secure_headers 3.7.2 → 4.0.0

data/spec/lib/secure_headers/headers/policy_management_spec.rb

@@ -1,4 +1,5 @@
-require 'spec_helper'
+# frozen_string_literal: true
+require "spec_helper"
 
 module SecureHeaders
   describe PolicyManagement do
@@ -16,7 +17,7 @@ module SecureHeaders
       it "accepts all keys" do
         # (pulled from README)
         config = {
-          # "meta" values. these will shaped the header, but the values are not included in the header.
+          # "meta" values. these will shape the header, but the values are not included in the header.
           report_only:  true,     # default: false
           preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
 
@@ -32,7 +33,6 @@ module SecureHeaders
           object_src: %w('self'),
           script_src: %w('self'),
           style_src: %w('unsafe-inline'),
-          worker_src: %w(worker.com),
           base_uri: %w('self'),
           form_action: %w('self' github.com),
           frame_ancestors: %w('none'),
@@ -47,10 +47,22 @@ module SecureHeaders
 
       it "requires a :default_src value" do
         expect do
-          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(script_src: %('self')))
+          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(script_src: %w('self')))
         end.to raise_error(ContentSecurityPolicyConfigError)
       end
 
+      it "requires a :script_src value" do
+        expect do
+          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w('self')))
+        end.to raise_error(ContentSecurityPolicyConfigError)
+      end
+
+      it "accepts OPT_OUT as a script-src value" do
+        expect do
+          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w('self'), script_src: OPT_OUT))
+        end.to_not raise_error
+      end
+
       it "requires :report_only to be a truthy value" do
         expect do
           ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(report_only: "steve")))
@@ -96,7 +108,7 @@ module SecureHeaders
       # this is mostly to ensure people don't use the antiquated shorthands common in other configs
       it "performs light validation on source lists" do
         expect do
-          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w(self none inline eval)))
+          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w(self none inline eval), script_src: %w('self')))
         end.to raise_error(ContentSecurityPolicyConfigError)
       end
 
@@ -135,19 +147,21 @@ module SecureHeaders
       it "combines the default-src value with the override if the directive was unconfigured" do
         Configuration.default do |config|
           config.csp = {
-            default_src: %w(https:)
+            default_src: %w(https:),
+            script_src: %w('self'),
           }
         end
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, script_src: %w(anothercdn.com))
+        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, style_src: %w(anothercdn.com))
         csp = ContentSecurityPolicy.new(combined_config)
         expect(csp.name).to eq(ContentSecurityPolicyConfig::HEADER_NAME)
-        expect(csp.value).to eq("default-src https:; script-src https: anothercdn.com")
+        expect(csp.value).to eq("default-src https:; script-src 'self'; style-src https: anothercdn.com")
       end
 
       it "combines directives where the original value is nil and the hash is frozen" do
         Configuration.default do |config|
           config.csp = {
             default_src: %w('self'),
+            script_src: %w('self'),
             report_only: false
           }.freeze
         end
@@ -161,6 +175,7 @@ module SecureHeaders
         Configuration.default do |config|
           config.csp = {
             default_src: %w('self'),
+            script_src: %w('self'),
             report_only: false
           }.freeze
         end
@@ -172,14 +187,13 @@ module SecureHeaders
         ContentSecurityPolicy::NON_FETCH_SOURCES.each do |directive|
           expect(combined_config[directive]).to eq(%w("http://example.org))
         end
-
-         ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox]).value
       end
 
       it "overrides the report_only flag" do
         Configuration.default do |config|
           config.csp = {
             default_src: %w('self'),
+            script_src: %w('self'),
             report_only: false
           }
         end
@@ -192,12 +206,13 @@ module SecureHeaders
         Configuration.default do |config|
           config.csp = {
             default_src: %w(https:),
+            script_src: %w('self'),
             block_all_mixed_content: false
           }
         end
         combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, block_all_mixed_content: true)
         csp = ContentSecurityPolicy.new(combined_config)
-        expect(csp.value).to eq("default-src https:; block-all-mixed-content")
+        expect(csp.value).to eq("default-src https:; block-all-mixed-content; script-src 'self'")
       end
 
       it "raises an error if appending to a OPT_OUT policy" do

data/spec/lib/secure_headers/headers/public_key_pins_spec.rb

@@ -1,4 +1,5 @@
-require 'spec_helper'
+# frozen_string_literal: true
+require "spec_helper"
 
 module SecureHeaders
   describe PublicKeyPins do
@@ -8,7 +9,7 @@ module SecureHeaders
     specify { expect(PublicKeyPins.new(max_age: 1234).value).to eq("max-age=1234") }
     specify { expect(PublicKeyPins.new(max_age: 1234).value).to eq("max-age=1234") }
     specify do
-      config = { max_age: 1234, pins: [{ sha256: 'base64encodedpin1' }, { sha256: 'base64encodedpin2' }] }
+      config = { max_age: 1234, pins: [{ sha256: "base64encodedpin1" }, { sha256: "base64encodedpin2" }] }
       header_value = "max-age=1234; pin-sha256=\"base64encodedpin1\"; pin-sha256=\"base64encodedpin2\""
       expect(PublicKeyPins.new(config).value).to eq(header_value)
     end
@@ -16,19 +17,19 @@ module SecureHeaders
     context "with an invalid configuration" do
       it "raises an exception when max-age is not provided" do
         expect do
-          PublicKeyPins.validate_config!(foo: 'bar')
+          PublicKeyPins.validate_config!(foo: "bar")
         end.to raise_error(PublicKeyPinsConfigError)
       end
 
       it "raises an exception with an invalid max-age" do
         expect do
-          PublicKeyPins.validate_config!(max_age: 'abc123')
+          PublicKeyPins.validate_config!(max_age: "abc123")
         end.to raise_error(PublicKeyPinsConfigError)
       end
 
-      it 'raises an exception with less than 2 pins' do
+      it "raises an exception with less than 2 pins" do
         expect do
-          config = { max_age: 1234, pins: [{ sha256: 'base64encodedpin' }] }
+          config = { max_age: 1234, pins: [{ sha256: "base64encodedpin" }] }
           PublicKeyPins.validate_config!(config)
         end.to raise_error(PublicKeyPinsConfigError)
       end

data/spec/lib/secure_headers/headers/referrer_policy_spec.rb

@@ -1,9 +1,10 @@
-require 'spec_helper'
+# frozen_string_literal: true
+require "spec_helper"
 
 module SecureHeaders
   describe ReferrerPolicy do
     specify { expect(ReferrerPolicy.make_header).to eq([ReferrerPolicy::HEADER_NAME, "origin-when-cross-origin"]) }
-    specify { expect(ReferrerPolicy.make_header('no-referrer')).to eq([ReferrerPolicy::HEADER_NAME, "no-referrer"]) }
+    specify { expect(ReferrerPolicy.make_header("no-referrer")).to eq([ReferrerPolicy::HEADER_NAME, "no-referrer"]) }
 
     context "valid configuration values" do
       it "accepts 'no-referrer'" do
@@ -61,7 +62,7 @@ module SecureHeaders
       end
     end
 
-    context 'invlaid configuration values' do
+    context "invlaid configuration values" do
       it "doesn't accept invalid values" do
         expect do
           ReferrerPolicy.validate_config!("open")

data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb

@@ -1,4 +1,5 @@
-require 'spec_helper'
+# frozen_string_literal: true
+require "spec_helper"
 
 module SecureHeaders
   describe StrictTransportSecurity do
@@ -10,19 +11,19 @@ module SecureHeaders
         context "with a string argument" do
           it "raises an exception with an invalid max-age" do
             expect do
-              StrictTransportSecurity.validate_config!('max-age=abc123')
+              StrictTransportSecurity.validate_config!("max-age=abc123")
             end.to raise_error(STSConfigError)
           end
 
           it "raises an exception if max-age is not supplied" do
             expect do
-              StrictTransportSecurity.validate_config!('includeSubdomains')
+              StrictTransportSecurity.validate_config!("includeSubdomains")
             end.to raise_error(STSConfigError)
           end
 
           it "raises an exception with an invalid format" do
             expect do
-              StrictTransportSecurity.validate_config!('max-age=123includeSubdomains')
+              StrictTransportSecurity.validate_config!("max-age=123includeSubdomains")
             end.to raise_error(STSConfigError)
           end
         end

data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb

@@ -1,4 +1,5 @@
-require 'spec_helper'
+# frozen_string_literal: true
+require "spec_helper"
 
 module SecureHeaders
   describe XContentTypeOptions do

data/spec/lib/secure_headers/headers/x_download_options_spec.rb

@@ -1,9 +1,10 @@
-require 'spec_helper'
+# frozen_string_literal: true
+require "spec_helper"
 
 module SecureHeaders
   describe XDownloadOptions do
     specify { expect(XDownloadOptions.make_header).to eq([XDownloadOptions::HEADER_NAME, XDownloadOptions::DEFAULT_VALUE]) }
-    specify { expect(XDownloadOptions.make_header('noopen')).to eq([XDownloadOptions::HEADER_NAME, 'noopen']) }
+    specify { expect(XDownloadOptions.make_header("noopen")).to eq([XDownloadOptions::HEADER_NAME, "noopen"]) }
 
     context "invalid configuration values" do
       it "accepts noopen" do

data/spec/lib/secure_headers/headers/x_frame_options_spec.rb

@@ -1,4 +1,5 @@
-require 'spec_helper'
+# frozen_string_literal: true
+require "spec_helper"
 
 module SecureHeaders
   describe XFrameOptions do

data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb

@@ -1,9 +1,10 @@
-require 'spec_helper'
+# frozen_string_literal: true
+require "spec_helper"
 
 module SecureHeaders
   describe XPermittedCrossDomainPolicies do
     specify { expect(XPermittedCrossDomainPolicies.make_header).to eq([XPermittedCrossDomainPolicies::HEADER_NAME, "none"]) }
-    specify { expect(XPermittedCrossDomainPolicies.make_header('master-only')).to eq([XPermittedCrossDomainPolicies::HEADER_NAME, 'master-only']) }
+    specify { expect(XPermittedCrossDomainPolicies.make_header("master-only")).to eq([XPermittedCrossDomainPolicies::HEADER_NAME, "master-only"]) }
 
     context "valid configuration values" do
       it "accepts 'all'" do
@@ -36,7 +37,7 @@ module SecureHeaders
       end
     end
 
-    context 'invlaid configuration values' do
+    context "invlaid configuration values" do
       it "doesn't accept invalid values" do
         expect do
           XPermittedCrossDomainPolicies.validate_config!("open")

data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb

@@ -1,9 +1,10 @@
-require 'spec_helper'
+# frozen_string_literal: true
+require "spec_helper"
 
 module SecureHeaders
   describe XXssProtection do
     specify { expect(XXssProtection.make_header).to eq([XXssProtection::HEADER_NAME, XXssProtection::DEFAULT_VALUE]) }
-    specify { expect(XXssProtection.make_header("1; mode=block; report=https://www.secure.com/reports")).to eq([XXssProtection::HEADER_NAME, '1; mode=block; report=https://www.secure.com/reports']) }
+    specify { expect(XXssProtection.make_header("1; mode=block; report=https://www.secure.com/reports")).to eq([XXssProtection::HEADER_NAME, "1; mode=block; report=https://www.secure.com/reports"]) }
 
     context "with invalid configuration" do
       it "should raise an error when providing a string that is not valid" do
@@ -19,7 +20,7 @@ module SecureHeaders
       context "when using a hash value" do
         it "should allow string values ('1' or '0' are the only valid strings)" do
           expect do
-            XXssProtection.validate_config!('1')
+            XXssProtection.validate_config!("1")
           end.not_to raise_error
         end
 

data/spec/lib/secure_headers/middleware_spec.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require "spec_helper"
 
 module SecureHeaders
@@ -19,8 +20,8 @@ module SecureHeaders
         config.hpkp = {
           max_age: 10000000,
           pins: [
-            {sha256: 'b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c'},
-            {sha256: '73a2c64f9545172c1195efb6616ca5f7afd1df6f245407cafb90de3998a1c97f'}
+            {sha256: "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c"},
+            {sha256: "73a2c64f9545172c1195efb6616ca5f7afd1df6f245407cafb90de3998a1c97f"}
           ],
           report_uri: "https://#{report_host}/example-hpkp"
         }
@@ -54,68 +55,75 @@ module SecureHeaders
       expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match("example.org")
     end
 
-    context "secure_cookies" do
+    context "cookies" do
       context "cookies should be flagged" do
         it "flags cookies as secure" do
-          capture_warning do
-            Configuration.default { |config| config.secure_cookies = true }
-          end
+          Configuration.default { |config| config.cookies = {secure: true, httponly: OPT_OUT, samesite: OPT_OUT} }
           request = Rack::Request.new("HTTPS" => "on")
           _, env = cookie_middleware.call request.env
-          expect(env['Set-Cookie']).to eq("foo=bar; secure")
+          expect(env["Set-Cookie"]).to eq("foo=bar; secure")
         end
       end
 
+      it "allows opting out of cookie protection with OPT_OUT alone" do
+        Configuration.default { |config| config.cookies = OPT_OUT}
+
+        # do NOT make this request https. non-https requests modify a config,
+        # causing an exception when operating on OPT_OUT. This ensures we don't
+        # try to modify the config.
+        request = Rack::Request.new({})
+        _, env = cookie_middleware.call request.env
+        expect(env["Set-Cookie"]).to eq("foo=bar")
+      end
+
       context "cookies should not be flagged" do
         it "does not flags cookies as secure" do
-          capture_warning do
-            Configuration.default { |config| config.secure_cookies = false }
-          end
+          Configuration.default { |config| config.cookies = {secure: OPT_OUT, httponly: OPT_OUT, samesite: OPT_OUT}  }
           request = Rack::Request.new("HTTPS" => "on")
           _, env = cookie_middleware.call request.env
-          expect(env['Set-Cookie']).to eq("foo=bar")
+          expect(env["Set-Cookie"]).to eq("foo=bar")
         end
       end
     end
 
     context "cookies" do
       it "flags cookies from configuration" do
-        Configuration.default { |config| config.cookies = { secure: true, httponly: true } }
+        Configuration.default { |config| config.cookies = { secure: true, httponly: true, samesite: { lax: true} } }
         request = Rack::Request.new("HTTPS" => "on")
         _, env = cookie_middleware.call request.env
 
-        expect(env['Set-Cookie']).to eq("foo=bar; secure; HttpOnly")
+        expect(env["Set-Cookie"]).to eq("foo=bar; secure; HttpOnly; SameSite=Lax")
       end
 
       it "flags cookies with a combination of SameSite configurations" do
         cookie_middleware = Middleware.new(lambda { |env| [200, env.merge("Set-Cookie" => ["_session=foobar", "_guest=true"]), "app"] })
 
-        Configuration.default { |config| config.cookies = { samesite: { lax: { except: ["_session"] }, strict: { only: ["_session"] } } } }
+        Configuration.default { |config| config.cookies = { samesite: { lax: { except: ["_session"] }, strict: { only: ["_session"] } }, httponly: OPT_OUT, secure: OPT_OUT} }
         request = Rack::Request.new("HTTPS" => "on")
         _, env = cookie_middleware.call request.env
 
-        expect(env['Set-Cookie']).to match("_session=foobar; SameSite=Strict")
-        expect(env['Set-Cookie']).to match("_guest=true; SameSite=Lax")
+        expect(env["Set-Cookie"]).to match("_session=foobar; SameSite=Strict")
+        expect(env["Set-Cookie"]).to match("_guest=true; SameSite=Lax")
       end
 
       it "disables secure cookies for non-https requests" do
-        Configuration.default { |config| config.cookies = { secure: true } }
+        Configuration.default { |config| config.cookies = { secure: true, httponly: OPT_OUT, samesite: OPT_OUT } }
 
         request = Rack::Request.new("HTTPS" => "off")
         _, env = cookie_middleware.call request.env
-        expect(env['Set-Cookie']).to eq("foo=bar")
+        expect(env["Set-Cookie"]).to eq("foo=bar")
       end
 
       it "sets the secure cookie flag correctly on interleaved http/https requests" do
-        Configuration.default { |config| config.cookies = { secure: true } }
+        Configuration.default { |config| config.cookies = { secure: true, httponly: OPT_OUT, samesite: OPT_OUT } }
 
         request = Rack::Request.new("HTTPS" => "off")
         _, env = cookie_middleware.call request.env
-        expect(env['Set-Cookie']).to eq("foo=bar")
+        expect(env["Set-Cookie"]).to eq("foo=bar")
 
         request = Rack::Request.new("HTTPS" => "on")
         _, env = cookie_middleware.call request.env
-        expect(env['Set-Cookie']).to eq("foo=bar; secure")
+        expect(env["Set-Cookie"]).to eq("foo=bar; secure")
       end
     end
   end

data/spec/lib/secure_headers/view_helpers_spec.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require "spec_helper"
 require "erb"
 
@@ -58,7 +59,7 @@ TEMPLATE
     end
 
     if options.is_a?(Hash)
-      options = options.map {|k,v| " #{k}=#{v}"}
+      options = options.map {|k, v| " #{k}=#{v}"}
     end
     "<#{type}#{options}>#{content}</#{type}>"
   end
@@ -82,9 +83,9 @@ module SecureHeaders
     before(:all) do
       Configuration.default do |config|
         config.csp = {
-          :default_src => %w('self'),
-          :script_src => %w('self'),
-          :style_src => %w('self')
+          default_src: %w('self'),
+          script_src: %w('self'),
+          style_src: %w('self')
         }
       end
     end