secure_headers 3.0.3 → 3.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 8ce791545252f765e19db9b42b88d0dec3c7f14a
-  data.tar.gz: 5a677c30789119f527ea04f940de663a98344339
+  metadata.gz: 7353ab86b76cba9baabc265f6321990163927fa0
+  data.tar.gz: 8081e9d2a284a26191899317d1947cde24d80d9f
 SHA512:
-  metadata.gz: c861e7c69de1e69d4a53090a33b9c2f699900ee728d55694f0e7df7c32f430bebc65a9304cf0a8536c4663ed97c678340065a17a1ce6862c000b1c7984989d29
-  data.tar.gz: cc33e4d244bbd8bdc46960594d5d6de0bae38bcac6b282f5be9a8a32807d6ad2eb737e28553335cc74223a8ede8c6d592207bd5ee168fb05bf91c04118c8ec69
+  metadata.gz: 37fd3a8aca07d1ce46bd7cdaf89ddb057d41b94f2f41625287d9a3118d19300708fd33f9d5f029c341a9c80295848101f01558d3dfd370a7bba34c8862e710d6
+  data.tar.gz: 0d810d24a48f53a45bec5621291475059e521d0d4f640bf1430ad6c86ecf020fea8dd8eb220e600b71c32539d7cfbc1f87567066477deebdf660d8a0161e2f8a

data/.gitignore

@@ -6,17 +6,8 @@
 .yardoc
 *.log
 Gemfile.lock
-InstalledFiles
 _yardoc
 coverage
-doc/
-lib/bundler/man
 pkg
 rdoc
 spec/reports
-test/tmp
-test/version_tmp
-*tmp
-*.sqlite3
-fixtures/rails_3_2_12_no_init/log
-fixtures/rails_3_2_12/log

data/.travis.yml

@@ -1,13 +1,21 @@
 language: ruby
 
 rvm:
-  - "2.2"
-  - "2.1"
-  - "2.0.0"
-  - "1.9.3"
-  - "jruby-19mode"
+  - ruby-head
+  - 2.2
+  - 2.1
+  - 2.0.0
+  - 1.9.3
+  - jruby-19mode
+  - jruby-head
+
+matrix:
+  allow_failures:
+    - rvm: jruby-head
+    - rvm: ruby-head
 
 before_install: gem update bundler
+bundler_args: --without guard -j 3
 
 sudo: false
 cache: bundler

data/CHANGELOG.md

@@ -1,3 +1,13 @@
+## 3.1.0 Adding secure cookie support
+
+New feature: marking all cookies as secure. Added by @jmera in https://github.com/twitter/secureheaders/pull/231. In the future, we'll probably add the ability to whitelist individual cookies that should not be marked secure. PRs welcome.
+
+Internal refactoring: In https://github.com/twitter/secureheaders/pull/232, we changed the way dynamic CSP is handled internally. The biggest benefit is that highly dynamic policies (which can happen with multiple `append/override` calls per request) are handled better:
+
+1. Only the CSP header cache is busted when using a dynamic policy. All other headers are preserved and don't need to be generated. Dynamic X-Frame-Options changes modify the cache directly.
+1. Idempotency checks for policy modifications are deferred until the end of the request lifecycle and only happen once, instead of per `append/override` call. The idempotency check itself is fairly expensive itself.
+1. CSP header string is produced at most once per request.
+
 ## 3.0.3
 
 Bug fix for handling policy merges where appending a non-default source value (report-uri, plugin-types, frame-ancestors, base-uri, and form-action) would be combined with the default-src value. Appending a directive that doesn't exist in the current policy combines the new value with `default-src` to mimic the actual behavior of the addition. However, this does not make sense for non-default-src values (a.k.a. "fetch directives") and can lead to unexpected behavior like a `report-uri` value of `*`. Previously, this config:
@@ -14,6 +24,7 @@ When appending:
 {
   report_uri => %w(https://report-uri.io/asdf)
 }
+```
 
 Would result in `default-src *; report-uri *` which doesn't make any sense at all.
 

data/Gemfile

@@ -6,9 +6,12 @@ group :test do
   gem "tins", "~> 1.6.0" # 1.7 requires ruby 2.0
   gem "pry-nav"
   gem "rack"
+  gem "rspec"
+  gem "coveralls"
+end
+
+group :guard do
   gem "guard-rspec", platforms: [:ruby_19, :ruby_20, :ruby_21, :ruby_22]
-  gem "rspec", ">= 3.1"
   gem "growl"
   gem "rb-fsevent"
-  gem "coveralls", platforms: [:ruby_19, :ruby_20, :ruby_21, :ruby_22]
 end

data/README.md

@@ -29,7 +29,7 @@ All `nil` values will fallback to their default values. `SecureHeaders::OPT_OUT`
 
 ```ruby
 SecureHeaders::Configuration.default do |config|
-  config.hsts = "max-age=#{20.years.to_i}"
+  config.hsts = "max-age=#{20.years.to_i}; includeSubdomains; preload"
   config.x_frame_options = "DENY"
   config.x_content_type_options = "nosniff"
   config.x_xss_protection = "1; mode=block"
@@ -57,13 +57,13 @@ SecureHeaders::Configuration.default do |config|
     plugin_types: %w(application/x-shockwave-flash),
     block_all_mixed_content: true, # see [http://www.w3.org/TR/mixed-content/](http://www.w3.org/TR/mixed-content/)
     upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
-    report_uri: %w(https://example.com/uri-directive)
+    report_uri: %w(https://report-uri.io/example-csp)
   }
   config.hpkp = {
     report_only: false,
     max_age: 60.days.to_i,
     include_subdomains: true,
-    report_uri: "https://example.com/uri-directive",
+    report_uri: "https://report-uri.io/example-hpkp",
     pins: [
       {sha256: "abc"},
       {sha256: "123"}
@@ -175,7 +175,7 @@ When manipulating content security policy, there are a few things to consider. T
 
 #### Append to the policy with a directive other than `default_src`
 
-The value of `default_src` is joined with the addition. Note the `https:` is carried over from the `default-src` config. If you do not want this, use `override_content_security_policy_directives` instead. To illustrate:
+The value of `default_src` is joined with the addition if the it is a [fetch directive](https://w3c.github.io/webappsec-csp/#directives-fetch). Note the `https:` is carried over from the `default-src` config. If you do not want this, use `override_content_security_policy_directives` instead. To illustrate:
 
 ```ruby
 ::SecureHeaders::Configuration.default do |config|
@@ -255,7 +255,7 @@ config.hpkp = {
     {sha256: '73a2c64f9545172c1195efb6616ca5f7afd1df6f245407cafb90de3998a1c97f'}
   ],
   report_only: true,            # defaults to false (report-only mode)
-  report_uri: '//example.com/uri-directive',
+  report_uri: 'https://report-uri.io/example-hpkp',
   app_name: 'example',
   tag_report_uri: true
 }
@@ -287,43 +287,6 @@ class Donkey < Sinatra::Application
 end
 ```
 
-### Using with Padrino
-
-You can use SecureHeaders for Padrino applications as well:
-
-In your `Gemfile`:
-
-```ruby
-  gem "secure_headers", require: 'secure_headers'
-```
-
-then in your `app.rb` file you can:
-
-```ruby
-Padrino.use(SecureHeaders::Middleware)
-require 'secure_headers/padrino'
-
-module Web
-  class App < Padrino::Application
-    register SecureHeaders::Padrino
-
-    get '/' do
-      render 'index'
-    end
-  end
-end
-```
-
-and in `config/boot.rb`:
-
-```ruby
-def before_load
-  SecureHeaders::Configuration.default do |config|
-    ...
-  end
-end
-```
-
 ## Similar libraries
 
 * Rack [rack-secure_headers](https://github.com/frodsan/rack-secure_headers)
@@ -334,6 +297,8 @@ end
 * Python - [django-csp](https://github.com/mozilla/django-csp) + [commonware](https://github.com/jsocol/commonware/); [django-security](https://github.com/sdelements/django-security)
 * Go - [secureheader](https://github.com/kr/secureheader)
 * Elixir [secure_headers](https://github.com/anotherhale/secure_headers)
+* Dropwizard [dropwizard-web-security](https://github.com/palantir/dropwizard-web-security)
+* Ember.js [ember-cli-content-security-policy](https://github.com/rwjblue/ember-cli-content-security-policy/)
 
 ## License
 

data/lib/secure_headers.rb

@@ -48,14 +48,12 @@ module SecureHeaders
     #    script_src: %w(another-host.com)
     def override_content_security_policy_directives(request, additions)
       config = config_for(request)
-      unless CSP.idempotent_additions?(config.csp, additions)
-        config = config.dup
-        if config.csp == OPT_OUT
-          config.csp = {}
-        end
-        config.csp.merge!(additions)
-        override_secure_headers_request_config(request, config)
+      if config.current_csp == OPT_OUT
+        config.dynamic_csp = {}
       end
+
+      config.dynamic_csp = config.current_csp.merge(additions)
+      override_secure_headers_request_config(request, config)
     end
 
     # Public: appends source values to the current configuration. If no value
@@ -66,11 +64,8 @@ module SecureHeaders
     #    script_src: %w(another-host.com)
     def append_content_security_policy_directives(request, additions)
       config = config_for(request)
-      unless CSP.idempotent_additions?(config.csp, additions)
-        config = config.dup
-        config.csp = CSP.combine_policies(config.csp, additions)
-        override_secure_headers_request_config(request, config)
-      end
+      config.dynamic_csp = CSP.combine_policies(config.current_csp, additions)
+      override_secure_headers_request_config(request, config)
     end
 
     # Public: override X-Frame-Options settings for this request.
@@ -79,16 +74,16 @@ module SecureHeaders
     #
     # Returns the current config
     def override_x_frame_options(request, value)
-      default_config = config_for(request).dup
-      default_config.x_frame_options = value
-      override_secure_headers_request_config(request, default_config)
+      config = config_for(request)
+      config.update_x_frame_options(value)
+      override_secure_headers_request_config(request, config)
     end
 
     # Public: opts out of setting a given header by creating a temporary config
     # and setting the given headers config to OPT_OUT.
     def opt_out_of_header(request, header_key)
-      config = config_for(request).dup
-      config.send("#{header_key}=", OPT_OUT)
+      config = config_for(request)
+      config.opt_out(header_key)
       override_secure_headers_request_config(request, config)
     end
 
@@ -109,14 +104,11 @@ module SecureHeaders
     # in Rack middleware.
     def header_hash_for(request)
       config = config_for(request)
-
-      headers = if cached_headers = config.cached_headers
-        use_cached_headers(cached_headers, request)
-      else
-        build_headers(config, request)
+      unless ContentSecurityPolicy.idempotent_additions?(config.csp, config.current_csp)
+        config.rebuild_csp_header_cache!(request.user_agent)
       end
 
-      headers
+      use_cached_headers(config.cached_headers, request)
     end
 
     # Public: specify which named override will be used for this request.
@@ -149,6 +141,22 @@ module SecureHeaders
       content_security_policy_nonce(request, CSP::STYLE_SRC)
     end
 
+    # Public: Retreives the config for a given header type:
+    #
+    # Checks to see if there is an override for this request, then
+    # Checks to see if a named override is used for this request, then
+    # Falls back to the global config
+    def config_for(request)
+      config = request.env[SECURE_HEADERS_CONFIG] ||
+        Configuration.get(Configuration::DEFAULT_CONFIG)
+
+      if config.frozen?
+        config.dup
+      else
+        config
+      end
+    end
+
     private
 
     # Private: gets or creates a nonce for CSP.
@@ -181,64 +189,30 @@ module SecureHeaders
       end
     end
 
-    # Private: do the heavy lifting of converting a configuration object
-    # to a hash of headers valid for this request.
-    #
-    # Returns a hash of header names / values.
-    def build_headers(config, request)
-      header_classes_for(request).each_with_object({}) do |klass, hash|
-        header_config = if config
-          config.fetch(klass::CONFIG_KEY)
-        end
-
-        header_name, value = if klass == CSP
-          make_header(klass, header_config, request.user_agent)
-        else
-          make_header(klass, header_config)
-        end
-        hash[header_name] = value if value
-      end
-    end
-
     # Private: takes a precomputed hash of headers and returns the Headers
     # customized for the request.
     #
     # Returns a hash of header names / values valid for a given request.
-    def use_cached_headers(default_headers, request)
+    def use_cached_headers(headers, request)
       header_classes_for(request).each_with_object({}) do |klass, hash|
-        if default_header = default_headers[klass::CONFIG_KEY]
+        if header = headers[klass::CONFIG_KEY]
           header_name, value = if klass == CSP
-            default_csp_header_for_ua(default_header, request)
+            csp_header_for_ua(header, request)
           else
-            default_header
+            header
           end
           hash[header_name] = value
         end
       end
     end
 
-    # Private: Retreives the config for a given header type:
-    #
-    # Checks to see if there is an override for this request, then
-    # Checks to see if a named override is used for this request, then
-    # Falls back to the global config
-    def config_for(request)
-      request.env[SECURE_HEADERS_CONFIG] ||
-        Configuration.get(Configuration::DEFAULT_CONFIG)
-    end
-
     # Private: chooses the applicable CSP header for the provided user agent.
     #
     # headers - a hash of header_config_key => [header_name, header_value]
     #
     # Returns a CSP [header, value] array
-    def default_csp_header_for_ua(headers, request)
-      family = UserAgent.parse(request.user_agent).browser
-      if CSP::VARIATIONS.key?(family)
-        headers[family]
-      else
-        headers[CSP::OTHER]
-      end
+    def csp_header_for_ua(headers, request)
+      headers[CSP.ua_to_variation(UserAgent.parse(request.user_agent))]
     end
 
     # Private: optionally build a header with a given configure

data/lib/secure_headers/configuration.rb

@@ -3,6 +3,7 @@ module SecureHeaders
     DEFAULT_CONFIG = :default
     NOOP_CONFIGURATION = "secure_headers_noop_config"
     class NotYetConfiguredError < StandardError; end
+    class IllegalPolicyModificationError < StandardError; end
     class << self
       # Public: Set the global default configuration.
       #
@@ -23,12 +24,12 @@ module SecureHeaders
       # if no value is supplied.
       #
       # Returns: the newly created config
-      def override(name, base = DEFAULT_CONFIG)
+      def override(name, base = DEFAULT_CONFIG, &block)
         unless get(base)
           raise NotYetConfiguredError, "#{base} policy not yet supplied"
         end
         override = @configurations[base].dup
-        yield(override)
+        override.instance_eval &block if block_given?
         add_configuration(name, override)
       end
 
@@ -43,18 +44,6 @@ module SecureHeaders
         @configurations[name]
       end
 
-      # Public: perform a basic deep dup. The shallow copy provided by dup/clone
-      # can lead to modifying parent objects.
-      def deep_copy(config)
-        config.each_with_object({}) do |(key, value), hash|
-          hash[key] = if value.is_a?(Array)
-            value.dup
-          else
-            value
-          end
-        end
-      end
-
       private
 
       # Private: add a valid configuration to the global set of named configs.
@@ -86,16 +75,39 @@ module SecureHeaders
 
         add_configuration(NOOP_CONFIGURATION, noop_config)
       end
+
+      # Public: perform a basic deep dup. The shallow copy provided by dup/clone
+      # can lead to modifying parent objects.
+      def deep_copy(config)
+        config.each_with_object({}) do |(key, value), hash|
+          hash[key] = if value.is_a?(Array)
+            value.dup
+          else
+            value
+          end
+        end
+      end
+
+      # Private: convenience method purely DRY things up. The value may not be a
+      # hash (e.g. OPT_OUT, nil)
+      def deep_copy_if_hash(value)
+        if value.is_a?(Hash)
+          deep_copy(value)
+        else
+          value
+        end
+      end
     end
 
-    attr_accessor :hsts, :x_frame_options, :x_content_type_options,
-      :x_xss_protection, :csp, :x_download_options, :x_permitted_cross_domain_policies,
-      :hpkp
-    attr_reader :cached_headers
+    attr_writer :hsts, :x_frame_options, :x_content_type_options,
+      :x_xss_protection, :x_download_options, :x_permitted_cross_domain_policies,
+      :hpkp, :dynamic_csp, :secure_cookies
+
+    attr_reader :cached_headers, :csp, :dynamic_csp, :secure_cookies
 
     def initialize(&block)
       self.hpkp = OPT_OUT
-      self.csp = self.class.deep_copy(CSP::DEFAULT_CONFIG)
+      self.csp = self.class.send(:deep_copy, CSP::DEFAULT_CONFIG)
       instance_eval &block if block_given?
     end
 
@@ -104,33 +116,37 @@ module SecureHeaders
     # Returns a deep-dup'd copy of this configuration.
     def dup
       copy = self.class.new
-      copy.hsts = hsts
-      copy.x_frame_options = x_frame_options
-      copy.x_content_type_options = x_content_type_options
-      copy.x_xss_protection = x_xss_protection
-      copy.x_download_options = x_download_options
-      copy.x_permitted_cross_domain_policies = x_permitted_cross_domain_policies
-      copy.csp = if csp.is_a?(Hash)
-        self.class.deep_copy(csp)
-      else
-        csp
+      copy.secure_cookies = @secure_cookies
+      copy.csp = self.class.send(:deep_copy_if_hash, @csp)
+      copy.dynamic_csp = self.class.send(:deep_copy_if_hash, @dynamic_csp)
+      copy.cached_headers = self.class.send(:deep_copy_if_hash, @cached_headers)
+      copy
+    end
+
+    def opt_out(header)
+      send("#{header}=", OPT_OUT)
+      if header == CSP::CONFIG_KEY
+        dynamic_csp = OPT_OUT
       end
+      self.cached_headers.delete(header)
+    end
+
+    def update_x_frame_options(value)
+      self.cached_headers[XFrameOptions::CONFIG_KEY] = XFrameOptions.make_header(value)
+    end
 
-      copy.hpkp = if hpkp.is_a?(Hash)
-        self.class.deep_copy(hpkp)
-      else
-        hpkp
+    # Public: generated cached headers for a specific user agent.
+    def rebuild_csp_header_cache!(user_agent)
+      self.cached_headers[CSP::CONFIG_KEY] = {}
+      unless current_csp == OPT_OUT
+        user_agent = UserAgent.parse(user_agent)
+        variation = CSP.ua_to_variation(user_agent)
+        self.cached_headers[CSP::CONFIG_KEY][variation] = CSP.make_header(current_csp, user_agent)
       end
-      copy
     end
 
-    # Public: Retrieve a config based on the CONFIG_KEY for a class
-    #
-    # Returns the value if available, and returns a dup of any hash values.
-    def fetch(key)
-      config = send(key)
-      config = self.class.deep_copy(config) if config.is_a?(Hash)
-      config
+    def current_csp
+      @dynamic_csp || @csp
     end
 
     # Public: validates all configurations values.
@@ -139,16 +155,32 @@ module SecureHeaders
     #
     # Returns nothing
     def validate_config!
-      StrictTransportSecurity.validate_config!(hsts)
-      ContentSecurityPolicy.validate_config!(csp)
-      XFrameOptions.validate_config!(x_frame_options)
-      XContentTypeOptions.validate_config!(x_content_type_options)
-      XXssProtection.validate_config!(x_xss_protection)
-      XDownloadOptions.validate_config!(x_download_options)
-      XPermittedCrossDomainPolicies.validate_config!(x_permitted_cross_domain_policies)
-      PublicKeyPins.validate_config!(hpkp)
+      StrictTransportSecurity.validate_config!(@hsts)
+      ContentSecurityPolicy.validate_config!(@csp)
+      XFrameOptions.validate_config!(@x_frame_options)
+      XContentTypeOptions.validate_config!(@x_content_type_options)
+      XXssProtection.validate_config!(@x_xss_protection)
+      XDownloadOptions.validate_config!(@x_download_options)
+      XPermittedCrossDomainPolicies.validate_config!(@x_permitted_cross_domain_policies)
+      PublicKeyPins.validate_config!(@hpkp)
     end
 
+    protected
+
+    def csp=(new_csp)
+      if self.dynamic_csp
+        raise IllegalPolicyModificationError, "You are attempting to modify CSP settings directly. Use dynamic_csp= isntead."
+      end
+
+      @csp = new_csp
+    end
+
+    def cached_headers=(headers)
+      @cached_headers = headers
+    end
+
+    private
+
     # Public: Precompute the header names and values for this configuraiton.
     # Ensures that headers generated at configure time, not on demand.
     #
@@ -156,7 +188,7 @@ module SecureHeaders
     def cache_headers!
       # generate defaults for the "easy" headers
       headers = (ALL_HEADERS_BESIDES_CSP).each_with_object({}) do |klass, hash|
-        config = fetch(klass::CONFIG_KEY)
+        config = instance_variable_get("@#{klass::CONFIG_KEY}")
         unless config == OPT_OUT
           hash[klass::CONFIG_KEY] = klass.make_header(config).freeze
         end
@@ -165,7 +197,7 @@ module SecureHeaders
       generate_csp_headers(headers)
 
       headers.freeze
-      @cached_headers = headers
+      self.cached_headers = headers
     end
 
     # Private: adds CSP headers for each variation of CSP support.
@@ -175,11 +207,10 @@ module SecureHeaders
     #
     # Returns nothing
     def generate_csp_headers(headers)
-      unless csp == OPT_OUT
+      unless @csp == OPT_OUT
         headers[CSP::CONFIG_KEY] = {}
-
+        csp_config = self.current_csp
         CSP::VARIATIONS.each do |name, _|
-          csp_config = fetch(CSP::CONFIG_KEY)
           csp = CSP.make_header(csp_config, UserAgent.parse(name))
           headers[CSP::CONFIG_KEY][name] = csp.freeze
         end