORE
|
|
2
3
|
*.rbc
|
|
3
4
|
.bundle
|
|
4
5
|
.config
|
|
@@ -15,12 +16,7 @@ rdoc
|
|
|
15
16
|
spec/reports
|
|
16
17
|
test/tmp
|
|
17
18
|
test/version_tmp
|
|
18
|
-
tmp
|
|
19
|
-
|
|
20
|
-
/fixtures/rails_3_2_12/log/test.log
|
|
21
|
-
/fixtures/rails_3_2_12_no_init/log/test.log
|
|
19
|
+
*tmp
|
|
22
20
|
*.sqlite3
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
/fixtures/rails_3_2_12_no_init/db/test.sqlite3
|
|
26
|
-
/fixtures/rails_3_2_12/db/test.sqlite3
|
|
21
|
+
fixtures/rails_3_2_12_no_init/log
|
|
22
|
+
fixtures/rails_3_2_12/log
|
data/.travis.yml
CHANGED
data/Gemfile
CHANGED
|
@@ -4,12 +4,12 @@ gemspec
|
|
|
4
4
|
|
|
5
5
|
group :test do
|
|
6
6
|
gem 'rails', '3.2.12'
|
|
7
|
-
gem 'sqlite3', :
|
|
8
|
-
gem 'jdbc-sqlite3', :
|
|
7
|
+
gem 'sqlite3', :platforms => [:ruby, :mswin, :mingw]
|
|
8
|
+
gem 'jdbc-sqlite3', :platforms => [:jruby]
|
|
9
9
|
gem 'rspec-rails', '>= 3.1'
|
|
10
10
|
gem 'rspec', '>= 3.1'
|
|
11
11
|
gem 'growl'
|
|
12
12
|
gem 'rb-fsevent'
|
|
13
|
-
gem '
|
|
14
|
-
gem '
|
|
13
|
+
gem 'coveralls', :platforms => [:ruby_19]
|
|
14
|
+
gem 'i18n', '< 0.7.0', :platforms => [:ruby_18]
|
|
15
15
|
end
|
data/README.md
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# SecureHeaders [](http://travis-ci.org/twitter/secureheaders) [](https://codeclimate.com/github/twitter/secureheaders)
|
|
1
|
+
# SecureHeaders [](http://travis-ci.org/twitter/secureheaders) [](https://codeclimate.com/github/twitter/secureheaders) [](https://coveralls.io/r/twitter/secureheaders)
|
|
2
2
|
|
|
3
3
|
The gem will automatically apply several headers that are related to security. This includes:
|
|
4
4
|
- Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack. [CSP 1.1 Specification](https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html)
|
|
@@ -6,36 +6,12 @@ The gem will automatically apply several headers that are related to security.
|
|
|
6
6
|
- X-Frame-Options (XFO) - Prevents your content from being framed and potentially clickjacked. [X-Frame-Options draft](https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02)
|
|
7
7
|
- X-XSS-Protection - [Cross site scripting heuristic filter for IE/Chrome](http://msdn.microsoft.com/en-us/library/dd565647\(v=vs.85\).aspx)
|
|
8
8
|
- X-Content-Type-Options - [Prevent content type sniffing](http://msdn.microsoft.com/en-us/library/ie/gg622941\(v=vs.85\).aspx)
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
## Installation
|
|
13
|
-
|
|
14
|
-
Add to your Gemfile
|
|
15
|
-
|
|
16
|
-
```ruby
|
|
17
|
-
gem 'secure_headers'
|
|
18
|
-
```
|
|
19
|
-
|
|
20
|
-
And then execute:
|
|
21
|
-
|
|
22
|
-
```console
|
|
23
|
-
$ bundle
|
|
24
|
-
```
|
|
25
|
-
|
|
26
|
-
Or install it yourself as:
|
|
27
|
-
|
|
28
|
-
```console
|
|
29
|
-
$ gem install secure_headers
|
|
30
|
-
```
|
|
9
|
+
- X-Download-Options - [Prevent file downloads opening](http://msdn.microsoft.com/en-us/library/ie/jj542450(v=vs.85).aspx)
|
|
10
|
+
- X-Permitted-Cross-Domain-Policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
|
|
31
11
|
|
|
32
12
|
## Usage
|
|
33
13
|
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
- `ensure_security_headers`: will set security-related headers automatically based on the configuration below.
|
|
37
|
-
|
|
38
|
-
By default, it will set all of the headers listed in the options section below unless specified.
|
|
14
|
+
- `ensure_security_headers` in a controller will set security-related headers automatically based on the configuration below.
|
|
39
15
|
|
|
40
16
|
### Disabling
|
|
41
17
|
|
|
@@ -48,14 +24,14 @@ The following methods are going to be called, unless they are provided in a `ski
|
|
|
48
24
|
* `:set_x_frame_options_header`
|
|
49
25
|
* `:set_x_xss_protection_header`
|
|
50
26
|
* `:set_x_content_type_options_header`
|
|
27
|
+
* `:set_x_download_options_header`
|
|
28
|
+
* `:set_x_permitted_cross_domain_policies_header`
|
|
51
29
|
|
|
52
30
|
### Bonus Features
|
|
53
31
|
|
|
54
32
|
This gem makes a few assumptions about how you will use some features. For example:
|
|
55
33
|
|
|
56
34
|
* It fills any blank directives with the value in `:default_src` Getting a default\-src report is pretty useless. This way, you will always know what type of violation occurred. You can disable this feature by supplying `:disable_fill_missing => true`. This is referred to as the "effective-directive" in the spec, but is not well supported as of Nov 5, 2013.
|
|
57
|
-
* Firefox does not support cross\-origin CSP reports. If we are using Firefox, AND the value for `:report_uri` does not satisfy the same\-origin requirements, we will instead forward to an internal endpoint (`FF_CSP_ENDPOINT`). This is also the case if `:report_uri` only contains a path, which we assume will be cross host. This endpoint will in turn forward the request to the value in `:forward_endpoint` without restriction. More information can be found in the "Note on Firefox handling of CSP" section.
|
|
58
|
-
|
|
59
35
|
|
|
60
36
|
## Configuration
|
|
61
37
|
|
|
@@ -67,10 +43,12 @@ This gem makes a few assumptions about how you will use some features. For exam
|
|
|
67
43
|
config.x_frame_options = 'DENY'
|
|
68
44
|
config.x_content_type_options = "nosniff"
|
|
69
45
|
config.x_xss_protection = {:value => 1, :mode => 'block'}
|
|
46
|
+
config.x_download_options = 'noopen'
|
|
47
|
+
config.x_permitted_cross_domain_policies = 'none'
|
|
70
48
|
config.csp = {
|
|
71
|
-
:default_src => "https
|
|
72
|
-
:frame_src => "https
|
|
73
|
-
:img_src => "https
|
|
49
|
+
:default_src => "https: self",
|
|
50
|
+
:frame_src => "https: http:.twimg.com http://itunes.apple.com",
|
|
51
|
+
:img_src => "https:",
|
|
74
52
|
:report_uri => '//example.com/uri-directive'
|
|
75
53
|
}
|
|
76
54
|
end
|
|
@@ -108,14 +86,12 @@ This configuration will likely work for most applications without modification.
|
|
|
108
86
|
:x_frame_options => {:value => 'SAMEORIGIN'}
|
|
109
87
|
:x_xss_protection => {:value => 1, :mode => 'block'} # set the :mode option to false to use "warning only" mode
|
|
110
88
|
:x_content_type_options => {:value => 'nosniff'}
|
|
89
|
+
:x_download_options => {:value => 'noopen'}
|
|
90
|
+
:x_permitted_cross_domain_policies => {:value => 'none'}
|
|
111
91
|
```
|
|
112
92
|
|
|
113
93
|
### Content Security Policy (CSP)
|
|
114
94
|
|
|
115
|
-
All browsers will receive the webkit csp header except Firefox, which gets its own header.
|
|
116
|
-
See [WebKit specification](http://www.w3.org/TR/CSP/)
|
|
117
|
-
and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specification)
|
|
118
|
-
|
|
119
95
|
```ruby
|
|
120
96
|
:csp => {
|
|
121
97
|
:enforce => false, # sets header to report-only, by default
|
|
@@ -125,11 +101,6 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
|
|
|
125
101
|
# Where reports are sent. Use protocol relative URLs if you are posting to the same domain (TLD+1). Use paths if you are posting to the application serving the header
|
|
126
102
|
:report_uri => '//mysite.example.com',
|
|
127
103
|
|
|
128
|
-
# Send reports that cannot be sent across host here. These requests are sent
|
|
129
|
-
# the server, not the browser. If no value is supplied, it will default to
|
|
130
|
-
# the value in report_uri. Use this if you cannot use relative protocols mentioned above due to host mismatches.
|
|
131
|
-
:forward_endpoint => 'https://internal.mylogaggregator.example.com'
|
|
132
|
-
|
|
133
104
|
# these directives all take 'none', 'self', or a globbed pattern
|
|
134
105
|
:img_src => nil,
|
|
135
106
|
:frame_src => nil,
|
|
@@ -144,25 +115,12 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
|
|
|
144
115
|
# over http, relaxing the policy
|
|
145
116
|
# e.g.
|
|
146
117
|
# :csp => {
|
|
147
|
-
# :img_src => 'https
|
|
148
|
-
# :http_additions => {:img_src => 'http
|
|
118
|
+
# :img_src => 'https:',
|
|
119
|
+
# :http_additions => {:img_src => 'http'}
|
|
149
120
|
# }
|
|
150
|
-
# would produce the directive: "img-src https
|
|
121
|
+
# would produce the directive: "img-src https: http:;"
|
|
151
122
|
# when over http, ignored for https requests
|
|
152
123
|
:http_additions => {}
|
|
153
|
-
|
|
154
|
-
# If you have enforce => true, you can use the `experiments` block to
|
|
155
|
-
# also produce a report-only header. Values in this block override the
|
|
156
|
-
# parent config for the report-only, and leave the enforcing header
|
|
157
|
-
# unaltered. http_additions work the same way described above, but
|
|
158
|
-
# are added to your report-only header as expected.
|
|
159
|
-
:experimental => {
|
|
160
|
-
:script_src => 'self',
|
|
161
|
-
:img_src => 'https://mycdn.example.com',
|
|
162
|
-
:http_additions {
|
|
163
|
-
:img_src => 'http://mycdn.example.com'
|
|
164
|
-
}
|
|
165
|
-
}
|
|
166
124
|
}
|
|
167
125
|
```
|
|
168
126
|
|
|
@@ -172,19 +130,19 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
|
|
|
172
130
|
```ruby
|
|
173
131
|
# most basic example
|
|
174
132
|
:csp => {
|
|
175
|
-
:default_src => "https
|
|
133
|
+
:default_src => "https: inline eval",
|
|
176
134
|
:report_uri => '/uri-directive'
|
|
177
135
|
}
|
|
178
136
|
|
|
179
|
-
> "default-src 'unsafe-inline' 'unsafe-eval' https
|
|
137
|
+
> "default-src 'unsafe-inline' 'unsafe-eval' https:; report-uri /uri-directive;"
|
|
180
138
|
|
|
181
139
|
# turn off inline scripting/eval
|
|
182
140
|
:csp => {
|
|
183
|
-
:default_src => 'https
|
|
141
|
+
:default_src => 'https:',
|
|
184
142
|
:report_uri => '/uri-directive'
|
|
185
143
|
}
|
|
186
144
|
|
|
187
|
-
> "default-src https
|
|
145
|
+
> "default-src https:; report-uri /uri-directive;"
|
|
188
146
|
|
|
189
147
|
# Auction site wants to allow images from anywhere, plugin content from a list of trusted media providers (including a content distribution network), and scripts only from its server hosting sanitized JavaScript
|
|
190
148
|
:csp => {
|
|
@@ -217,9 +175,13 @@ report-uri csp_reports?enforce=true&app_name=twitter
|
|
|
217
175
|
|
|
218
176
|
### CSP Level 2 features
|
|
219
177
|
|
|
178
|
+
*NOTE: Currently, only erb is supported. Mustache support isn't far off. Hash sources are valid for inline style blocks but are not yet supported by secure_headers.*
|
|
179
|
+
|
|
180
|
+
#### Nonce
|
|
181
|
+
|
|
220
182
|
script/style-nonce can be used to whitelist inline content. To do this, add "nonce" to your script/style-src configuration, then set the nonce attributes on the various tags.
|
|
221
183
|
|
|
222
|
-
|
|
184
|
+
Setting a nonce will also set 'unsafe-inline' for browsers that don't support nonces for backwards compatibility. 'unsafe-inline' is ignored if a nonce is present in a directive in compliant browsers.
|
|
223
185
|
|
|
224
186
|
```ruby
|
|
225
187
|
:csp => {
|
|
@@ -243,29 +205,99 @@ script/style-nonce can be used to whitelist inline content. To do this, add "non
|
|
|
243
205
|
console.log("won't execute, not whitelisted")
|
|
244
206
|
</script>
|
|
245
207
|
```
|
|
208
|
+
You can use a view helper to automatically add nonces to script tags:
|
|
209
|
+
```erb
|
|
210
|
+
<%= nonced_javascript_tag do %>
|
|
211
|
+
console.log("nonced!")
|
|
212
|
+
<% end %>
|
|
213
|
+
<%= nonced_javascript_tag("nonced without a block!") %>
|
|
214
|
+
```
|
|
215
|
+
|
|
216
|
+
becomes:
|
|
217
|
+
|
|
218
|
+
```html
|
|
219
|
+
<script nonce="/jRAxuLJsDXAxqhNBB7gg7h55KETtDQBXe4ZL+xIXwI=">
|
|
220
|
+
console.log("nonced!")
|
|
221
|
+
</script>
|
|
222
|
+
```
|
|
246
223
|
|
|
247
|
-
|
|
224
|
+
#### Hash
|
|
248
225
|
|
|
249
|
-
|
|
226
|
+
setting hash source values will also set 'unsafe-inline' for browsers that don't support hash sources for backwards compatibility. 'unsafe-inline' is ignored if a hash is present in a directive in compliant browsers.
|
|
250
227
|
|
|
251
|
-
|
|
228
|
+
Hash source support works by taking the hash value of the contents of an inline script block and adding the hash "fingerprint" to the CSP header.
|
|
252
229
|
|
|
253
|
-
|
|
254
|
-
**This is an unauthenticated, unauthorized endpoint. Only do this if your report\-uri is not on the same origin as your application!!!**
|
|
230
|
+
If you only have a few hashes, you can hardcode them for the entire app:
|
|
255
231
|
|
|
256
|
-
|
|
232
|
+
```ruby
|
|
233
|
+
config.csp = {
|
|
234
|
+
:default_src => "https:",
|
|
235
|
+
:script_src => 'self'
|
|
236
|
+
:script_hashes => ['sha1-abc', 'sha1-qwe']
|
|
237
|
+
}
|
|
238
|
+
```
|
|
239
|
+
|
|
240
|
+
The following will work as well, but may not be as clear:
|
|
257
241
|
|
|
258
242
|
```ruby
|
|
259
|
-
|
|
243
|
+
config.csp = {
|
|
244
|
+
:default_src => "https:",
|
|
245
|
+
:script_src => "self 'sha1-qwe'"
|
|
246
|
+
}
|
|
260
247
|
```
|
|
261
248
|
|
|
262
|
-
|
|
249
|
+
If you find you have many hashes or the content of the script tags change frequently, you can apply these hashes in a more intelligent way. This method expects config/script_hashes.yml to contain a map of templates => [hashes]. When the individual templates, layouts, or partials are rendered the hash values for the script tags in those templates will be automatically added to the header. *Currently, only erb layouts are supported.* This requires the use of middleware:
|
|
263
250
|
|
|
264
|
-
|
|
251
|
+
```ruby
|
|
252
|
+
# config.ru
|
|
253
|
+
require 'secure_headers/headers/content_security_policy/script_hash_middleware'
|
|
254
|
+
use ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware
|
|
255
|
+
```
|
|
265
256
|
|
|
266
257
|
```ruby
|
|
267
|
-
|
|
258
|
+
config.csp = {
|
|
259
|
+
:default_src => "https:",
|
|
260
|
+
:script_src => 'self',
|
|
261
|
+
:script_hash_middleware => true
|
|
262
|
+
}
|
|
263
|
+
```
|
|
264
|
+
|
|
265
|
+
Hashes are stored in a yaml file with a mapping of Filename => [list of hashes] in config/script_hashes.yml. You can automatically populate this file by running the following rake task:
|
|
266
|
+
|
|
267
|
+
```$ bundle exec rake secure_headers:generate_hashes```
|
|
268
|
+
|
|
269
|
+
Which will generate something like:
|
|
270
|
+
|
|
271
|
+
```yaml
|
|
272
|
+
# config/script_hashes.yml
|
|
273
|
+
app/views/layouts/application.html.erb:
|
|
274
|
+
- sha256-l8OLjZqYRnKilpdE0VosRMvhdYArjXT4NZaK2p7QVvs=
|
|
275
|
+
app/templates/articles/edit.html.erb:
|
|
276
|
+
- sha256-+7mij1/uCwtCQRWrof2NmOln5qX+5WdVwTLMpi8nuoA=
|
|
277
|
+
- sha256-Ny4TRIhhFpnYnSeKC274P6bfAz4TOkezLabavIAU4dA=
|
|
278
|
+
- sha256-I5e58Gqbu4WpO9dck18QxO7aYOHKrELIi70it4jIPi0=
|
|
279
|
+
- sha256-Po4LMynwnAJHxiTp3DQaQ3YDBj3paN/xrDoKl4OyxY4=
|
|
280
|
+
```
|
|
281
|
+
|
|
282
|
+
In this example, if we visit /articles/edit/[id], the above hashes will automatically be added to the CSP header's
|
|
283
|
+
script-src value!
|
|
284
|
+
|
|
285
|
+
You can use plain "script" tags or you can use a built-in helper:
|
|
286
|
+
|
|
287
|
+
```erb
|
|
288
|
+
<%= hashed_javascript_tag do %>
|
|
289
|
+
console.log("hashed automatically!")
|
|
290
|
+
<% end %>
|
|
268
291
|
```
|
|
292
|
+
|
|
293
|
+
By using the helper, hash values will be computed dynamically in development/test environments. If a dynamically computed hash value does not match what is expected to be found in config/script_hashes.yml a warning message will be printed to the console. If you want to raise exceptions instead, use:
|
|
294
|
+
|
|
295
|
+
```erb
|
|
296
|
+
<%= hashed_javascript_tag(raise_error_on_unrecognized_hash = true) do %>
|
|
297
|
+
console.log("will raise an exception if not in script_hashes.yml!")
|
|
298
|
+
<% end %>
|
|
299
|
+
```
|
|
300
|
+
|
|
269
301
|
### Using with Sinatra
|
|
270
302
|
|
|
271
303
|
Here's an example using SecureHeaders for Sinatra applications:
|
|
@@ -281,11 +313,13 @@ require 'secure_headers'
|
|
|
281
313
|
config.x_frame_options = 'DENY'
|
|
282
314
|
config.x_content_type_options = "nosniff"
|
|
283
315
|
config.x_xss_protection = {:value => 1, :mode => false}
|
|
316
|
+
config.x_download_options = 'noopen'
|
|
317
|
+
config.x_permitted_cross_domain_policies = 'none'
|
|
284
318
|
config.csp = {
|
|
285
|
-
:default_src => "https
|
|
319
|
+
:default_src => "https: inline eval",
|
|
286
320
|
:report_uri => '//example.com/uri-directive',
|
|
287
|
-
:img_src => "https
|
|
288
|
-
:frame_src => "https
|
|
321
|
+
:img_src => "https: data:",
|
|
322
|
+
:frame_src => "https: http:.twimg.com http://itunes.apple.com"
|
|
289
323
|
}
|
|
290
324
|
end
|
|
291
325
|
|
|
@@ -336,11 +370,13 @@ def before_load
|
|
|
336
370
|
config.x_frame_options = 'DENY'
|
|
337
371
|
config.x_content_type_options = "nosniff"
|
|
338
372
|
config.x_xss_protection = {:value => '1', :mode => false}
|
|
373
|
+
config.x_download_options = 'noopen'
|
|
374
|
+
config.x_permitted_cross_domain_policies = 'none'
|
|
339
375
|
config.csp = {
|
|
340
|
-
:default_src => "https
|
|
376
|
+
:default_src => "https: inline eval",
|
|
341
377
|
:report_uri => '//example.com/uri-directive',
|
|
342
|
-
:img_src => "https
|
|
343
|
-
:frame_src => "https
|
|
378
|
+
:img_src => "https: data:",
|
|
379
|
+
:frame_src => "https: http:.twimg.com http://itunes.apple.com"
|
|
344
380
|
}
|
|
345
381
|
end
|
|
346
382
|
end
|
data/Rakefile
CHANGED
|
@@ -33,6 +33,17 @@ task :all_spec => :spec do
|
|
|
33
33
|
fail "Header tests with app not using initializer failed"
|
|
34
34
|
Dir.chdir pwd
|
|
35
35
|
end
|
|
36
|
+
|
|
37
|
+
Dir.chdir pwd
|
|
38
|
+
Dir.chdir 'fixtures/rails_4_1_8'
|
|
39
|
+
puts Dir.pwd
|
|
40
|
+
puts `bundle install >> /dev/null; bundle exec rspec spec`
|
|
41
|
+
|
|
42
|
+
unless $? == 0
|
|
43
|
+
fail "Header tests with Rails 4 failed"
|
|
44
|
+
Dir.chdir pwd
|
|
45
|
+
end
|
|
46
|
+
|
|
36
47
|
end
|
|
37
48
|
|
|
38
49
|
begin
|
|
@@ -49,119 +60,3 @@ RDoc::Task.new(:rdoc) do |rdoc|
|
|
|
49
60
|
rdoc.options << '--line-numbers'
|
|
50
61
|
rdoc.rdoc_files.include('lib/**/*.rb')
|
|
51
62
|
end
|
|
52
|
-
|
|
53
|
-
UPDATE_URI = 'https://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1'
|
|
54
|
-
CA_FILE = File.expand_path(File.join('..', 'config', 'curl-ca-bundle.crt'), __FILE__)
|
|
55
|
-
task :fetch_ca_bundle do
|
|
56
|
-
begin
|
|
57
|
-
FileUtils.cp CA_FILE, CA_FILE + ".bak"
|
|
58
|
-
uri = URI.parse(UPDATE_URI)
|
|
59
|
-
http = Net::HTTP.new(uri.host, uri.port)
|
|
60
|
-
http.use_ssl = true
|
|
61
|
-
http.ca_file = CA_FILE
|
|
62
|
-
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
|
|
63
|
-
request = Net::HTTP::Get.new(uri.request_uri)
|
|
64
|
-
|
|
65
|
-
ca_file = StringIO.new(http.request(request).body)
|
|
66
|
-
File.open(CA_FILE, 'w') do |f|
|
|
67
|
-
f.puts mozilla_license
|
|
68
|
-
end
|
|
69
|
-
|
|
70
|
-
while line = ca_file.gets
|
|
71
|
-
next if line =~ /^#/
|
|
72
|
-
next if line =~ /^\s*$/
|
|
73
|
-
line.chomp!
|
|
74
|
-
|
|
75
|
-
if line =~ /CKA_LABEL/
|
|
76
|
-
label,type,cert_name = line.split(' ',3)
|
|
77
|
-
cert_name.sub!(/^"/, "")
|
|
78
|
-
cert_name.sub!(/"$/, "")
|
|
79
|
-
next
|
|
80
|
-
end
|
|
81
|
-
if line =~ /CKA_VALUE MULTILINE_OCTAL/
|
|
82
|
-
puts "reading cert for #{cert_name}"
|
|
83
|
-
data=''
|
|
84
|
-
while line = ca_file.gets
|
|
85
|
-
break if line =~ /^END/
|
|
86
|
-
line.chomp!
|
|
87
|
-
line.gsub(/\\([0-3][0-7][0-7])/) { data += $1.oct.chr }
|
|
88
|
-
end
|
|
89
|
-
|
|
90
|
-
open(CA_FILE, "a") do |fp|
|
|
91
|
-
puts "Appending"
|
|
92
|
-
fp.puts cert_name
|
|
93
|
-
fp.puts "================"
|
|
94
|
-
fp.puts "-----BEGIN CERTIFICATE-----"
|
|
95
|
-
fp.puts [data].pack("m*")
|
|
96
|
-
fp.puts "-----END CERTIFICATE-----"
|
|
97
|
-
fp.puts
|
|
98
|
-
end
|
|
99
|
-
puts "Parsing: " + cert_name
|
|
100
|
-
end
|
|
101
|
-
end
|
|
102
|
-
|
|
103
|
-
FileUtils.rm CA_FILE + ".bak"
|
|
104
|
-
rescue => e
|
|
105
|
-
puts "ERRROR #{e}"
|
|
106
|
-
puts e.backtrace
|
|
107
|
-
FileUtils.mv CA_FILE + '.bak', CA_FILE
|
|
108
|
-
end
|
|
109
|
-
end
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
def mozilla_license
|
|
113
|
-
<<-EOM
|
|
114
|
-
## generated using a modified version of http://curl.haxx.se/mail/lib-2004-07/att-0134/parse-certs.sh
|
|
115
|
-
##
|
|
116
|
-
## lib/ca-bundle.crt -- Bundle of CA Root Certificates
|
|
117
|
-
##
|
|
118
|
-
## Certificate data from Mozilla as of: Tue Mar 27 20:21:58 2012
|
|
119
|
-
##
|
|
120
|
-
## This is a bundle of X.509 certificates of public Certificate Authorities
|
|
121
|
-
## (CA). These were automatically extracted from Mozilla's root certificates
|
|
122
|
-
## file (certdata.txt). This file can be found in the mozilla source tree:
|
|
123
|
-
## http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1
|
|
124
|
-
##
|
|
125
|
-
## It contains the certificates in PEM format and therefore
|
|
126
|
-
## can be directly used with curl / libcurl / php_curl, or with
|
|
127
|
-
## an Apache+mod_ssl webserver for SSL client authentication.
|
|
128
|
-
## Just configure this file as the SSLCACertificateFile.
|
|
129
|
-
##
|
|
130
|
-
|
|
131
|
-
# ***** BEGIN LICENSE BLOCK *****
|
|
132
|
-
# Version: MPL 1.1/GPL 2.0/LGPL 2.1
|
|
133
|
-
#
|
|
134
|
-
# The contents of this file are subject to the Mozilla Public License Version
|
|
135
|
-
# 1.1 (the "License"); you may not use this file except in compliance with
|
|
136
|
-
# the License. You may obtain a copy of the License at
|
|
137
|
-
# http://www.mozilla.org/MPL/
|
|
138
|
-
#
|
|
139
|
-
# Software distributed under the License is distributed on an "AS IS" basis,
|
|
140
|
-
# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
|
|
141
|
-
# for the specific language governing rights and limitations under the
|
|
142
|
-
# License.
|
|
143
|
-
#
|
|
144
|
-
# The Original Code is the Netscape security libraries.
|
|
145
|
-
#
|
|
146
|
-
# The Initial Developer of the Original Code is
|
|
147
|
-
# Netscape Communications Corporation.
|
|
148
|
-
# Portions created by the Initial Developer are Copyright (C) 1994-2000
|
|
149
|
-
# the Initial Developer. All Rights Reserved.
|
|
150
|
-
#
|
|
151
|
-
# Contributor(s):
|
|
152
|
-
#
|
|
153
|
-
# Alternatively, the contents of this file may be used under the terms of
|
|
154
|
-
# either the GNU General Public License Version 2 or later (the "GPL"), or
|
|
155
|
-
# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
|
|
156
|
-
# in which case the provisions of the GPL or the LGPL are applicable instead
|
|
157
|
-
# of those above. If you wish to allow use of your version of this file only
|
|
158
|
-
# under the terms of either the GPL or the LGPL, and not to allow others to
|
|
159
|
-
# use your version of this file under the terms of the MPL, indicate your
|
|
160
|
-
# decision by deleting the provisions above and replace them with the notice
|
|
161
|
-
# and other provisions required by the GPL or the LGPL. If you do not delete
|
|
162
|
-
# the provisions above, a recipient may use your version of this file under
|
|
163
|
-
# the terms of any one of the MPL, the GPL or the LGPL.
|
|
164
|
-
#
|
|
165
|
-
# ***** END LICENSE BLOCK *****
|
|
166
|
-
EOM
|
|
167
|
-
end
|
|
@@ -1 +1,2 @@
|
|
|
1
|
-
index
|
|
1
|
+
index
|
|
2
|
+
<script>console.log("oh what")</script>
|
|
@@ -3,12 +3,13 @@
|
|
|
3
3
|
config.x_frame_options = 'SAMEORIGIN'
|
|
4
4
|
config.x_content_type_options = "nosniff"
|
|
5
5
|
config.x_xss_protection = {:value => 1, :mode => 'block'}
|
|
6
|
+
config.x_permitted_cross_domain_policies = 'none'
|
|
6
7
|
csp = {
|
|
7
8
|
:default_src => "self",
|
|
8
9
|
:script_src => "self nonce",
|
|
9
|
-
:disable_chrome_extension => true,
|
|
10
10
|
:disable_fill_missing => true,
|
|
11
11
|
:report_uri => 'somewhere',
|
|
12
|
+
:script_hash_middleware => true,
|
|
12
13
|
:enforce => false # false means warnings only
|
|
13
14
|
}
|
|
14
15
|
|
|
@@ -1,45 +1,82 @@
|
|
|
1
1
|
require 'spec_helper'
|
|
2
2
|
|
|
3
|
+
require 'secure_headers/headers/content_security_policy/script_hash_middleware'
|
|
4
|
+
|
|
3
5
|
describe OtherThingsController, :type => :controller do
|
|
6
|
+
include Rack::Test::Methods
|
|
7
|
+
|
|
8
|
+
def app
|
|
9
|
+
OtherThingsController.action(:index)
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
def request(opts = {})
|
|
13
|
+
options = opts.merge(
|
|
14
|
+
{
|
|
15
|
+
'HTTPS' => 'on',
|
|
16
|
+
'HTTP_USER_AGENT' => "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
|
|
17
|
+
}
|
|
18
|
+
)
|
|
19
|
+
|
|
20
|
+
|
|
21
|
+
Rack::MockRequest.env_for('/', options)
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
|
|
4
25
|
describe "headers" do
|
|
26
|
+
before(:each) do
|
|
27
|
+
_, @env = app.call(request)
|
|
28
|
+
end
|
|
29
|
+
|
|
5
30
|
it "sets the X-XSS-Protection header" do
|
|
6
|
-
get
|
|
7
|
-
expect(
|
|
31
|
+
get '/'
|
|
32
|
+
expect(@env['X-XSS-Protection']).to eq('1; mode=block')
|
|
8
33
|
end
|
|
9
34
|
|
|
10
35
|
it "sets the X-Frame-Options header" do
|
|
11
|
-
get
|
|
12
|
-
expect(
|
|
36
|
+
get '/'
|
|
37
|
+
expect(@env['X-Frame-Options']).to eq('SAMEORIGIN')
|
|
13
38
|
end
|
|
14
39
|
|
|
15
40
|
it "sets the CSP header with a local reference to a nonce" do
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
expect(
|
|
19
|
-
|
|
41
|
+
middleware = ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware.new(app)
|
|
42
|
+
_, env = middleware.call(request(@env))
|
|
43
|
+
expect(env['Content-Security-Policy-Report-Only']).to match(/script-src[^;]*'nonce-[a-zA-Z0-9\+\/=]{44}'/)
|
|
44
|
+
end
|
|
45
|
+
|
|
46
|
+
it "sets the required hashes to whitelist inline script" do
|
|
47
|
+
middleware = ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware.new(app)
|
|
48
|
+
_, env = middleware.call(request(@env))
|
|
49
|
+
hashes = ['sha256-VjDxT7saxd2FgaUQQTWw/jsTnvonaoCP/ACWDBTpyhU=', 'sha256-ZXAcP8a0y1pPMTJW8pUr43c+XBkgYQBwHOPvXk9mq5A=']
|
|
50
|
+
hashes.each do |hash|
|
|
51
|
+
expect(env['Content-Security-Policy-Report-Only']).to include(hash)
|
|
52
|
+
end
|
|
20
53
|
end
|
|
21
54
|
|
|
22
55
|
it "sets the Strict-Transport-Security header" do
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
expect(response.headers['Strict-Transport-Security']).to eq("max-age=315576000")
|
|
56
|
+
get '/'
|
|
57
|
+
expect(@env['Strict-Transport-Security']).to eq("max-age=315576000")
|
|
26
58
|
end
|
|
27
59
|
|
|
28
60
|
it "sets the X-Download-Options header" do
|
|
29
|
-
get
|
|
30
|
-
expect(
|
|
61
|
+
get '/'
|
|
62
|
+
expect(@env['X-Download-Options']).to eq('noopen')
|
|
31
63
|
end
|
|
32
64
|
|
|
33
65
|
it "sets the X-Content-Type-Options header" do
|
|
34
|
-
get
|
|
35
|
-
expect(
|
|
66
|
+
get '/'
|
|
67
|
+
expect(@env['X-Content-Type-Options']).to eq("nosniff")
|
|
68
|
+
end
|
|
69
|
+
|
|
70
|
+
it "sets the X-Permitted-Cross-Domain-Policies" do
|
|
71
|
+
get '/'
|
|
72
|
+
expect(@env['X-Permitted-Cross-Domain-Policies']).to eq("none")
|
|
36
73
|
end
|
|
37
74
|
|
|
38
75
|
context "using IE" do
|
|
39
76
|
it "sets the X-Content-Type-Options header" do
|
|
40
|
-
|
|
41
|
-
get
|
|
42
|
-
expect(
|
|
77
|
+
@env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
|
|
78
|
+
get '/'
|
|
79
|
+
expect(@env['X-Content-Type-Options']).to eq("nosniff")
|
|
43
80
|
end
|
|
44
81
|
end
|
|
45
82
|
end
|