secure_headers 5.2.0 → 6.0.0.alpha01

data/lib/secure_headers/headers/clear_site_data.rb

@@ -11,13 +11,11 @@ module SecureHeaders
     EXECUTION_CONTEXTS = "executionContexts".freeze
     ALL_TYPES = [CACHE, COOKIES, STORAGE, EXECUTION_CONTEXTS]
 
-    CONFIG_KEY = :clear_site_data
-
     class << self
       # Public: make an Clear-Site-Data header name, value pair
       #
       # Returns nil if not configured, returns header name and value if configured.
-      def make_header(config = nil)
+      def make_header(config = nil, user_agent = nil)
         case config
         when nil, OPT_OUT, []
           # noop

data/lib/secure_headers/headers/content_security_policy.rb

@@ -13,6 +13,7 @@ module SecureHeaders
     FALLBACK_VERSION = ::UserAgent::Version.new("0")
 
     def initialize(config = nil, user_agent = OTHER)
+      user_agent ||= OTHER
       @config = if config.is_a?(Hash)
         if config[:report_only]
           ContentSecurityPolicyReportOnlyConfig.new(config || DEFAULT_CONFIG)
@@ -138,14 +139,8 @@ module SecureHeaders
       end
 
       if source_list != OPT_OUT && source_list && source_list.any?
-        minified_source_list = minify_source_list(directive, source_list).join(" ")
-
-        if minified_source_list =~ /(\n|;)/
-          Kernel.warn("#{directive} contains a #{$1} in #{minified_source_list.inspect} which will raise an error in future versions. It has been replaced with a blank space.")
-        end
-
-        escaped_source_list = minified_source_list.gsub(/[\n;]/, " ")
-        [symbol_to_hyphen_case(directive), escaped_source_list].join(" ").strip
+        normalized_source_list = minify_source_list(directive, source_list)
+        [symbol_to_hyphen_case(directive), normalized_source_list].join(" ")
       end
     end
 
@@ -218,11 +213,7 @@ module SecureHeaders
     # unsafe-inline, this is more concise.
     def append_nonce(source_list, nonce)
       if nonce
-        if nonces_supported?
-          source_list << "'nonce-#{nonce}'"
-        else
-          source_list << UNSAFE_INLINE
-        end
+        source_list.push("'nonce-#{nonce}'", UNSAFE_INLINE)
       end
 
       source_list
@@ -262,10 +253,6 @@ module SecureHeaders
       end
     end
 
-    def nonces_supported?
-      @nonces_supported ||= self.class.nonces_supported?(@parsed_ua)
-    end
-
     def symbol_to_hyphen_case(sym)
       sym.to_s.tr("_", "-")
     end

data/lib/secure_headers/headers/content_security_policy_config.rb

@@ -2,7 +2,6 @@
 module SecureHeaders
   module DynamicConfig
     def self.included(base)
-      base.send(:attr_writer, :modified)
       base.send(:attr_reader, *base.attrs)
       base.attrs.each do |attr|
         base.send(:define_method, "#{attr}=") do |value|
@@ -42,7 +41,6 @@ module SecureHeaders
       @upgrade_insecure_requests = nil
 
       from_hash(hash)
-      @modified = false
     end
 
     def update_directive(directive, value)
@@ -55,12 +53,10 @@ module SecureHeaders
       end
     end
 
-    def modified?
-      @modified
-    end
-
     def merge(new_hash)
-      ContentSecurityPolicy.combine_policies(self.to_h, new_hash)
+      new_config = self.dup
+      new_config.send(:from_hash, new_hash)
+      new_config
     end
 
     def merge!(new_hash)
@@ -109,17 +105,12 @@ module SecureHeaders
     def write_attribute(attr, value)
       value = value.dup if PolicyManagement::DIRECTIVE_VALUE_TYPES[attr] == :source_list
       attr_variable = "@#{attr}"
-      prev_value = self.instance_variable_get(attr_variable)
       self.instance_variable_set(attr_variable, value)
-      if prev_value != value
-        @modified = true
-      end
     end
   end
 
   class ContentSecurityPolicyConfigError < StandardError; end
   class ContentSecurityPolicyConfig
-    CONFIG_KEY = :csp
     HEADER_NAME = "Content-Security-Policy".freeze
 
     ATTRS = PolicyManagement::ALL_DIRECTIVES + PolicyManagement::META_CONFIGS + PolicyManagement::NONCES
@@ -149,7 +140,6 @@ module SecureHeaders
   end
 
   class ContentSecurityPolicyReportOnlyConfig < ContentSecurityPolicyConfig
-    CONFIG_KEY = :csp_report_only
     HEADER_NAME = "Content-Security-Policy-Report-Only".freeze
 
     def report_only?

data/lib/secure_headers/headers/expect_certificate_transparency.rb

@@ -4,7 +4,6 @@ module SecureHeaders
 
   class ExpectCertificateTransparency
     HEADER_NAME = "Expect-CT".freeze
-    CONFIG_KEY  = :expect_certificate_transparency
     INVALID_CONFIGURATION_ERROR = "config must be a hash.".freeze
     INVALID_ENFORCE_VALUE_ERROR = "enforce must be a boolean".freeze
     REQUIRED_MAX_AGE_ERROR      = "max-age is a required directive.".freeze
@@ -15,8 +14,8 @@ module SecureHeaders
       #
       # Returns nil if not configured, returns header name and value if
       # configured.
-      def make_header(config)
-        return if config.nil?
+      def make_header(config, use_agent = nil)
+        return if config.nil? || config == OPT_OUT
 
         header = new(config)
         [HEADER_NAME, header.value]

data/lib/secure_headers/headers/policy_management.rb

@@ -5,7 +5,6 @@ module SecureHeaders
       base.extend(ClassMethods)
     end
 
-    MODERN_BROWSERS = %w(Chrome Opera Firefox)
     DEFAULT_CONFIG = {
       default_src: %w(https:),
       img_src: %w(https: data: 'self'),
@@ -200,7 +199,8 @@ module SecureHeaders
       #
       # Returns a default policy if no configuration is provided, or a
       # header name and value based on the config.
-      def make_header(config, user_agent)
+      def make_header(config, user_agent = nil)
+        return if config.nil? || config == OPT_OUT
         header = new(config, user_agent)
         [header.name, header.value]
       end
@@ -215,27 +215,28 @@ module SecureHeaders
         if config.directive_value(:script_src).nil?
           raise ContentSecurityPolicyConfigError.new(":script_src is required, falling back to default-src is too dangerous. Use `script_src: OPT_OUT` to override")
         end
+        if !config.report_only? && config.directive_value(:report_only)
+          raise ContentSecurityPolicyConfigError.new("Only the csp_report_only config should set :report_only to true")
+        end
+
+        if config.report_only? && config.directive_value(:report_only) == false
+          raise ContentSecurityPolicyConfigError.new("csp_report_only config must have :report_only set to true")
+        end
 
         ContentSecurityPolicyConfig.attrs.each do |key|
           value = config.directive_value(key)
           next unless value
+
           if META_CONFIGS.include?(key)
             raise ContentSecurityPolicyConfigError.new("#{key} must be a boolean value") unless boolean?(value) || value.nil?
+          elsif NONCES.include?(key)
+            raise ContentSecurityPolicyConfigError.new("#{key} must be a non-nil value") if value.nil?
           else
             validate_directive!(key, value)
           end
         end
       end
 
-      # Public: check if a user agent supports CSP nonces
-      #
-      # user_agent - a String or a UserAgent object
-      def nonces_supported?(user_agent)
-        user_agent = UserAgent.parse(user_agent) if user_agent.is_a?(String)
-        MODERN_BROWSERS.include?(user_agent.browser) ||
-          user_agent.browser == "Safari" && (user_agent.version || CSP::FALLBACK_VERSION) >= CSP::VERSION_10
-      end
-
       # Public: combine the values from two different configs.
       #
       # original - the main config

data/lib/secure_headers/headers/public_key_pins.rb

@@ -5,15 +5,14 @@ module SecureHeaders
     HEADER_NAME = "Public-Key-Pins".freeze
     REPORT_ONLY = "Public-Key-Pins-Report-Only".freeze
     HASH_ALGORITHMS = [:sha256].freeze
-    CONFIG_KEY = :hpkp
 
 
     class << self
       # Public: make an hpkp header name, value pair
       #
       # Returns nil if not configured, returns header name and value if configured.
-      def make_header(config)
-        return if config.nil?
+      def make_header(config, user_agent = nil)
+        return if config.nil? || config == OPT_OUT
         header = new(config)
         [header.name, header.value]
       end

data/lib/secure_headers/headers/referrer_policy.rb

@@ -14,14 +14,14 @@ module SecureHeaders
       origin-when-cross-origin
       unsafe-url
     )
-    CONFIG_KEY = :referrer_policy
 
     class << self
       # Public: generate an Referrer Policy header.
       #
       # Returns a default header if no configuration is provided, or a
       # header name and value based on the config.
-      def make_header(config = nil)
+      def make_header(config = nil, user_agent = nil)
+        return if config == OPT_OUT
         config ||= DEFAULT_VALUE
         [HEADER_NAME, Array(config).join(", ")]
       end

data/lib/secure_headers/headers/strict_transport_security.rb

@@ -8,14 +8,14 @@ module SecureHeaders
     DEFAULT_VALUE = "max-age=" + HSTS_MAX_AGE
     VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?(; preload)?\z/i
     MESSAGE = "The config value supplied for the HSTS header was invalid. Must match #{VALID_STS_HEADER}"
-    CONFIG_KEY = :hsts
 
     class << self
       # Public: generate an hsts header name, value pair.
       #
       # Returns a default header if no configuration is provided, or a
       # header name and value based on the config.
-      def make_header(config = nil)
+      def make_header(config = nil, user_agent = nil)
+        return if config == OPT_OUT
         [HEADER_NAME, config || DEFAULT_VALUE]
       end
 

data/lib/secure_headers/headers/x_content_type_options.rb

@@ -5,14 +5,14 @@ module SecureHeaders
   class XContentTypeOptions
     HEADER_NAME = "X-Content-Type-Options".freeze
     DEFAULT_VALUE = "nosniff"
-    CONFIG_KEY = :x_content_type_options
 
     class << self
       # Public: generate an X-Content-Type-Options header.
       #
       # Returns a default header if no configuration is provided, or a
       # header name and value based on the config.
-      def make_header(config = nil)
+      def make_header(config = nil, user_agent = nil)
+        return if config == OPT_OUT
         [HEADER_NAME, config || DEFAULT_VALUE]
       end
 

data/lib/secure_headers/headers/x_download_options.rb

@@ -4,14 +4,14 @@ module SecureHeaders
   class XDownloadOptions
     HEADER_NAME = "X-Download-Options".freeze
     DEFAULT_VALUE = "noopen"
-    CONFIG_KEY = :x_download_options
 
     class << self
       # Public: generate an X-Download-Options header.
       #
       # Returns a default header if no configuration is provided, or a
       # header name and value based on the config.
-      def make_header(config = nil)
+      def make_header(config = nil, user_agent = nil)
+        return if config == OPT_OUT
         [HEADER_NAME, config || DEFAULT_VALUE]
       end
 

data/lib/secure_headers/headers/x_frame_options.rb

@@ -3,7 +3,6 @@ module SecureHeaders
   class XFOConfigError < StandardError; end
   class XFrameOptions
     HEADER_NAME = "X-Frame-Options".freeze
-    CONFIG_KEY = :x_frame_options
     SAMEORIGIN = "sameorigin"
     DENY = "deny"
     ALLOW_FROM = "allow-from"
@@ -16,7 +15,7 @@ module SecureHeaders
       #
       # Returns a default header if no configuration is provided, or a
       # header name and value based on the config.
-      def make_header(config = nil)
+      def make_header(config = nil, user_agent = nil)
         return if config == OPT_OUT
         [HEADER_NAME, config || DEFAULT_VALUE]
       end

data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb

@@ -5,14 +5,14 @@ module SecureHeaders
     HEADER_NAME = "X-Permitted-Cross-Domain-Policies".freeze
     DEFAULT_VALUE = "none"
     VALID_POLICIES = %w(all none master-only by-content-type by-ftp-filename)
-    CONFIG_KEY = :x_permitted_cross_domain_policies
 
     class << self
       # Public: generate an X-Permitted-Cross-Domain-Policies header.
       #
       # Returns a default header if no configuration is provided, or a
       # header name and value based on the config.
-      def make_header(config = nil)
+      def make_header(config = nil, user_agent = nil)
+        return if config == OPT_OUT
         [HEADER_NAME, config || DEFAULT_VALUE]
       end
 

data/lib/secure_headers/headers/x_xss_protection.rb

@@ -4,15 +4,15 @@ module SecureHeaders
   class XXssProtection
     HEADER_NAME = "X-XSS-Protection".freeze
     DEFAULT_VALUE = "1; mode=block"
-    VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/i
-    CONFIG_KEY = :x_xss_protection
+    VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/
 
     class << self
       # Public: generate an X-Xss-Protection header.
       #
       # Returns a default header if no configuration is provided, or a
       # header name and value based on the config.
-      def make_header(config = nil)
+      def make_header(config = nil, user_agent = nil)
+        return if config == OPT_OUT
         [HEADER_NAME, config || DEFAULT_VALUE]
       end
 

data/secure_headers.gemspec

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "5.2.0"
+  gem.version       = "6.0.0.alpha01"
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
   gem.description   = "Manages application of security headers with many safe defaults."

data/spec/lib/secure_headers/configuration_spec.rb

@@ -5,88 +5,33 @@ module SecureHeaders
   describe Configuration do
     before(:each) do
       reset_config
-      Configuration.default
     end
 
     it "has a default config" do
-      expect(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true)).to_not be_nil
-    end
-
-    it "warns when using deprecated internal-ish #get API" do
-      expect(Kernel).to receive(:warn).once.with(/`#get` is deprecated/)
-      Configuration.get(Configuration::DEFAULT_CONFIG)
-    end
-
-    it "has an 'noop' config" do
-      expect(Configuration.get(Configuration::NOOP_CONFIGURATION, internal: true)).to_not be_nil
-    end
-
-    it "precomputes headers upon creation" do
-      default_config = Configuration.get(Configuration::DEFAULT_CONFIG, internal: true)
-      header_hash = default_config.cached_headers.each_with_object({}) do |(key, value), hash|
-        header_name, header_value = if key == :csp
-          value["Chrome"]
-        else
-          value
-        end
-
-        hash[header_name] = header_value
-      end
-      expect_default_values(header_hash)
+      expect(Configuration.default).to_not be_nil
     end
 
-    it "copies config values when duping" do
-      Configuration.override(:test_override, Configuration::NOOP_CONFIGURATION) do
-        # do nothing, just copy it
-      end
-
-      config = Configuration.get(:test_override, internal: true)
-      noop = Configuration.get(Configuration::NOOP_CONFIGURATION, internal: true)
-      [:csp, :csp_report_only, :cookies].each do |key|
-        expect(config.send(key)).to eq(noop.send(key))
-      end
+    it "has an 'noop' override" do
+      Configuration.default
+      expect(Configuration.overrides(Configuration::NOOP_OVERRIDE)).to_not be_nil
     end
 
-    it "regenerates cached headers when building an override" do
-      Configuration.override(:test_override) do |config|
-        config.x_content_type_options = OPT_OUT
+    it "dup results in a copy of the default config" do
+      Configuration.default
+      original_configuration = Configuration.send(:default_config)
+      configuration = Configuration.dup
+      expect(original_configuration).not_to be(configuration)
+      Configuration::CONFIG_ATTRIBUTES.each do |attr|
+        expect(original_configuration.send(attr)).to eq(configuration.send(attr))
       end
-
-      expect(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true).cached_headers).to_not eq(Configuration.get(:test_override, internal: true).cached_headers)
     end
 
-    it "stores an override of the global config" do
+    it "stores an override" do
       Configuration.override(:test_override) do |config|
         config.x_frame_options = "DENY"
       end
 
-      expect(Configuration.get(:test_override, internal: true)).to_not be_nil
-    end
-
-    it "deep dup's config values when overriding so the original cannot be modified" do
-      Configuration.override(:override) do |config|
-        config.csp[:default_src] << "'self'"
-      end
-
-      default = Configuration.get(Configuration::DEFAULT_CONFIG, internal: true)
-      override = Configuration.get(:override, internal: true)
-
-      expect(override.csp.directive_value(:default_src)).not_to be(default.csp.directive_value(:default_src))
-    end
-
-    it "allows you to override an override" do
-      Configuration.override(:override) do |config|
-        config.csp = { default_src: %w('self'), script_src: %w('self')}
-      end
-
-      Configuration.override(:second_override, :override) do |config|
-        config.csp = config.csp.merge(script_src: %w(example.org))
-      end
-
-      original_override = Configuration.get(:override, internal: true)
-      expect(original_override.csp.to_h).to eq(default_src: %w('self'), script_src: %w('self'))
-      override_config = Configuration.get(:second_override, internal: true)
-      expect(override_config.csp.to_h).to eq(default_src: %w('self'), script_src: %w('self' example.org))
+      expect(Configuration.overrides(:test_override)).to_not be_nil
     end
 
     it "deprecates the secure_cookies configuration" do
@@ -106,7 +51,7 @@ module SecureHeaders
         config.cookies = OPT_OUT
       end
 
-      config = Configuration.get(Configuration::DEFAULT_CONFIG, internal: true)
+      config = Configuration.dup
       expect(config.cookies).to eq(OPT_OUT)
     end
 
@@ -115,7 +60,7 @@ module SecureHeaders
         config.cookies = {httponly: true, secure: true, samesite: {lax: false}}
       end
 
-      config = Configuration.get(Configuration::DEFAULT_CONFIG, internal: true)
+      config = Configuration.dup
       expect(config.cookies).to eq({httponly: true, secure: true, samesite: {lax: false}})
     end
   end