secure_headers 5.2.0 → 6.0.0

data/spec/lib/secure_headers_spec.rb

@@ -17,10 +17,17 @@ module SecureHeaders
 
     it "raises a NotYetConfiguredError if trying to opt-out of unconfigured headers" do
       expect do
-        SecureHeaders.opt_out_of_header(request, ContentSecurityPolicyConfig::CONFIG_KEY)
+        SecureHeaders.opt_out_of_header(request, :csp)
       end.to raise_error(Configuration::NotYetConfiguredError)
     end
 
+    it "raises a AlreadyConfiguredError if trying to configure and default has already been set " do
+      Configuration.default
+      expect do
+        Configuration.default
+      end.to raise_error(Configuration::AlreadyConfiguredError)
+    end
+
     it "raises and ArgumentError when referencing an override that has not been set" do
       expect do
         Configuration.default
@@ -34,9 +41,9 @@ module SecureHeaders
           config.csp = { default_src: %w('self'), script_src: %w('self')}
           config.csp_report_only = config.csp
         end
-        SecureHeaders.opt_out_of_header(request, ContentSecurityPolicyConfig::CONFIG_KEY)
-        SecureHeaders.opt_out_of_header(request, ContentSecurityPolicyReportOnlyConfig::CONFIG_KEY)
-        SecureHeaders.opt_out_of_header(request, XContentTypeOptions::CONFIG_KEY)
+        SecureHeaders.opt_out_of_header(request, :csp)
+        SecureHeaders.opt_out_of_header(request, :csp_report_only)
+        SecureHeaders.opt_out_of_header(request, :x_content_type_options)
         hash = SecureHeaders.header_hash_for(request)
         expect(hash["Content-Security-Policy-Report-Only"]).to be_nil
         expect(hash["Content-Security-Policy"]).to be_nil
@@ -60,6 +67,24 @@ module SecureHeaders
         expect(hash["X-Frame-Options"]).to be_nil
       end
 
+      it "Overrides the current default config if default config changes during request" do
+        Configuration.default do |config|
+          config.x_frame_options = OPT_OUT
+        end
+
+        # Dynamically update the default config for this request
+        SecureHeaders.override_x_frame_options(request, "DENY")
+
+        Configuration.override(:dynamic_override) do |config|
+          config.x_content_type_options = "nosniff"
+        end
+
+        SecureHeaders.use_secure_headers_override(request, :dynamic_override)
+        hash = SecureHeaders.header_hash_for(request)
+        expect(hash["X-Content-Type-Options"]).to eq("nosniff")
+        expect(hash["X-Frame-Options"]).to eq("DENY")
+      end
+
       it "allows you to opt out entirely" do
         # configure the disabled-by-default headers to ensure they also do not get set
         Configuration.default do |config|
@@ -78,9 +103,6 @@ module SecureHeaders
         end
         SecureHeaders.opt_out_of_all_protection(request)
         hash = SecureHeaders.header_hash_for(request)
-        ALL_HEADER_CLASSES.each do |klass|
-          expect(hash[klass::CONFIG_KEY]).to be_nil
-        end
         expect(hash.count).to eq(0)
       end
 
@@ -105,27 +127,6 @@ module SecureHeaders
         expect(hash[XFrameOptions::HEADER_NAME]).to eq(XFrameOptions::SAMEORIGIN)
       end
 
-      it "produces a UA-specific CSP when overriding (and busting the cache)" do
-        Configuration.default do |config|
-          config.csp = {
-            default_src: %w('self'),
-            script_src: %w('self'),
-            child_src: %w('self')
-          }
-        end
-        firefox_request = Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:firefox]))
-
-        # append an unsupported directive
-        SecureHeaders.override_content_security_policy_directives(firefox_request, {plugin_types: %w(flash)})
-        # append a supported directive
-        SecureHeaders.override_content_security_policy_directives(firefox_request, {script_src: %w('self')})
-
-        hash = SecureHeaders.header_hash_for(firefox_request)
-
-        # child-src is translated to frame-src
-        expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; frame-src 'self'; script-src 'self'")
-      end
-
       it "produces a hash of headers with default config" do
         Configuration.default
         hash = SecureHeaders.header_hash_for(request)
@@ -175,22 +176,6 @@ module SecureHeaders
           expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; script-src mycdn.com 'unsafe-inline' anothercdn.com")
         end
 
-        it "child-src and frame-src must match" do
-          Configuration.default do |config|
-            config.csp = {
-              default_src: %w('self'),
-              frame_src: %w(frame_src.com),
-              script_src: %w('self')
-            }
-          end
-
-          SecureHeaders.append_content_security_policy_directives(chrome_request, child_src: %w(child_src.com))
-
-          expect {
-            SecureHeaders.header_hash_for(chrome_request)
-          }.to raise_error(ArgumentError)
-        end
-
         it "supports named appends" do
           Configuration.default do |config|
             config.csp = {
@@ -265,21 +250,6 @@ module SecureHeaders
           expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src https:; img-src data:; script-src 'self'")
         end
 
-        it "does not append a nonce when the browser does not support it" do
-          Configuration.default do |config|
-            config.csp = {
-              default_src: %w('self'),
-              script_src: %w(mycdn.com 'unsafe-inline'),
-              style_src: %w('self')
-            }
-          end
-
-          safari_request = Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:safari5]))
-          SecureHeaders.content_security_policy_script_nonce(safari_request)
-          hash = SecureHeaders.header_hash_for(safari_request)
-          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; script-src mycdn.com 'unsafe-inline'; style-src 'self'")
-        end
-
         it "appends a nonce to the script-src when used" do
           Configuration.default do |config|
             config.csp = {
@@ -297,21 +267,7 @@ module SecureHeaders
           SecureHeaders.content_security_policy_script_nonce(chrome_request)
 
           hash = SecureHeaders.header_hash_for(chrome_request)
-          expect(hash["Content-Security-Policy"]).to eq("default-src 'self'; script-src mycdn.com 'nonce-#{nonce}'; style-src 'self'")
-        end
-
-        it "uses a nonce for safari 10+" do
-          Configuration.default do |config|
-            config.csp = {
-              default_src: %w('self'),
-              script_src: %w(mycdn.com)
-            }
-          end
-
-          safari_request = Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:safari10]))
-          nonce = SecureHeaders.content_security_policy_script_nonce(safari_request)
-          hash = SecureHeaders.header_hash_for(safari_request)
-          expect(hash["Content-Security-Policy"]).to eq("default-src 'self'; script-src mycdn.com 'nonce-#{nonce}'")
+          expect(hash["Content-Security-Policy"]).to eq("default-src 'self'; script-src mycdn.com 'nonce-#{nonce}' 'unsafe-inline'; style-src 'self'")
         end
 
         it "does not support the deprecated `report_only: true` format" do
@@ -322,7 +278,7 @@ module SecureHeaders
                 report_only: true
               }
             end
-          }.to raise_error(ArgumentError)
+          }.to raise_error(ContentSecurityPolicyConfigError)
         end
 
         it "Raises an error if csp_report_only is used with `report_only: false`" do
@@ -349,6 +305,7 @@ module SecureHeaders
           end
 
           it "sets identical values when the configs are the same" do
+            reset_config
             Configuration.default do |config|
               config.csp = {
                 default_src: %w('self'),
@@ -366,6 +323,7 @@ module SecureHeaders
           end
 
           it "sets different headers when the configs are different" do
+            reset_config
             Configuration.default do |config|
               config.csp = {
                 default_src: %w('self'),
@@ -376,10 +334,11 @@ module SecureHeaders
 
             hash = SecureHeaders.header_hash_for(request)
             expect(hash["Content-Security-Policy"]).to eq("default-src 'self'; script-src 'self'")
-            expect(hash["Content-Security-Policy-Report-Only"]).to eq("default-src 'self'; script-src 'self' foo.com")
+            expect(hash["Content-Security-Policy-Report-Only"]).to eq("default-src 'self'; script-src foo.com")
           end
 
           it "allows you to opt-out of enforced CSP" do
+            reset_config
             Configuration.default do |config|
               config.csp = SecureHeaders::OPT_OUT
               config.csp_report_only = {
@@ -437,6 +396,7 @@ module SecureHeaders
 
           context "when inferring which config to modify" do
             it "updates the enforced header when configured" do
+              reset_config
               Configuration.default do |config|
                 config.csp = {
                   default_src: %w('self'),
@@ -451,6 +411,7 @@ module SecureHeaders
             end
 
             it "updates the report only header when configured" do
+              reset_config
               Configuration.default do |config|
                 config.csp = OPT_OUT
                 config.csp_report_only = {
@@ -466,6 +427,7 @@ module SecureHeaders
             end
 
             it "updates both headers if both are configured" do
+              reset_config
               Configuration.default do |config|
                 config.csp = {
                   default_src: %w(enforced.com),

data/spec/spec_helper.rb

@@ -26,6 +26,7 @@ USER_AGENTS = {
 
 def expect_default_values(hash)
   expect(hash[SecureHeaders::ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; object-src 'none'; script-src https:; style-src 'self' https: 'unsafe-inline'")
+  expect(hash[SecureHeaders::ContentSecurityPolicyReportOnlyConfig::HEADER_NAME]).to be_nil
   expect(hash[SecureHeaders::XFrameOptions::HEADER_NAME]).to eq(SecureHeaders::XFrameOptions::DEFAULT_VALUE)
   expect(hash[SecureHeaders::XDownloadOptions::HEADER_NAME]).to eq(SecureHeaders::XDownloadOptions::DEFAULT_VALUE)
   expect(hash[SecureHeaders::StrictTransportSecurity::HEADER_NAME]).to eq(SecureHeaders::StrictTransportSecurity::DEFAULT_VALUE)
@@ -34,18 +35,21 @@ def expect_default_values(hash)
   expect(hash[SecureHeaders::XPermittedCrossDomainPolicies::HEADER_NAME]).to eq(SecureHeaders::XPermittedCrossDomainPolicies::DEFAULT_VALUE)
   expect(hash[SecureHeaders::ReferrerPolicy::HEADER_NAME]).to be_nil
   expect(hash[SecureHeaders::ExpectCertificateTransparency::HEADER_NAME]).to be_nil
+  expect(hash[SecureHeaders::ClearSiteData::HEADER_NAME]).to be_nil
+  expect(hash[SecureHeaders::ExpectCertificateTransparency::HEADER_NAME]).to be_nil
+  expect(hash[SecureHeaders::PublicKeyPins::HEADER_NAME]).to be_nil
 end
 
 module SecureHeaders
   class Configuration
     class << self
-      def clear_configurations
-        @configurations = nil
+      def clear_default_config
+        remove_instance_variable(:@default_config) if defined?(@default_config)
       end
     end
   end
 end
 
 def reset_config
-  SecureHeaders::Configuration.clear_configurations
+  SecureHeaders::Configuration.clear_default_config
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 5.2.0
+  version: 6.0.0
 platform: ruby
 authors:
 - Neil Matatall
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-01-21 00:00:00.000000000 Z
+date: 2018-05-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -24,20 +24,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: useragent
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.15.0
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.15.0
 description: Manages application of security headers with many safe defaults.
 email:
 - neil.matatall@gmail.com
@@ -69,6 +55,7 @@ files:
 - docs/upgrading-to-3-0.md
 - docs/upgrading-to-4-0.md
 - docs/upgrading-to-5-0.md
+- docs/upgrading-to-6-0.md
 - lib/secure_headers.rb
 - lib/secure_headers/configuration.rb
 - lib/secure_headers/hash_helper.rb