secure_headers 3.4.0 → 4.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.rspec +2 -0
- data/.rubocop.yml +3 -0
- data/.ruby-version +1 -1
- data/.travis.yml +8 -4
- data/CHANGELOG.md +113 -1
- data/CODE_OF_CONDUCT.md +46 -0
- data/CONTRIBUTING.md +41 -0
- data/Gemfile +8 -4
- data/Guardfile +1 -0
- data/LICENSE +4 -199
- data/README.md +63 -333
- data/Rakefile +22 -18
- data/docs/HPKP.md +17 -0
- data/docs/cookies.md +64 -0
- data/docs/hashes.md +64 -0
- data/docs/named_overrides_and_appends.md +107 -0
- data/docs/per_action_configuration.md +133 -0
- data/docs/sinatra.md +25 -0
- data/lib/secure_headers/configuration.rb +91 -44
- data/lib/secure_headers/hash_helper.rb +2 -1
- data/lib/secure_headers/headers/clear_site_data.rb +55 -0
- data/lib/secure_headers/headers/content_security_policy.rb +110 -51
- data/lib/secure_headers/headers/content_security_policy_config.rb +162 -0
- data/lib/secure_headers/headers/cookie.rb +21 -3
- data/lib/secure_headers/headers/expect_certificate_transparency.rb +70 -0
- data/lib/secure_headers/headers/policy_management.rb +143 -69
- data/lib/secure_headers/headers/public_key_pins.rb +5 -4
- data/lib/secure_headers/headers/referrer_policy.rb +5 -1
- data/lib/secure_headers/headers/strict_transport_security.rb +2 -1
- data/lib/secure_headers/headers/x_content_type_options.rb +2 -1
- data/lib/secure_headers/headers/x_download_options.rb +3 -2
- data/lib/secure_headers/headers/x_frame_options.rb +2 -1
- data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +3 -2
- data/lib/secure_headers/headers/x_xss_protection.rb +2 -1
- data/lib/secure_headers/middleware.rb +10 -9
- data/lib/secure_headers/railtie.rb +7 -6
- data/lib/secure_headers/utils/cookies_config.rb +13 -12
- data/lib/secure_headers/view_helper.rb +12 -3
- data/lib/secure_headers.rb +137 -55
- data/lib/tasks/tasks.rake +2 -1
- data/secure_headers.gemspec +13 -3
- data/spec/lib/secure_headers/configuration_spec.rb +13 -12
- data/spec/lib/secure_headers/headers/clear_site_data_spec.rb +87 -0
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +59 -26
- data/spec/lib/secure_headers/headers/cookie_spec.rb +38 -20
- data/spec/lib/secure_headers/headers/expect_certificate_spec.rb +42 -0
- data/spec/lib/secure_headers/headers/policy_management_spec.rb +78 -40
- data/spec/lib/secure_headers/headers/public_key_pins_spec.rb +7 -6
- data/spec/lib/secure_headers/headers/referrer_policy_spec.rb +22 -3
- data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +5 -4
- data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +2 -1
- data/spec/lib/secure_headers/headers/x_download_options_spec.rb +3 -2
- data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +2 -1
- data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb +4 -3
- data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +4 -3
- data/spec/lib/secure_headers/middleware_spec.rb +39 -19
- data/spec/lib/secure_headers/view_helpers_spec.rb +21 -8
- data/spec/lib/secure_headers_spec.rb +304 -56
- data/spec/spec_helper.rb +13 -24
- data/upgrading-to-4-0.md +55 -0
- metadata +29 -7
|
@@ -1,4 +1,5 @@
|
|
|
1
|
-
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
require "spec_helper"
|
|
2
3
|
|
|
3
4
|
module SecureHeaders
|
|
4
5
|
describe ContentSecurityPolicy do
|
|
@@ -14,15 +15,19 @@ module SecureHeaders
|
|
|
14
15
|
|
|
15
16
|
describe "#name" do
|
|
16
17
|
context "when in report-only mode" do
|
|
17
|
-
specify { expect(ContentSecurityPolicy.new(default_opts.merge(report_only: true)).name).to eq(
|
|
18
|
+
specify { expect(ContentSecurityPolicy.new(default_opts.merge(report_only: true)).name).to eq(ContentSecurityPolicyReportOnlyConfig::HEADER_NAME) }
|
|
18
19
|
end
|
|
19
20
|
|
|
20
21
|
context "when in enforce mode" do
|
|
21
|
-
specify { expect(ContentSecurityPolicy.new(default_opts).name).to eq(
|
|
22
|
+
specify { expect(ContentSecurityPolicy.new(default_opts).name).to eq(ContentSecurityPolicyConfig::HEADER_NAME) }
|
|
22
23
|
end
|
|
23
24
|
end
|
|
24
25
|
|
|
25
26
|
describe "#value" do
|
|
27
|
+
it "uses a safe but non-breaking default value" do
|
|
28
|
+
expect(ContentSecurityPolicy.new.value).to eq("default-src https:; form-action 'self'; img-src https: data: 'self'; object-src 'none'; script-src https:; style-src 'self' 'unsafe-inline' https:")
|
|
29
|
+
end
|
|
30
|
+
|
|
26
31
|
it "discards 'none' values if any other source expressions are present" do
|
|
27
32
|
csp = ContentSecurityPolicy.new(default_opts.merge(child_src: %w('self' 'none')))
|
|
28
33
|
expect(csp.value).not_to include("'none'")
|
|
@@ -46,13 +51,18 @@ module SecureHeaders
|
|
|
46
51
|
expect(csp.value).to eq("default-src example.org")
|
|
47
52
|
end
|
|
48
53
|
|
|
54
|
+
it "does not build directives with a value of OPT_OUT (and bypasses directive requirements)" do
|
|
55
|
+
csp = ContentSecurityPolicy.new(default_src: %w(https://example.org), script_src: OPT_OUT)
|
|
56
|
+
expect(csp.value).to eq("default-src example.org")
|
|
57
|
+
end
|
|
58
|
+
|
|
49
59
|
it "does not remove schemes from report-uri values" do
|
|
50
60
|
csp = ContentSecurityPolicy.new(default_src: %w(https:), report_uri: %w(https://example.org))
|
|
51
61
|
expect(csp.value).to eq("default-src https:; report-uri https://example.org")
|
|
52
62
|
end
|
|
53
63
|
|
|
54
64
|
it "does not remove schemes when :preserve_schemes is true" do
|
|
55
|
-
csp = ContentSecurityPolicy.new(default_src: %w(https://example.org), :
|
|
65
|
+
csp = ContentSecurityPolicy.new(default_src: %w(https://example.org), preserve_schemes: true)
|
|
56
66
|
expect(csp.value).to eq("default-src https://example.org")
|
|
57
67
|
end
|
|
58
68
|
|
|
@@ -86,25 +96,35 @@ module SecureHeaders
|
|
|
86
96
|
expect(csp.value).to eq("default-src example.org")
|
|
87
97
|
end
|
|
88
98
|
|
|
89
|
-
it "
|
|
90
|
-
|
|
99
|
+
it "creates maximally strict sandbox policy when passed no sandbox token values" do
|
|
100
|
+
csp = ContentSecurityPolicy.new(default_src: %w(example.org), sandbox: [])
|
|
101
|
+
expect(csp.value).to eq("default-src example.org; sandbox")
|
|
102
|
+
end
|
|
103
|
+
|
|
104
|
+
it "creates maximally strict sandbox policy when passed true" do
|
|
105
|
+
csp = ContentSecurityPolicy.new(default_src: %w(example.org), sandbox: true)
|
|
106
|
+
expect(csp.value).to eq("default-src example.org; sandbox")
|
|
107
|
+
end
|
|
108
|
+
|
|
109
|
+
it "creates sandbox policy when passed valid sandbox token values" do
|
|
110
|
+
csp = ContentSecurityPolicy.new(default_src: %w(example.org), sandbox: %w(allow-forms allow-scripts))
|
|
111
|
+
expect(csp.value).to eq("default-src example.org; sandbox allow-forms allow-scripts")
|
|
112
|
+
end
|
|
113
|
+
|
|
114
|
+
it "does not emit a warning when using frame-src" do
|
|
115
|
+
expect(Kernel).to_not receive(:warn)
|
|
91
116
|
ContentSecurityPolicy.new(default_src: %w('self'), frame_src: %w('self')).value
|
|
92
117
|
end
|
|
93
118
|
|
|
94
|
-
it "
|
|
95
|
-
expect
|
|
96
|
-
|
|
119
|
+
it "raises an error when child-src and frame-src are supplied but are not equal" do
|
|
120
|
+
expect {
|
|
121
|
+
ContentSecurityPolicy.new(default_src: %w('self'), child_src: %w(child-src.com), frame_src: %w(frame-src,com)).value
|
|
122
|
+
}.to raise_error(ArgumentError)
|
|
97
123
|
end
|
|
98
124
|
|
|
99
|
-
it "
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
firefox_transitional = ContentSecurityPolicy.new({default_src: %w('self'), child_src: %w(child-src.com), frame_src: %w(frame-src,com)}, USER_AGENTS[:firefox46]).value
|
|
103
|
-
expect(firefox).not_to eq(firefox_transitional)
|
|
104
|
-
expect(firefox).to match(/frame-src/)
|
|
105
|
-
expect(firefox).not_to match(/child-src/)
|
|
106
|
-
expect(firefox_transitional).to match(/child-src/)
|
|
107
|
-
expect(firefox_transitional).not_to match(/frame-src/)
|
|
125
|
+
it "supports strict-dynamic" do
|
|
126
|
+
csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456}, USER_AGENTS[:chrome])
|
|
127
|
+
expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456'")
|
|
108
128
|
end
|
|
109
129
|
|
|
110
130
|
context "browser sniffing" do
|
|
@@ -114,40 +134,53 @@ module SecureHeaders
|
|
|
114
134
|
end.merge({
|
|
115
135
|
block_all_mixed_content: true,
|
|
116
136
|
upgrade_insecure_requests: true,
|
|
117
|
-
reflected_xss: "block",
|
|
118
137
|
script_src: %w(script-src.com),
|
|
119
|
-
script_nonce: 123456
|
|
138
|
+
script_nonce: 123456,
|
|
139
|
+
sandbox: %w(allow-forms),
|
|
140
|
+
plugin_types: %w(application/pdf)
|
|
120
141
|
})
|
|
121
142
|
end
|
|
122
143
|
|
|
123
144
|
it "does not filter any directives for Chrome" do
|
|
124
145
|
policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:chrome])
|
|
125
|
-
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; plugin-types
|
|
146
|
+
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
126
147
|
end
|
|
127
148
|
|
|
128
149
|
it "does not filter any directives for Opera" do
|
|
129
150
|
policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:opera])
|
|
130
|
-
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; plugin-types
|
|
151
|
+
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
131
152
|
end
|
|
132
153
|
|
|
133
154
|
it "filters blocked-all-mixed-content, child-src, and plugin-types for firefox" do
|
|
134
155
|
policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:firefox])
|
|
135
|
-
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox
|
|
156
|
+
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
136
157
|
end
|
|
137
158
|
|
|
138
159
|
it "filters blocked-all-mixed-content, frame-src, and plugin-types for firefox 46 and higher" do
|
|
139
160
|
policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:firefox46])
|
|
140
|
-
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox
|
|
161
|
+
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
141
162
|
end
|
|
142
163
|
|
|
143
164
|
it "child-src value is copied to frame-src, adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, upgrade-insecure-requests, child-src, form-action, frame-ancestors, nonce sources, hash sources, and plugin-types for Edge" do
|
|
144
165
|
policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:edge])
|
|
145
|
-
expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox
|
|
166
|
+
expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
|
|
146
167
|
end
|
|
147
168
|
|
|
148
169
|
it "child-src value is copied to frame-src, adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, upgrade-insecure-requests, child-src, form-action, frame-ancestors, nonce sources, hash sources, and plugin-types for safari" do
|
|
149
170
|
policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:safari6])
|
|
150
|
-
expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox
|
|
171
|
+
expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
|
|
172
|
+
end
|
|
173
|
+
|
|
174
|
+
it "adds 'unsafe-inline', filters blocked-all-mixed-content, upgrade-insecure-requests, nonce sources, and hash sources for safari 10 and higher" do
|
|
175
|
+
policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:safari10])
|
|
176
|
+
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; report-uri report-uri.com")
|
|
177
|
+
end
|
|
178
|
+
|
|
179
|
+
it "falls back to standard Firefox defaults when the useragent version is not present" do
|
|
180
|
+
ua = USER_AGENTS[:firefox].dup
|
|
181
|
+
allow(ua).to receive(:version).and_return(nil)
|
|
182
|
+
policy = ContentSecurityPolicy.new(complex_opts, ua)
|
|
183
|
+
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
151
184
|
end
|
|
152
185
|
end
|
|
153
186
|
end
|
|
@@ -1,40 +1,46 @@
|
|
|
1
|
-
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
require "spec_helper"
|
|
2
3
|
|
|
3
4
|
module SecureHeaders
|
|
4
5
|
describe Cookie do
|
|
5
6
|
let(:raw_cookie) { "_session=thisisatest" }
|
|
6
7
|
|
|
7
|
-
it "does not tamper with cookies when
|
|
8
|
-
cookie = Cookie.new(raw_cookie,
|
|
8
|
+
it "does not tamper with cookies when using OPT_OUT is used" do
|
|
9
|
+
cookie = Cookie.new(raw_cookie, OPT_OUT)
|
|
9
10
|
expect(cookie.to_s).to eq(raw_cookie)
|
|
10
11
|
end
|
|
11
12
|
|
|
13
|
+
it "applies httponly, secure, and samesite by default" do
|
|
14
|
+
cookie = Cookie.new(raw_cookie, nil)
|
|
15
|
+
expect(cookie.to_s).to eq("_session=thisisatest; secure; HttpOnly; SameSite=Lax")
|
|
16
|
+
end
|
|
17
|
+
|
|
12
18
|
it "preserves existing attributes" do
|
|
13
|
-
cookie = Cookie.new("_session=thisisatest; secure", secure: true)
|
|
19
|
+
cookie = Cookie.new("_session=thisisatest; secure", secure: true, httponly: OPT_OUT, samesite: OPT_OUT)
|
|
14
20
|
expect(cookie.to_s).to eq("_session=thisisatest; secure")
|
|
15
21
|
end
|
|
16
22
|
|
|
17
23
|
it "prevents duplicate flagging of attributes" do
|
|
18
|
-
cookie = Cookie.new("_session=thisisatest; secure", secure: true)
|
|
24
|
+
cookie = Cookie.new("_session=thisisatest; secure", secure: true, httponly: OPT_OUT)
|
|
19
25
|
expect(cookie.to_s.scan(/secure/i).count).to eq(1)
|
|
20
26
|
end
|
|
21
27
|
|
|
22
28
|
context "Secure cookies" do
|
|
23
29
|
context "when configured with a boolean" do
|
|
24
30
|
it "flags cookies as Secure" do
|
|
25
|
-
cookie = Cookie.new(raw_cookie, secure: true)
|
|
31
|
+
cookie = Cookie.new(raw_cookie, secure: true, httponly: OPT_OUT, samesite: OPT_OUT)
|
|
26
32
|
expect(cookie.to_s).to eq("_session=thisisatest; secure")
|
|
27
33
|
end
|
|
28
34
|
end
|
|
29
35
|
|
|
30
36
|
context "when configured with a Hash" do
|
|
31
37
|
it "flags cookies as Secure when whitelisted" do
|
|
32
|
-
cookie = Cookie.new(raw_cookie, secure: { only: ["_session"]})
|
|
38
|
+
cookie = Cookie.new(raw_cookie, secure: { only: ["_session"]}, httponly: OPT_OUT, samesite: OPT_OUT)
|
|
33
39
|
expect(cookie.to_s).to eq("_session=thisisatest; secure")
|
|
34
40
|
end
|
|
35
41
|
|
|
36
42
|
it "does not flag cookies as Secure when excluded" do
|
|
37
|
-
cookie = Cookie.new(raw_cookie, secure: { except: ["_session"] })
|
|
43
|
+
cookie = Cookie.new(raw_cookie, secure: { except: ["_session"] }, httponly: OPT_OUT, samesite: OPT_OUT)
|
|
38
44
|
expect(cookie.to_s).to eq("_session=thisisatest")
|
|
39
45
|
end
|
|
40
46
|
end
|
|
@@ -43,19 +49,19 @@ module SecureHeaders
|
|
|
43
49
|
context "HttpOnly cookies" do
|
|
44
50
|
context "when configured with a boolean" do
|
|
45
51
|
it "flags cookies as HttpOnly" do
|
|
46
|
-
cookie = Cookie.new(raw_cookie, httponly: true)
|
|
52
|
+
cookie = Cookie.new(raw_cookie, httponly: true, secure: OPT_OUT, samesite: OPT_OUT)
|
|
47
53
|
expect(cookie.to_s).to eq("_session=thisisatest; HttpOnly")
|
|
48
54
|
end
|
|
49
55
|
end
|
|
50
56
|
|
|
51
57
|
context "when configured with a Hash" do
|
|
52
58
|
it "flags cookies as HttpOnly when whitelisted" do
|
|
53
|
-
cookie = Cookie.new(raw_cookie, httponly: { only: ["_session"]})
|
|
59
|
+
cookie = Cookie.new(raw_cookie, httponly: { only: ["_session"]}, secure: OPT_OUT, samesite: OPT_OUT)
|
|
54
60
|
expect(cookie.to_s).to eq("_session=thisisatest; HttpOnly")
|
|
55
61
|
end
|
|
56
62
|
|
|
57
63
|
it "does not flag cookies as HttpOnly when excluded" do
|
|
58
|
-
cookie = Cookie.new(raw_cookie, httponly: { except: ["_session"] })
|
|
64
|
+
cookie = Cookie.new(raw_cookie, httponly: { except: ["_session"] }, secure: OPT_OUT, samesite: OPT_OUT)
|
|
59
65
|
expect(cookie.to_s).to eq("_session=thisisatest")
|
|
60
66
|
end
|
|
61
67
|
end
|
|
@@ -63,46 +69,52 @@ module SecureHeaders
|
|
|
63
69
|
|
|
64
70
|
context "SameSite cookies" do
|
|
65
71
|
it "flags SameSite=Lax" do
|
|
66
|
-
cookie = Cookie.new(raw_cookie, samesite: { lax: { only: ["_session"] } })
|
|
72
|
+
cookie = Cookie.new(raw_cookie, samesite: { lax: { only: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
|
|
67
73
|
expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Lax")
|
|
68
74
|
end
|
|
69
75
|
|
|
70
76
|
it "flags SameSite=Lax when configured with a boolean" do
|
|
71
|
-
cookie = Cookie.new(raw_cookie, samesite: { lax: true})
|
|
77
|
+
cookie = Cookie.new(raw_cookie, samesite: { lax: true}, secure: OPT_OUT, httponly: OPT_OUT)
|
|
72
78
|
expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Lax")
|
|
73
79
|
end
|
|
74
80
|
|
|
75
81
|
it "does not flag cookies as SameSite=Lax when excluded" do
|
|
76
|
-
cookie = Cookie.new(raw_cookie, samesite: { lax: { except: ["_session"] } })
|
|
82
|
+
cookie = Cookie.new(raw_cookie, samesite: { lax: { except: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
|
|
77
83
|
expect(cookie.to_s).to eq("_session=thisisatest")
|
|
78
84
|
end
|
|
79
85
|
|
|
80
86
|
it "flags SameSite=Strict" do
|
|
81
|
-
cookie = Cookie.new(raw_cookie, samesite: { strict: { only: ["_session"] } })
|
|
87
|
+
cookie = Cookie.new(raw_cookie, samesite: { strict: { only: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
|
|
82
88
|
expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Strict")
|
|
83
89
|
end
|
|
84
90
|
|
|
85
91
|
it "does not flag cookies as SameSite=Strict when excluded" do
|
|
86
|
-
cookie = Cookie.new(raw_cookie, samesite: { strict: { except: ["_session"] }
|
|
92
|
+
cookie = Cookie.new(raw_cookie, samesite: { strict: { except: ["_session"] }}, secure: OPT_OUT, httponly: OPT_OUT)
|
|
87
93
|
expect(cookie.to_s).to eq("_session=thisisatest")
|
|
88
94
|
end
|
|
89
95
|
|
|
90
96
|
it "flags SameSite=Strict when configured with a boolean" do
|
|
91
|
-
cookie = Cookie.new(raw_cookie, samesite: { strict: true})
|
|
97
|
+
cookie = Cookie.new(raw_cookie, {samesite: { strict: true}, secure: OPT_OUT, httponly: OPT_OUT})
|
|
92
98
|
expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Strict")
|
|
93
99
|
end
|
|
94
100
|
|
|
95
101
|
it "flags properly when both lax and strict are configured" do
|
|
96
102
|
raw_cookie = "_session=thisisatest"
|
|
97
|
-
cookie = Cookie.new(raw_cookie, samesite: { strict: { only: ["_session"] }, lax: { only: ["_additional_session"] } })
|
|
103
|
+
cookie = Cookie.new(raw_cookie, samesite: { strict: { only: ["_session"] }, lax: { only: ["_additional_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
|
|
98
104
|
expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Strict")
|
|
99
105
|
end
|
|
100
106
|
|
|
101
107
|
it "ignores configuration if the cookie is already flagged" do
|
|
102
108
|
raw_cookie = "_session=thisisatest; SameSite=Strict"
|
|
103
|
-
cookie = Cookie.new(raw_cookie, samesite: { lax: true })
|
|
109
|
+
cookie = Cookie.new(raw_cookie, samesite: { lax: true }, secure: OPT_OUT, httponly: OPT_OUT)
|
|
104
110
|
expect(cookie.to_s).to eq(raw_cookie)
|
|
105
111
|
end
|
|
112
|
+
|
|
113
|
+
it "samesite: true sets all cookies to samesite=lax" do
|
|
114
|
+
raw_cookie = "_session=thisisatest"
|
|
115
|
+
cookie = Cookie.new(raw_cookie, samesite: true, secure: OPT_OUT, httponly: OPT_OUT)
|
|
116
|
+
expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Lax")
|
|
117
|
+
end
|
|
106
118
|
end
|
|
107
119
|
end
|
|
108
120
|
|
|
@@ -113,12 +125,18 @@ module SecureHeaders
|
|
|
113
125
|
end.to raise_error(CookiesConfigError)
|
|
114
126
|
end
|
|
115
127
|
|
|
116
|
-
it "raises an exception when configured without a boolean/Hash" do
|
|
128
|
+
it "raises an exception when configured without a boolean(true or OPT_OUT)/Hash" do
|
|
117
129
|
expect do
|
|
118
130
|
Cookie.validate_config!(secure: "true")
|
|
119
131
|
end.to raise_error(CookiesConfigError)
|
|
120
132
|
end
|
|
121
133
|
|
|
134
|
+
it "raises an exception when configured with false" do
|
|
135
|
+
expect do
|
|
136
|
+
Cookie.validate_config!(secure: false)
|
|
137
|
+
end.to raise_error(CookiesConfigError)
|
|
138
|
+
end
|
|
139
|
+
|
|
122
140
|
it "raises an exception when both only and except filters are provided" do
|
|
123
141
|
expect do
|
|
124
142
|
Cookie.validate_config!(secure: { only: [], except: [] })
|
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
require "spec_helper"
|
|
3
|
+
|
|
4
|
+
module SecureHeaders
|
|
5
|
+
describe ExpectCertificateTransparency do
|
|
6
|
+
specify { expect(ExpectCertificateTransparency.new(max_age: 1234, enforce: true).value).to eq("enforce; max-age=1234") }
|
|
7
|
+
specify { expect(ExpectCertificateTransparency.new(max_age: 1234, enforce: false).value).to eq("max-age=1234") }
|
|
8
|
+
specify { expect(ExpectCertificateTransparency.new(max_age: 1234, enforce: "yolocopter").value).to eq("max-age=1234") }
|
|
9
|
+
specify { expect(ExpectCertificateTransparency.new(max_age: 1234, report_uri: "https://report-uri.io/expect-ct").value).to eq("max-age=1234; report-uri=\"https://report-uri.io/expect-ct\"") }
|
|
10
|
+
specify do
|
|
11
|
+
config = { enforce: true, max_age: 1234, report_uri: "https://report-uri.io/expect-ct" }
|
|
12
|
+
header_value = "enforce; max-age=1234; report-uri=\"https://report-uri.io/expect-ct\""
|
|
13
|
+
expect(ExpectCertificateTransparency.new(config).value).to eq(header_value)
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
context "with an invalid configuration" do
|
|
17
|
+
it "raises an exception when configuration isn't a hash" do
|
|
18
|
+
expect do
|
|
19
|
+
ExpectCertificateTransparency.validate_config!(%w(a))
|
|
20
|
+
end.to raise_error(ExpectCertificateTransparencyConfigError)
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
it "raises an exception when max-age is not provided" do
|
|
24
|
+
expect do
|
|
25
|
+
ExpectCertificateTransparency.validate_config!(foo: "bar")
|
|
26
|
+
end.to raise_error(ExpectCertificateTransparencyConfigError)
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
it "raises an exception with an invalid max-age" do
|
|
30
|
+
expect do
|
|
31
|
+
ExpectCertificateTransparency.validate_config!(max_age: "abc123")
|
|
32
|
+
end.to raise_error(ExpectCertificateTransparencyConfigError)
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
it "raises an exception with an invalid enforce value" do
|
|
36
|
+
expect do
|
|
37
|
+
ExpectCertificateTransparency.validate_config!(enforce: "brokenstring")
|
|
38
|
+
end.to raise_error(ExpectCertificateTransparencyConfigError)
|
|
39
|
+
end
|
|
40
|
+
end
|
|
41
|
+
end
|
|
42
|
+
end
|
|
@@ -1,4 +1,5 @@
|
|
|
1
|
-
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
require "spec_helper"
|
|
2
3
|
|
|
3
4
|
module SecureHeaders
|
|
4
5
|
describe PolicyManagement do
|
|
@@ -16,7 +17,7 @@ module SecureHeaders
|
|
|
16
17
|
it "accepts all keys" do
|
|
17
18
|
# (pulled from README)
|
|
18
19
|
config = {
|
|
19
|
-
# "meta" values. these will
|
|
20
|
+
# "meta" values. these will shape the header, but the values are not included in the header.
|
|
20
21
|
report_only: true, # default: false
|
|
21
22
|
preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
|
|
22
23
|
|
|
@@ -27,6 +28,7 @@ module SecureHeaders
|
|
|
27
28
|
connect_src: %w(wss:),
|
|
28
29
|
font_src: %w('self' data:),
|
|
29
30
|
img_src: %w(mycdn.com data:),
|
|
31
|
+
manifest_src: %w(manifest.com),
|
|
30
32
|
media_src: %w(utoob.com),
|
|
31
33
|
object_src: %w('self'),
|
|
32
34
|
script_src: %w('self'),
|
|
@@ -40,82 +42,131 @@ module SecureHeaders
|
|
|
40
42
|
report_uri: %w(https://example.com/uri-directive)
|
|
41
43
|
}
|
|
42
44
|
|
|
43
|
-
|
|
45
|
+
ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(config))
|
|
44
46
|
end
|
|
45
47
|
|
|
46
48
|
it "requires a :default_src value" do
|
|
47
49
|
expect do
|
|
48
|
-
|
|
50
|
+
ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(script_src: %w('self')))
|
|
49
51
|
end.to raise_error(ContentSecurityPolicyConfigError)
|
|
50
52
|
end
|
|
51
53
|
|
|
54
|
+
it "requires a :script_src value" do
|
|
55
|
+
expect do
|
|
56
|
+
ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w('self')))
|
|
57
|
+
end.to raise_error(ContentSecurityPolicyConfigError)
|
|
58
|
+
end
|
|
59
|
+
|
|
60
|
+
it "accepts OPT_OUT as a script-src value" do
|
|
61
|
+
expect do
|
|
62
|
+
ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w('self'), script_src: OPT_OUT))
|
|
63
|
+
end.to_not raise_error
|
|
64
|
+
end
|
|
65
|
+
|
|
52
66
|
it "requires :report_only to be a truthy value" do
|
|
53
67
|
expect do
|
|
54
|
-
|
|
68
|
+
ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(report_only: "steve")))
|
|
55
69
|
end.to raise_error(ContentSecurityPolicyConfigError)
|
|
56
70
|
end
|
|
57
71
|
|
|
58
72
|
it "requires :preserve_schemes to be a truthy value" do
|
|
59
73
|
expect do
|
|
60
|
-
|
|
74
|
+
ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(preserve_schemes: "steve")))
|
|
61
75
|
end.to raise_error(ContentSecurityPolicyConfigError)
|
|
62
76
|
end
|
|
63
77
|
|
|
64
78
|
it "requires :block_all_mixed_content to be a boolean value" do
|
|
65
79
|
expect do
|
|
66
|
-
|
|
80
|
+
ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(block_all_mixed_content: "steve")))
|
|
67
81
|
end.to raise_error(ContentSecurityPolicyConfigError)
|
|
68
82
|
end
|
|
69
83
|
|
|
70
84
|
it "requires :upgrade_insecure_requests to be a boolean value" do
|
|
71
85
|
expect do
|
|
72
|
-
|
|
86
|
+
ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(upgrade_insecure_requests: "steve")))
|
|
73
87
|
end.to raise_error(ContentSecurityPolicyConfigError)
|
|
74
88
|
end
|
|
75
89
|
|
|
76
90
|
it "requires all source lists to be an array of strings" do
|
|
77
91
|
expect do
|
|
78
|
-
|
|
92
|
+
ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: "steve"))
|
|
79
93
|
end.to raise_error(ContentSecurityPolicyConfigError)
|
|
80
94
|
end
|
|
81
95
|
|
|
82
96
|
it "allows nil values" do
|
|
83
97
|
expect do
|
|
84
|
-
|
|
98
|
+
ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w('self'), script_src: ["https:", nil]))
|
|
85
99
|
end.to_not raise_error
|
|
86
100
|
end
|
|
87
101
|
|
|
88
102
|
it "rejects unknown directives / config" do
|
|
89
103
|
expect do
|
|
90
|
-
|
|
104
|
+
ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w('self'), default_src_totally_mispelled: "steve"))
|
|
91
105
|
end.to raise_error(ContentSecurityPolicyConfigError)
|
|
92
106
|
end
|
|
93
107
|
|
|
94
108
|
# this is mostly to ensure people don't use the antiquated shorthands common in other configs
|
|
95
109
|
it "performs light validation on source lists" do
|
|
96
110
|
expect do
|
|
97
|
-
|
|
111
|
+
ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w(self none inline eval), script_src: %w('self')))
|
|
112
|
+
end.to raise_error(ContentSecurityPolicyConfigError)
|
|
113
|
+
end
|
|
114
|
+
|
|
115
|
+
it "rejects anything not of the form allow-* as a sandbox value" do
|
|
116
|
+
expect do
|
|
117
|
+
ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(sandbox: ["steve"])))
|
|
118
|
+
end.to raise_error(ContentSecurityPolicyConfigError)
|
|
119
|
+
end
|
|
120
|
+
|
|
121
|
+
it "accepts anything of the form allow-* as a sandbox value " do
|
|
122
|
+
expect do
|
|
123
|
+
ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(sandbox: ["allow-foo"])))
|
|
124
|
+
end.to_not raise_error
|
|
125
|
+
end
|
|
126
|
+
|
|
127
|
+
it "accepts true as a sandbox policy" do
|
|
128
|
+
expect do
|
|
129
|
+
ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(sandbox: true)))
|
|
130
|
+
end.to_not raise_error
|
|
131
|
+
end
|
|
132
|
+
|
|
133
|
+
it "rejects anything not of the form type/subtype as a plugin-type value" do
|
|
134
|
+
expect do
|
|
135
|
+
ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(plugin_types: ["steve"])))
|
|
98
136
|
end.to raise_error(ContentSecurityPolicyConfigError)
|
|
99
137
|
end
|
|
138
|
+
|
|
139
|
+
it "accepts anything of the form type/subtype as a plugin-type value " do
|
|
140
|
+
expect do
|
|
141
|
+
ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(plugin_types: ["application/pdf"])))
|
|
142
|
+
end.to_not raise_error
|
|
143
|
+
end
|
|
100
144
|
end
|
|
101
145
|
|
|
102
146
|
describe "#combine_policies" do
|
|
103
147
|
it "combines the default-src value with the override if the directive was unconfigured" do
|
|
104
|
-
|
|
148
|
+
Configuration.default do |config|
|
|
149
|
+
config.csp = {
|
|
150
|
+
default_src: %w(https:),
|
|
151
|
+
script_src: %w('self'),
|
|
152
|
+
}
|
|
153
|
+
end
|
|
154
|
+
combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, style_src: %w(anothercdn.com))
|
|
105
155
|
csp = ContentSecurityPolicy.new(combined_config)
|
|
106
|
-
expect(csp.name).to eq(
|
|
107
|
-
expect(csp.value).to eq("default-src https:; script-src https: anothercdn.com")
|
|
156
|
+
expect(csp.name).to eq(ContentSecurityPolicyConfig::HEADER_NAME)
|
|
157
|
+
expect(csp.value).to eq("default-src https:; script-src 'self'; style-src https: anothercdn.com")
|
|
108
158
|
end
|
|
109
159
|
|
|
110
160
|
it "combines directives where the original value is nil and the hash is frozen" do
|
|
111
161
|
Configuration.default do |config|
|
|
112
162
|
config.csp = {
|
|
113
163
|
default_src: %w('self'),
|
|
164
|
+
script_src: %w('self'),
|
|
114
165
|
report_only: false
|
|
115
166
|
}.freeze
|
|
116
167
|
end
|
|
117
168
|
report_uri = "https://report-uri.io/asdf"
|
|
118
|
-
combined_config =
|
|
169
|
+
combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, report_uri: [report_uri])
|
|
119
170
|
csp = ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox])
|
|
120
171
|
expect(csp.value).to include("report-uri #{report_uri}")
|
|
121
172
|
end
|
|
@@ -124,43 +175,44 @@ module SecureHeaders
|
|
|
124
175
|
Configuration.default do |config|
|
|
125
176
|
config.csp = {
|
|
126
177
|
default_src: %w('self'),
|
|
178
|
+
script_src: %w('self'),
|
|
127
179
|
report_only: false
|
|
128
180
|
}.freeze
|
|
129
181
|
end
|
|
130
|
-
non_default_source_additions =
|
|
182
|
+
non_default_source_additions = ContentSecurityPolicy::NON_FETCH_SOURCES.each_with_object({}) do |directive, hash|
|
|
131
183
|
hash[directive] = %w("http://example.org)
|
|
132
184
|
end
|
|
133
|
-
combined_config =
|
|
185
|
+
combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, non_default_source_additions)
|
|
134
186
|
|
|
135
|
-
|
|
187
|
+
ContentSecurityPolicy::NON_FETCH_SOURCES.each do |directive|
|
|
136
188
|
expect(combined_config[directive]).to eq(%w("http://example.org))
|
|
137
189
|
end
|
|
138
|
-
|
|
139
|
-
ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox]).value
|
|
140
190
|
end
|
|
141
191
|
|
|
142
192
|
it "overrides the report_only flag" do
|
|
143
193
|
Configuration.default do |config|
|
|
144
194
|
config.csp = {
|
|
145
195
|
default_src: %w('self'),
|
|
196
|
+
script_src: %w('self'),
|
|
146
197
|
report_only: false
|
|
147
198
|
}
|
|
148
199
|
end
|
|
149
|
-
combined_config =
|
|
200
|
+
combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, report_only: true)
|
|
150
201
|
csp = ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox])
|
|
151
|
-
expect(csp.name).to eq(
|
|
202
|
+
expect(csp.name).to eq(ContentSecurityPolicyReportOnlyConfig::HEADER_NAME)
|
|
152
203
|
end
|
|
153
204
|
|
|
154
205
|
it "overrides the :block_all_mixed_content flag" do
|
|
155
206
|
Configuration.default do |config|
|
|
156
207
|
config.csp = {
|
|
157
208
|
default_src: %w(https:),
|
|
209
|
+
script_src: %w('self'),
|
|
158
210
|
block_all_mixed_content: false
|
|
159
211
|
}
|
|
160
212
|
end
|
|
161
|
-
combined_config =
|
|
213
|
+
combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, block_all_mixed_content: true)
|
|
162
214
|
csp = ContentSecurityPolicy.new(combined_config)
|
|
163
|
-
expect(csp.value).to eq("default-src https:; block-all-mixed-content")
|
|
215
|
+
expect(csp.value).to eq("default-src https:; block-all-mixed-content; script-src 'self'")
|
|
164
216
|
end
|
|
165
217
|
|
|
166
218
|
it "raises an error if appending to a OPT_OUT policy" do
|
|
@@ -168,23 +220,9 @@ module SecureHeaders
|
|
|
168
220
|
config.csp = OPT_OUT
|
|
169
221
|
end
|
|
170
222
|
expect do
|
|
171
|
-
|
|
223
|
+
ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, script_src: %w(anothercdn.com))
|
|
172
224
|
end.to raise_error(ContentSecurityPolicyConfigError)
|
|
173
225
|
end
|
|
174
226
|
end
|
|
175
|
-
|
|
176
|
-
describe "#idempotent_additions?" do
|
|
177
|
-
specify { expect(ContentSecurityPolicy.idempotent_additions?(OPT_OUT, script_src: %w(b.com))).to be false }
|
|
178
|
-
specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: %w(c.com))).to be false }
|
|
179
|
-
specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, style_src: %w(b.com))).to be false }
|
|
180
|
-
specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: %w(a.com b.com c.com))).to be false }
|
|
181
|
-
|
|
182
|
-
specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: %w(b.com))).to be true }
|
|
183
|
-
specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: %w(b.com a.com))).to be true }
|
|
184
|
-
specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: %w())).to be true }
|
|
185
|
-
specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: [nil])).to be true }
|
|
186
|
-
specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, style_src: [nil])).to be true }
|
|
187
|
-
specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, style_src: nil)).to be true }
|
|
188
|
-
end
|
|
189
227
|
end
|
|
190
228
|
end
|