secure_headers 3.9.0 → 4.0.0.alpha01

data/lib/secure_headers/headers/content_security_policy_config.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module SecureHeaders
   module DynamicConfig
     def self.included(base)
@@ -37,7 +38,6 @@ module SecureHeaders
       @script_src = nil
       @style_nonce = nil
       @style_src = nil
-      @worker_src = nil
       @upgrade_insecure_requests = nil
 
       from_hash(hash)

data/lib/secure_headers/headers/cookie.rb

@@ -1,5 +1,7 @@
-require 'cgi'
-require 'secure_headers/utils/cookies_config'
+# frozen_string_literal: true
+require "cgi"
+require "secure_headers/utils/cookies_config"
+
 
 module SecureHeaders
   class CookiesConfigError < StandardError; end
@@ -13,8 +15,18 @@ module SecureHeaders
 
     attr_reader :raw_cookie, :config
 
+    COOKIE_DEFAULTS = {
+      httponly: true,
+      secure: true,
+      samesite: { lax: true },
+    }.freeze
+
     def initialize(cookie, config)
       @raw_cookie = cookie
+      unless config == OPT_OUT
+        config ||= {}
+        config = COOKIE_DEFAULTS.merge(config)
+      end
       @config = config
       @attributes = {
         httponly: nil,
@@ -56,6 +68,7 @@ module SecureHeaders
     end
 
     def flag_cookie?(attribute)
+      return false if config == OPT_OUT
       case config[attribute]
       when TrueClass
         true
@@ -81,13 +94,12 @@ module SecureHeaders
         "SameSite=Lax"
       elsif flag_samesite_strict?
         "SameSite=Strict"
-      elsif flag_samesite_none?
-        "SameSite=None"
       end
     end
 
     def flag_samesite?
-      flag_samesite_lax? || flag_samesite_strict? || flag_samesite_none?
+      return false if config == OPT_OUT || config[:samesite] == OPT_OUT
+      flag_samesite_lax? || flag_samesite_strict?
     end
 
     def flag_samesite_lax?
@@ -98,13 +110,13 @@ module SecureHeaders
       flag_samesite_enforcement?(:strict)
     end
 
-    def flag_samesite_none?
-      flag_samesite_enforcement?(:none)
-    end
-
     def flag_samesite_enforcement?(mode)
       return unless config[:samesite]
 
+      if config[:samesite].is_a?(TrueClass) && mode == :lax
+        return true
+      end
+
       case config[:samesite][mode]
       when Hash
         conditionally_flag?(config[:samesite][mode])
@@ -119,7 +131,7 @@ module SecureHeaders
       return unless cookie
 
       cookie.split(/[;,]\s?/).each do |pairs|
-        name, values = pairs.split('=',2)
+        name, values = pairs.split("=", 2)
         name = CGI.unescape(name)
 
         attribute = name.downcase.to_sym

data/lib/secure_headers/headers/policy_management.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module SecureHeaders
   module PolicyManagement
     def self.included(base)
@@ -5,8 +6,14 @@ module SecureHeaders
     end
 
     MODERN_BROWSERS = %w(Chrome Opera Firefox)
-    DEFAULT_VALUE = "default-src https:".freeze
-    DEFAULT_CONFIG = { default_src: %w(https:) }.freeze
+    DEFAULT_CONFIG = {
+      default_src: %w(https:),
+      img_src: %w(https: data: 'self'),
+      object_src: %w('none'),
+      script_src: %w(https:),
+      style_src: %w('self' 'unsafe-inline' https:),
+      form_action: %w('self')
+    }.freeze
     DATA_PROTOCOL = "data:".freeze
     BLOB_PROTOCOL = "blob:".freeze
     SELF = "'self'".freeze
@@ -65,13 +72,10 @@ module SecureHeaders
     BLOCK_ALL_MIXED_CONTENT = :block_all_mixed_content
     MANIFEST_SRC = :manifest_src
     UPGRADE_INSECURE_REQUESTS = :upgrade_insecure_requests
-    WORKER_SRC = :worker_src
-
     DIRECTIVES_3_0 = [
       DIRECTIVES_2_0,
       BLOCK_ALL_MIXED_CONTENT,
       MANIFEST_SRC,
-      WORKER_SRC,
       UPGRADE_INSECURE_REQUESTS
     ].flatten.freeze
 
@@ -82,7 +86,6 @@ module SecureHeaders
     FIREFOX_UNSUPPORTED_DIRECTIVES = [
       BLOCK_ALL_MIXED_CONTENT,
       CHILD_SRC,
-      WORKER_SRC,
       PLUGIN_TYPES
     ].freeze
 
@@ -92,7 +95,6 @@ module SecureHeaders
 
     FIREFOX_46_UNSUPPORTED_DIRECTIVES = [
       BLOCK_ALL_MIXED_CONTENT,
-      WORKER_SRC,
       PLUGIN_TYPES
     ].freeze
 
@@ -114,6 +116,18 @@ module SecureHeaders
     # everything else is in between.
     BODY_DIRECTIVES = ALL_DIRECTIVES - [DEFAULT_SRC, REPORT_URI]
 
+    # These are directives that do not inherit the default-src value. This is
+    # useful when calling #combine_policies.
+    NON_FETCH_SOURCES = [
+      BASE_URI,
+      FORM_ACTION,
+      FRAME_ANCESTORS,
+      PLUGIN_TYPES,
+      REPORT_URI
+    ]
+
+    FETCH_SOURCES = ALL_DIRECTIVES - NON_FETCH_SOURCES
+
     VARIATIONS = {
       "Chrome" => CHROME_DIRECTIVES,
       "Opera" => CHROME_DIRECTIVES,
@@ -141,31 +155,14 @@ module SecureHeaders
       MANIFEST_SRC              => :source_list,
       MEDIA_SRC                 => :source_list,
       OBJECT_SRC                => :source_list,
-      PLUGIN_TYPES              => :media_type_list,
+      PLUGIN_TYPES              => :source_list,
       REPORT_URI                => :source_list,
-      SANDBOX                   => :sandbox_list,
+      SANDBOX                   => :source_list,
       SCRIPT_SRC                => :source_list,
       STYLE_SRC                 => :source_list,
-      WORKER_SRC                => :source_list,
       UPGRADE_INSECURE_REQUESTS => :boolean
     }.freeze
 
-    # These are directives that don't have use a source list, and hence do not
-    # inherit the default-src value.
-    NON_SOURCE_LIST_SOURCES = DIRECTIVE_VALUE_TYPES.select do |_, type|
-      type != :source_list
-    end.keys.freeze
-
-    # These are directives that take a source list, but that do not inherit
-    # the default-src value.
-    NON_FETCH_SOURCES = [
-      BASE_URI,
-      FORM_ACTION,
-      FRAME_ANCESTORS,
-      REPORT_URI
-    ]
-
-    FETCH_SOURCES = ALL_DIRECTIVES - NON_FETCH_SOURCES - NON_SOURCE_LIST_SOURCES
 
     STAR_REGEXP = Regexp.new(Regexp.escape(STAR))
     HTTP_SCHEME_REGEX = %r{\Ahttps?://}
@@ -205,6 +202,7 @@ module SecureHeaders
       def validate_config!(config)
         return if config.nil? || config.opt_out?
         raise ContentSecurityPolicyConfigError.new(":default_src is required") unless config.directive_value(:default_src)
+        raise ContentSecurityPolicyConfigError.new(":script_src is required, falling back to default-src is too dangerous") unless config.directive_value(:script_src)
         ContentSecurityPolicyConfig.attrs.each do |key|
           value = config.directive_value(key)
           next unless value
@@ -263,7 +261,7 @@ module SecureHeaders
       # when each hash contains a value for a given key.
       def merge_policy_additions(original, additions)
         original.merge(additions) do |directive, lhs, rhs|
-          if list_directive?(directive)
+          if source_list?(directive)
             (lhs.to_a + rhs.to_a).compact.uniq
           else
             rhs
@@ -271,27 +269,20 @@ module SecureHeaders
         end.reject { |_, value| value.nil? || value == [] } # this mess prevents us from adding empty directives.
       end
 
-      # Returns True if a directive expects a list of values and False otherwise.
-      def list_directive?(directive)
-        source_list?(directive) ||
-          sandbox_list?(directive) ||
-          media_type_list?(directive)
-      end
-
       # For each directive in additions that does not exist in the original config,
       # copy the default-src value to the original config. This modifies the original hash.
       def populate_fetch_source_with_default!(original, additions)
         # in case we would be appending to an empty directive, fill it with the default-src value
         additions.each_key do |directive|
-          directive = if directive.to_s.end_with?("_nonce")
-            directive.to_s.gsub(/_nonce/, "_src").to_sym
-          else
-            directive
-          end
-          # Don't set a default if directive has an existing value
-          next if original[directive]
-          if FETCH_SOURCES.include?(directive)
-            original[directive] = default_for(directive, original)
+          if !original[directive] && ((source_list?(directive) && FETCH_SOURCES.include?(directive)) || nonce_added?(original, additions))
+            if nonce_added?(original, additions)
+              inferred_directive = directive.to_s.gsub(/_nonce/, "_src").to_sym
+              unless original[inferred_directive] || NON_FETCH_SOURCES.include?(inferred_directive)
+                original[inferred_directive] = default_for(directive, original)
+              end
+            else
+              original[directive] = default_for(directive, original)
+            end
           end
         end
       end
@@ -302,77 +293,45 @@ module SecureHeaders
         original[DEFAULT_SRC]
       end
 
-      def source_list?(directive)
-        DIRECTIVE_VALUE_TYPES[directive] == :source_list
-      end
-
-      def sandbox_list?(directive)
-        DIRECTIVE_VALUE_TYPES[directive] == :sandbox_list
+      def nonce_added?(original, additions)
+        [:script_nonce, :style_nonce].each do |nonce|
+          if additions[nonce] && !original[nonce]
+            return true
+          end
+        end
       end
 
-      def media_type_list?(directive)
-        DIRECTIVE_VALUE_TYPES[directive] == :media_type_list
+      def source_list?(directive)
+        DIRECTIVE_VALUE_TYPES[directive] == :source_list
       end
 
       # Private: Validates that the configuration has a valid type, or that it is a valid
       # source expression.
-      def validate_directive!(directive, value)
-        ensure_valid_directive!(directive)
+      def validate_directive!(directive, source_expression)
         case ContentSecurityPolicy::DIRECTIVE_VALUE_TYPES[directive]
         when :boolean
-          unless boolean?(value)
-            raise ContentSecurityPolicyConfigError.new("#{directive} must be a boolean. Found #{value.class} value")
+          unless boolean?(source_expression)
+            raise ContentSecurityPolicyConfigError.new("#{directive} must be a boolean value")
+          end
+        when :string
+          unless source_expression.is_a?(String)
+            raise ContentSecurityPolicyConfigError.new("#{directive} Must be a string. Found #{config.class}: #{config} value")
           end
-        when :sandbox_list
-          validate_sandbox_expression!(directive, value)
-        when :media_type_list
-          validate_media_type_expression!(directive, value)
-        when :source_list
-          validate_source_expression!(directive, value)
         else
-          raise ContentSecurityPolicyConfigError.new("Unknown directive #{directive}")
-        end
-      end
-
-      # Private: validates that a sandbox token expression:
-      # 1. is an array of strings or optionally `true` (to enable maximal sandboxing)
-      # 2. For arrays, each element is of the form allow-*
-      def validate_sandbox_expression!(directive, sandbox_token_expression)
-        # We support sandbox: true to indicate a maximally secure sandbox.
-        return if boolean?(sandbox_token_expression) && sandbox_token_expression == true
-        ensure_array_of_strings!(directive, sandbox_token_expression)
-        valid = sandbox_token_expression.compact.all? do |v|
-          v.is_a?(String) && v.start_with?("allow-")
-        end
-        if !valid
-          raise ContentSecurityPolicyConfigError.new("#{directive} must be True or an array of zero or more sandbox token strings (ex. allow-forms)")
-        end
-      end
-
-      # Private: validates that a media type expression:
-      # 1. is an array of strings
-      # 2. each element is of the form type/subtype
-      def validate_media_type_expression!(directive, media_type_expression)
-        ensure_array_of_strings!(directive, media_type_expression)
-        valid = media_type_expression.compact.all? do |v|
-          # All media types are of the form: <type from RFC 2045> "/" <subtype from RFC 2045>.
-          v =~ /\A.+\/.+\z/
-        end
-        if !valid
-          raise ContentSecurityPolicyConfigError.new("#{directive} must be an array of valid media types (ex. application/pdf)")
+          validate_source_expression!(directive, source_expression)
         end
       end
 
       # Private: validates that a source expression:
-      # 1. is an array of strings
-      # 2. does not contain any deprecated, now invalid values (inline, eval, self, none)
+      # 1. has a valid name
+      # 2. is an array of strings
+      # 3. does not contain any depreated, now invalid values (inline, eval, self, none)
       #
       # Does not validate the invididual values of the source expression (e.g.
       # script_src => h*t*t*p: will not raise an exception)
       def validate_source_expression!(directive, source_expression)
-        if source_expression != OPT_OUT
-          ensure_array_of_strings!(directive, source_expression)
-        end
+        ensure_valid_directive!(directive)
+        ensure_array_of_strings!(directive, source_expression)
         ensure_valid_sources!(directive, source_expression)
       end
 
@@ -382,8 +341,8 @@ module SecureHeaders
         end
       end
 
-      def ensure_array_of_strings!(directive, value)
-        if (!value.is_a?(Array) || !value.compact.all? { |v| v.is_a?(String) })
+      def ensure_array_of_strings!(directive, source_expression)
+        unless source_expression.is_a?(Array) && source_expression.compact.all? { |v| v.is_a?(String) }
           raise ContentSecurityPolicyConfigError.new("#{directive} must be an array of strings")
         end
       end

data/lib/secure_headers/headers/public_key_pins.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module SecureHeaders
   class PublicKeyPinsConfigError < StandardError; end
   class PublicKeyPins
@@ -54,7 +55,7 @@ module SecureHeaders
         pin_directives,
         report_uri_directive,
         subdomain_directive
-      ].compact.join('; ').strip
+      ].compact.join("; ").strip
     end
 
     def pin_directives
@@ -63,7 +64,7 @@ module SecureHeaders
         pin.map do |token, hash|
           "pin-#{token}=\"#{hash}\"" if HASH_ALGORITHMS.include?(token)
         end
-      end.join('; ')
+      end.join("; ")
     end
 
     def max_age_directive
@@ -75,7 +76,7 @@ module SecureHeaders
     end
 
     def subdomain_directive
-      @include_subdomains ? 'includeSubDomains' : nil
+      @include_subdomains ? "includeSubDomains" : nil
     end
   end
 end

data/lib/secure_headers/headers/referrer_policy.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module SecureHeaders
   class ReferrerPolicyConfigError < StandardError; end
   class ReferrerPolicy

data/lib/secure_headers/headers/strict_transport_security.rb

@@ -1,8 +1,9 @@
+# frozen_string_literal: true
 module SecureHeaders
   class STSConfigError < StandardError; end
 
   class StrictTransportSecurity
-    HEADER_NAME = 'Strict-Transport-Security'.freeze
+    HEADER_NAME = "Strict-Transport-Security".freeze
     HSTS_MAX_AGE = "631138519"
     DEFAULT_VALUE = "max-age=" + HSTS_MAX_AGE
     VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?(; preload)?\z/i

data/lib/secure_headers/headers/x_content_type_options.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module SecureHeaders
   class XContentTypeOptionsConfigError < StandardError; end
 

data/lib/secure_headers/headers/x_download_options.rb

@@ -1,8 +1,9 @@
+# frozen_string_literal: true
 module SecureHeaders
   class XDOConfigError < StandardError; end
   class XDownloadOptions
     HEADER_NAME = "X-Download-Options".freeze
-    DEFAULT_VALUE = 'noopen'
+    DEFAULT_VALUE = "noopen"
     CONFIG_KEY = :x_download_options
 
     class << self

data/lib/secure_headers/headers/x_frame_options.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module SecureHeaders
   class XFOConfigError < StandardError; end
   class XFrameOptions

data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb

@@ -1,8 +1,9 @@
+# frozen_string_literal: true
 module SecureHeaders
   class XPCDPConfigError < StandardError; end
   class XPermittedCrossDomainPolicies
     HEADER_NAME = "X-Permitted-Cross-Domain-Policies".freeze
-    DEFAULT_VALUE = 'none'
+    DEFAULT_VALUE = "none"
     VALID_POLICIES = %w(all none master-only by-content-type by-ftp-filename)
     CONFIG_KEY = :x_permitted_cross_domain_policies
 

data/lib/secure_headers/headers/x_xss_protection.rb

@@ -1,7 +1,8 @@
+# frozen_string_literal: true
 module SecureHeaders
   class XXssProtectionConfigError < StandardError; end
   class XXssProtection
-    HEADER_NAME = 'X-XSS-Protection'.freeze
+    HEADER_NAME = "X-XSS-Protection".freeze
     DEFAULT_VALUE = "1; mode=block"
     VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/i
     CONFIG_KEY = :x_xss_protection