secure_headers 2.5.3 → 3.0.0.pre

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -2,336 +2,171 @@ require 'spec_helper'
 
 module SecureHeaders
   describe ContentSecurityPolicy do
-    let(:default_opts) do
+    let (:default_opts) do
       {
-        :default_src => 'https:',
-        :img_src => "https: data:",
-        :script_src => "'unsafe-inline' 'unsafe-eval' https: data:",
-        :style_src => "'unsafe-inline' https: about:",
-        :report_uri => '/csp_report'
+        default_src: %w(https:),
+        img_src: %w(https: data:),
+        script_src: %w('unsafe-inline' 'unsafe-eval' https: data:),
+        style_src: %w('unsafe-inline' https: about:),
+        report_uri: %w(/csp_report)
       }
     end
-    let(:controller) { DummyClass.new }
-
-    IE = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
-    FIREFOX = "Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.2) Gecko/20121223 Ubuntu/9.25 (jaunty) Firefox/3.8"
-    FIREFOX_23 = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0"
-    CHROME = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4"
-    CHROME_25 = "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/537.22 (KHTML like Gecko) Chrome/25.0.1364.99 Safari/537.22"
-    SAFARI = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A"
-    OPERA = "Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16"
-
-    def request_for user_agent, request_uri=nil, options={:ssl => false}
-      double(:ssl? => options[:ssl], :env => {'HTTP_USER_AGENT' => user_agent}, :url => (request_uri || 'http://areallylongdomainexample.com') )
-    end
-
-    before(:each) do
-      @options_with_forwarding = default_opts.merge(:report_uri => 'https://example.com/csp', :forward_endpoint => 'https://anotherexample.com')
-    end
 
     describe "#name" do
-      context "when supplying options to override request" do
-        specify { expect(ContentSecurityPolicy.new(default_opts, :ua => IE).name).to eq(HEADER_NAME + "-Report-Only")}
-        specify { expect(ContentSecurityPolicy.new(default_opts, :ua => FIREFOX).name).to eq(HEADER_NAME + "-Report-Only")}
-        specify { expect(ContentSecurityPolicy.new(default_opts, :ua => FIREFOX_23).name).to eq(HEADER_NAME + "-Report-Only")}
-        specify { expect(ContentSecurityPolicy.new(default_opts, :ua => CHROME).name).to eq(HEADER_NAME + "-Report-Only")}
-        specify { expect(ContentSecurityPolicy.new(default_opts, :ua => CHROME_25).name).to eq(HEADER_NAME + "-Report-Only")}
-      end
-
       context "when in report-only mode" do
-        specify { expect(ContentSecurityPolicy.new(default_opts, :request => request_for(IE)).name).to eq(HEADER_NAME + "-Report-Only")}
-        specify { expect(ContentSecurityPolicy.new(default_opts, :request => request_for(FIREFOX)).name).to eq(HEADER_NAME + "-Report-Only")}
-        specify { expect(ContentSecurityPolicy.new(default_opts, :request => request_for(FIREFOX_23)).name).to eq(HEADER_NAME + "-Report-Only")}
-        specify { expect(ContentSecurityPolicy.new(default_opts, :request => request_for(CHROME)).name).to eq(HEADER_NAME + "-Report-Only")}
-        specify { expect(ContentSecurityPolicy.new(default_opts, :request => request_for(CHROME_25)).name).to eq(HEADER_NAME + "-Report-Only")}
+        specify { expect(ContentSecurityPolicy.new(default_opts.merge(report_only: true)).name).to eq(ContentSecurityPolicy::HEADER_NAME + "-Report-Only") }
       end
 
       context "when in enforce mode" do
-        let(:opts) { default_opts.merge(:enforce => true)}
-
-        specify { expect(ContentSecurityPolicy.new(opts, :request => request_for(IE)).name).to eq(HEADER_NAME)}
-        specify { expect(ContentSecurityPolicy.new(opts, :request => request_for(FIREFOX)).name).to eq(HEADER_NAME)}
-        specify { expect(ContentSecurityPolicy.new(opts, :request => request_for(FIREFOX_23)).name).to eq(HEADER_NAME)}
-        specify { expect(ContentSecurityPolicy.new(opts, :request => request_for(CHROME)).name).to eq(HEADER_NAME)}
-        specify { expect(ContentSecurityPolicy.new(opts, :request => request_for(CHROME_25)).name).to eq(HEADER_NAME)}
+        specify { expect(ContentSecurityPolicy.new(default_opts).name).to eq(ContentSecurityPolicy::HEADER_NAME) }
       end
     end
 
-    it "exports a policy to JSON" do
-      policy = ContentSecurityPolicy.new(default_opts)
-      expected = %({"default-src":["https:"],"img-src":["https:","data:"],"script-src":["'unsafe-inline'","'unsafe-eval'","https:","data:"],"style-src":["'unsafe-inline'","https:","about:"],"report-uri":["/csp_report"]})
-      expect(policy.to_json).to eq(expected)
-    end
-
-    it "imports JSON to build a policy" do
-      json1 = %({"default-src":["https:"],"script-src":["'unsafe-inline'","'unsafe-eval'","https:","data:"]})
-      json2 = %({"style-src":["'unsafe-inline'"],"img-src":["https:","data:"]})
-      json3 = %({"style-src":["https:","about:"]})
-      config = ContentSecurityPolicy.from_json(json1, json2, json3)
-      policy = ContentSecurityPolicy.new(config)
+    describe "#validate_config!" do
+      it "requires a :default_src value" do
+        expect do
+          CSP.validate_config!(script_src: %('self'))
+        end.to raise_error(ContentSecurityPolicyConfigError)
+      end
 
-      expected = %({"default-src":["https:"],"script-src":["'unsafe-inline'","'unsafe-eval'","https:","data:"],"style-src":["'unsafe-inline'","https:","about:"],"img-src":["https:","data:"]})
-      expect(policy.to_json).to eq(expected)
-    end
+      it "requires :report_only to be a truthy value" do
+        expect do
+          CSP.validate_config!(default_opts.merge(report_only: "steve"))
+        end.to raise_error(ContentSecurityPolicyConfigError)
+      end
 
-    context "when using hash sources" do
-      it "adds hashes and unsafe-inline to the script-src" do
-        policy = ContentSecurityPolicy.new(default_opts.merge(:script_hashes => ['sha256-abc123']))
-        expect(policy.value).to match /script-src[^;]*'sha256-abc123'/
+      it "requires :block_all_mixed_content to be a boolean value" do
+        expect do
+          CSP.validate_config!(default_opts.merge(block_all_mixed_content: "steve"))
+        end.to raise_error(ContentSecurityPolicyConfigError)
       end
-    end
 
-    describe "#normalize_csp_options" do
-      before(:each) do
-        default_opts[:script_src] <<  " 'self' 'none'"
-        @opts = default_opts
+      it "requires all source lists to be an array of strings" do
+        expect do
+          CSP.validate_config!(default_src: "steve")
+        end.to raise_error(ContentSecurityPolicyConfigError)
       end
 
-      context "Content-Security-Policy" do
-        it "converts the script values to their equivilents" do
-          csp = ContentSecurityPolicy.new(@opts, :request => request_for(CHROME))
-          expect(csp.value).to include("script-src 'unsafe-inline' 'unsafe-eval' https: data: 'self' 'none'")
-        end
+      it "rejects unknown directives / config" do
+        expect do
+          CSP.validate_config!(default_src: %w('self'), default_src_totally_mispelled: "steve")
+        end.to raise_error(ContentSecurityPolicyConfigError)
+      end
 
-        it "adds a @enforce and @app_name variables to the report uri" do
-          opts = @opts.merge(:tag_report_uri => true, :enforce => true, :app_name => proc { 'twitter' })
-          csp = ContentSecurityPolicy.new(opts, :request => request_for(CHROME))
-          expect(csp.value).to include("/csp_report?enforce=true&app_name=twitter")
-        end
+      # this is mostly to ensure people don't use the antiquated shorthands common in other configs
+      it "performs light validation on source lists" do
+        expect do
+          CSP.validate_config!(default_src: %w(self none inline eval))
+        end.to raise_error(ContentSecurityPolicyConfigError)
+      end
+    end
 
-        it "does not add an empty @app_name variable to the report uri" do
-          opts = @opts.merge(:tag_report_uri => true, :enforce => true)
-          csp = ContentSecurityPolicy.new(opts, :request => request_for(CHROME))
-          expect(csp.value).to include("/csp_report?enforce=true")
-        end
+    describe "#combine_policies" do
+      it "combines the default-src value with the override if the directive was unconfigured" do
+        combined_config = CSP.combine_policies(Configuration.default.csp, script_src: %w(anothercdn.com))
+        csp = ContentSecurityPolicy.new(combined_config)
+        expect(csp.name).to eq(CSP::HEADER_NAME)
+        expect(csp.value).to eq("default-src https:; script-src https: anothercdn.com")
+      end
 
-        it "accepts procs for report-uris" do
-          opts = {
-            :default_src => "'self'",
-            :report_uri => proc { "http://lambda/result" }
+      it "overrides the report_only flag" do
+        Configuration.default do |config|
+          config.csp = {
+            default_src: %w('self'),
+            report_only: false
           }
-
-          csp = ContentSecurityPolicy.new(opts)
-          expect(csp.value).to match("report-uri http://lambda/result")
         end
+        combined_config = CSP.combine_policies(Configuration.get.csp, report_only: true)
+        csp = ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox])
+        expect(csp.name).to eq(CSP::REPORT_ONLY)
+      end
 
-        it "accepts procs for other fields" do
-          opts = {
-            :default_src => proc { "http://lambda/result" },
-            :enforce => proc { true },
+      it "overrides the :block_all_mixed_content flag" do
+        Configuration.default do |config|
+          config.csp = {
+            default_src: %w(https:),
+            block_all_mixed_content: false
           }
-
-          csp = ContentSecurityPolicy.new(opts)
-          expect(csp.value).to eq("default-src http://lambda/result; img-src http://lambda/result data:;")
-          expect(csp.name).to match("Content-Security-Policy")
         end
+        combined_config = CSP.combine_policies(Configuration.get.csp, block_all_mixed_content: true)
+        csp = ContentSecurityPolicy.new(combined_config)
+        expect(csp.value).to eq("default-src https:; block-all-mixed-content")
+      end
 
-        it "passes a reference to the controller to the proc" do
-          controller = double
-          user = double(:beta_testing? => true)
-
-          allow(controller).to receive(:current_user).and_return(user)
-          opts = {
-            :default_src => "'self'",
-            :enforce => lambda { |c| c.current_user.beta_testing? }
-          }
-          csp = ContentSecurityPolicy.new(opts, :controller => controller)
-          expect(csp.name).to match("Content-Security-Policy")
+      it "raises an error if appending to a OPT_OUT policy" do
+        Configuration.default do |config|
+          config.csp = OPT_OUT
         end
+        expect do
+          CSP.combine_policies(Configuration.get.csp, script_src: %w(anothercdn.com))
+        end.to raise_error(ContentSecurityPolicyConfigError)
       end
     end
 
     describe "#value" do
-      it "does not mutate shared state" do
-        opts = default_opts.merge(enforce: true)
-        policy = ContentSecurityPolicy.new(opts, :request => request_for(CHROME))
-        expect(policy.name).to eq("Content-Security-Policy")
-        policy = ContentSecurityPolicy.new(opts, :request => request_for(CHROME))
-        expect(policy.name).to eq("Content-Security-Policy")
-      end
-
-      context "browser sniffing" do
-        let(:complex_opts) do
-          ALL_DIRECTIVES.inject({}) { |memo, directive| memo[directive] = "'self'"; memo }.merge(:block_all_mixed_content => '')
-        end
-
-        it "does not filter any directives for Chrome" do
-          policy = ContentSecurityPolicy.new(complex_opts, :request => request_for(CHROME))
-          expect(policy.value).to eq("default-src 'self'; base-uri 'self'; block-all-mixed-content ; child-src 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self' data:; media-src 'self'; object-src 'self'; plugin-types 'self'; sandbox 'self'; script-src 'self'; style-src 'self'; report-uri 'self';")
-        end
-
-        it "filters blocked-all-mixed-content, child-src, and plugin-types for firefox" do
-          policy = ContentSecurityPolicy.new(complex_opts, :request => request_for(FIREFOX))
-          expect(policy.value).to eq("default-src 'self'; base-uri 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self' data:; media-src 'self'; object-src 'self'; sandbox 'self'; script-src 'self'; style-src 'self'; report-uri 'self';")
-        end
-
-        it "filters base-uri, blocked-all-mixed-content, child-src, form-action, frame-ancestors, and plugin-types for safari" do
-          policy = ContentSecurityPolicy.new(complex_opts, :request => request_for(SAFARI))
-          expect(policy.value).to eq("default-src 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data:; media-src 'self'; object-src 'self'; sandbox 'self'; script-src 'self'; style-src 'self'; report-uri 'self';")
-        end
+      it "discards 'none' values if any other source expressions are present" do
+        csp = ContentSecurityPolicy.new(default_opts.merge(frame_src: %w('self' 'none')))
+        expect(csp.value).not_to include("'none'")
       end
 
-      it "raises an exception when default-src is missing" do
-        csp = ContentSecurityPolicy.new({:script_src => 'anything'}, :request => request_for(CHROME))
-        expect {
-          csp.value
-        }.to raise_error(RuntimeError)
+      it "discards source expressions besides unsafe-* expressions when * is present" do
+        csp = ContentSecurityPolicy.new(default_src: %w(* 'unsafe-inline' 'unsafe-eval' http: https: example.org))
+        expect(csp.value).to eq("default-src * 'unsafe-inline' 'unsafe-eval'")
       end
 
-      context "auto-whitelists data: uris for img-src" do
-        it "sets the value if no img-src specified" do
-          csp = ContentSecurityPolicy.new({:default_src => "'self'"}, :request => request_for(CHROME))
-          expect(csp.value).to eq("default-src 'self'; img-src 'self' data:;")
-        end
-
-        it "appends the value if img-src is specified" do
-          csp = ContentSecurityPolicy.new({:default_src => "'self'", :img_src => "'self'"}, :request => request_for(CHROME))
-          expect(csp.value).to eq("default-src 'self'; img-src 'self' data:;")
-        end
-
-        it "doesn't add a duplicate data uri if img-src specifies it already" do
-          csp = ContentSecurityPolicy.new({:default_src => "'self'", :img_src => "'self' data:"}, :request => request_for(CHROME))
-          expect(csp.value).to eq("default-src 'self'; img-src 'self' data:;")
-        end
-
-        it "allows the user to disable img-src data: uris auto-whitelisting" do
-          csp = ContentSecurityPolicy.new({:default_src => "'self'", :img_src => "'self'", :disable_img_src_data_uri => true}, :request => request_for(CHROME))
-          expect(csp.value).to eq("default-src 'self'; img-src 'self';")
-        end
+      it "minifies source expressions based on overlapping wildcards" do
+        config = {
+          default_src: %w(a.example.org b.example.org *.example.org https://*.example.org)
+        }
+        csp = ContentSecurityPolicy.new(config)
+        expect(csp.value).to eq("default-src *.example.org")
       end
 
-      it "sends the standard csp header if an unknown browser is supplied" do
-        csp = ContentSecurityPolicy.new(default_opts, :request => request_for(IE))
-        expect(csp.value).to match "default-src"
+      it "removes http/s schemes from hosts" do
+        csp = ContentSecurityPolicy.new(default_src: %w(https://example.org))
+        expect(csp.value).to eq("default-src example.org")
       end
 
-      context "Firefox" do
-        it "builds a csp header for firefox" do
-          csp = ContentSecurityPolicy.new(default_opts, :request => request_for(FIREFOX))
-          expect(csp.value).to eq("default-src https:; img-src https: data:; script-src 'unsafe-inline' 'unsafe-eval' https: data:; style-src 'unsafe-inline' https: about:; report-uri /csp_report;")
-        end
+      it "does not remove schemes from report-uri values" do
+        csp = ContentSecurityPolicy.new(default_src: %w(https:), report_uri: %w(https://example.org))
+        expect(csp.value).to eq("default-src https:; report-uri https://example.org")
       end
 
-      context "Chrome" do
-        it "builds a csp header for chrome" do
-          csp = ContentSecurityPolicy.new(default_opts, :request => request_for(CHROME))
-          expect(csp.value).to eq("default-src https:; img-src https: data:; script-src 'unsafe-inline' 'unsafe-eval' https: data:; style-src 'unsafe-inline' https: about:; report-uri /csp_report;")
-        end
+      it "removes nil from source lists" do
+        csp = ContentSecurityPolicy.new(default_src: ["https://example.org", nil])
+        expect(csp.value).to eq("default-src example.org")
       end
 
-      context "when using a nonce" do
-        it "adds a nonce and unsafe-inline to the script-src value when using chrome" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "'self' nonce"), :request => request_for(CHROME), :controller => controller)
-          expect(header.value).to include("script-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline'")
-        end
-
-        it "adds a nonce and unsafe-inline to the script-src value when using firefox" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "'self' nonce"), :request => request_for(FIREFOX), :controller => controller)
-          expect(header.value).to include("script-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline'")
-        end
-
-        it "adds a nonce and unsafe-inline to the script-src value when using opera" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "'self' nonce"), :request => request_for(OPERA), :controller => controller)
-          expect(header.value).to include("script-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline'")
-        end
-
-        it "does not add a nonce and unsafe-inline to the script-src value when using Safari" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "'self' nonce"), :request => request_for(SAFARI), :controller => controller)
-          expect(header.value).to include("script-src 'self' 'unsafe-inline'")
-          expect(header.value).not_to include("nonce")
-        end
-
-        it "does not add a nonce and unsafe-inline to the script-src value when using IE" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "'self' nonce"), :request => request_for(IE), :controller => controller)
-          expect(header.value).to include("script-src 'self' 'unsafe-inline'")
-          expect(header.value).not_to include("nonce")
-        end
-
-        it "adds a nonce and unsafe-inline to the style-src value" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:style_src => "'self' nonce"), :request => request_for(CHROME), :controller => controller)
-          expect(header.value).to include("style-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline'")
-        end
-
-        it "adds an identical nonce to the style and script-src directives" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:style_src => "'self' nonce", :script_src => "'self' nonce"), :request => request_for(CHROME), :controller => controller)
-          nonce = header.nonce
-          value = header.value
-          expect(value).to include("style-src 'self' 'nonce-#{nonce}' 'unsafe-inline'")
-          expect(value).to include("script-src 'self' 'nonce-#{nonce}' 'unsafe-inline'")
-        end
-
-        it "does not add 'unsafe-inline' twice" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "'self' nonce 'unsafe-inline'"), :request => request_for(CHROME), :controller => controller)
-          expect(header.value).to include("script-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline';")
-        end
+      it "deduplicates any source expressions" do
+        csp = ContentSecurityPolicy.new(default_src: %w(example.org example.org example.org))
+        expect(csp.value).to eq("default-src example.org")
       end
 
-      context "when supplying additional http directive values" do
-        let(:options) {
-          default_opts.merge({
-            :http_additions => {
-              :frame_src => "http:",
-              :img_src => "http:"
-            }
-          })
-        }
-
-        it "adds directive values for headers on http" do
-          csp = ContentSecurityPolicy.new(options, :request => request_for(CHROME))
-          expect(csp.value).to eq("default-src https:; frame-src http:; img-src https: data: http:; script-src 'unsafe-inline' 'unsafe-eval' https: data:; style-src 'unsafe-inline' https: about:; report-uri /csp_report;")
+      context "browser sniffing" do
+        let (:complex_opts) do
+          ContentSecurityPolicy::ALL_DIRECTIVES.each_with_object({}) { |directive, hash| hash[directive] = %w('self') }
+            .merge(block_all_mixed_content: true, reflected_xss: "block")
+            .merge(script_src: %w('self'), script_nonce: 123456)
         end
 
-        it "does not add the directive values if requesting https" do
-          csp = ContentSecurityPolicy.new(options, :request => request_for(CHROME, '/', :ssl => true))
-          expect(csp.value).not_to match(/http:/)
+        it "does not filter any directives for Chrome" do
+          policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:chrome])
+          expect(policy.value).to eq("default-src 'self'; base-uri 'self'; block-all-mixed-content; child-src 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; plugin-types 'self'; sandbox 'self'; script-src 'self' 'nonce-123456'; style-src 'self'; report-uri 'self'")
         end
 
-        it "does not add the directive values if requesting https" do
-          csp = ContentSecurityPolicy.new(options, :ua => "Chrome", :ssl => true)
-          expect(csp.value).not_to match(/http:/)
+        it "does not filter any directives for Opera" do
+          policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:opera])
+          expect(policy.value).to eq("default-src 'self'; base-uri 'self'; block-all-mixed-content; child-src 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; plugin-types 'self'; sandbox 'self'; script-src 'self' 'nonce-123456'; style-src 'self'; report-uri 'self'")
         end
-      end
 
-      describe "class methods" do
-        let(:ua) { CHROME }
-        let(:env) do
-          double.tap do |env|
-            allow(env).to receive(:[]).with('HTTP_USER_AGENT').and_return(ua)
-          end
-        end
-        let(:request) do
-          double(
-            :ssl? => true,
-            :url => 'https://example.com',
-            :env => env
-          )
-        end
-
-        describe ".add_to_env" do
-          let(:controller) { double }
-          let(:config) { {:default_src => "'self'"} }
-          let(:options) { {:controller => controller} }
-
-          it "adds metadata to env" do
-            metadata = {
-              :config => config,
-              :options => options
-            }
-            expect(ContentSecurityPolicy).to receive(:options_from_request).and_return(options)
-            expect(env).to receive(:[]=).with(ContentSecurityPolicy::ENV_KEY, metadata)
-            ContentSecurityPolicy.add_to_env(request, controller, config)
-          end
+        it "filters blocked-all-mixed-content, child-src, and plugin-types for firefox" do
+          policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:firefox])
+          expect(policy.value).to eq("default-src 'self'; base-uri 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; sandbox 'self'; script-src 'self' 'nonce-123456'; style-src 'self'; report-uri 'self'")
         end
 
-        describe ".options_from_request" do
-          it "extracts options from request" do
-            options = ContentSecurityPolicy.options_from_request(request)
-            expect(options).to eql({
-              :ua => ua,
-              :ssl => true,
-              :request_uri => 'https://example.com'
-            })
-          end
+        it "adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, child-src, form-action, frame-ancestors, nonce sources, hash sources, and plugin-types for safari" do
+          policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:safari6])
+          expect(policy.value).to eq("default-src 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; sandbox 'self'; script-src 'self' 'unsafe-inline'; style-src 'self'; report-uri 'self'")
         end
       end
     end

data/spec/lib/secure_headers/headers/public_key_pins_spec.rb

@@ -2,35 +2,35 @@ require 'spec_helper'
 
 module SecureHeaders
   describe PublicKeyPins do
-    specify{ expect(PublicKeyPins.new(:max_age => 1234).name).to eq("Public-Key-Pins-Report-Only") }
-    specify{ expect(PublicKeyPins.new(:max_age => 1234, :enforce => true).name).to eq("Public-Key-Pins") }
+    specify { expect(PublicKeyPins.new(max_age: 1234, report_only: true).name).to eq("Public-Key-Pins-Report-Only") }
+    specify { expect(PublicKeyPins.new(max_age: 1234).name).to eq("Public-Key-Pins") }
 
-    specify { expect(PublicKeyPins.new({:max_age => 1234}).value).to eq("max-age=1234")}
-    specify { expect(PublicKeyPins.new(:max_age => 1234).value).to eq("max-age=1234")}
-    specify {
-      config = {:max_age => 1234, :pins => [{:sha256 => 'base64encodedpin1'}, {:sha256 => 'base64encodedpin2'}]}
+    specify { expect(PublicKeyPins.new(max_age: 1234).value).to eq("max-age=1234") }
+    specify { expect(PublicKeyPins.new(max_age: 1234).value).to eq("max-age=1234") }
+    specify do
+      config = { max_age: 1234, pins: [{ sha256: 'base64encodedpin1' }, { sha256: 'base64encodedpin2' }] }
       header_value = "max-age=1234; pin-sha256=\"base64encodedpin1\"; pin-sha256=\"base64encodedpin2\""
       expect(PublicKeyPins.new(config).value).to eq(header_value)
-    }
+    end
 
     context "with an invalid configuration" do
       it "raises an exception when max-age is not provided" do
-        expect {
-          PublicKeyPins.new(:foo => 'bar')
-        }.to raise_error(PublicKeyPinsBuildError)
+        expect do
+          PublicKeyPins.validate_config!(foo: 'bar')
+        end.to raise_error(PublicKeyPinsConfigError)
       end
 
       it "raises an exception with an invalid max-age" do
-        expect {
-          PublicKeyPins.new(:max_age => 'abc123')
-        }.to raise_error(PublicKeyPinsBuildError)
+        expect do
+          PublicKeyPins.validate_config!(max_age: 'abc123')
+        end.to raise_error(PublicKeyPinsConfigError)
       end
 
       it 'raises an exception with less than 2 pins' do
-        expect {
-          config = {:max_age => 1234, :pins => [{:sha256 => 'base64encodedpin'}]}
-          PublicKeyPins.new(config)
-        }.to raise_error(PublicKeyPinsBuildError)
+        expect do
+          config = { max_age: 1234, pins: [{ sha256: 'base64encodedpin' }] }
+          PublicKeyPins.validate_config!(config)
+        end.to raise_error(PublicKeyPinsConfigError)
       end
     end
   end

data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb

@@ -2,60 +2,28 @@ require 'spec_helper'
 
 module SecureHeaders
   describe StrictTransportSecurity do
-    specify{ expect(StrictTransportSecurity.new.name).to eq("Strict-Transport-Security") }
-
     describe "#value" do
-      specify { expect(StrictTransportSecurity.new.value).to eq(StrictTransportSecurity::Constants::DEFAULT_VALUE)}
-      specify { expect(StrictTransportSecurity.new("max-age=1234").value).to eq("max-age=1234")}
-      specify { expect(StrictTransportSecurity.new(:max_age => '1234').value).to eq("max-age=1234")}
-      specify { expect(StrictTransportSecurity.new(:max_age => 1234).value).to eq("max-age=1234")}
-      specify { expect(StrictTransportSecurity.new(:max_age => HSTS_MAX_AGE, :include_subdomains => true).value).to eq("max-age=#{HSTS_MAX_AGE}; includeSubdomains")}
-      specify { expect(StrictTransportSecurity.new(:max_age => HSTS_MAX_AGE, :include_subdomains => true, :preload => true).value).to eq("max-age=#{HSTS_MAX_AGE}; includeSubdomains; preload")}
+      specify { expect(StrictTransportSecurity.make_header).to eq([StrictTransportSecurity::HEADER_NAME, StrictTransportSecurity::DEFAULT_VALUE]) }
+      specify { expect(StrictTransportSecurity.make_header("max-age=1234")).to eq([StrictTransportSecurity::HEADER_NAME, "max-age=1234"]) }
 
       context "with an invalid configuration" do
-        context "with a hash argument" do
-          it "should allow string values for max-age" do
-            expect {
-              StrictTransportSecurity.new(:max_age => '1234')
-            }.not_to raise_error
-          end
-
-          it "should allow integer values for max-age" do
-            expect {
-              StrictTransportSecurity.new(:max_age => 1234)
-            }.not_to raise_error
-          end
-
-          it "raises an exception with an invalid max-age" do
-            expect {
-              StrictTransportSecurity.new(:max_age => 'abc123')
-            }.to raise_error(STSBuildError)
-          end
-
-          it "raises an exception if max-age is not supplied" do
-            expect {
-              StrictTransportSecurity.new(:includeSubdomains => true)
-            }.to raise_error(STSBuildError)
-          end
-        end
-
         context "with a string argument" do
           it "raises an exception with an invalid max-age" do
-            expect {
-              StrictTransportSecurity.new('max-age=abc123')
-            }.to raise_error(STSBuildError)
+            expect do
+              StrictTransportSecurity.validate_config!('max-age=abc123')
+            end.to raise_error(STSConfigError)
           end
 
           it "raises an exception if max-age is not supplied" do
-            expect {
-              StrictTransportSecurity.new('includeSubdomains')
-            }.to raise_error(STSBuildError)
+            expect do
+              StrictTransportSecurity.validate_config!('includeSubdomains')
+            end.to raise_error(STSConfigError)
           end
 
           it "raises an exception with an invalid format" do
-            expect {
-              StrictTransportSecurity.new('max-age=123includeSubdomains')
-            }.to raise_error(STSBuildError)
+            expect do
+              StrictTransportSecurity.validate_config!('max-age=123includeSubdomains')
+            end.to raise_error(STSConfigError)
           end
         end
       end

data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb

@@ -2,34 +2,27 @@ require 'spec_helper'
 
 module SecureHeaders
   describe XContentTypeOptions do
-    specify{ expect(XContentTypeOptions.new.name).to eq("X-Content-Type-Options") }
-
     describe "#value" do
-      specify { expect(XContentTypeOptions.new.value).to eq(XContentTypeOptions::Constants::DEFAULT_VALUE)}
-      specify { expect(XContentTypeOptions.new("nosniff").value).to eq("nosniff")}
-      specify { expect(XContentTypeOptions.new(:value => 'nosniff').value).to eq("nosniff")}
+      specify { expect(XContentTypeOptions.make_header).to eq([XContentTypeOptions::HEADER_NAME, XContentTypeOptions::DEFAULT_VALUE]) }
+      specify { expect(XContentTypeOptions.make_header("nosniff")).to eq([XContentTypeOptions::HEADER_NAME, "nosniff"]) }
 
       context "invalid configuration values" do
         it "accepts nosniff" do
-          expect {
-            XContentTypeOptions.new("nosniff")
-          }.not_to raise_error
-
-          expect {
-            XContentTypeOptions.new(:value => "nosniff")
-          }.not_to raise_error
+          expect do
+            XContentTypeOptions.validate_config!("nosniff")
+          end.not_to raise_error
         end
 
         it "accepts nil" do
-          expect {
-            XContentTypeOptions.new
-          }.not_to raise_error
+          expect do
+            XContentTypeOptions.validate_config!(nil)
+          end.not_to raise_error
         end
 
         it "doesn't accept anything besides no-sniff" do
-          expect {
-            XContentTypeOptions.new("donkey")
-          }.to raise_error(XContentTypeOptionsBuildError)
+          expect do
+            XContentTypeOptions.validate_config!("donkey")
+          end.to raise_error(XContentTypeOptionsConfigError)
         end
       end
     end