secure_headers 6.0.0.alpha01 → 6.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: cd74fc8e9c9057255c1e6c75bc78554ec6751459
-  data.tar.gz: 2f72e782c0800b5bf124d841a0d556d321b1cb5f
+  metadata.gz: 6d7392744d486b32bda2b91432d39ddfeee87dfd
+  data.tar.gz: 38328982bf71376b9412ed8c7d0652163741bf16
 SHA512:
-  metadata.gz: 53ff0d4849c3892fbf4e35270c011d9d6c8da3984958fdc17f9669b32f0d9d39542dc4411323fe93bbf21137f0c8cfe26565a5836548061414153a2abd2dd949
-  data.tar.gz: 7472a097ae0926655aace8f5f719a4306920b08e4a1b798a588034d51a1446f51f442deb7c3f298d23481d52f2aa1b210ffb40b629671f449f63b7570a7ec2b0
+  metadata.gz: e08d9df89db6908d0c8419d0086bf8fb6c7e374c53e0bf774bd74d534094c66ef3cdcbac23e97c03b05d4045ba6878c3f6d8a17877146bdb6f2f0c15b57d1784
+  data.tar.gz: 304824374c236d11edc52049732a2ea133bbbdf611f35b2c5309a950125e879fb4016f0f15d7ad6c09310ab4b6080e966fac912147f43ed91989aa15898595a7

data/CHANGELOG.md

@@ -1,10 +1,10 @@
 ## 6.0
 
 - See the [upgrading to 6.0](docs/upgrading-to-6-0.md) guide for the breaking changes.
-=======
+
 ## 5.0.5
 
-A release to deprecate `SecureHeaders::Configuration#get` in prep for 6.x
+- A release to deprecate `SecureHeaders::Configuration#get` in prep for 6.x
 
 ## 5.0.4
 

data/README.md

@@ -1,6 +1,6 @@
 # Secure Headers [![Build Status](https://travis-ci.org/twitter/secureheaders.svg?branch=master)](http://travis-ci.org/twitter/secureheaders) [![Code Climate](https://codeclimate.com/github/twitter/secureheaders.svg)](https://codeclimate.com/github/twitter/secureheaders) [![Coverage Status](https://coveralls.io/repos/twitter/secureheaders/badge.svg)](https://coveralls.io/r/twitter/secureheaders)
 
-**master represents 5.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md) and [upgrading to 5.x doc](docs/upgrading-to-5-0.md) for instructions on how to upgrade. Bug fixes should go in the 3.x branch for now.
+**master represents 6.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md), [upgrading to 5.x doc](docs/upgrading-to-5-0.md), or [upgrading to 6.x doc](docs/upgrading-to-6-0.md) for instructions on how to upgrade. Bug fixes should go in the 5.x branch for now.
 
 **The [3.x](https://github.com/twitter/secureheaders/tree/2.x) branch is moving into maintenance mode**. See the [upgrading to 3.x doc](docs/upgrading-to-3-0.md) for instructions on how to upgrade including the differences and benefits of using the 3.x branch.
 
@@ -77,7 +77,7 @@ SecureHeaders::Configuration.default do |config|
     preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
 
     # directive values: these values will directly translate into source directives
-    default_src: %w(https: 'self'),
+    default_src: %w('none'),
     base_uri: %w('self'),
     block_all_mixed_content: true, # see http://www.w3.org/TR/mixed-content/
     child_src: %w('self'), # if child-src isn't supported, the value for frame-src will be set.

data/docs/upgrading-to-6-0.md

@@ -43,8 +43,8 @@ Prior to 6.0.0 SecureHeaders pre-built and cached the headers that corresponded
 
 Prior to 6.0.0 you could conceivably, though unlikely, have `Configure#default` called more than once. Because configurations are dynamic, configuring more than once could result in unexpected behavior. So, as of 6.0.0 we raise `AlreadyConfiguredError` if the default configuration is setup more than once.
 
-## Nonce behavior and console warnings
+## All user agent sniffing has been removed
 
-Since the first commit, reducing browser console messages was a goal. It led to overly complicated and error-prone UA sniffing. Nowadays, consoles warn on completely legitimate use of features meant to be backwards compatible. So the goal is impossible and the impact is negative, so eliminating code using sniffing is a goal.
+The policy configured is the policy that is delivered in terms of which directives are sent. We still dedup, strip schemes, and look for other optimizations but we will not e.g. conditionally send `frame-src` / `child-src` or apply `nonce`s / `unsafe-inline`.
 
-The first example: we will now send `'unsafe-inline'` along with nonce source expressions. This will generate warnings in some consoles but is 100% valid use and was a design goal of CSP in the early days. The concept of versioning CSP lost out and so we're left with backward compatibility as our only option.
+The primary reason for these per-browser customization was to reduce console warnings. This has lead to many bugs and results inc confusing behavior. Also, console logs are incredibly noisy today and increasingly warn you about perfectly valid things (like sending `X-Frame-Options` and `frame-ancestors` together).

data/lib/secure_headers/configuration.rb

@@ -194,11 +194,11 @@ module SecureHeaders
       self
     end
 
-    def generate_headers(user_agent)
+    def generate_headers
       headers = {}
       HEADERABLE_ATTRIBUTES.each do |attr|
         klass = CONFIG_ATTRIBUTES_TO_HEADER_CLASSES[attr]
-        header_name, value = klass.make_header(instance_variable_get("@#{attr}"), user_agent)
+        header_name, value = klass.make_header(instance_variable_get("@#{attr}"))
         if header_name && value
           headers[header_name] = value
         end

data/lib/secure_headers/headers/content_security_policy.rb

@@ -1,19 +1,12 @@
 # frozen_string_literal: true
 require_relative "policy_management"
 require_relative "content_security_policy_config"
-require "useragent"
 
 module SecureHeaders
   class ContentSecurityPolicy
     include PolicyManagement
 
-    # constants to be used for version-specific UA sniffing
-    VERSION_46 = ::UserAgent::Version.new("46")
-    VERSION_10 = ::UserAgent::Version.new("10")
-    FALLBACK_VERSION = ::UserAgent::Version.new("0")
-
-    def initialize(config = nil, user_agent = OTHER)
-      user_agent ||= OTHER
+    def initialize(config = nil)
       @config = if config.is_a?(Hash)
         if config[:report_only]
           ContentSecurityPolicyReportOnlyConfig.new(config || DEFAULT_CONFIG)
@@ -26,12 +19,6 @@ module SecureHeaders
         config
       end
 
-      @parsed_ua = if user_agent.is_a?(UserAgent::Browsers::Base)
-        user_agent
-      else
-        UserAgent.parse(user_agent)
-      end
-      @frame_src = normalize_child_frame_src
       @preserve_schemes = @config.preserve_schemes
       @script_nonce = @config.script_nonce
       @style_nonce = @config.style_nonce
@@ -56,20 +43,10 @@ module SecureHeaders
 
     private
 
-    def normalize_child_frame_src
-      if @config.frame_src && @config.child_src && @config.frame_src != @config.child_src
-        raise ArgumentError, "#{Kernel.caller.first}: both :child_src and :frame_src supplied and do not match. This can lead to inconsistent behavior across browsers."
-      end
-
-      @config.frame_src || @config.child_src
-    end
-
     # Private: converts the config object into a string representing a policy.
     # Places default-src at the first directive and report-uri as the last. All
     # others are presented in alphabetical order.
     #
-    # Unsupported directives are filtered based on the user agent.
-    #
     # Returns a content security policy header value.
     def build_value
       directives.map do |directive_name|
@@ -125,18 +102,7 @@ module SecureHeaders
     #
     # Returns a string representing a directive.
     def build_source_list_directive(directive)
-      source_list = case directive
-      when :child_src
-        if supported_directives.include?(:child_src)
-          @frame_src
-        end
-      when :frame_src
-        unless supported_directives.include?(:child_src)
-          @frame_src
-        end
-      else
-        @config.directive_value(directive)
-      end
+      source_list = @config.directive_value(directive)
 
       if source_list != OPT_OUT && source_list && source_list.any?
         normalized_source_list = minify_source_list(directive, source_list)
@@ -219,13 +185,13 @@ module SecureHeaders
       source_list
     end
 
-    # Private: return the list of directives that are supported by the user agent,
+    # Private: return the list of directives,
     # starting with default-src and ending with report-uri.
     def directives
       [
         DEFAULT_SRC,
-        BODY_DIRECTIVES.select { |key| supported_directives.include?(key) },
-        REPORT_URI
+        BODY_DIRECTIVES,
+        REPORT_URI,
       ].flatten
     end
 
@@ -234,25 +200,6 @@ module SecureHeaders
       source_list.map { |source_expression| source_expression.sub(HTTP_SCHEME_REGEX, "") }
     end
 
-    # Private: determine which directives are supported for the given user agent.
-    #
-    # Add UA-sniffing special casing here.
-    #
-    # Returns an array of symbols representing the directives.
-    def supported_directives
-      @supported_directives ||= if VARIATIONS[@parsed_ua.browser]
-        if @parsed_ua.browser == "Firefox" && ((@parsed_ua.version || FALLBACK_VERSION) >= VERSION_46)
-          VARIATIONS["FirefoxTransitional"]
-        elsif @parsed_ua.browser == "Safari" && ((@parsed_ua.version || FALLBACK_VERSION) >= VERSION_10)
-          VARIATIONS["SafariTransitional"]
-        else
-          VARIATIONS[@parsed_ua.browser]
-        end
-      else
-        VARIATIONS[OTHER]
-      end
-    end
-
     def symbol_to_hyphen_case(sym)
       sym.to_s.tr("_", "-")
     end

data/lib/secure_headers/headers/policy_management.rb

@@ -81,58 +81,12 @@ module SecureHeaders
       UPGRADE_INSECURE_REQUESTS
     ].flatten.freeze
 
-    EDGE_DIRECTIVES = DIRECTIVES_1_0
-    SAFARI_DIRECTIVES = DIRECTIVES_1_0
-    SAFARI_10_DIRECTIVES = DIRECTIVES_2_0
-
-    FIREFOX_UNSUPPORTED_DIRECTIVES = [
-      BLOCK_ALL_MIXED_CONTENT,
-      CHILD_SRC,
-      WORKER_SRC,
-      PLUGIN_TYPES
-    ].freeze
-
-    FIREFOX_46_DEPRECATED_DIRECTIVES = [
-      FRAME_SRC
-    ].freeze
-
-    FIREFOX_46_UNSUPPORTED_DIRECTIVES = [
-      BLOCK_ALL_MIXED_CONTENT,
-      WORKER_SRC,
-      PLUGIN_TYPES
-    ].freeze
-
-    FIREFOX_DIRECTIVES = (
-      DIRECTIVES_3_0 - FIREFOX_UNSUPPORTED_DIRECTIVES
-    ).freeze
-
-    FIREFOX_46_DIRECTIVES = (
-      DIRECTIVES_3_0 - FIREFOX_46_UNSUPPORTED_DIRECTIVES - FIREFOX_46_DEPRECATED_DIRECTIVES
-    ).freeze
-
-    CHROME_DIRECTIVES = (
-      DIRECTIVES_3_0
-    ).freeze
-
     ALL_DIRECTIVES = (DIRECTIVES_1_0 + DIRECTIVES_2_0 + DIRECTIVES_3_0).uniq.sort
 
     # Think of default-src and report-uri as the beginning and end respectively,
     # everything else is in between.
     BODY_DIRECTIVES = ALL_DIRECTIVES - [DEFAULT_SRC, REPORT_URI]
 
-    VARIATIONS = {
-      "Chrome" => CHROME_DIRECTIVES,
-      "Opera" => CHROME_DIRECTIVES,
-      "Firefox" => FIREFOX_DIRECTIVES,
-      "FirefoxTransitional" => FIREFOX_46_DIRECTIVES,
-      "Safari" => SAFARI_DIRECTIVES,
-      "SafariTransitional" => SAFARI_10_DIRECTIVES,
-      "Edge" => EDGE_DIRECTIVES,
-      "Other" => CHROME_DIRECTIVES
-    }.freeze
-
-    OTHER = "Other".freeze
-
     DIRECTIVE_VALUE_TYPES = {
       BASE_URI                  => :source_list,
       BLOCK_ALL_MIXED_CONTENT   => :boolean,
@@ -199,9 +153,9 @@ module SecureHeaders
       #
       # Returns a default policy if no configuration is provided, or a
       # header name and value based on the config.
-      def make_header(config, user_agent = nil)
+      def make_header(config)
         return if config.nil? || config == OPT_OUT
-        header = new(config, user_agent)
+        header = new(config)
         [header.name, header.value]
       end
 
@@ -303,17 +257,11 @@ module SecureHeaders
           # Don't set a default if directive has an existing value
           next if original[directive]
           if FETCH_SOURCES.include?(directive)
-            original[directive] = default_for(directive, original)
+            original[directive] = original[DEFAULT_SRC]
           end
         end
       end
 
-      def default_for(directive, original)
-        return original[FRAME_SRC] if directive == CHILD_SRC && original[FRAME_SRC]
-        return original[CHILD_SRC] if directive == FRAME_SRC && original[CHILD_SRC]
-        original[DEFAULT_SRC]
-      end
-
       def source_list?(directive)
         DIRECTIVE_VALUE_TYPES[directive] == :source_list
       end

data/lib/secure_headers/view_helper.rb

@@ -19,7 +19,7 @@ module SecureHeaders
     #
     # Returns an html-safe link tag with the nonce attribute.
     def nonced_stylesheet_link_tag(*args, &block)
-      opts = extract_options(args).merge(nonce: content_security_policy_nonce(:style))
+      opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:style))
 
       stylesheet_link_tag(*args, opts, &block)
     end
@@ -37,7 +37,7 @@ module SecureHeaders
     #
     # Returns an html-safe script tag with the nonce attribute.
     def nonced_javascript_include_tag(*args, &block)
-      opts = extract_options(args).merge(nonce: content_security_policy_nonce(:script))
+      opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:script))
 
       javascript_include_tag(*args, opts, &block)
     end
@@ -47,7 +47,7 @@ module SecureHeaders
     #
     # Returns an html-safe script tag with the nonce attribute.
     def nonced_javascript_pack_tag(*args, &block)
-      opts = extract_options(args).merge(nonce: content_security_policy_nonce(:script))
+      opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:script))
 
       javascript_pack_tag(*args, opts, &block)
     end
@@ -57,7 +57,7 @@ module SecureHeaders
     #
     # Returns an html-safe link tag with the nonce attribute.
     def nonced_stylesheet_pack_tag(*args, &block)
-      opts = extract_options(args).merge(nonce: content_security_policy_nonce(:style))
+      opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:style))
 
       stylesheet_pack_tag(*args, opts, &block)
     end
@@ -66,7 +66,7 @@ module SecureHeaders
     # Instructs secure_headers to append a nonce to style/script-src directives.
     #
     # Returns a non-html-safe nonce value.
-    def content_security_policy_nonce(type)
+    def _content_security_policy_nonce(type)
       case type
       when :script
         SecureHeaders.content_security_policy_script_nonce(@_request)
@@ -74,13 +74,14 @@ module SecureHeaders
         SecureHeaders.content_security_policy_style_nonce(@_request)
       end
     end
+    alias_method :content_security_policy_nonce, :_content_security_policy_nonce
 
     def content_security_policy_script_nonce
-      content_security_policy_nonce(:script)
+      _content_security_policy_nonce(:script)
     end
 
     def content_security_policy_style_nonce
-      content_security_policy_nonce(:style)
+      _content_security_policy_nonce(:style)
     end
 
     ##
@@ -152,7 +153,7 @@ module SecureHeaders
       else
         content_or_options.html_safe # :'(
       end
-      content_tag type, content, options.merge(nonce: content_security_policy_nonce(type))
+      content_tag type, content, options.merge(nonce: _content_security_policy_nonce(type))
     end
 
     def extract_options(args)

data/lib/secure_headers.rb

@@ -15,7 +15,6 @@ require "secure_headers/headers/expect_certificate_transparency"
 require "secure_headers/middleware"
 require "secure_headers/railtie"
 require "secure_headers/view_helper"
-require "useragent"
 require "singleton"
 require "secure_headers/configuration"
 
@@ -149,8 +148,7 @@ module SecureHeaders
       prevent_dup = true
       config = config_for(request, prevent_dup)
       config.validate_config!
-      user_agent = UserAgent.parse(request.user_agent)
-      headers = config.generate_headers(user_agent)
+      headers = config.generate_headers
 
       if request.scheme != HTTPS
         HTTPS_HEADER_CLASSES.each do |klass|

data/secure_headers.gemspec

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "6.0.0.alpha01"
+  gem.version       = "6.0.0"
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
   gem.description   = "Manages application of security headers with many safe defaults."
@@ -16,5 +16,4 @@ Gem::Specification.new do |gem|
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ["lib"]
   gem.add_development_dependency "rake"
-  gem.add_dependency "useragent", ">= 0.15.0"
 end

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -116,73 +116,10 @@ module SecureHeaders
         ContentSecurityPolicy.new(default_src: %w('self'), frame_src: %w('self')).value
       end
 
-      it "raises an error when child-src and frame-src are supplied but are not equal" do
-        expect {
-          ContentSecurityPolicy.new(default_src: %w('self'), child_src: %w(child-src.com), frame_src: %w(frame-src,com)).value
-        }.to raise_error(ArgumentError)
-      end
-
       it "supports strict-dynamic" do
-        csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456}, USER_AGENTS[:chrome])
+        csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456})
         expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456' 'unsafe-inline'")
       end
-
-      context "browser sniffing" do
-        let (:complex_opts) do
-          (ContentSecurityPolicy::ALL_DIRECTIVES - [:frame_src]).each_with_object({}) do |directive, hash|
-            hash[directive] = ["#{directive.to_s.gsub("_", "-")}.com"]
-          end.merge({
-            block_all_mixed_content: true,
-            upgrade_insecure_requests: true,
-            script_src: %w(script-src.com),
-            script_nonce: 123456,
-            sandbox: %w(allow-forms),
-            plugin_types: %w(application/pdf)
-          })
-        end
-
-        it "does not filter any directives for Chrome" do
-          policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:chrome])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456' 'unsafe-inline'; style-src style-src.com; upgrade-insecure-requests; worker-src worker-src.com; report-uri report-uri.com")
-        end
-
-        it "does not filter any directives for Opera" do
-          policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:opera])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456' 'unsafe-inline'; style-src style-src.com; upgrade-insecure-requests; worker-src worker-src.com; report-uri report-uri.com")
-        end
-
-        it "filters blocked-all-mixed-content, child-src, and plugin-types for firefox" do
-          policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:firefox])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'nonce-123456' 'unsafe-inline'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
-        end
-
-        it "filters blocked-all-mixed-content, frame-src, and plugin-types for firefox 46 and higher" do
-          policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:firefox46])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'nonce-123456' 'unsafe-inline'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
-        end
-
-        it "child-src value is copied to frame-src, adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, upgrade-insecure-requests, child-src, form-action, frame-ancestors, hash sources, and plugin-types for Edge" do
-          policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:edge])
-          expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'nonce-123456' 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
-        end
-
-        it "child-src value is copied to frame-src, adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, upgrade-insecure-requests, child-src, form-action, frame-ancestors, hash sources, and plugin-types for safari" do
-          policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:safari6])
-          expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'nonce-123456' 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
-        end
-
-        it "adds 'unsafe-inline', filters  blocked-all-mixed-content, upgrade-insecure-requests, and hash sources for safari 10 and higher" do
-          policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:safari10])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456' 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
-        end
-
-        it "falls back to standard Firefox defaults when the useragent version is not present" do
-          ua = USER_AGENTS[:firefox].dup
-          allow(ua).to receive(:version).and_return(nil)
-          policy = ContentSecurityPolicy.new(complex_opts, ua)
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'nonce-123456' 'unsafe-inline'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
-        end
-      end
     end
   end
 end

data/spec/lib/secure_headers/headers/policy_management_spec.rb

@@ -190,7 +190,7 @@ module SecureHeaders
         report_uri = "https://report-uri.io/asdf"
         default_policy = Configuration.dup
         combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, report_uri: [report_uri])
-        csp = ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox])
+        csp = ContentSecurityPolicy.new(combined_config)
         expect(csp.value).to include("report-uri #{report_uri}")
       end
 
@@ -223,7 +223,7 @@ module SecureHeaders
         end
         default_policy = Configuration.dup
         combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, report_only: true)
-        csp = ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox])
+        csp = ContentSecurityPolicy.new(combined_config)
         expect(csp.name).to eq(ContentSecurityPolicyReportOnlyConfig::HEADER_NAME)
       end
 

data/spec/lib/secure_headers/view_helpers_spec.rb

@@ -97,6 +97,12 @@ TEMPLATE
   end
 end
 
+class MessageWithConflictingMethod < Message
+  def content_security_policy_nonce
+    "rails-nonce"
+  end
+end
+
 module SecureHeaders
   describe ViewHelpers do
     let(:app) { lambda { |env| [200, env, "app"] } }
@@ -159,5 +165,27 @@ module SecureHeaders
         expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/style-src[^;]*'#{Regexp.escape(expected_style_hash)}'/)
       end
     end
+
+    it "avoids calling content_security_policy_nonce internally" do
+      begin
+        allow(SecureRandom).to receive(:base64).and_return("abc123")
+
+        expected_hash = "sha256-3/URElR9+3lvLIouavYD/vhoICSNKilh15CzI/nKqg8="
+        Configuration.instance_variable_set(:@script_hashes, filename => ["'#{expected_hash}'"])
+        expected_style_hash = "sha256-7oYK96jHg36D6BM042er4OfBnyUDTG3pH1L8Zso3aGc="
+        Configuration.instance_variable_set(:@style_hashes, filename => ["'#{expected_style_hash}'"])
+
+        # render erb that calls out to helpers.
+        MessageWithConflictingMethod.new(request).result
+        _, env = middleware.call request.env
+
+        expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/script-src[^;]*'#{Regexp.escape(expected_hash)}'/)
+        expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/script-src[^;]*'nonce-abc123'/)
+        expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/style-src[^;]*'nonce-abc123'/)
+        expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/style-src[^;]*'#{Regexp.escape(expected_style_hash)}'/)
+
+        expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).not_to match(/rails-nonce/)
+      end
+    end
   end
 end

data/spec/lib/secure_headers_spec.rb

@@ -127,27 +127,6 @@ module SecureHeaders
         expect(hash[XFrameOptions::HEADER_NAME]).to eq(XFrameOptions::SAMEORIGIN)
       end
 
-      it "produces a UA-specific CSP when overriding (and busting the cache)" do
-        Configuration.default do |config|
-          config.csp = {
-            default_src: %w('self'),
-            script_src: %w('self'),
-            child_src: %w('self')
-          }
-        end
-        firefox_request = Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:firefox]))
-
-        # append an unsupported directive
-        SecureHeaders.override_content_security_policy_directives(firefox_request, {plugin_types: %w(application/pdf)})
-        # append a supported directive
-        SecureHeaders.override_content_security_policy_directives(firefox_request, {script_src: %w('self')})
-
-        hash = SecureHeaders.header_hash_for(firefox_request)
-
-        # child-src is translated to frame-src
-        expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; frame-src 'self'; script-src 'self'")
-      end
-
       it "produces a hash of headers with default config" do
         Configuration.default
         hash = SecureHeaders.header_hash_for(request)
@@ -197,22 +176,6 @@ module SecureHeaders
           expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; script-src mycdn.com 'unsafe-inline' anothercdn.com")
         end
 
-        it "child-src and frame-src must match" do
-          Configuration.default do |config|
-            config.csp = {
-              default_src: %w('self'),
-              frame_src: %w(frame_src.com),
-              script_src: %w('self')
-            }
-          end
-
-          SecureHeaders.append_content_security_policy_directives(chrome_request, child_src: %w(child_src.com))
-
-          expect {
-            SecureHeaders.header_hash_for(chrome_request)
-          }.to raise_error(ArgumentError)
-        end
-
         it "supports named appends" do
           Configuration.default do |config|
             config.csp = {

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 6.0.0.alpha01
+  version: 6.0.0
 platform: ruby
 authors:
 - Neil Matatall
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-02-13 00:00:00.000000000 Z
+date: 2018-05-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -24,20 +24,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: useragent
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.15.0
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.15.0
 description: Manages application of security headers with many safe defaults.
 email:
 - neil.matatall@gmail.com
@@ -126,9 +112,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
 rubyforge_project: 
 rubygems_version: 2.6.13