secure_headers 3.4.1 → 3.5.0.pre

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 45e392304147a02bee8cf0709fe52e16f9ad255c
-  data.tar.gz: e07030aa93c84a20e9b22d88af6489d8a71c95e7
+  metadata.gz: a34fab69fada104ff674198e9ee40271bcc86aea
+  data.tar.gz: c95c8b38f37b47dd66cf202c83fd4923b1aa3df9
 SHA512:
-  metadata.gz: 8238f728eb74303b6aac54d40e3eaf1aacdaf7e0c910fe9a05f3dc005daa9eb96876391619eb2cb613a0d2a8ad358a48bc899626be46d201561f05064f47fdf8
-  data.tar.gz: d0d448274a7a4789f668ac59c49903bf50889a2675a82d62d91ca721c5160b50288b5fafcf8b041422f575cc42d31b4a614fbc8036759fb522c149131a472f33
+  metadata.gz: 93d7bc9412154b01231352eb801f9a6a72438d6ce442dc70e8f11a7d013a466ab3fcadfdea6abda7642361e6baa509c1a4087da0630f5263d26c42b5c384a890
+  data.tar.gz: 403ac9a435812bfbbe7ccd4edeb96d646975ab769582680d19c58c48145609cb06ff1095a683e4f6853d74dd4688a7fb99f35f56147a583af6835b2126c957c3

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 3.5.0.pre
+
+This release adds support for setting two CSP headers (enforced/report-only) and management around them.
+
 ## 3.4.1 Named Appends
 
 ### Small bugfix

data/README.md

@@ -36,7 +36,7 @@ SecureHeaders::Configuration.default do |config|
     secure: true, # mark all cookies as "Secure"
     httponly: true, # mark all cookies as "HttpOnly"
     samesite: {
-      strict: true # mark all cookies as SameSite=Strict
+      lax: true # mark all cookies as SameSite=lax
     }
   }
   config.hsts = "max-age=#{20.years.to_i}; includeSubdomains; preload"
@@ -48,7 +48,7 @@ SecureHeaders::Configuration.default do |config|
   config.referrer_policy = "origin-when-cross-origin"
   config.csp = {
     # "meta" values. these will shaped the header, but the values are not included in the header.
-    report_only: true,      # default: false
+    report_only: true,      # default: false [DEPRECATED: instead, configure csp_report_only]
     preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
 
     # directive values: these values will directly translate into source directives
@@ -69,6 +69,10 @@ SecureHeaders::Configuration.default do |config|
     upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
     report_uri: %w(https://report-uri.io/example-csp)
   }
+  config.csp_report_only = config.csp.merge({
+    img_src: %w(somewhereelse.com),
+    report_uri: %w(https://report-uri.io/example-csp-report-only)
+  })
   config.hpkp = {
     report_only: false,
     max_age: 60.days.to_i,
@@ -92,7 +96,32 @@ use SecureHeaders::Middleware
 
 ## Default values
 
-All headers except for PublicKeyPins have a default value. See the [corresponding classes for their defaults](https://github.com/twitter/secureheaders/tree/master/lib/secure_headers/headers).
+All headers except for PublicKeyPins have a default value. See the [corresponding classes for their defaults](https://github.com/twitter/secureheaders/tree/master/lib/secure_headers/headers). The default set of headers is:
+
+```
+Content-Security-Policy: default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; object-src 'none'; script-src https:; style-src 'self' https: 'unsafe-inline'
+Strict-Transport-Security: max-age=631138519
+X-Content-Type-Options: nosniff
+X-Download-Options: noopen
+X-Frame-Options: sameorigin
+X-Permitted-Cross-Domain-Policies: none
+X-Xss-Protection: 1; mode=block
+```
+
+### Default CSP
+
+By default, the above CSP will be applied to all requests. If you **only** want to set a Report-Only header, opt-out of the default enforced header for clarity. The configuration will assume that if you only supply `csp_report_only` that you intended to opt-out of `csp` but that's for the sake of backwards compatibility and it will be removed in the future.
+
+```ruby
+Configuration.default do |config|
+  config.csp = SecureHeaders::OPT_OUT # If this line is omitted, we will assume you meant to opt out.
+  config.csp_report_only = {
+    default_src: %w('self')
+  }
+end
+```
+
+If **
 
 ## Named Appends
 

data/lib/secure_headers.rb

@@ -14,18 +14,43 @@ require "secure_headers/middleware"
 require "secure_headers/railtie"
 require "secure_headers/view_helper"
 require "useragent"
+require "singleton"
 
 # All headers (except for hpkp) have a default value. Provide SecureHeaders::OPT_OUT
 # or ":optout_of_protection" as a config value to disable a given header
 module SecureHeaders
-  OPT_OUT = :opt_out_of_protection
+  class NoOpHeaderConfig
+    include Singleton
+
+    def boom(arg = nil)
+      raise "Illegal State: attempted to modify NoOpHeaderConfig. Create a new config instead."
+    end
+
+    def to_h
+      {}
+    end
+
+    def dup
+      self.class.instance
+    end
+
+    def opt_out?
+      true
+    end
+
+    alias_method :[], :boom
+    alias_method :[]=, :boom
+    alias_method :keys, :boom
+  end
+
+  OPT_OUT = NoOpHeaderConfig.instance
   SECURE_HEADERS_CONFIG = "secure_headers_request_config".freeze
   NONCE_KEY = "secure_headers_content_security_policy_nonce".freeze
   HTTPS = "https".freeze
-  CSP = ContentSecurityPolicy
 
   ALL_HEADER_CLASSES = [
-    ContentSecurityPolicy,
+    ContentSecurityPolicyConfig,
+    ContentSecurityPolicyReportOnlyConfig,
     StrictTransportSecurity,
     PublicKeyPins,
     ReferrerPolicy,
@@ -36,7 +61,10 @@ module SecureHeaders
     XXssProtection
   ].freeze
 
-  ALL_HEADERS_BESIDES_CSP = (ALL_HEADER_CLASSES - [CSP]).freeze
+  ALL_HEADERS_BESIDES_CSP = (
+    ALL_HEADER_CLASSES -
+      [ContentSecurityPolicyConfig, ContentSecurityPolicyReportOnlyConfig]
+  ).freeze
 
   # Headers set on http requests (excludes STS and HPKP)
   HTTP_HEADER_CLASSES =
@@ -50,13 +78,25 @@ module SecureHeaders
     #
     # additions - a hash containing directives. e.g.
     #    script_src: %w(another-host.com)
-    def override_content_security_policy_directives(request, additions)
-      config = config_for(request)
-      if config.current_csp == OPT_OUT
-        config.dynamic_csp = {}
+    def override_content_security_policy_directives(request, additions, target = nil)
+      config, target = config_and_target(request, target)
+
+      if [:both, :enforced].include?(target)
+        if config.csp.opt_out?
+          config.csp = ContentSecurityPolicyConfig.new({})
+        end
+
+        config.csp.merge!(additions)
+      end
+
+      if [:both, :report_only].include?(target)
+        if config.csp_report_only.opt_out?
+          config.csp_report_only = ContentSecurityPolicyReportOnlyConfig.new({})
+        end
+
+        config.csp_report_only.merge!(additions)
       end
 
-      config.dynamic_csp = config.current_csp.merge(additions)
       override_secure_headers_request_config(request, config)
     end
 
@@ -66,9 +106,17 @@ module SecureHeaders
     #
     # additions - a hash containing directives. e.g.
     #    script_src: %w(another-host.com)
-    def append_content_security_policy_directives(request, additions)
-      config = config_for(request)
-      config.dynamic_csp = CSP.combine_policies(config.current_csp, additions)
+    def append_content_security_policy_directives(request, additions, target = nil)
+      config, target = config_and_target(request, target)
+
+      if [:both, :enforced].include?(target) && !config.csp.opt_out?
+        config.csp.append(additions)
+      end
+
+      if [:both, :report_only].include?(target) && !config.csp_report_only.opt_out?
+        config.csp_report_only.append(additions)
+      end
+
       override_secure_headers_request_config(request, config)
     end
 
@@ -112,12 +160,28 @@ module SecureHeaders
     # returned is meant to be merged into the header value from `@app.call(env)`
     # in Rack middleware.
     def header_hash_for(request)
-      config = config_for(request)
-      unless ContentSecurityPolicy.idempotent_additions?(config.csp, config.current_csp)
-        config.rebuild_csp_header_cache!(request.user_agent)
+      config = config_for(request, prevent_dup = true)
+      headers = config.cached_headers
+      user_agent = UserAgent.parse(request.user_agent)
+
+      if !config.csp.opt_out? && config.csp.modified?
+        headers = update_cached_csp(config.csp, headers, user_agent)
       end
 
-      use_cached_headers(config.cached_headers, request)
+      if !config.csp_report_only.opt_out? && config.csp_report_only.modified?
+        headers = update_cached_csp(config.csp_report_only, headers, user_agent)
+      end
+
+      header_classes_for(request).each_with_object({}) do |klass, hash|
+        if header = headers[klass::CONFIG_KEY]
+          header_name, value = if [ContentSecurityPolicyConfig, ContentSecurityPolicyReportOnlyConfig].include?(klass)
+            csp_header_for_ua(header, user_agent)
+          else
+            header
+          end
+          hash[header_name] = value
+        end
+      end
     end
 
     # Public: specify which named override will be used for this request.
@@ -138,7 +202,7 @@ module SecureHeaders
     #
     # Returns the nonce
     def content_security_policy_script_nonce(request)
-      content_security_policy_nonce(request, CSP::SCRIPT_SRC)
+      content_security_policy_nonce(request, ContentSecurityPolicy::SCRIPT_SRC)
     end
 
     # Public: gets or creates a nonce for CSP.
@@ -147,7 +211,7 @@ module SecureHeaders
     #
     # Returns the nonce
     def content_security_policy_style_nonce(request)
-      content_security_policy_nonce(request, CSP::STYLE_SRC)
+      content_security_policy_nonce(request, ContentSecurityPolicy::STYLE_SRC)
     end
 
     # Public: Retreives the config for a given header type:
@@ -155,11 +219,15 @@ module SecureHeaders
     # Checks to see if there is an override for this request, then
     # Checks to see if a named override is used for this request, then
     # Falls back to the global config
-    def config_for(request)
+    def config_for(request, prevent_dup = false)
       config = request.env[SECURE_HEADERS_CONFIG] ||
         Configuration.get(Configuration::DEFAULT_CONFIG)
 
-      if config.frozen?
+
+      # Global configs are frozen, per-request configs are not. When we're not
+      # making modifications to the config, prevent_dup ensures we don't dup
+      # the object unnecessarily. It's not necessarily frozen to begin with.
+      if config.frozen? && !prevent_dup
         config.dup
       else
         config
@@ -167,13 +235,38 @@ module SecureHeaders
     end
 
     private
+    TARGETS = [:both, :enforced, :report_only]
+    def raise_on_unknown_target(target)
+      unless TARGETS.include?(target)
+        raise "Unrecognized target: #{target}. Must be [:both, :enforced, :report_only]"
+      end
+    end
+
+    def config_and_target(request, target)
+      config = config_for(request)
+      target = guess_target(config) unless target
+      raise_on_unknown_target(target)
+      [config, target]
+    end
+
+    def guess_target(config)
+      if !config.csp.opt_out? && !config.csp_report_only.opt_out?
+        :both
+      elsif !config.csp.opt_out?
+        :enforced
+      elsif !config.csp_report_only.opt_out?
+        :report_only
+      else
+        :both
+      end
+    end
 
     # Private: gets or creates a nonce for CSP.
     #
     # Returns the nonce
     def content_security_policy_nonce(request, script_or_style)
       request.env[NONCE_KEY] ||= SecureRandom.base64(32).chomp
-      nonce_key = script_or_style == CSP::SCRIPT_SRC ? :script_nonce : :style_nonce
+      nonce_key = script_or_style == ContentSecurityPolicy::SCRIPT_SRC ? :script_nonce : :style_nonce
       append_content_security_policy_directives(request, nonce_key => request.env[NONCE_KEY])
       request.env[NONCE_KEY]
     end
@@ -198,21 +291,12 @@ module SecureHeaders
       end
     end
 
-    # Private: takes a precomputed hash of headers and returns the Headers
-    # customized for the request.
-    #
-    # Returns a hash of header names / values valid for a given request.
-    def use_cached_headers(headers, request)
-      header_classes_for(request).each_with_object({}) do |klass, hash|
-        if header = headers[klass::CONFIG_KEY]
-          header_name, value = if klass == CSP
-            csp_header_for_ua(header, request)
-          else
-            header
-          end
-          hash[header_name] = value
-        end
-      end
+    def update_cached_csp(config, headers, user_agent)
+      headers = Configuration.send(:deep_copy, headers)
+      headers[config.class::CONFIG_KEY] = {}
+      variation = ContentSecurityPolicy.ua_to_variation(user_agent)
+      headers[config.class::CONFIG_KEY][variation] = ContentSecurityPolicy.make_header(config, user_agent)
+      headers
     end
 
     # Private: chooses the applicable CSP header for the provided user agent.
@@ -220,26 +304,8 @@ module SecureHeaders
     # headers - a hash of header_config_key => [header_name, header_value]
     #
     # Returns a CSP [header, value] array
-    def csp_header_for_ua(headers, request)
-      headers[CSP.ua_to_variation(UserAgent.parse(request.user_agent))]
-    end
-
-    # Private: optionally build a header with a given configure
-    #
-    # klass - corresponding Class for a given header
-    # config - A string, symbol, or hash config for the header
-    # user_agent - A string representing the UA  (only used for CSP feature sniffing)
-    #
-    # Returns a 2 element array [header_name, header_value] or nil if config
-    # is OPT_OUT
-    def make_header(klass, header_config, user_agent = nil)
-      unless header_config == OPT_OUT
-        if klass == CSP
-          klass.make_header(header_config, user_agent)
-        else
-          klass.make_header(header_config)
-        end
-      end
+    def csp_header_for_ua(headers, user_agent)
+      headers[ContentSecurityPolicy.ua_to_variation(user_agent)]
     end
   end
 

data/lib/secure_headers/configuration.rb

@@ -85,7 +85,6 @@ module SecureHeaders
           ALL_HEADER_CLASSES.each do |klass|
             config.send("#{klass::CONFIG_KEY}=", OPT_OUT)
           end
-          config.dynamic_csp = OPT_OUT
         end
 
         add_configuration(NOOP_CONFIGURATION, noop_config)
@@ -94,6 +93,7 @@ module SecureHeaders
       # Public: perform a basic deep dup. The shallow copy provided by dup/clone
       # can lead to modifying parent objects.
       def deep_copy(config)
+        return unless config
         config.each_with_object({}) do |(key, value), hash|
           hash[key] = if value.is_a?(Array)
             value.dup
@@ -114,13 +114,11 @@ module SecureHeaders
       end
     end
 
-    attr_accessor :dynamic_csp
-
     attr_writer :hsts, :x_frame_options, :x_content_type_options,
       :x_xss_protection, :x_download_options, :x_permitted_cross_domain_policies,
       :referrer_policy
 
-    attr_reader :cached_headers, :csp, :cookies, :hpkp, :hpkp_report_host
+    attr_reader :cached_headers, :csp, :cookies, :csp_report_only, :hpkp, :hpkp_report_host
 
     HASH_CONFIG_FILE = ENV["secure_headers_generated_hashes_file"] || "config/secure_headers_generated_hashes.yml"
     if File.exists?(HASH_CONFIG_FILE)
@@ -132,7 +130,8 @@ module SecureHeaders
     def initialize(&block)
       self.hpkp = OPT_OUT
       self.referrer_policy = OPT_OUT
-      self.csp = self.class.send(:deep_copy, CSP::DEFAULT_CONFIG)
+      self.csp = ContentSecurityPolicyConfig.new(ContentSecurityPolicyConfig::DEFAULT)
+      self.csp_report_only = OPT_OUT
       instance_eval &block if block_given?
     end
 
@@ -142,8 +141,8 @@ module SecureHeaders
     def dup
       copy = self.class.new
       copy.cookies = @cookies
-      copy.csp = self.class.send(:deep_copy_if_hash, @csp)
-      copy.dynamic_csp = self.class.send(:deep_copy_if_hash, @dynamic_csp)
+      copy.csp = @csp.dup if @csp
+      copy.csp_report_only = @csp_report_only.dup if @csp_report_only
       copy.cached_headers = self.class.send(:deep_copy_if_hash, @cached_headers)
       copy.x_content_type_options = @x_content_type_options
       copy.hsts = @hsts
@@ -159,9 +158,6 @@ module SecureHeaders
 
     def opt_out(header)
       send("#{header}=", OPT_OUT)
-      if header == CSP::CONFIG_KEY
-        dynamic_csp = OPT_OUT
-      end
       self.cached_headers.delete(header)
     end
 
@@ -170,20 +166,6 @@ module SecureHeaders
       self.cached_headers[XFrameOptions::CONFIG_KEY] = XFrameOptions.make_header(value)
     end
 
-    # Public: generated cached headers for a specific user agent.
-    def rebuild_csp_header_cache!(user_agent)
-      self.cached_headers[CSP::CONFIG_KEY] = {}
-      unless current_csp == OPT_OUT
-        user_agent = UserAgent.parse(user_agent)
-        variation = CSP.ua_to_variation(user_agent)
-        self.cached_headers[CSP::CONFIG_KEY][variation] = CSP.make_header(current_csp, user_agent)
-      end
-    end
-
-    def current_csp
-      @dynamic_csp || @csp
-    end
-
     # Public: validates all configurations values.
     #
     # Raises various configuration errors if any invalid config is detected.
@@ -192,6 +174,7 @@ module SecureHeaders
     def validate_config!
       StrictTransportSecurity.validate_config!(@hsts)
       ContentSecurityPolicy.validate_config!(@csp)
+      ContentSecurityPolicy.validate_config!(@csp_report_only)
       ReferrerPolicy.validate_config!(@referrer_policy)
       XFrameOptions.validate_config!(@x_frame_options)
       XContentTypeOptions.validate_config!(@x_content_type_options)
@@ -207,16 +190,50 @@ module SecureHeaders
       @cookies = (@cookies || {}).merge(secure: secure_cookies)
     end
 
-    protected
-
     def csp=(new_csp)
-      if self.dynamic_csp
-        raise IllegalPolicyModificationError, "You are attempting to modify CSP settings directly. Use dynamic_csp= instead."
+      if new_csp.respond_to?(:opt_out?)
+        @csp = new_csp.dup
+      else
+        if new_csp[:report_only]
+          # Deprecated configuration implies that CSPRO should be set, CSP should not - so opt out
+          Kernel.warn "#{Kernel.caller.first}: [DEPRECATION] `#csp=` was supplied a config with report_only: true. Use #csp_report_only="
+          @csp = OPT_OUT
+          self.csp_report_only = new_csp
+        else
+          @csp = ContentSecurityPolicyConfig.new(new_csp)
+        end
+      end
+    end
+
+    # Configures the Content-Security-Policy-Report-Only header. `new_csp` cannot
+    # contain `report_only: false` or an error will be raised.
+    #
+    # NOTE: if csp has not been configured/has the default value when
+    # configuring csp_report_only, the code will assume you mean to only use
+    # report-only mode and you will be opted-out of enforce mode.
+    def csp_report_only=(new_csp)
+      @csp_report_only = begin
+        if new_csp.is_a?(ContentSecurityPolicyConfig)
+          new_csp.make_report_only
+        elsif new_csp.respond_to?(:opt_out?)
+          new_csp.dup
+        else
+          if new_csp[:report_only] == false # nil is a valid value on which we do not want to raise
+            raise ContentSecurityPolicyConfigError, "`#csp_report_only=` was supplied a config with report_only: false. Use #csp="
+          else
+            ContentSecurityPolicyReportOnlyConfig.new(new_csp)
+          end
+        end
       end
 
-      @csp = self.class.send(:deep_copy_if_hash, new_csp)
+      if !@csp_report_only.opt_out? && @csp.to_h == ContentSecurityPolicyConfig::DEFAULT
+        Kernel.warn "#{Kernel.caller.first}: [DEPRECATION] `#csp_report_only=` was configured before `#csp=`. It is assumed you intended to opt out of `#csp=` so be sure to add `config.csp = SecureHeaders::OPT_OUT` to your config. Ensure that #csp_report_only is configured after #csp="
+        @csp = OPT_OUT
+      end
     end
 
+    protected
+
     def cookies=(cookies)
       @cookies = cookies
     end
@@ -269,12 +286,16 @@ module SecureHeaders
     #
     # Returns nothing
     def generate_csp_headers(headers)
-      unless @csp == OPT_OUT
-        headers[CSP::CONFIG_KEY] = {}
-        csp_config = self.current_csp
-        CSP::VARIATIONS.each do |name, _|
-          csp = CSP.make_header(csp_config, UserAgent.parse(name))
-          headers[CSP::CONFIG_KEY][name] = csp.freeze
+      generate_csp_headers_for_config(headers, ContentSecurityPolicyConfig::CONFIG_KEY, self.csp)
+      generate_csp_headers_for_config(headers, ContentSecurityPolicyReportOnlyConfig::CONFIG_KEY, self.csp_report_only)
+    end
+
+    def generate_csp_headers_for_config(headers, header_key, csp_config)
+      unless csp_config.opt_out?
+        headers[header_key] = {}
+        ContentSecurityPolicy::VARIATIONS.each do |name, _|
+          csp = ContentSecurityPolicy.make_header(csp_config, UserAgent.parse(name))
+          headers[header_key][name] = csp.freeze
         end
       end
     end