secure_headers 3.4.0 → 4.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (62) hide show
  1. checksums.yaml +4 -4
  2. data/.rspec +2 -0
  3. data/.rubocop.yml +3 -0
  4. data/.ruby-version +1 -1
  5. data/.travis.yml +8 -4
  6. data/CHANGELOG.md +113 -1
  7. data/CODE_OF_CONDUCT.md +46 -0
  8. data/CONTRIBUTING.md +41 -0
  9. data/Gemfile +8 -4
  10. data/Guardfile +1 -0
  11. data/LICENSE +4 -199
  12. data/README.md +63 -333
  13. data/Rakefile +22 -18
  14. data/docs/HPKP.md +17 -0
  15. data/docs/cookies.md +64 -0
  16. data/docs/hashes.md +64 -0
  17. data/docs/named_overrides_and_appends.md +107 -0
  18. data/docs/per_action_configuration.md +133 -0
  19. data/docs/sinatra.md +25 -0
  20. data/lib/secure_headers/configuration.rb +91 -44
  21. data/lib/secure_headers/hash_helper.rb +2 -1
  22. data/lib/secure_headers/headers/clear_site_data.rb +55 -0
  23. data/lib/secure_headers/headers/content_security_policy.rb +110 -51
  24. data/lib/secure_headers/headers/content_security_policy_config.rb +162 -0
  25. data/lib/secure_headers/headers/cookie.rb +21 -3
  26. data/lib/secure_headers/headers/expect_certificate_transparency.rb +70 -0
  27. data/lib/secure_headers/headers/policy_management.rb +143 -69
  28. data/lib/secure_headers/headers/public_key_pins.rb +5 -4
  29. data/lib/secure_headers/headers/referrer_policy.rb +5 -1
  30. data/lib/secure_headers/headers/strict_transport_security.rb +2 -1
  31. data/lib/secure_headers/headers/x_content_type_options.rb +2 -1
  32. data/lib/secure_headers/headers/x_download_options.rb +3 -2
  33. data/lib/secure_headers/headers/x_frame_options.rb +2 -1
  34. data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +3 -2
  35. data/lib/secure_headers/headers/x_xss_protection.rb +2 -1
  36. data/lib/secure_headers/middleware.rb +10 -9
  37. data/lib/secure_headers/railtie.rb +7 -6
  38. data/lib/secure_headers/utils/cookies_config.rb +13 -12
  39. data/lib/secure_headers/view_helper.rb +12 -3
  40. data/lib/secure_headers.rb +137 -55
  41. data/lib/tasks/tasks.rake +2 -1
  42. data/secure_headers.gemspec +13 -3
  43. data/spec/lib/secure_headers/configuration_spec.rb +13 -12
  44. data/spec/lib/secure_headers/headers/clear_site_data_spec.rb +87 -0
  45. data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +59 -26
  46. data/spec/lib/secure_headers/headers/cookie_spec.rb +38 -20
  47. data/spec/lib/secure_headers/headers/expect_certificate_spec.rb +42 -0
  48. data/spec/lib/secure_headers/headers/policy_management_spec.rb +78 -40
  49. data/spec/lib/secure_headers/headers/public_key_pins_spec.rb +7 -6
  50. data/spec/lib/secure_headers/headers/referrer_policy_spec.rb +22 -3
  51. data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +5 -4
  52. data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +2 -1
  53. data/spec/lib/secure_headers/headers/x_download_options_spec.rb +3 -2
  54. data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +2 -1
  55. data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb +4 -3
  56. data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +4 -3
  57. data/spec/lib/secure_headers/middleware_spec.rb +39 -19
  58. data/spec/lib/secure_headers/view_helpers_spec.rb +21 -8
  59. data/spec/lib/secure_headers_spec.rb +304 -56
  60. data/spec/spec_helper.rb +13 -24
  61. data/upgrading-to-4-0.md +55 -0
  62. metadata +29 -7
@@ -1,4 +1,5 @@
1
- require 'spec_helper'
1
+ # frozen_string_literal: true
2
+ require "spec_helper"
2
3
 
3
4
  module SecureHeaders
4
5
  describe ContentSecurityPolicy do
@@ -14,15 +15,19 @@ module SecureHeaders
14
15
 
15
16
  describe "#name" do
16
17
  context "when in report-only mode" do
17
- specify { expect(ContentSecurityPolicy.new(default_opts.merge(report_only: true)).name).to eq(ContentSecurityPolicy::HEADER_NAME + "-Report-Only") }
18
+ specify { expect(ContentSecurityPolicy.new(default_opts.merge(report_only: true)).name).to eq(ContentSecurityPolicyReportOnlyConfig::HEADER_NAME) }
18
19
  end
19
20
 
20
21
  context "when in enforce mode" do
21
- specify { expect(ContentSecurityPolicy.new(default_opts).name).to eq(ContentSecurityPolicy::HEADER_NAME) }
22
+ specify { expect(ContentSecurityPolicy.new(default_opts).name).to eq(ContentSecurityPolicyConfig::HEADER_NAME) }
22
23
  end
23
24
  end
24
25
 
25
26
  describe "#value" do
27
+ it "uses a safe but non-breaking default value" do
28
+ expect(ContentSecurityPolicy.new.value).to eq("default-src https:; form-action 'self'; img-src https: data: 'self'; object-src 'none'; script-src https:; style-src 'self' 'unsafe-inline' https:")
29
+ end
30
+
26
31
  it "discards 'none' values if any other source expressions are present" do
27
32
  csp = ContentSecurityPolicy.new(default_opts.merge(child_src: %w('self' 'none')))
28
33
  expect(csp.value).not_to include("'none'")
@@ -46,13 +51,18 @@ module SecureHeaders
46
51
  expect(csp.value).to eq("default-src example.org")
47
52
  end
48
53
 
54
+ it "does not build directives with a value of OPT_OUT (and bypasses directive requirements)" do
55
+ csp = ContentSecurityPolicy.new(default_src: %w(https://example.org), script_src: OPT_OUT)
56
+ expect(csp.value).to eq("default-src example.org")
57
+ end
58
+
49
59
  it "does not remove schemes from report-uri values" do
50
60
  csp = ContentSecurityPolicy.new(default_src: %w(https:), report_uri: %w(https://example.org))
51
61
  expect(csp.value).to eq("default-src https:; report-uri https://example.org")
52
62
  end
53
63
 
54
64
  it "does not remove schemes when :preserve_schemes is true" do
55
- csp = ContentSecurityPolicy.new(default_src: %w(https://example.org), :preserve_schemes => true)
65
+ csp = ContentSecurityPolicy.new(default_src: %w(https://example.org), preserve_schemes: true)
56
66
  expect(csp.value).to eq("default-src https://example.org")
57
67
  end
58
68
 
@@ -86,25 +96,35 @@ module SecureHeaders
86
96
  expect(csp.value).to eq("default-src example.org")
87
97
  end
88
98
 
89
- it "emits a warning when using frame-src" do
90
- expect(Kernel).to receive(:warn).with(/:frame_src is deprecated, use :child_src instead./)
99
+ it "creates maximally strict sandbox policy when passed no sandbox token values" do
100
+ csp = ContentSecurityPolicy.new(default_src: %w(example.org), sandbox: [])
101
+ expect(csp.value).to eq("default-src example.org; sandbox")
102
+ end
103
+
104
+ it "creates maximally strict sandbox policy when passed true" do
105
+ csp = ContentSecurityPolicy.new(default_src: %w(example.org), sandbox: true)
106
+ expect(csp.value).to eq("default-src example.org; sandbox")
107
+ end
108
+
109
+ it "creates sandbox policy when passed valid sandbox token values" do
110
+ csp = ContentSecurityPolicy.new(default_src: %w(example.org), sandbox: %w(allow-forms allow-scripts))
111
+ expect(csp.value).to eq("default-src example.org; sandbox allow-forms allow-scripts")
112
+ end
113
+
114
+ it "does not emit a warning when using frame-src" do
115
+ expect(Kernel).to_not receive(:warn)
91
116
  ContentSecurityPolicy.new(default_src: %w('self'), frame_src: %w('self')).value
92
117
  end
93
118
 
94
- it "emits a warning when child-src and frame-src are supplied but are not equal" do
95
- expect(Kernel).to receive(:warn).with(/both :child_src and :frame_src supplied and do not match./)
96
- ContentSecurityPolicy.new(default_src: %w('self'), child_src: %w(child-src.com), frame_src: %w(frame-src,com)).value
119
+ it "raises an error when child-src and frame-src are supplied but are not equal" do
120
+ expect {
121
+ ContentSecurityPolicy.new(default_src: %w('self'), child_src: %w(child-src.com), frame_src: %w(frame-src,com)).value
122
+ }.to raise_error(ArgumentError)
97
123
  end
98
124
 
99
- it "will still set inconsistent child/frame-src values to be less surprising" do
100
- expect(Kernel).to receive(:warn).at_least(:once)
101
- firefox = ContentSecurityPolicy.new({default_src: %w('self'), child_src: %w(child-src.com), frame_src: %w(frame-src,com)}, USER_AGENTS[:firefox]).value
102
- firefox_transitional = ContentSecurityPolicy.new({default_src: %w('self'), child_src: %w(child-src.com), frame_src: %w(frame-src,com)}, USER_AGENTS[:firefox46]).value
103
- expect(firefox).not_to eq(firefox_transitional)
104
- expect(firefox).to match(/frame-src/)
105
- expect(firefox).not_to match(/child-src/)
106
- expect(firefox_transitional).to match(/child-src/)
107
- expect(firefox_transitional).not_to match(/frame-src/)
125
+ it "supports strict-dynamic" do
126
+ csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456}, USER_AGENTS[:chrome])
127
+ expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456'")
108
128
  end
109
129
 
110
130
  context "browser sniffing" do
@@ -114,40 +134,53 @@ module SecureHeaders
114
134
  end.merge({
115
135
  block_all_mixed_content: true,
116
136
  upgrade_insecure_requests: true,
117
- reflected_xss: "block",
118
137
  script_src: %w(script-src.com),
119
- script_nonce: 123456
138
+ script_nonce: 123456,
139
+ sandbox: %w(allow-forms),
140
+ plugin_types: %w(application/pdf)
120
141
  })
121
142
  end
122
143
 
123
144
  it "does not filter any directives for Chrome" do
124
145
  policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:chrome])
125
- expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
146
+ expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
126
147
  end
127
148
 
128
149
  it "does not filter any directives for Opera" do
129
150
  policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:opera])
130
- expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
151
+ expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
131
152
  end
132
153
 
133
154
  it "filters blocked-all-mixed-content, child-src, and plugin-types for firefox" do
134
155
  policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:firefox])
135
- expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
156
+ expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
136
157
  end
137
158
 
138
159
  it "filters blocked-all-mixed-content, frame-src, and plugin-types for firefox 46 and higher" do
139
160
  policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:firefox46])
140
- expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
161
+ expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
141
162
  end
142
163
 
143
164
  it "child-src value is copied to frame-src, adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, upgrade-insecure-requests, child-src, form-action, frame-ancestors, nonce sources, hash sources, and plugin-types for Edge" do
144
165
  policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:edge])
145
- expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
166
+ expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
146
167
  end
147
168
 
148
169
  it "child-src value is copied to frame-src, adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, upgrade-insecure-requests, child-src, form-action, frame-ancestors, nonce sources, hash sources, and plugin-types for safari" do
149
170
  policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:safari6])
150
- expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
171
+ expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
172
+ end
173
+
174
+ it "adds 'unsafe-inline', filters blocked-all-mixed-content, upgrade-insecure-requests, nonce sources, and hash sources for safari 10 and higher" do
175
+ policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:safari10])
176
+ expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; report-uri report-uri.com")
177
+ end
178
+
179
+ it "falls back to standard Firefox defaults when the useragent version is not present" do
180
+ ua = USER_AGENTS[:firefox].dup
181
+ allow(ua).to receive(:version).and_return(nil)
182
+ policy = ContentSecurityPolicy.new(complex_opts, ua)
183
+ expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
151
184
  end
152
185
  end
153
186
  end
@@ -1,40 +1,46 @@
1
- require 'spec_helper'
1
+ # frozen_string_literal: true
2
+ require "spec_helper"
2
3
 
3
4
  module SecureHeaders
4
5
  describe Cookie do
5
6
  let(:raw_cookie) { "_session=thisisatest" }
6
7
 
7
- it "does not tamper with cookies when unconfigured" do
8
- cookie = Cookie.new(raw_cookie, {})
8
+ it "does not tamper with cookies when using OPT_OUT is used" do
9
+ cookie = Cookie.new(raw_cookie, OPT_OUT)
9
10
  expect(cookie.to_s).to eq(raw_cookie)
10
11
  end
11
12
 
13
+ it "applies httponly, secure, and samesite by default" do
14
+ cookie = Cookie.new(raw_cookie, nil)
15
+ expect(cookie.to_s).to eq("_session=thisisatest; secure; HttpOnly; SameSite=Lax")
16
+ end
17
+
12
18
  it "preserves existing attributes" do
13
- cookie = Cookie.new("_session=thisisatest; secure", secure: true)
19
+ cookie = Cookie.new("_session=thisisatest; secure", secure: true, httponly: OPT_OUT, samesite: OPT_OUT)
14
20
  expect(cookie.to_s).to eq("_session=thisisatest; secure")
15
21
  end
16
22
 
17
23
  it "prevents duplicate flagging of attributes" do
18
- cookie = Cookie.new("_session=thisisatest; secure", secure: true)
24
+ cookie = Cookie.new("_session=thisisatest; secure", secure: true, httponly: OPT_OUT)
19
25
  expect(cookie.to_s.scan(/secure/i).count).to eq(1)
20
26
  end
21
27
 
22
28
  context "Secure cookies" do
23
29
  context "when configured with a boolean" do
24
30
  it "flags cookies as Secure" do
25
- cookie = Cookie.new(raw_cookie, secure: true)
31
+ cookie = Cookie.new(raw_cookie, secure: true, httponly: OPT_OUT, samesite: OPT_OUT)
26
32
  expect(cookie.to_s).to eq("_session=thisisatest; secure")
27
33
  end
28
34
  end
29
35
 
30
36
  context "when configured with a Hash" do
31
37
  it "flags cookies as Secure when whitelisted" do
32
- cookie = Cookie.new(raw_cookie, secure: { only: ["_session"]})
38
+ cookie = Cookie.new(raw_cookie, secure: { only: ["_session"]}, httponly: OPT_OUT, samesite: OPT_OUT)
33
39
  expect(cookie.to_s).to eq("_session=thisisatest; secure")
34
40
  end
35
41
 
36
42
  it "does not flag cookies as Secure when excluded" do
37
- cookie = Cookie.new(raw_cookie, secure: { except: ["_session"] })
43
+ cookie = Cookie.new(raw_cookie, secure: { except: ["_session"] }, httponly: OPT_OUT, samesite: OPT_OUT)
38
44
  expect(cookie.to_s).to eq("_session=thisisatest")
39
45
  end
40
46
  end
@@ -43,19 +49,19 @@ module SecureHeaders
43
49
  context "HttpOnly cookies" do
44
50
  context "when configured with a boolean" do
45
51
  it "flags cookies as HttpOnly" do
46
- cookie = Cookie.new(raw_cookie, httponly: true)
52
+ cookie = Cookie.new(raw_cookie, httponly: true, secure: OPT_OUT, samesite: OPT_OUT)
47
53
  expect(cookie.to_s).to eq("_session=thisisatest; HttpOnly")
48
54
  end
49
55
  end
50
56
 
51
57
  context "when configured with a Hash" do
52
58
  it "flags cookies as HttpOnly when whitelisted" do
53
- cookie = Cookie.new(raw_cookie, httponly: { only: ["_session"]})
59
+ cookie = Cookie.new(raw_cookie, httponly: { only: ["_session"]}, secure: OPT_OUT, samesite: OPT_OUT)
54
60
  expect(cookie.to_s).to eq("_session=thisisatest; HttpOnly")
55
61
  end
56
62
 
57
63
  it "does not flag cookies as HttpOnly when excluded" do
58
- cookie = Cookie.new(raw_cookie, httponly: { except: ["_session"] })
64
+ cookie = Cookie.new(raw_cookie, httponly: { except: ["_session"] }, secure: OPT_OUT, samesite: OPT_OUT)
59
65
  expect(cookie.to_s).to eq("_session=thisisatest")
60
66
  end
61
67
  end
@@ -63,46 +69,52 @@ module SecureHeaders
63
69
 
64
70
  context "SameSite cookies" do
65
71
  it "flags SameSite=Lax" do
66
- cookie = Cookie.new(raw_cookie, samesite: { lax: { only: ["_session"] } })
72
+ cookie = Cookie.new(raw_cookie, samesite: { lax: { only: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
67
73
  expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Lax")
68
74
  end
69
75
 
70
76
  it "flags SameSite=Lax when configured with a boolean" do
71
- cookie = Cookie.new(raw_cookie, samesite: { lax: true})
77
+ cookie = Cookie.new(raw_cookie, samesite: { lax: true}, secure: OPT_OUT, httponly: OPT_OUT)
72
78
  expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Lax")
73
79
  end
74
80
 
75
81
  it "does not flag cookies as SameSite=Lax when excluded" do
76
- cookie = Cookie.new(raw_cookie, samesite: { lax: { except: ["_session"] } })
82
+ cookie = Cookie.new(raw_cookie, samesite: { lax: { except: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
77
83
  expect(cookie.to_s).to eq("_session=thisisatest")
78
84
  end
79
85
 
80
86
  it "flags SameSite=Strict" do
81
- cookie = Cookie.new(raw_cookie, samesite: { strict: { only: ["_session"] } })
87
+ cookie = Cookie.new(raw_cookie, samesite: { strict: { only: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
82
88
  expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Strict")
83
89
  end
84
90
 
85
91
  it "does not flag cookies as SameSite=Strict when excluded" do
86
- cookie = Cookie.new(raw_cookie, samesite: { strict: { except: ["_session"] } })
92
+ cookie = Cookie.new(raw_cookie, samesite: { strict: { except: ["_session"] }}, secure: OPT_OUT, httponly: OPT_OUT)
87
93
  expect(cookie.to_s).to eq("_session=thisisatest")
88
94
  end
89
95
 
90
96
  it "flags SameSite=Strict when configured with a boolean" do
91
- cookie = Cookie.new(raw_cookie, samesite: { strict: true})
97
+ cookie = Cookie.new(raw_cookie, {samesite: { strict: true}, secure: OPT_OUT, httponly: OPT_OUT})
92
98
  expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Strict")
93
99
  end
94
100
 
95
101
  it "flags properly when both lax and strict are configured" do
96
102
  raw_cookie = "_session=thisisatest"
97
- cookie = Cookie.new(raw_cookie, samesite: { strict: { only: ["_session"] }, lax: { only: ["_additional_session"] } })
103
+ cookie = Cookie.new(raw_cookie, samesite: { strict: { only: ["_session"] }, lax: { only: ["_additional_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
98
104
  expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Strict")
99
105
  end
100
106
 
101
107
  it "ignores configuration if the cookie is already flagged" do
102
108
  raw_cookie = "_session=thisisatest; SameSite=Strict"
103
- cookie = Cookie.new(raw_cookie, samesite: { lax: true })
109
+ cookie = Cookie.new(raw_cookie, samesite: { lax: true }, secure: OPT_OUT, httponly: OPT_OUT)
104
110
  expect(cookie.to_s).to eq(raw_cookie)
105
111
  end
112
+
113
+ it "samesite: true sets all cookies to samesite=lax" do
114
+ raw_cookie = "_session=thisisatest"
115
+ cookie = Cookie.new(raw_cookie, samesite: true, secure: OPT_OUT, httponly: OPT_OUT)
116
+ expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Lax")
117
+ end
106
118
  end
107
119
  end
108
120
 
@@ -113,12 +125,18 @@ module SecureHeaders
113
125
  end.to raise_error(CookiesConfigError)
114
126
  end
115
127
 
116
- it "raises an exception when configured without a boolean/Hash" do
128
+ it "raises an exception when configured without a boolean(true or OPT_OUT)/Hash" do
117
129
  expect do
118
130
  Cookie.validate_config!(secure: "true")
119
131
  end.to raise_error(CookiesConfigError)
120
132
  end
121
133
 
134
+ it "raises an exception when configured with false" do
135
+ expect do
136
+ Cookie.validate_config!(secure: false)
137
+ end.to raise_error(CookiesConfigError)
138
+ end
139
+
122
140
  it "raises an exception when both only and except filters are provided" do
123
141
  expect do
124
142
  Cookie.validate_config!(secure: { only: [], except: [] })
@@ -0,0 +1,42 @@
1
+ # frozen_string_literal: true
2
+ require "spec_helper"
3
+
4
+ module SecureHeaders
5
+ describe ExpectCertificateTransparency do
6
+ specify { expect(ExpectCertificateTransparency.new(max_age: 1234, enforce: true).value).to eq("enforce; max-age=1234") }
7
+ specify { expect(ExpectCertificateTransparency.new(max_age: 1234, enforce: false).value).to eq("max-age=1234") }
8
+ specify { expect(ExpectCertificateTransparency.new(max_age: 1234, enforce: "yolocopter").value).to eq("max-age=1234") }
9
+ specify { expect(ExpectCertificateTransparency.new(max_age: 1234, report_uri: "https://report-uri.io/expect-ct").value).to eq("max-age=1234; report-uri=\"https://report-uri.io/expect-ct\"") }
10
+ specify do
11
+ config = { enforce: true, max_age: 1234, report_uri: "https://report-uri.io/expect-ct" }
12
+ header_value = "enforce; max-age=1234; report-uri=\"https://report-uri.io/expect-ct\""
13
+ expect(ExpectCertificateTransparency.new(config).value).to eq(header_value)
14
+ end
15
+
16
+ context "with an invalid configuration" do
17
+ it "raises an exception when configuration isn't a hash" do
18
+ expect do
19
+ ExpectCertificateTransparency.validate_config!(%w(a))
20
+ end.to raise_error(ExpectCertificateTransparencyConfigError)
21
+ end
22
+
23
+ it "raises an exception when max-age is not provided" do
24
+ expect do
25
+ ExpectCertificateTransparency.validate_config!(foo: "bar")
26
+ end.to raise_error(ExpectCertificateTransparencyConfigError)
27
+ end
28
+
29
+ it "raises an exception with an invalid max-age" do
30
+ expect do
31
+ ExpectCertificateTransparency.validate_config!(max_age: "abc123")
32
+ end.to raise_error(ExpectCertificateTransparencyConfigError)
33
+ end
34
+
35
+ it "raises an exception with an invalid enforce value" do
36
+ expect do
37
+ ExpectCertificateTransparency.validate_config!(enforce: "brokenstring")
38
+ end.to raise_error(ExpectCertificateTransparencyConfigError)
39
+ end
40
+ end
41
+ end
42
+ end
@@ -1,4 +1,5 @@
1
- require 'spec_helper'
1
+ # frozen_string_literal: true
2
+ require "spec_helper"
2
3
 
3
4
  module SecureHeaders
4
5
  describe PolicyManagement do
@@ -16,7 +17,7 @@ module SecureHeaders
16
17
  it "accepts all keys" do
17
18
  # (pulled from README)
18
19
  config = {
19
- # "meta" values. these will shaped the header, but the values are not included in the header.
20
+ # "meta" values. these will shape the header, but the values are not included in the header.
20
21
  report_only: true, # default: false
21
22
  preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
22
23
 
@@ -27,6 +28,7 @@ module SecureHeaders
27
28
  connect_src: %w(wss:),
28
29
  font_src: %w('self' data:),
29
30
  img_src: %w(mycdn.com data:),
31
+ manifest_src: %w(manifest.com),
30
32
  media_src: %w(utoob.com),
31
33
  object_src: %w('self'),
32
34
  script_src: %w('self'),
@@ -40,82 +42,131 @@ module SecureHeaders
40
42
  report_uri: %w(https://example.com/uri-directive)
41
43
  }
42
44
 
43
- CSP.validate_config!(config)
45
+ ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(config))
44
46
  end
45
47
 
46
48
  it "requires a :default_src value" do
47
49
  expect do
48
- CSP.validate_config!(script_src: %('self'))
50
+ ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(script_src: %w('self')))
49
51
  end.to raise_error(ContentSecurityPolicyConfigError)
50
52
  end
51
53
 
54
+ it "requires a :script_src value" do
55
+ expect do
56
+ ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w('self')))
57
+ end.to raise_error(ContentSecurityPolicyConfigError)
58
+ end
59
+
60
+ it "accepts OPT_OUT as a script-src value" do
61
+ expect do
62
+ ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w('self'), script_src: OPT_OUT))
63
+ end.to_not raise_error
64
+ end
65
+
52
66
  it "requires :report_only to be a truthy value" do
53
67
  expect do
54
- CSP.validate_config!(default_opts.merge(report_only: "steve"))
68
+ ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(report_only: "steve")))
55
69
  end.to raise_error(ContentSecurityPolicyConfigError)
56
70
  end
57
71
 
58
72
  it "requires :preserve_schemes to be a truthy value" do
59
73
  expect do
60
- CSP.validate_config!(default_opts.merge(preserve_schemes: "steve"))
74
+ ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(preserve_schemes: "steve")))
61
75
  end.to raise_error(ContentSecurityPolicyConfigError)
62
76
  end
63
77
 
64
78
  it "requires :block_all_mixed_content to be a boolean value" do
65
79
  expect do
66
- CSP.validate_config!(default_opts.merge(block_all_mixed_content: "steve"))
80
+ ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(block_all_mixed_content: "steve")))
67
81
  end.to raise_error(ContentSecurityPolicyConfigError)
68
82
  end
69
83
 
70
84
  it "requires :upgrade_insecure_requests to be a boolean value" do
71
85
  expect do
72
- CSP.validate_config!(default_opts.merge(upgrade_insecure_requests: "steve"))
86
+ ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(upgrade_insecure_requests: "steve")))
73
87
  end.to raise_error(ContentSecurityPolicyConfigError)
74
88
  end
75
89
 
76
90
  it "requires all source lists to be an array of strings" do
77
91
  expect do
78
- CSP.validate_config!(default_src: "steve")
92
+ ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: "steve"))
79
93
  end.to raise_error(ContentSecurityPolicyConfigError)
80
94
  end
81
95
 
82
96
  it "allows nil values" do
83
97
  expect do
84
- CSP.validate_config!(default_src: %w('self'), script_src: ["https:", nil])
98
+ ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w('self'), script_src: ["https:", nil]))
85
99
  end.to_not raise_error
86
100
  end
87
101
 
88
102
  it "rejects unknown directives / config" do
89
103
  expect do
90
- CSP.validate_config!(default_src: %w('self'), default_src_totally_mispelled: "steve")
104
+ ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w('self'), default_src_totally_mispelled: "steve"))
91
105
  end.to raise_error(ContentSecurityPolicyConfigError)
92
106
  end
93
107
 
94
108
  # this is mostly to ensure people don't use the antiquated shorthands common in other configs
95
109
  it "performs light validation on source lists" do
96
110
  expect do
97
- CSP.validate_config!(default_src: %w(self none inline eval))
111
+ ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w(self none inline eval), script_src: %w('self')))
112
+ end.to raise_error(ContentSecurityPolicyConfigError)
113
+ end
114
+
115
+ it "rejects anything not of the form allow-* as a sandbox value" do
116
+ expect do
117
+ ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(sandbox: ["steve"])))
118
+ end.to raise_error(ContentSecurityPolicyConfigError)
119
+ end
120
+
121
+ it "accepts anything of the form allow-* as a sandbox value " do
122
+ expect do
123
+ ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(sandbox: ["allow-foo"])))
124
+ end.to_not raise_error
125
+ end
126
+
127
+ it "accepts true as a sandbox policy" do
128
+ expect do
129
+ ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(sandbox: true)))
130
+ end.to_not raise_error
131
+ end
132
+
133
+ it "rejects anything not of the form type/subtype as a plugin-type value" do
134
+ expect do
135
+ ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(plugin_types: ["steve"])))
98
136
  end.to raise_error(ContentSecurityPolicyConfigError)
99
137
  end
138
+
139
+ it "accepts anything of the form type/subtype as a plugin-type value " do
140
+ expect do
141
+ ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(plugin_types: ["application/pdf"])))
142
+ end.to_not raise_error
143
+ end
100
144
  end
101
145
 
102
146
  describe "#combine_policies" do
103
147
  it "combines the default-src value with the override if the directive was unconfigured" do
104
- combined_config = CSP.combine_policies(Configuration.default.csp, script_src: %w(anothercdn.com))
148
+ Configuration.default do |config|
149
+ config.csp = {
150
+ default_src: %w(https:),
151
+ script_src: %w('self'),
152
+ }
153
+ end
154
+ combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, style_src: %w(anothercdn.com))
105
155
  csp = ContentSecurityPolicy.new(combined_config)
106
- expect(csp.name).to eq(CSP::HEADER_NAME)
107
- expect(csp.value).to eq("default-src https:; script-src https: anothercdn.com")
156
+ expect(csp.name).to eq(ContentSecurityPolicyConfig::HEADER_NAME)
157
+ expect(csp.value).to eq("default-src https:; script-src 'self'; style-src https: anothercdn.com")
108
158
  end
109
159
 
110
160
  it "combines directives where the original value is nil and the hash is frozen" do
111
161
  Configuration.default do |config|
112
162
  config.csp = {
113
163
  default_src: %w('self'),
164
+ script_src: %w('self'),
114
165
  report_only: false
115
166
  }.freeze
116
167
  end
117
168
  report_uri = "https://report-uri.io/asdf"
118
- combined_config = CSP.combine_policies(Configuration.get.csp, report_uri: [report_uri])
169
+ combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, report_uri: [report_uri])
119
170
  csp = ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox])
120
171
  expect(csp.value).to include("report-uri #{report_uri}")
121
172
  end
@@ -124,43 +175,44 @@ module SecureHeaders
124
175
  Configuration.default do |config|
125
176
  config.csp = {
126
177
  default_src: %w('self'),
178
+ script_src: %w('self'),
127
179
  report_only: false
128
180
  }.freeze
129
181
  end
130
- non_default_source_additions = CSP::NON_FETCH_SOURCES.each_with_object({}) do |directive, hash|
182
+ non_default_source_additions = ContentSecurityPolicy::NON_FETCH_SOURCES.each_with_object({}) do |directive, hash|
131
183
  hash[directive] = %w("http://example.org)
132
184
  end
133
- combined_config = CSP.combine_policies(Configuration.get.csp, non_default_source_additions)
185
+ combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, non_default_source_additions)
134
186
 
135
- CSP::NON_FETCH_SOURCES.each do |directive|
187
+ ContentSecurityPolicy::NON_FETCH_SOURCES.each do |directive|
136
188
  expect(combined_config[directive]).to eq(%w("http://example.org))
137
189
  end
138
-
139
- ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox]).value
140
190
  end
141
191
 
142
192
  it "overrides the report_only flag" do
143
193
  Configuration.default do |config|
144
194
  config.csp = {
145
195
  default_src: %w('self'),
196
+ script_src: %w('self'),
146
197
  report_only: false
147
198
  }
148
199
  end
149
- combined_config = CSP.combine_policies(Configuration.get.csp, report_only: true)
200
+ combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, report_only: true)
150
201
  csp = ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox])
151
- expect(csp.name).to eq(CSP::REPORT_ONLY)
202
+ expect(csp.name).to eq(ContentSecurityPolicyReportOnlyConfig::HEADER_NAME)
152
203
  end
153
204
 
154
205
  it "overrides the :block_all_mixed_content flag" do
155
206
  Configuration.default do |config|
156
207
  config.csp = {
157
208
  default_src: %w(https:),
209
+ script_src: %w('self'),
158
210
  block_all_mixed_content: false
159
211
  }
160
212
  end
161
- combined_config = CSP.combine_policies(Configuration.get.csp, block_all_mixed_content: true)
213
+ combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, block_all_mixed_content: true)
162
214
  csp = ContentSecurityPolicy.new(combined_config)
163
- expect(csp.value).to eq("default-src https:; block-all-mixed-content")
215
+ expect(csp.value).to eq("default-src https:; block-all-mixed-content; script-src 'self'")
164
216
  end
165
217
 
166
218
  it "raises an error if appending to a OPT_OUT policy" do
@@ -168,23 +220,9 @@ module SecureHeaders
168
220
  config.csp = OPT_OUT
169
221
  end
170
222
  expect do
171
- CSP.combine_policies(Configuration.get.csp, script_src: %w(anothercdn.com))
223
+ ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, script_src: %w(anothercdn.com))
172
224
  end.to raise_error(ContentSecurityPolicyConfigError)
173
225
  end
174
226
  end
175
-
176
- describe "#idempotent_additions?" do
177
- specify { expect(ContentSecurityPolicy.idempotent_additions?(OPT_OUT, script_src: %w(b.com))).to be false }
178
- specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: %w(c.com))).to be false }
179
- specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, style_src: %w(b.com))).to be false }
180
- specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: %w(a.com b.com c.com))).to be false }
181
-
182
- specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: %w(b.com))).to be true }
183
- specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: %w(b.com a.com))).to be true }
184
- specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: %w())).to be true }
185
- specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: [nil])).to be true }
186
- specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, style_src: [nil])).to be true }
187
- specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, style_src: nil)).to be true }
188
- end
189
227
  end
190
228
  end