secure_headers 5.1.0 → 6.0.0

data/spec/lib/secure_headers/configuration_spec.rb

@@ -5,88 +5,33 @@ module SecureHeaders
   describe Configuration do
     before(:each) do
       reset_config
-      Configuration.default
     end
 
     it "has a default config" do
-      expect(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true)).to_not be_nil
-    end
-
-    it "warns when using deprecated internal-ish #get API" do
-      expect(Kernel).to receive(:warn).once.with(/`#get` is deprecated/)
-      Configuration.get(Configuration::DEFAULT_CONFIG)
-    end
-
-    it "has an 'noop' config" do
-      expect(Configuration.get(Configuration::NOOP_CONFIGURATION, internal: true)).to_not be_nil
-    end
-
-    it "precomputes headers upon creation" do
-      default_config = Configuration.get(Configuration::DEFAULT_CONFIG, internal: true)
-      header_hash = default_config.cached_headers.each_with_object({}) do |(key, value), hash|
-        header_name, header_value = if key == :csp
-          value["Chrome"]
-        else
-          value
-        end
-
-        hash[header_name] = header_value
-      end
-      expect_default_values(header_hash)
+      expect(Configuration.default).to_not be_nil
     end
 
-    it "copies config values when duping" do
-      Configuration.override(:test_override, Configuration::NOOP_CONFIGURATION) do
-        # do nothing, just copy it
-      end
-
-      config = Configuration.get(:test_override, internal: true)
-      noop = Configuration.get(Configuration::NOOP_CONFIGURATION, internal: true)
-      [:csp, :csp_report_only, :cookies].each do |key|
-        expect(config.send(key)).to eq(noop.send(key))
-      end
+    it "has an 'noop' override" do
+      Configuration.default
+      expect(Configuration.overrides(Configuration::NOOP_OVERRIDE)).to_not be_nil
     end
 
-    it "regenerates cached headers when building an override" do
-      Configuration.override(:test_override) do |config|
-        config.x_content_type_options = OPT_OUT
+    it "dup results in a copy of the default config" do
+      Configuration.default
+      original_configuration = Configuration.send(:default_config)
+      configuration = Configuration.dup
+      expect(original_configuration).not_to be(configuration)
+      Configuration::CONFIG_ATTRIBUTES.each do |attr|
+        expect(original_configuration.send(attr)).to eq(configuration.send(attr))
       end
-
-      expect(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true).cached_headers).to_not eq(Configuration.get(:test_override, internal: true).cached_headers)
     end
 
-    it "stores an override of the global config" do
+    it "stores an override" do
       Configuration.override(:test_override) do |config|
         config.x_frame_options = "DENY"
       end
 
-      expect(Configuration.get(:test_override, internal: true)).to_not be_nil
-    end
-
-    it "deep dup's config values when overriding so the original cannot be modified" do
-      Configuration.override(:override) do |config|
-        config.csp[:default_src] << "'self'"
-      end
-
-      default = Configuration.get(Configuration::DEFAULT_CONFIG, internal: true)
-      override = Configuration.get(:override, internal: true)
-
-      expect(override.csp.directive_value(:default_src)).not_to be(default.csp.directive_value(:default_src))
-    end
-
-    it "allows you to override an override" do
-      Configuration.override(:override) do |config|
-        config.csp = { default_src: %w('self'), script_src: %w('self')}
-      end
-
-      Configuration.override(:second_override, :override) do |config|
-        config.csp = config.csp.merge(script_src: %w(example.org))
-      end
-
-      original_override = Configuration.get(:override, internal: true)
-      expect(original_override.csp.to_h).to eq(default_src: %w('self'), script_src: %w('self'))
-      override_config = Configuration.get(:second_override, internal: true)
-      expect(override_config.csp.to_h).to eq(default_src: %w('self'), script_src: %w('self' example.org))
+      expect(Configuration.overrides(:test_override)).to_not be_nil
     end
 
     it "deprecates the secure_cookies configuration" do
@@ -106,7 +51,7 @@ module SecureHeaders
         config.cookies = OPT_OUT
       end
 
-      config = Configuration.get(Configuration::DEFAULT_CONFIG, internal: true)
+      config = Configuration.dup
       expect(config.cookies).to eq(OPT_OUT)
     end
 
@@ -115,7 +60,7 @@ module SecureHeaders
         config.cookies = {httponly: true, secure: true, samesite: {lax: false}}
       end
 
-      config = Configuration.get(Configuration::DEFAULT_CONFIG, internal: true)
+      config = Configuration.dup
       expect(config.cookies).to eq({httponly: true, secure: true, samesite: {lax: false}})
     end
   end

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -28,11 +28,6 @@ module SecureHeaders
         expect(ContentSecurityPolicy.new.value).to eq("default-src https:; form-action 'self'; img-src https: data: 'self'; object-src 'none'; script-src https:; style-src 'self' 'unsafe-inline' https:")
       end
 
-      it "deprecates and escapes semicolons in directive source lists" do
-        expect(Kernel).to receive(:warn).with("frame_ancestors contains a ; in 'google.com;script-src *;.;' which will raise an error in future versions. It has been replaced with a blank space.")
-        expect(ContentSecurityPolicy.new(frame_ancestors: %w(https://google.com;script-src https://*;.;)).value).to eq("frame-ancestors google.com script-src * .")
-      end
-
       it "discards 'none' values if any other source expressions are present" do
         csp = ContentSecurityPolicy.new(default_opts.merge(child_src: %w('self' 'none')))
         expect(csp.value).not_to include("'none'")
@@ -121,72 +116,9 @@ module SecureHeaders
         ContentSecurityPolicy.new(default_src: %w('self'), frame_src: %w('self')).value
       end
 
-      it "raises an error when child-src and frame-src are supplied but are not equal" do
-        expect {
-          ContentSecurityPolicy.new(default_src: %w('self'), child_src: %w(child-src.com), frame_src: %w(frame-src,com)).value
-        }.to raise_error(ArgumentError)
-      end
-
       it "supports strict-dynamic" do
-        csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456}, USER_AGENTS[:chrome])
-        expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456'")
-      end
-
-      context "browser sniffing" do
-        let (:complex_opts) do
-          (ContentSecurityPolicy::ALL_DIRECTIVES - [:frame_src]).each_with_object({}) do |directive, hash|
-            hash[directive] = ["#{directive.to_s.gsub("_", "-")}.com"]
-          end.merge({
-            block_all_mixed_content: true,
-            upgrade_insecure_requests: true,
-            script_src: %w(script-src.com),
-            script_nonce: 123456,
-            sandbox: %w(allow-forms),
-            plugin_types: %w(application/pdf)
-          })
-        end
-
-        it "does not filter any directives for Chrome" do
-          policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:chrome])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; worker-src worker-src.com; report-uri report-uri.com")
-        end
-
-        it "does not filter any directives for Opera" do
-          policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:opera])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; worker-src worker-src.com; report-uri report-uri.com")
-        end
-
-        it "filters blocked-all-mixed-content, child-src, and plugin-types for firefox" do
-          policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:firefox])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
-        end
-
-        it "filters blocked-all-mixed-content, frame-src, and plugin-types for firefox 46 and higher" do
-          policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:firefox46])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
-        end
-
-        it "child-src value is copied to frame-src, adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, upgrade-insecure-requests, child-src, form-action, frame-ancestors, nonce sources, hash sources, and plugin-types for Edge" do
-          policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:edge])
-          expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
-        end
-
-        it "child-src value is copied to frame-src, adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, upgrade-insecure-requests, child-src, form-action, frame-ancestors, nonce sources, hash sources, and plugin-types for safari" do
-          policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:safari6])
-          expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
-        end
-
-        it "adds 'unsafe-inline', filters  blocked-all-mixed-content, upgrade-insecure-requests, nonce sources, and hash sources for safari 10 and higher" do
-          policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:safari10])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; report-uri report-uri.com")
-        end
-
-        it "falls back to standard Firefox defaults when the useragent version is not present" do
-          ua = USER_AGENTS[:firefox].dup
-          allow(ua).to receive(:version).and_return(nil)
-          policy = ContentSecurityPolicy.new(complex_opts, ua)
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
-        end
+        csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456})
+        expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456' 'unsafe-inline'")
       end
     end
   end

data/spec/lib/secure_headers/headers/policy_management_spec.rb

@@ -3,6 +3,11 @@ require "spec_helper"
 
 module SecureHeaders
   describe PolicyManagement do
+    before(:each) do
+      reset_config
+      Configuration.default
+    end
+
     let (:default_opts) do
       {
         default_src: %w(https:),
@@ -18,7 +23,7 @@ module SecureHeaders
         # (pulled from README)
         config = {
           # "meta" values. these will shape the header, but the values are not included in the header.
-          report_only:  true,     # default: false
+          report_only:  false,
           preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
 
           # directive values: these values will directly translate into source directives
@@ -142,9 +147,24 @@ module SecureHeaders
           ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(plugin_types: ["application/pdf"])))
         end.to_not raise_error
       end
+
+      it "doesn't allow report_only to be set in a non-report-only config" do
+        expect do
+          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(report_only: true)))
+        end.to raise_error(ContentSecurityPolicyConfigError)
+      end
+
+      it "allows report_only to be set in a report-only config" do
+        expect do
+          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyReportOnlyConfig.new(default_opts.merge(report_only: true)))
+        end.to_not raise_error
+      end
     end
 
     describe "#combine_policies" do
+      before(:each) do
+        reset_config
+      end
       it "combines the default-src value with the override if the directive was unconfigured" do
         Configuration.default do |config|
           config.csp = {
@@ -152,7 +172,8 @@ module SecureHeaders
             script_src: %w('self'),
           }
         end
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true).csp.to_h, style_src: %w(anothercdn.com))
+        default_policy = Configuration.dup
+        combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, style_src: %w(anothercdn.com))
         csp = ContentSecurityPolicy.new(combined_config)
         expect(csp.name).to eq(ContentSecurityPolicyConfig::HEADER_NAME)
         expect(csp.value).to eq("default-src https:; script-src 'self'; style-src https: anothercdn.com")
@@ -167,8 +188,9 @@ module SecureHeaders
           }.freeze
         end
         report_uri = "https://report-uri.io/asdf"
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true).csp.to_h, report_uri: [report_uri])
-        csp = ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox])
+        default_policy = Configuration.dup
+        combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, report_uri: [report_uri])
+        csp = ContentSecurityPolicy.new(combined_config)
         expect(csp.value).to include("report-uri #{report_uri}")
       end
 
@@ -183,7 +205,8 @@ module SecureHeaders
         non_default_source_additions = ContentSecurityPolicy::NON_FETCH_SOURCES.each_with_object({}) do |directive, hash|
           hash[directive] = %w("http://example.org)
         end
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true).csp.to_h, non_default_source_additions)
+        default_policy = Configuration.dup
+        combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, non_default_source_additions)
 
         ContentSecurityPolicy::NON_FETCH_SOURCES.each do |directive|
           expect(combined_config[directive]).to eq(%w("http://example.org))
@@ -198,8 +221,9 @@ module SecureHeaders
             report_only: false
           }
         end
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true).csp.to_h, report_only: true)
-        csp = ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox])
+        default_policy = Configuration.dup
+        combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, report_only: true)
+        csp = ContentSecurityPolicy.new(combined_config)
         expect(csp.name).to eq(ContentSecurityPolicyReportOnlyConfig::HEADER_NAME)
       end
 
@@ -211,7 +235,8 @@ module SecureHeaders
             block_all_mixed_content: false
           }
         end
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true).csp.to_h, block_all_mixed_content: true)
+        default_policy = Configuration.dup
+        combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, block_all_mixed_content: true)
         csp = ContentSecurityPolicy.new(combined_config)
         expect(csp.value).to eq("default-src https:; block-all-mixed-content; script-src 'self'")
       end
@@ -220,8 +245,9 @@ module SecureHeaders
         Configuration.default do |config|
           config.csp = OPT_OUT
         end
+        default_policy = Configuration.dup
         expect do
-          ContentSecurityPolicy.combine_policies(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true).csp.to_h, script_src: %w(anothercdn.com))
+          ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, script_src: %w(anothercdn.com))
         end.to raise_error(ContentSecurityPolicyConfigError)
       end
     end

data/spec/lib/secure_headers/middleware_spec.rb

@@ -16,6 +16,7 @@ module SecureHeaders
 
     it "warns if the hpkp report-uri host is the same as the current host" do
       report_host = "report-uri.io"
+      reset_config
       Configuration.default do |config|
         config.hpkp = {
           max_age: 10000000,
@@ -50,12 +51,14 @@ module SecureHeaders
       end
       request = Rack::Request.new({})
       SecureHeaders.use_secure_headers_override(request, "my_custom_config")
-      expect(request.env[SECURE_HEADERS_CONFIG]).to be(Configuration.get("my_custom_config", internal: true))
       _, env = middleware.call request.env
       expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match("example.org")
     end
 
     context "cookies" do
+      before(:each) do
+        reset_config
+      end
       context "cookies should be flagged" do
         it "flags cookies as secure" do
           Configuration.default { |config| config.cookies = {secure: true, httponly: OPT_OUT, samesite: OPT_OUT} }
@@ -87,6 +90,9 @@ module SecureHeaders
     end
 
     context "cookies" do
+      before(:each) do
+        reset_config
+      end
       it "flags cookies from configuration" do
         Configuration.default { |config| config.cookies = { secure: true, httponly: true, samesite: { lax: true} } }
         request = Rack::Request.new("HTTPS" => "on")

data/spec/lib/secure_headers/view_helpers_spec.rb

@@ -97,6 +97,12 @@ TEMPLATE
   end
 end
 
+class MessageWithConflictingMethod < Message
+  def content_security_policy_nonce
+    "rails-nonce"
+  end
+end
+
 module SecureHeaders
   describe ViewHelpers do
     let(:app) { lambda { |env| [200, env, "app"] } }
@@ -105,6 +111,7 @@ module SecureHeaders
     let(:filename) { "app/views/asdfs/index.html.erb" }
 
     before(:all) do
+      reset_config
       Configuration.default do |config|
         config.csp = {
           default_src: %w('self'),
@@ -158,5 +165,27 @@ module SecureHeaders
         expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/style-src[^;]*'#{Regexp.escape(expected_style_hash)}'/)
       end
     end
+
+    it "avoids calling content_security_policy_nonce internally" do
+      begin
+        allow(SecureRandom).to receive(:base64).and_return("abc123")
+
+        expected_hash = "sha256-3/URElR9+3lvLIouavYD/vhoICSNKilh15CzI/nKqg8="
+        Configuration.instance_variable_set(:@script_hashes, filename => ["'#{expected_hash}'"])
+        expected_style_hash = "sha256-7oYK96jHg36D6BM042er4OfBnyUDTG3pH1L8Zso3aGc="
+        Configuration.instance_variable_set(:@style_hashes, filename => ["'#{expected_style_hash}'"])
+
+        # render erb that calls out to helpers.
+        MessageWithConflictingMethod.new(request).result
+        _, env = middleware.call request.env
+
+        expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/script-src[^;]*'#{Regexp.escape(expected_hash)}'/)
+        expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/script-src[^;]*'nonce-abc123'/)
+        expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/style-src[^;]*'nonce-abc123'/)
+        expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/style-src[^;]*'#{Regexp.escape(expected_style_hash)}'/)
+
+        expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).not_to match(/rails-nonce/)
+      end
+    end
   end
 end

data/spec/lib/secure_headers_spec.rb

@@ -17,10 +17,17 @@ module SecureHeaders
 
     it "raises a NotYetConfiguredError if trying to opt-out of unconfigured headers" do
       expect do
-        SecureHeaders.opt_out_of_header(request, ContentSecurityPolicyConfig::CONFIG_KEY)
+        SecureHeaders.opt_out_of_header(request, :csp)
       end.to raise_error(Configuration::NotYetConfiguredError)
     end
 
+    it "raises a AlreadyConfiguredError if trying to configure and default has already been set " do
+      Configuration.default
+      expect do
+        Configuration.default
+      end.to raise_error(Configuration::AlreadyConfiguredError)
+    end
+
     it "raises and ArgumentError when referencing an override that has not been set" do
       expect do
         Configuration.default
@@ -34,9 +41,9 @@ module SecureHeaders
           config.csp = { default_src: %w('self'), script_src: %w('self')}
           config.csp_report_only = config.csp
         end
-        SecureHeaders.opt_out_of_header(request, ContentSecurityPolicyConfig::CONFIG_KEY)
-        SecureHeaders.opt_out_of_header(request, ContentSecurityPolicyReportOnlyConfig::CONFIG_KEY)
-        SecureHeaders.opt_out_of_header(request, XContentTypeOptions::CONFIG_KEY)
+        SecureHeaders.opt_out_of_header(request, :csp)
+        SecureHeaders.opt_out_of_header(request, :csp_report_only)
+        SecureHeaders.opt_out_of_header(request, :x_content_type_options)
         hash = SecureHeaders.header_hash_for(request)
         expect(hash["Content-Security-Policy-Report-Only"]).to be_nil
         expect(hash["Content-Security-Policy"]).to be_nil
@@ -60,6 +67,24 @@ module SecureHeaders
         expect(hash["X-Frame-Options"]).to be_nil
       end
 
+      it "Overrides the current default config if default config changes during request" do
+        Configuration.default do |config|
+          config.x_frame_options = OPT_OUT
+        end
+
+        # Dynamically update the default config for this request
+        SecureHeaders.override_x_frame_options(request, "DENY")
+
+        Configuration.override(:dynamic_override) do |config|
+          config.x_content_type_options = "nosniff"
+        end
+
+        SecureHeaders.use_secure_headers_override(request, :dynamic_override)
+        hash = SecureHeaders.header_hash_for(request)
+        expect(hash["X-Content-Type-Options"]).to eq("nosniff")
+        expect(hash["X-Frame-Options"]).to eq("DENY")
+      end
+
       it "allows you to opt out entirely" do
         # configure the disabled-by-default headers to ensure they also do not get set
         Configuration.default do |config|
@@ -78,9 +103,6 @@ module SecureHeaders
         end
         SecureHeaders.opt_out_of_all_protection(request)
         hash = SecureHeaders.header_hash_for(request)
-        ALL_HEADER_CLASSES.each do |klass|
-          expect(hash[klass::CONFIG_KEY]).to be_nil
-        end
         expect(hash.count).to eq(0)
       end
 
@@ -105,27 +127,6 @@ module SecureHeaders
         expect(hash[XFrameOptions::HEADER_NAME]).to eq(XFrameOptions::SAMEORIGIN)
       end
 
-      it "produces a UA-specific CSP when overriding (and busting the cache)" do
-        Configuration.default do |config|
-          config.csp = {
-            default_src: %w('self'),
-            script_src: %w('self'),
-            child_src: %w('self')
-          }
-        end
-        firefox_request = Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:firefox]))
-
-        # append an unsupported directive
-        SecureHeaders.override_content_security_policy_directives(firefox_request, {plugin_types: %w(flash)})
-        # append a supported directive
-        SecureHeaders.override_content_security_policy_directives(firefox_request, {script_src: %w('self')})
-
-        hash = SecureHeaders.header_hash_for(firefox_request)
-
-        # child-src is translated to frame-src
-        expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; frame-src 'self'; script-src 'self'")
-      end
-
       it "produces a hash of headers with default config" do
         Configuration.default
         hash = SecureHeaders.header_hash_for(request)
@@ -175,22 +176,6 @@ module SecureHeaders
           expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; script-src mycdn.com 'unsafe-inline' anothercdn.com")
         end
 
-        it "child-src and frame-src must match" do
-          Configuration.default do |config|
-            config.csp = {
-              default_src: %w('self'),
-              frame_src: %w(frame_src.com),
-              script_src: %w('self')
-            }
-          end
-
-          SecureHeaders.append_content_security_policy_directives(chrome_request, child_src: %w(child_src.com))
-
-          expect {
-            SecureHeaders.header_hash_for(chrome_request)
-          }.to raise_error(ArgumentError)
-        end
-
         it "supports named appends" do
           Configuration.default do |config|
             config.csp = {
@@ -265,21 +250,6 @@ module SecureHeaders
           expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src https:; img-src data:; script-src 'self'")
         end
 
-        it "does not append a nonce when the browser does not support it" do
-          Configuration.default do |config|
-            config.csp = {
-              default_src: %w('self'),
-              script_src: %w(mycdn.com 'unsafe-inline'),
-              style_src: %w('self')
-            }
-          end
-
-          safari_request = Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:safari5]))
-          SecureHeaders.content_security_policy_script_nonce(safari_request)
-          hash = SecureHeaders.header_hash_for(safari_request)
-          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; script-src mycdn.com 'unsafe-inline'; style-src 'self'")
-        end
-
         it "appends a nonce to the script-src when used" do
           Configuration.default do |config|
             config.csp = {
@@ -297,21 +267,7 @@ module SecureHeaders
           SecureHeaders.content_security_policy_script_nonce(chrome_request)
 
           hash = SecureHeaders.header_hash_for(chrome_request)
-          expect(hash["Content-Security-Policy"]).to eq("default-src 'self'; script-src mycdn.com 'nonce-#{nonce}'; style-src 'self'")
-        end
-
-        it "uses a nonce for safari 10+" do
-          Configuration.default do |config|
-            config.csp = {
-              default_src: %w('self'),
-              script_src: %w(mycdn.com)
-            }
-          end
-
-          safari_request = Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:safari10]))
-          nonce = SecureHeaders.content_security_policy_script_nonce(safari_request)
-          hash = SecureHeaders.header_hash_for(safari_request)
-          expect(hash["Content-Security-Policy"]).to eq("default-src 'self'; script-src mycdn.com 'nonce-#{nonce}'")
+          expect(hash["Content-Security-Policy"]).to eq("default-src 'self'; script-src mycdn.com 'nonce-#{nonce}' 'unsafe-inline'; style-src 'self'")
         end
 
         it "does not support the deprecated `report_only: true` format" do
@@ -322,7 +278,7 @@ module SecureHeaders
                 report_only: true
               }
             end
-          }.to raise_error(ArgumentError)
+          }.to raise_error(ContentSecurityPolicyConfigError)
         end
 
         it "Raises an error if csp_report_only is used with `report_only: false`" do
@@ -349,6 +305,7 @@ module SecureHeaders
           end
 
           it "sets identical values when the configs are the same" do
+            reset_config
             Configuration.default do |config|
               config.csp = {
                 default_src: %w('self'),
@@ -366,6 +323,7 @@ module SecureHeaders
           end
 
           it "sets different headers when the configs are different" do
+            reset_config
             Configuration.default do |config|
               config.csp = {
                 default_src: %w('self'),
@@ -376,10 +334,11 @@ module SecureHeaders
 
             hash = SecureHeaders.header_hash_for(request)
             expect(hash["Content-Security-Policy"]).to eq("default-src 'self'; script-src 'self'")
-            expect(hash["Content-Security-Policy-Report-Only"]).to eq("default-src 'self'; script-src 'self' foo.com")
+            expect(hash["Content-Security-Policy-Report-Only"]).to eq("default-src 'self'; script-src foo.com")
           end
 
           it "allows you to opt-out of enforced CSP" do
+            reset_config
             Configuration.default do |config|
               config.csp = SecureHeaders::OPT_OUT
               config.csp_report_only = {
@@ -437,6 +396,7 @@ module SecureHeaders
 
           context "when inferring which config to modify" do
             it "updates the enforced header when configured" do
+              reset_config
               Configuration.default do |config|
                 config.csp = {
                   default_src: %w('self'),
@@ -451,6 +411,7 @@ module SecureHeaders
             end
 
             it "updates the report only header when configured" do
+              reset_config
               Configuration.default do |config|
                 config.csp = OPT_OUT
                 config.csp_report_only = {
@@ -466,6 +427,7 @@ module SecureHeaders
             end
 
             it "updates both headers if both are configured" do
+              reset_config
               Configuration.default do |config|
                 config.csp = {
                   default_src: %w(enforced.com),

data/spec/spec_helper.rb

@@ -26,6 +26,7 @@ USER_AGENTS = {
 
 def expect_default_values(hash)
   expect(hash[SecureHeaders::ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; object-src 'none'; script-src https:; style-src 'self' https: 'unsafe-inline'")
+  expect(hash[SecureHeaders::ContentSecurityPolicyReportOnlyConfig::HEADER_NAME]).to be_nil
   expect(hash[SecureHeaders::XFrameOptions::HEADER_NAME]).to eq(SecureHeaders::XFrameOptions::DEFAULT_VALUE)
   expect(hash[SecureHeaders::XDownloadOptions::HEADER_NAME]).to eq(SecureHeaders::XDownloadOptions::DEFAULT_VALUE)
   expect(hash[SecureHeaders::StrictTransportSecurity::HEADER_NAME]).to eq(SecureHeaders::StrictTransportSecurity::DEFAULT_VALUE)
@@ -34,18 +35,21 @@ def expect_default_values(hash)
   expect(hash[SecureHeaders::XPermittedCrossDomainPolicies::HEADER_NAME]).to eq(SecureHeaders::XPermittedCrossDomainPolicies::DEFAULT_VALUE)
   expect(hash[SecureHeaders::ReferrerPolicy::HEADER_NAME]).to be_nil
   expect(hash[SecureHeaders::ExpectCertificateTransparency::HEADER_NAME]).to be_nil
+  expect(hash[SecureHeaders::ClearSiteData::HEADER_NAME]).to be_nil
+  expect(hash[SecureHeaders::ExpectCertificateTransparency::HEADER_NAME]).to be_nil
+  expect(hash[SecureHeaders::PublicKeyPins::HEADER_NAME]).to be_nil
 end
 
 module SecureHeaders
   class Configuration
     class << self
-      def clear_configurations
-        @configurations = nil
+      def clear_default_config
+        remove_instance_variable(:@default_config) if defined?(@default_config)
       end
     end
   end
 end
 
 def reset_config
-  SecureHeaders::Configuration.clear_configurations
+  SecureHeaders::Configuration.clear_default_config
 end