secure_headers 5.0.5 → 6.0.0.alpha01

data/lib/secure_headers/headers/public_key_pins.rb

@@ -5,15 +5,14 @@ module SecureHeaders
     HEADER_NAME = "Public-Key-Pins".freeze
     REPORT_ONLY = "Public-Key-Pins-Report-Only".freeze
     HASH_ALGORITHMS = [:sha256].freeze
-    CONFIG_KEY = :hpkp
 
 
     class << self
       # Public: make an hpkp header name, value pair
       #
       # Returns nil if not configured, returns header name and value if configured.
-      def make_header(config)
-        return if config.nil?
+      def make_header(config, user_agent = nil)
+        return if config.nil? || config == OPT_OUT
         header = new(config)
         [header.name, header.value]
       end

data/lib/secure_headers/headers/referrer_policy.rb

@@ -14,14 +14,14 @@ module SecureHeaders
       origin-when-cross-origin
       unsafe-url
     )
-    CONFIG_KEY = :referrer_policy
 
     class << self
       # Public: generate an Referrer Policy header.
       #
       # Returns a default header if no configuration is provided, or a
       # header name and value based on the config.
-      def make_header(config = nil)
+      def make_header(config = nil, user_agent = nil)
+        return if config == OPT_OUT
         config ||= DEFAULT_VALUE
         [HEADER_NAME, Array(config).join(", ")]
       end

data/lib/secure_headers/headers/strict_transport_security.rb

@@ -8,14 +8,14 @@ module SecureHeaders
     DEFAULT_VALUE = "max-age=" + HSTS_MAX_AGE
     VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?(; preload)?\z/i
     MESSAGE = "The config value supplied for the HSTS header was invalid. Must match #{VALID_STS_HEADER}"
-    CONFIG_KEY = :hsts
 
     class << self
       # Public: generate an hsts header name, value pair.
       #
       # Returns a default header if no configuration is provided, or a
       # header name and value based on the config.
-      def make_header(config = nil)
+      def make_header(config = nil, user_agent = nil)
+        return if config == OPT_OUT
         [HEADER_NAME, config || DEFAULT_VALUE]
       end
 

data/lib/secure_headers/headers/x_content_type_options.rb

@@ -5,14 +5,14 @@ module SecureHeaders
   class XContentTypeOptions
     HEADER_NAME = "X-Content-Type-Options".freeze
     DEFAULT_VALUE = "nosniff"
-    CONFIG_KEY = :x_content_type_options
 
     class << self
       # Public: generate an X-Content-Type-Options header.
       #
       # Returns a default header if no configuration is provided, or a
       # header name and value based on the config.
-      def make_header(config = nil)
+      def make_header(config = nil, user_agent = nil)
+        return if config == OPT_OUT
         [HEADER_NAME, config || DEFAULT_VALUE]
       end
 

data/lib/secure_headers/headers/x_download_options.rb

@@ -4,14 +4,14 @@ module SecureHeaders
   class XDownloadOptions
     HEADER_NAME = "X-Download-Options".freeze
     DEFAULT_VALUE = "noopen"
-    CONFIG_KEY = :x_download_options
 
     class << self
       # Public: generate an X-Download-Options header.
       #
       # Returns a default header if no configuration is provided, or a
       # header name and value based on the config.
-      def make_header(config = nil)
+      def make_header(config = nil, user_agent = nil)
+        return if config == OPT_OUT
         [HEADER_NAME, config || DEFAULT_VALUE]
       end
 

data/lib/secure_headers/headers/x_frame_options.rb

@@ -3,7 +3,6 @@ module SecureHeaders
   class XFOConfigError < StandardError; end
   class XFrameOptions
     HEADER_NAME = "X-Frame-Options".freeze
-    CONFIG_KEY = :x_frame_options
     SAMEORIGIN = "sameorigin"
     DENY = "deny"
     ALLOW_FROM = "allow-from"
@@ -16,7 +15,7 @@ module SecureHeaders
       #
       # Returns a default header if no configuration is provided, or a
       # header name and value based on the config.
-      def make_header(config = nil)
+      def make_header(config = nil, user_agent = nil)
         return if config == OPT_OUT
         [HEADER_NAME, config || DEFAULT_VALUE]
       end

data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb

@@ -5,14 +5,14 @@ module SecureHeaders
     HEADER_NAME = "X-Permitted-Cross-Domain-Policies".freeze
     DEFAULT_VALUE = "none"
     VALID_POLICIES = %w(all none master-only by-content-type by-ftp-filename)
-    CONFIG_KEY = :x_permitted_cross_domain_policies
 
     class << self
       # Public: generate an X-Permitted-Cross-Domain-Policies header.
       #
       # Returns a default header if no configuration is provided, or a
       # header name and value based on the config.
-      def make_header(config = nil)
+      def make_header(config = nil, user_agent = nil)
+        return if config == OPT_OUT
         [HEADER_NAME, config || DEFAULT_VALUE]
       end
 

data/lib/secure_headers/headers/x_xss_protection.rb

@@ -4,15 +4,15 @@ module SecureHeaders
   class XXssProtection
     HEADER_NAME = "X-XSS-Protection".freeze
     DEFAULT_VALUE = "1; mode=block"
-    VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/i
-    CONFIG_KEY = :x_xss_protection
+    VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/
 
     class << self
       # Public: generate an X-Xss-Protection header.
       #
       # Returns a default header if no configuration is provided, or a
       # header name and value based on the config.
-      def make_header(config = nil)
+      def make_header(config = nil, user_agent = nil)
+        return if config == OPT_OUT
         [HEADER_NAME, config || DEFAULT_VALUE]
       end
 

data/lib/secure_headers.rb

@@ -1,5 +1,4 @@
 # frozen_string_literal: true
-require "secure_headers/configuration"
 require "secure_headers/hash_helper"
 require "secure_headers/headers/cookie"
 require "secure_headers/headers/public_key_pins"
@@ -18,6 +17,7 @@ require "secure_headers/railtie"
 require "secure_headers/view_helper"
 require "useragent"
 require "singleton"
+require "secure_headers/configuration"
 
 # All headers (except for hpkp) have a default value. Provide SecureHeaders::OPT_OUT
 # or ":optout_of_protection" as a config value to disable a given header
@@ -52,29 +52,9 @@ module SecureHeaders
   HTTPS = "https".freeze
   CSP = ContentSecurityPolicy
 
-  ALL_HEADER_CLASSES = [
-    ExpectCertificateTransparency,
-    ClearSiteData,
-    ContentSecurityPolicyConfig,
-    ContentSecurityPolicyReportOnlyConfig,
-    StrictTransportSecurity,
-    PublicKeyPins,
-    ReferrerPolicy,
-    XContentTypeOptions,
-    XDownloadOptions,
-    XFrameOptions,
-    XPermittedCrossDomainPolicies,
-    XXssProtection
-  ].freeze
-
-  ALL_HEADERS_BESIDES_CSP = (
-    ALL_HEADER_CLASSES -
-      [ContentSecurityPolicyConfig, ContentSecurityPolicyReportOnlyConfig]
-  ).freeze
-
   # Headers set on http requests (excludes STS and HPKP)
-  HTTP_HEADER_CLASSES =
-    (ALL_HEADER_CLASSES - [StrictTransportSecurity, PublicKeyPins]).freeze
+  HTTPS_HEADER_CLASSES =
+    [StrictTransportSecurity, PublicKeyPins].freeze
 
   class << self
     # Public: override a given set of directives for the current request. If a
@@ -153,7 +133,7 @@ module SecureHeaders
     # Public: opts out of setting all headers by telling secure_headers to use
     # the NOOP configuration.
     def opt_out_of_all_protection(request)
-      use_secure_headers_override(request, Configuration::NOOP_CONFIGURATION)
+      use_secure_headers_override(request, Configuration::NOOP_OVERRIDE)
     end
 
     # Public: Builds the hash of headers that should be applied base on the
@@ -168,27 +148,16 @@ module SecureHeaders
     def header_hash_for(request)
       prevent_dup = true
       config = config_for(request, prevent_dup)
-      headers = config.cached_headers
+      config.validate_config!
       user_agent = UserAgent.parse(request.user_agent)
+      headers = config.generate_headers(user_agent)
 
-      if !config.csp.opt_out? && config.csp.modified?
-        headers = update_cached_csp(config.csp, headers, user_agent)
-      end
-
-      if !config.csp_report_only.opt_out? && config.csp_report_only.modified?
-        headers = update_cached_csp(config.csp_report_only, headers, user_agent)
-      end
-
-      header_classes_for(request).each_with_object({}) do |klass, hash|
-        if header = headers[klass::CONFIG_KEY]
-          header_name, value = if klass == ContentSecurityPolicyConfig || klass == ContentSecurityPolicyReportOnlyConfig
-            csp_header_for_ua(header, user_agent)
-          else
-            header
-          end
-          hash[header_name] = value
+      if request.scheme != HTTPS
+        HTTPS_HEADER_CLASSES.each do |klass|
+          headers.delete(klass::HEADER_NAME)
         end
       end
+      headers
     end
 
     # Public: specify which named override will be used for this request.
@@ -196,11 +165,9 @@ module SecureHeaders
     #
     # name - the name of the previously configured override.
     def use_secure_headers_override(request, name)
-      if config = Configuration.get(name, internal: true)
-        override_secure_headers_request_config(request, config)
-      else
-        raise ArgumentError.new("no override by the name of #{name} has been configured")
-      end
+      config = config_for(request)
+      config.override(name)
+      override_secure_headers_request_config(request, config)
     end
 
     # Public: gets or creates a nonce for CSP.
@@ -228,7 +195,7 @@ module SecureHeaders
     # Falls back to the global config
     def config_for(request, prevent_dup = false)
       config = request.env[SECURE_HEADERS_CONFIG] ||
-        Configuration.get(Configuration::DEFAULT_CONFIG, internal: true)
+        Configuration.send(:default_config)
 
 
       # Global configs are frozen, per-request configs are not. When we're not
@@ -285,35 +252,6 @@ module SecureHeaders
     def override_secure_headers_request_config(request, config)
       request.env[SECURE_HEADERS_CONFIG] = config
     end
-
-    # Private: determines which headers are applicable to a given request.
-    #
-    # Returns a list of classes whose corresponding header values are valid for
-    # this request.
-    def header_classes_for(request)
-      if request.scheme == HTTPS
-        ALL_HEADER_CLASSES
-      else
-        HTTP_HEADER_CLASSES
-      end
-    end
-
-    def update_cached_csp(config, headers, user_agent)
-      headers = Configuration.send(:deep_copy, headers)
-      headers[config.class::CONFIG_KEY] = {}
-      variation = ContentSecurityPolicy.ua_to_variation(user_agent)
-      headers[config.class::CONFIG_KEY][variation] = ContentSecurityPolicy.make_header(config, user_agent)
-      headers
-    end
-
-    # Private: chooses the applicable CSP header for the provided user agent.
-    #
-    # headers - a hash of header_config_key => [header_name, header_value]
-    #
-    # Returns a CSP [header, value] array
-    def csp_header_for_ua(headers, user_agent)
-      headers[ContentSecurityPolicy.ua_to_variation(user_agent)]
-    end
   end
 
   # These methods are mixed into controllers and delegate to the class method

data/secure_headers.gemspec

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "5.0.5"
+  gem.version       = "6.0.0.alpha01"
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
   gem.description   = "Manages application of security headers with many safe defaults."

data/spec/lib/secure_headers/configuration_spec.rb

@@ -5,88 +5,33 @@ module SecureHeaders
   describe Configuration do
     before(:each) do
       reset_config
-      Configuration.default
     end
 
     it "has a default config" do
-      expect(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true)).to_not be_nil
-    end
-
-    it "warns when using deprecated internal-ish #get API" do
-      expect(Kernel).to receive(:warn).once.with(/`#get` is deprecated/)
-      Configuration.get(Configuration::DEFAULT_CONFIG)
-    end
-
-    it "has an 'noop' config" do
-      expect(Configuration.get(Configuration::NOOP_CONFIGURATION, internal: true)).to_not be_nil
-    end
-
-    it "precomputes headers upon creation" do
-      default_config = Configuration.get(Configuration::DEFAULT_CONFIG, internal: true)
-      header_hash = default_config.cached_headers.each_with_object({}) do |(key, value), hash|
-        header_name, header_value = if key == :csp
-          value["Chrome"]
-        else
-          value
-        end
-
-        hash[header_name] = header_value
-      end
-      expect_default_values(header_hash)
+      expect(Configuration.default).to_not be_nil
     end
 
-    it "copies config values when duping" do
-      Configuration.override(:test_override, Configuration::NOOP_CONFIGURATION) do
-        # do nothing, just copy it
-      end
-
-      config = Configuration.get(:test_override, internal: true)
-      noop = Configuration.get(Configuration::NOOP_CONFIGURATION, internal: true)
-      [:csp, :csp_report_only, :cookies].each do |key|
-        expect(config.send(key)).to eq(noop.send(key))
-      end
+    it "has an 'noop' override" do
+      Configuration.default
+      expect(Configuration.overrides(Configuration::NOOP_OVERRIDE)).to_not be_nil
     end
 
-    it "regenerates cached headers when building an override" do
-      Configuration.override(:test_override) do |config|
-        config.x_content_type_options = OPT_OUT
+    it "dup results in a copy of the default config" do
+      Configuration.default
+      original_configuration = Configuration.send(:default_config)
+      configuration = Configuration.dup
+      expect(original_configuration).not_to be(configuration)
+      Configuration::CONFIG_ATTRIBUTES.each do |attr|
+        expect(original_configuration.send(attr)).to eq(configuration.send(attr))
       end
-
-      expect(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true).cached_headers).to_not eq(Configuration.get(:test_override, internal: true).cached_headers)
     end
 
-    it "stores an override of the global config" do
+    it "stores an override" do
       Configuration.override(:test_override) do |config|
         config.x_frame_options = "DENY"
       end
 
-      expect(Configuration.get(:test_override, internal: true)).to_not be_nil
-    end
-
-    it "deep dup's config values when overriding so the original cannot be modified" do
-      Configuration.override(:override) do |config|
-        config.csp[:default_src] << "'self'"
-      end
-
-      default = Configuration.get(Configuration::DEFAULT_CONFIG, internal: true)
-      override = Configuration.get(:override, internal: true)
-
-      expect(override.csp.directive_value(:default_src)).not_to be(default.csp.directive_value(:default_src))
-    end
-
-    it "allows you to override an override" do
-      Configuration.override(:override) do |config|
-        config.csp = { default_src: %w('self'), script_src: %w('self')}
-      end
-
-      Configuration.override(:second_override, :override) do |config|
-        config.csp = config.csp.merge(script_src: %w(example.org))
-      end
-
-      original_override = Configuration.get(:override, internal: true)
-      expect(original_override.csp.to_h).to eq(default_src: %w('self'), script_src: %w('self'))
-      override_config = Configuration.get(:second_override, internal: true)
-      expect(override_config.csp.to_h).to eq(default_src: %w('self'), script_src: %w('self' example.org))
+      expect(Configuration.overrides(:test_override)).to_not be_nil
     end
 
     it "deprecates the secure_cookies configuration" do
@@ -106,7 +51,7 @@ module SecureHeaders
         config.cookies = OPT_OUT
       end
 
-      config = Configuration.get(Configuration::DEFAULT_CONFIG, internal: true)
+      config = Configuration.dup
       expect(config.cookies).to eq(OPT_OUT)
     end
 
@@ -115,7 +60,7 @@ module SecureHeaders
         config.cookies = {httponly: true, secure: true, samesite: {lax: false}}
       end
 
-      config = Configuration.get(Configuration::DEFAULT_CONFIG, internal: true)
+      config = Configuration.dup
       expect(config.cookies).to eq({httponly: true, secure: true, samesite: {lax: false}})
     end
   end

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -124,7 +124,7 @@ module SecureHeaders
 
       it "supports strict-dynamic" do
         csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456}, USER_AGENTS[:chrome])
-        expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456'")
+        expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456' 'unsafe-inline'")
       end
 
       context "browser sniffing" do
@@ -143,44 +143,44 @@ module SecureHeaders
 
         it "does not filter any directives for Chrome" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:chrome])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; worker-src worker-src.com; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456' 'unsafe-inline'; style-src style-src.com; upgrade-insecure-requests; worker-src worker-src.com; report-uri report-uri.com")
         end
 
         it "does not filter any directives for Opera" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:opera])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; worker-src worker-src.com; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456' 'unsafe-inline'; style-src style-src.com; upgrade-insecure-requests; worker-src worker-src.com; report-uri report-uri.com")
         end
 
         it "filters blocked-all-mixed-content, child-src, and plugin-types for firefox" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:firefox])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'nonce-123456' 'unsafe-inline'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
         end
 
         it "filters blocked-all-mixed-content, frame-src, and plugin-types for firefox 46 and higher" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:firefox46])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'nonce-123456' 'unsafe-inline'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
         end
 
-        it "child-src value is copied to frame-src, adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, upgrade-insecure-requests, child-src, form-action, frame-ancestors, nonce sources, hash sources, and plugin-types for Edge" do
+        it "child-src value is copied to frame-src, adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, upgrade-insecure-requests, child-src, form-action, frame-ancestors, hash sources, and plugin-types for Edge" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:edge])
-          expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'nonce-123456' 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
         end
 
-        it "child-src value is copied to frame-src, adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, upgrade-insecure-requests, child-src, form-action, frame-ancestors, nonce sources, hash sources, and plugin-types for safari" do
+        it "child-src value is copied to frame-src, adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, upgrade-insecure-requests, child-src, form-action, frame-ancestors, hash sources, and plugin-types for safari" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:safari6])
-          expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'nonce-123456' 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
         end
 
-        it "adds 'unsafe-inline', filters  blocked-all-mixed-content, upgrade-insecure-requests, nonce sources, and hash sources for safari 10 and higher" do
+        it "adds 'unsafe-inline', filters  blocked-all-mixed-content, upgrade-insecure-requests, and hash sources for safari 10 and higher" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:safari10])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456' 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
         end
 
         it "falls back to standard Firefox defaults when the useragent version is not present" do
           ua = USER_AGENTS[:firefox].dup
           allow(ua).to receive(:version).and_return(nil)
           policy = ContentSecurityPolicy.new(complex_opts, ua)
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'nonce-123456' 'unsafe-inline'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
         end
       end
     end

data/spec/lib/secure_headers/headers/policy_management_spec.rb

@@ -3,6 +3,11 @@ require "spec_helper"
 
 module SecureHeaders
   describe PolicyManagement do
+    before(:each) do
+      reset_config
+      Configuration.default
+    end
+
     let (:default_opts) do
       {
         default_src: %w(https:),
@@ -18,7 +23,7 @@ module SecureHeaders
         # (pulled from README)
         config = {
           # "meta" values. these will shape the header, but the values are not included in the header.
-          report_only:  true,     # default: false
+          report_only:  false,
           preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
 
           # directive values: these values will directly translate into source directives
@@ -142,9 +147,24 @@ module SecureHeaders
           ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(plugin_types: ["application/pdf"])))
         end.to_not raise_error
       end
+
+      it "doesn't allow report_only to be set in a non-report-only config" do
+        expect do
+          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(report_only: true)))
+        end.to raise_error(ContentSecurityPolicyConfigError)
+      end
+
+      it "allows report_only to be set in a report-only config" do
+        expect do
+          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyReportOnlyConfig.new(default_opts.merge(report_only: true)))
+        end.to_not raise_error
+      end
     end
 
     describe "#combine_policies" do
+      before(:each) do
+        reset_config
+      end
       it "combines the default-src value with the override if the directive was unconfigured" do
         Configuration.default do |config|
           config.csp = {
@@ -152,7 +172,8 @@ module SecureHeaders
             script_src: %w('self'),
           }
         end
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true).csp.to_h, style_src: %w(anothercdn.com))
+        default_policy = Configuration.dup
+        combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, style_src: %w(anothercdn.com))
         csp = ContentSecurityPolicy.new(combined_config)
         expect(csp.name).to eq(ContentSecurityPolicyConfig::HEADER_NAME)
         expect(csp.value).to eq("default-src https:; script-src 'self'; style-src https: anothercdn.com")
@@ -167,7 +188,8 @@ module SecureHeaders
           }.freeze
         end
         report_uri = "https://report-uri.io/asdf"
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true).csp.to_h, report_uri: [report_uri])
+        default_policy = Configuration.dup
+        combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, report_uri: [report_uri])
         csp = ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox])
         expect(csp.value).to include("report-uri #{report_uri}")
       end
@@ -183,7 +205,8 @@ module SecureHeaders
         non_default_source_additions = ContentSecurityPolicy::NON_FETCH_SOURCES.each_with_object({}) do |directive, hash|
           hash[directive] = %w("http://example.org)
         end
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true).csp.to_h, non_default_source_additions)
+        default_policy = Configuration.dup
+        combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, non_default_source_additions)
 
         ContentSecurityPolicy::NON_FETCH_SOURCES.each do |directive|
           expect(combined_config[directive]).to eq(%w("http://example.org))
@@ -198,7 +221,8 @@ module SecureHeaders
             report_only: false
           }
         end
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true).csp.to_h, report_only: true)
+        default_policy = Configuration.dup
+        combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, report_only: true)
         csp = ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox])
         expect(csp.name).to eq(ContentSecurityPolicyReportOnlyConfig::HEADER_NAME)
       end
@@ -211,7 +235,8 @@ module SecureHeaders
             block_all_mixed_content: false
           }
         end
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true).csp.to_h, block_all_mixed_content: true)
+        default_policy = Configuration.dup
+        combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, block_all_mixed_content: true)
         csp = ContentSecurityPolicy.new(combined_config)
         expect(csp.value).to eq("default-src https:; block-all-mixed-content; script-src 'self'")
       end
@@ -220,8 +245,9 @@ module SecureHeaders
         Configuration.default do |config|
           config.csp = OPT_OUT
         end
+        default_policy = Configuration.dup
         expect do
-          ContentSecurityPolicy.combine_policies(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true).csp.to_h, script_src: %w(anothercdn.com))
+          ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, script_src: %w(anothercdn.com))
         end.to raise_error(ContentSecurityPolicyConfigError)
       end
     end

data/spec/lib/secure_headers/middleware_spec.rb

@@ -16,6 +16,7 @@ module SecureHeaders
 
     it "warns if the hpkp report-uri host is the same as the current host" do
       report_host = "report-uri.io"
+      reset_config
       Configuration.default do |config|
         config.hpkp = {
           max_age: 10000000,
@@ -50,12 +51,14 @@ module SecureHeaders
       end
       request = Rack::Request.new({})
       SecureHeaders.use_secure_headers_override(request, "my_custom_config")
-      expect(request.env[SECURE_HEADERS_CONFIG]).to be(Configuration.get("my_custom_config", internal: true))
       _, env = middleware.call request.env
       expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match("example.org")
     end
 
     context "cookies" do
+      before(:each) do
+        reset_config
+      end
       context "cookies should be flagged" do
         it "flags cookies as secure" do
           Configuration.default { |config| config.cookies = {secure: true, httponly: OPT_OUT, samesite: OPT_OUT} }
@@ -87,6 +90,9 @@ module SecureHeaders
     end
 
     context "cookies" do
+      before(:each) do
+        reset_config
+      end
       it "flags cookies from configuration" do
         Configuration.default { |config| config.cookies = { secure: true, httponly: true, samesite: { lax: true} } }
         request = Rack::Request.new("HTTPS" => "on")

data/spec/lib/secure_headers/view_helpers_spec.rb

@@ -105,6 +105,7 @@ module SecureHeaders
     let(:filename) { "app/views/asdfs/index.html.erb" }
 
     before(:all) do
+      reset_config
       Configuration.default do |config|
         config.csp = {
           default_src: %w('self'),