secure_headers 3.4.1 → 3.5.0.pre

data/spec/lib/secure_headers/headers/policy_management_spec.rb

@@ -40,70 +40,75 @@ module SecureHeaders
           report_uri: %w(https://example.com/uri-directive)
         }
 
-        CSP.validate_config!(config)
+        ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(config))
       end
 
       it "requires a :default_src value" do
         expect do
-          CSP.validate_config!(script_src: %('self'))
+          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(script_src: %('self')))
         end.to raise_error(ContentSecurityPolicyConfigError)
       end
 
       it "requires :report_only to be a truthy value" do
         expect do
-          CSP.validate_config!(default_opts.merge(report_only: "steve"))
+          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(report_only: "steve")))
         end.to raise_error(ContentSecurityPolicyConfigError)
       end
 
       it "requires :preserve_schemes to be a truthy value" do
         expect do
-          CSP.validate_config!(default_opts.merge(preserve_schemes: "steve"))
+          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(preserve_schemes: "steve")))
         end.to raise_error(ContentSecurityPolicyConfigError)
       end
 
       it "requires :block_all_mixed_content to be a boolean value" do
         expect do
-          CSP.validate_config!(default_opts.merge(block_all_mixed_content: "steve"))
+          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(block_all_mixed_content: "steve")))
         end.to raise_error(ContentSecurityPolicyConfigError)
       end
 
       it "requires :upgrade_insecure_requests to be a boolean value" do
         expect do
-          CSP.validate_config!(default_opts.merge(upgrade_insecure_requests: "steve"))
+          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(upgrade_insecure_requests: "steve")))
         end.to raise_error(ContentSecurityPolicyConfigError)
       end
 
       it "requires all source lists to be an array of strings" do
         expect do
-          CSP.validate_config!(default_src: "steve")
+          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: "steve"))
         end.to raise_error(ContentSecurityPolicyConfigError)
       end
 
       it "allows nil values" do
         expect do
-          CSP.validate_config!(default_src: %w('self'), script_src: ["https:", nil])
+          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w('self'), script_src: ["https:", nil]))
         end.to_not raise_error
       end
 
       it "rejects unknown directives / config" do
         expect do
-          CSP.validate_config!(default_src: %w('self'), default_src_totally_mispelled: "steve")
+          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w('self'), default_src_totally_mispelled: "steve"))
         end.to raise_error(ContentSecurityPolicyConfigError)
       end
 
       # this is mostly to ensure people don't use the antiquated shorthands common in other configs
       it "performs light validation on source lists" do
         expect do
-          CSP.validate_config!(default_src: %w(self none inline eval))
+          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w(self none inline eval)))
         end.to raise_error(ContentSecurityPolicyConfigError)
       end
     end
 
     describe "#combine_policies" do
       it "combines the default-src value with the override if the directive was unconfigured" do
-        combined_config = CSP.combine_policies(Configuration.default.csp, script_src: %w(anothercdn.com))
+        Configuration.default do |config|
+          config.csp = {
+            default_src: %w(https:)
+          }
+        end
+        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, script_src: %w(anothercdn.com))
         csp = ContentSecurityPolicy.new(combined_config)
-        expect(csp.name).to eq(CSP::HEADER_NAME)
+        expect(csp.name).to eq(ContentSecurityPolicyConfig::HEADER_NAME)
         expect(csp.value).to eq("default-src https:; script-src https: anothercdn.com")
       end
 
@@ -115,7 +120,7 @@ module SecureHeaders
           }.freeze
         end
         report_uri = "https://report-uri.io/asdf"
-        combined_config = CSP.combine_policies(Configuration.get.csp, report_uri: [report_uri])
+        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, report_uri: [report_uri])
         csp = ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox])
         expect(csp.value).to include("report-uri #{report_uri}")
       end
@@ -127,12 +132,12 @@ module SecureHeaders
             report_only: false
           }.freeze
         end
-        non_default_source_additions = CSP::NON_FETCH_SOURCES.each_with_object({}) do |directive, hash|
+        non_default_source_additions = ContentSecurityPolicy::NON_FETCH_SOURCES.each_with_object({}) do |directive, hash|
           hash[directive] = %w("http://example.org)
         end
-        combined_config = CSP.combine_policies(Configuration.get.csp, non_default_source_additions)
+        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, non_default_source_additions)
 
-        CSP::NON_FETCH_SOURCES.each do |directive|
+        ContentSecurityPolicy::NON_FETCH_SOURCES.each do |directive|
           expect(combined_config[directive]).to eq(%w("http://example.org))
         end
 
@@ -146,9 +151,9 @@ module SecureHeaders
             report_only: false
           }
         end
-        combined_config = CSP.combine_policies(Configuration.get.csp, report_only: true)
+        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, report_only: true)
         csp = ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox])
-        expect(csp.name).to eq(CSP::REPORT_ONLY)
+        expect(csp.name).to eq(ContentSecurityPolicyReportOnlyConfig::HEADER_NAME)
       end
 
       it "overrides the :block_all_mixed_content flag" do
@@ -158,7 +163,7 @@ module SecureHeaders
             block_all_mixed_content: false
           }
         end
-        combined_config = CSP.combine_policies(Configuration.get.csp, block_all_mixed_content: true)
+        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, block_all_mixed_content: true)
         csp = ContentSecurityPolicy.new(combined_config)
         expect(csp.value).to eq("default-src https:; block-all-mixed-content")
       end
@@ -168,23 +173,9 @@ module SecureHeaders
           config.csp = OPT_OUT
         end
         expect do
-          CSP.combine_policies(Configuration.get.csp, script_src: %w(anothercdn.com))
+          ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, script_src: %w(anothercdn.com))
         end.to raise_error(ContentSecurityPolicyConfigError)
       end
     end
-
-    describe "#idempotent_additions?" do
-      specify { expect(ContentSecurityPolicy.idempotent_additions?(OPT_OUT, script_src: %w(b.com))).to be false }
-      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: %w(c.com))).to be false }
-      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, style_src: %w(b.com))).to be false }
-      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: %w(a.com b.com c.com))).to be false }
-
-      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: %w(b.com))).to be true }
-      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: %w(b.com a.com))).to be true }
-      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: %w())).to be true }
-      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: [nil])).to be true }
-      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, style_src: [nil])).to be true }
-      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, style_src: nil)).to be true }
-    end
   end
 end

data/spec/lib/secure_headers/middleware_spec.rb

@@ -51,7 +51,7 @@ module SecureHeaders
       SecureHeaders.use_secure_headers_override(request, "my_custom_config")
       expect(request.env[SECURE_HEADERS_CONFIG]).to be(Configuration.get("my_custom_config"))
       _, env = middleware.call request.env
-      expect(env[CSP::HEADER_NAME]).to match("example.org")
+      expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match("example.org")
     end
 
     context "secure_cookies" do

data/spec/lib/secure_headers/view_helpers_spec.rb

@@ -72,8 +72,11 @@ module SecureHeaders
 
     before(:all) do
       Configuration.default do |config|
-        config.csp[:script_src] = %w('self')
-        config.csp[:style_src] = %w('self')
+        config.csp = {
+          :default_src => %w('self'),
+          :script_src => %w('self'),
+          :style_src => %w('self')
+        }
       end
     end
 
@@ -115,10 +118,10 @@ module SecureHeaders
         Message.new(request).result
         _, env = middleware.call request.env
 
-        expect(env[CSP::HEADER_NAME]).to match(/script-src[^;]*'#{Regexp.escape(expected_hash)}'/)
-        expect(env[CSP::HEADER_NAME]).to match(/script-src[^;]*'nonce-abc123'/)
-        expect(env[CSP::HEADER_NAME]).to match(/style-src[^;]*'nonce-abc123'/)
-        expect(env[CSP::HEADER_NAME]).to match(/style-src[^;]*'#{Regexp.escape(expected_style_hash)}'/)
+        expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/script-src[^;]*'#{Regexp.escape(expected_hash)}'/)
+        expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/script-src[^;]*'nonce-abc123'/)
+        expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/style-src[^;]*'nonce-abc123'/)
+        expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/style-src[^;]*'#{Regexp.escape(expected_style_hash)}'/)
       end
     end
   end

data/spec/lib/secure_headers_spec.rb

@@ -16,7 +16,7 @@ module SecureHeaders
 
     it "raises a NotYetConfiguredError if trying to opt-out of unconfigured headers" do
       expect do
-        SecureHeaders.opt_out_of_header(request, CSP::CONFIG_KEY)
+        SecureHeaders.opt_out_of_header(request, ContentSecurityPolicyConfig::CONFIG_KEY)
       end.to raise_error(Configuration::NotYetConfiguredError)
     end
 
@@ -29,8 +29,12 @@ module SecureHeaders
 
     describe "#header_hash_for" do
       it "allows you to opt out of individual headers via API" do
-        Configuration.default
-        SecureHeaders.opt_out_of_header(request, CSP::CONFIG_KEY)
+        Configuration.default do |config|
+          config.csp = { default_src: %w('self')}
+          config.csp_report_only = config.csp
+        end
+        SecureHeaders.opt_out_of_header(request, ContentSecurityPolicyConfig::CONFIG_KEY)
+        SecureHeaders.opt_out_of_header(request, ContentSecurityPolicyReportOnlyConfig::CONFIG_KEY)
         SecureHeaders.opt_out_of_header(request, XContentTypeOptions::CONFIG_KEY)
         hash = SecureHeaders.header_hash_for(request)
         expect(hash['Content-Security-Policy-Report-Only']).to be_nil
@@ -56,7 +60,21 @@ module SecureHeaders
       end
 
       it "allows you to opt out entirely" do
-        Configuration.default
+        # configure the disabled-by-default headers to ensure they also do not get set
+        Configuration.default do |config|
+          config.csp = { :default_src => ["example.com"] }
+          config.csp_report_only = config.csp
+          config.hpkp = {
+            report_only: false,
+            max_age: 10000000,
+            include_subdomains: true,
+            report_uri: "https://report-uri.io/example-hpkp",
+            pins: [
+              {sha256: "abc"},
+              {sha256: "123"}
+            ]
+          }
+        end
         SecureHeaders.opt_out_of_all_protection(request)
         hash = SecureHeaders.header_hash_for(request)
         ALL_HEADER_CLASSES.each do |klass|
@@ -82,7 +100,7 @@ module SecureHeaders
         SecureHeaders.override_content_security_policy_directives(request, default_src: %w(https:), script_src: %w('self'))
 
         hash = SecureHeaders.header_hash_for(request)
-        expect(hash[CSP::HEADER_NAME]).to eq("default-src https:; script-src 'self'")
+        expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src https:; script-src 'self'")
         expect(hash[XFrameOptions::HEADER_NAME]).to eq(XFrameOptions::SAMEORIGIN)
       end
 
@@ -96,14 +114,14 @@ module SecureHeaders
         firefox_request = Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:firefox]))
 
         # append an unsupported directive
-        SecureHeaders.override_content_security_policy_directives(firefox_request, plugin_types: %w(flash))
+        SecureHeaders.override_content_security_policy_directives(firefox_request, {plugin_types: %w(flash)})
         # append a supported directive
-        SecureHeaders.override_content_security_policy_directives(firefox_request, script_src: %w('self'))
+        SecureHeaders.override_content_security_policy_directives(firefox_request, {script_src: %w('self')})
 
         hash = SecureHeaders.header_hash_for(firefox_request)
 
         # child-src is translated to frame-src
-        expect(hash[CSP::HEADER_NAME]).to eq("default-src 'self'; frame-src 'self'; script-src 'self'")
+        expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; frame-src 'self'; script-src 'self'")
       end
 
       it "produces a hash of headers with default config" do
@@ -152,7 +170,7 @@ module SecureHeaders
 
           SecureHeaders.append_content_security_policy_directives(request, script_src: %w(anothercdn.com))
           hash = SecureHeaders.header_hash_for(request)
-          expect(hash[CSP::HEADER_NAME]).to eq("default-src 'self'; script-src mycdn.com 'unsafe-inline' anothercdn.com")
+          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; script-src mycdn.com 'unsafe-inline' anothercdn.com")
         end
 
         it "supports named appends" do
@@ -174,7 +192,7 @@ module SecureHeaders
           SecureHeaders.use_content_security_policy_named_append(request, :how_about_a_script_src_too)
           hash = SecureHeaders.header_hash_for(request)
 
-          expect(hash[CSP::HEADER_NAME]).to eq("default-src 'self' https:; script-src 'self' https: 'unsafe-inline'")
+          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self' https:; script-src 'self' https: 'unsafe-inline'")
         end
 
         it "appends a nonce to a missing script-src value" do
@@ -186,7 +204,7 @@ module SecureHeaders
 
           SecureHeaders.content_security_policy_script_nonce(request) # should add the value to the header
           hash = SecureHeaders.header_hash_for(chrome_request)
-          expect(hash[CSP::HEADER_NAME]).to match /\Adefault-src 'self'; script-src 'self' 'nonce-.*'\z/
+          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to match /\Adefault-src 'self'; script-src 'self' 'nonce-.*'\z/
         end
 
         it "appends a hash to a missing script-src value" do
@@ -198,48 +216,7 @@ module SecureHeaders
 
           SecureHeaders.append_content_security_policy_directives(request, script_src: %w('sha256-abc123'))
           hash = SecureHeaders.header_hash_for(chrome_request)
-          expect(hash[CSP::HEADER_NAME]).to match /\Adefault-src 'self'; script-src 'self' 'sha256-abc123'\z/
-        end
-
-        it "dups global configuration just once when overriding n times and only calls idempotent_additions? once" do
-          Configuration.default do |config|
-            config.csp = {
-              default_src: %w('self')
-            }
-          end
-
-          expect(CSP).to receive(:idempotent_additions?).once
-
-          # before an override occurs, the env is empty
-          expect(request.env[SECURE_HEADERS_CONFIG]).to be_nil
-
-          SecureHeaders.append_content_security_policy_directives(request, script_src: %w(anothercdn.com))
-          new_config = SecureHeaders.config_for(request)
-          expect(new_config).to_not be(Configuration.get)
-
-          SecureHeaders.override_content_security_policy_directives(request, script_src: %w(yet.anothercdn.com))
-          current_config = SecureHeaders.config_for(request)
-          expect(current_config).to be(new_config)
-
-          SecureHeaders.header_hash_for(request)
-        end
-
-        it "doesn't allow you to muck with csp configs when a dynamic policy is in use" do
-          default_config = Configuration.default
-          expect { default_config.csp = {} }.to raise_error(NoMethodError)
-
-          # config is frozen
-          expect { default_config.send(:csp=, {}) }.to raise_error(RuntimeError)
-
-          SecureHeaders.append_content_security_policy_directives(request, script_src: %w(anothercdn.com))
-          new_config = SecureHeaders.config_for(request)
-          expect { new_config.send(:csp=, {}) }.to raise_error(Configuration::IllegalPolicyModificationError)
-
-          expect do
-            new_config.instance_eval do
-              new_config.csp = {}
-            end
-          end.to raise_error(Configuration::IllegalPolicyModificationError)
+          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to match /\Adefault-src 'self'; script-src 'self' 'sha256-abc123'\z/
         end
 
         it "overrides individual directives" do
@@ -250,14 +227,19 @@ module SecureHeaders
           end
           SecureHeaders.override_content_security_policy_directives(request, default_src: %w('none'))
           hash = SecureHeaders.header_hash_for(request)
-          expect(hash[CSP::HEADER_NAME]).to eq("default-src 'none'")
+          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'none'")
         end
 
         it "overrides non-existant directives" do
-          Configuration.default
+          Configuration.default do |config|
+            config.csp = {
+              default_src: %w(https:)
+            }
+          end
           SecureHeaders.override_content_security_policy_directives(request, img_src: [ContentSecurityPolicy::DATA_PROTOCOL])
           hash = SecureHeaders.header_hash_for(request)
-          expect(hash[CSP::HEADER_NAME]).to eq("default-src https:; img-src data:")
+          expect(hash[ContentSecurityPolicyReportOnlyConfig::HEADER_NAME]).to be_nil
+          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src https:; img-src data:")
         end
 
         it "does not append a nonce when the browser does not support it" do
@@ -272,7 +254,7 @@ module SecureHeaders
           safari_request = Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:safari5]))
           nonce = SecureHeaders.content_security_policy_script_nonce(safari_request)
           hash = SecureHeaders.header_hash_for(safari_request)
-          expect(hash[CSP::HEADER_NAME]).to eq("default-src 'self'; script-src mycdn.com 'unsafe-inline'; style-src 'self'")
+          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; script-src mycdn.com 'unsafe-inline'; style-src 'self'")
         end
 
         it "appends a nonce to the script-src when used" do
@@ -294,6 +276,202 @@ module SecureHeaders
           hash = SecureHeaders.header_hash_for(chrome_request)
           expect(hash['Content-Security-Policy']).to eq("default-src 'self'; script-src mycdn.com 'nonce-#{nonce}'; style-src 'self'")
         end
+
+        it "supports the deprecated `report_only: true` format" do
+          expect(Kernel).to receive(:warn).once
+
+          Configuration.default do |config|
+            config.csp = {
+              default_src: %w('self'),
+              report_only: true
+            }
+          end
+
+          expect(Configuration.get.csp).to eq(OPT_OUT)
+          expect(Configuration.get.csp_report_only).to be_a(ContentSecurityPolicyReportOnlyConfig)
+
+          hash = SecureHeaders.header_hash_for(request)
+          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to be_nil
+          expect(hash[ContentSecurityPolicyReportOnlyConfig::HEADER_NAME]).to eq("default-src 'self'")
+        end
+
+        it "Raises an error if csp_report_only is used with `report_only: false`" do
+          expect do
+            Configuration.default do |config|
+              config.csp_report_only = {
+                default_src: %w('self'),
+                report_only: false
+              }
+            end
+          end.to raise_error(ContentSecurityPolicyConfigError)
+        end
+
+        context "setting two headers" do
+          before(:each) do
+            Configuration.default do |config|
+              config.csp = {
+                default_src: %w('self')
+              }
+              config.csp_report_only = config.csp
+            end
+          end
+
+          it "sets identical values when the configs are the same" do
+            Configuration.default do |config|
+              config.csp = {
+                default_src: %w('self')
+              }
+              config.csp_report_only = {
+                default_src: %w('self')
+              }
+            end
+
+            hash = SecureHeaders.header_hash_for(request)
+            expect(hash['Content-Security-Policy']).to eq("default-src 'self'")
+            expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'self'")
+          end
+
+          it "sets different headers when the configs are different" do
+            Configuration.default do |config|
+              config.csp = {
+                default_src: %w('self')
+              }
+              config.csp_report_only = config.csp.merge({script_src: %w('self')})
+            end
+
+            hash = SecureHeaders.header_hash_for(request)
+            expect(hash['Content-Security-Policy']).to eq("default-src 'self'")
+            expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; script-src 'self'")
+          end
+
+          it "allows you to opt-out of enforced CSP" do
+            Configuration.default do |config|
+              config.csp = SecureHeaders::OPT_OUT
+              config.csp_report_only = {
+                default_src: %w('self')
+              }
+            end
+
+            hash = SecureHeaders.header_hash_for(request)
+            expect(hash['Content-Security-Policy']).to be_nil
+            expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'self'")
+          end
+
+          it "opts-out of enforced CSP when only csp_report_only is set" do
+            expect(Kernel).to receive(:warn).once
+            Configuration.default do |config|
+              config.csp_report_only = {
+                default_src: %w('self')
+              }
+            end
+
+            hash = SecureHeaders.header_hash_for(request)
+            expect(hash['Content-Security-Policy']).to be_nil
+            expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'self'")
+          end
+
+          it "allows you to set csp_report_only before csp" do
+            expect(Kernel).to receive(:warn).once
+            Configuration.default do |config|
+              config.csp_report_only = {
+                default_src: %w('self')
+              }
+              config.csp = config.csp_report_only.merge({script_src: %w('unsafe-inline')})
+            end
+
+            hash = SecureHeaders.header_hash_for(request)
+            expect(hash['Content-Security-Policy']).to eq("default-src 'self'; script-src 'self' 'unsafe-inline'")
+            expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'self'")
+          end
+
+          it "allows appending to the enforced policy" do
+            SecureHeaders.append_content_security_policy_directives(request, {script_src: %w(anothercdn.com)}, :enforced)
+            hash = SecureHeaders.header_hash_for(request)
+            expect(hash['Content-Security-Policy']).to eq("default-src 'self'; script-src 'self' anothercdn.com")
+            expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'self'")
+          end
+
+          it "allows appending to the report only policy" do
+            SecureHeaders.append_content_security_policy_directives(request, {script_src: %w(anothercdn.com)}, :report_only)
+            hash = SecureHeaders.header_hash_for(request)
+            expect(hash['Content-Security-Policy']).to eq("default-src 'self'")
+            expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; script-src 'self' anothercdn.com")
+          end
+
+          it "allows appending to both policies" do
+            SecureHeaders.append_content_security_policy_directives(request, {script_src: %w(anothercdn.com)}, :both)
+            hash = SecureHeaders.header_hash_for(request)
+            expect(hash['Content-Security-Policy']).to eq("default-src 'self'; script-src 'self' anothercdn.com")
+            expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; script-src 'self' anothercdn.com")
+          end
+
+          it "allows overriding the enforced policy" do
+            SecureHeaders.override_content_security_policy_directives(request, {script_src: %w(anothercdn.com)}, :enforced)
+            hash = SecureHeaders.header_hash_for(request)
+            expect(hash['Content-Security-Policy']).to eq("default-src 'self'; script-src anothercdn.com")
+            expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'self'")
+          end
+
+          it "allows overriding the report only policy" do
+            SecureHeaders.override_content_security_policy_directives(request, {script_src: %w(anothercdn.com)}, :report_only)
+            hash = SecureHeaders.header_hash_for(request)
+            expect(hash['Content-Security-Policy']).to eq("default-src 'self'")
+            expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; script-src anothercdn.com")
+          end
+
+          it "allows overriding both policies" do
+            SecureHeaders.override_content_security_policy_directives(request, {script_src: %w(anothercdn.com)}, :both)
+            hash = SecureHeaders.header_hash_for(request)
+            expect(hash['Content-Security-Policy']).to eq("default-src 'self'; script-src anothercdn.com")
+            expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; script-src anothercdn.com")
+          end
+
+          context "when inferring which config to modify" do
+            it "updates the enforced header when configured" do
+              Configuration.default do |config|
+                config.csp = {
+                  default_src: %w('self')
+                }
+              end
+              SecureHeaders.append_content_security_policy_directives(request, {script_src: %w(anothercdn.com)})
+
+              hash = SecureHeaders.header_hash_for(request)
+              expect(hash['Content-Security-Policy']).to eq("default-src 'self'; script-src 'self' anothercdn.com")
+              expect(hash['Content-Security-Policy-Report-Only']).to be_nil
+            end
+
+            it "updates the report only header when configured" do
+              Configuration.default do |config|
+                config.csp = OPT_OUT
+                config.csp_report_only = {
+                  default_src: %w('self')
+                }
+              end
+              SecureHeaders.append_content_security_policy_directives(request, {script_src: %w(anothercdn.com)})
+
+              hash = SecureHeaders.header_hash_for(request)
+              expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; script-src 'self' anothercdn.com")
+              expect(hash['Content-Security-Policy']).to be_nil
+            end
+
+            it "updates both headers if both are configured" do
+              Configuration.default do |config|
+                config.csp = {
+                  default_src: %w(enforced.com)
+                }
+                config.csp_report_only = {
+                  default_src: %w(reportonly.com)
+                }
+              end
+              SecureHeaders.append_content_security_policy_directives(request, {script_src: %w(anothercdn.com)})
+
+              hash = SecureHeaders.header_hash_for(request)
+              expect(hash['Content-Security-Policy']).to eq("default-src enforced.com; script-src enforced.com anothercdn.com")
+              expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src reportonly.com; script-src reportonly.com anothercdn.com")
+            end
+
+          end
+        end
       end
     end
 
@@ -309,7 +487,7 @@ module SecureHeaders
       it "validates your csp config upon configuration" do
         expect do
           Configuration.default do |config|
-            config.csp = { CSP::DEFAULT_SRC => '123456' }
+            config.csp = { ContentSecurityPolicy::DEFAULT_SRC => '123456' }
           end
         end.to raise_error(ContentSecurityPolicyConfigError)
       end