secure_headers 6.3.2 → 6.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5e68ad14ceec22ceeeabe2f49b47ad9325f43585cbb688f9f6ffe9c9f3536abc
-  data.tar.gz: ffab69d446b3935d4cf01ad21c660d8035ab8ecd4343d682841510509bb8b714
+  metadata.gz: e5372953d5180d45526a777c1b66e7e86a8ccfca08f6b7b613549d8ba1509a6e
+  data.tar.gz: 0d1cc3b012df7b1cfd549bcf09063a390945b05c03009acda31017f859ff7d2d
 SHA512:
-  metadata.gz: 02a79d8c96fd8d64eba216bd8785ae2deee7dceb7ef388f65e100f1597ed1f3005ecbeb069e823beef5fcdf89a6998ea296d954e3d80de0ba61456a13445b6e3
-  data.tar.gz: 645a0f3aac96761574b57e4464b08c83cbf6839fc4a0503e54dedd768aebdb503a080ee368753add3ab0c2a3eeb31bd4f866f0e39ed7691c17587ad7125299eb
+  metadata.gz: 35844f24ecb678a83548492545403bc174a6d0ce74896f7817d93cb30f62d97b415ea876dccd3efbed7cad3e5dd5c9cda4f676f7dc2c858b2f2010f2c33a0f73
+  data.tar.gz: 196a212de355c06a2a3fee6c22302fb1bfd7471dba402124adc7072f90dbd0c4a5b3ee8fa7604d0b164479717bfb65050d3b4802948410b61aba3382d5c8eb39

data/.github/workflows/build.yml

@@ -7,12 +7,12 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        ruby: [ '2.4', '2.5', '2.6', '2.7' ]
+        ruby: [ '2.5', '2.6', '2.7', '3.0', '3.1' ]
 
     steps:
     - uses: actions/checkout@v2
     - name: Set up Ruby ${{ matrix.ruby }}
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
         ruby-version: ${{ matrix.ruby }}
     - name: Build and test with Rake

data/.github/workflows/github-release.yml

@@ -0,0 +1,28 @@
+name: GitHub Release
+
+on:
+  push:
+    tags:
+      - v*
+
+jobs:
+  Publish:
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/v')
+    steps:
+      - name: Calculate release name
+        run: |
+          GITHUB_REF=${{ github.ref }}
+          RELEASE_NAME=${GITHUB_REF#"refs/tags/"}
+          echo "RELEASE_NAME=${RELEASE_NAME}" >> $GITHUB_ENV
+      - name: Publish release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.ref }}
+          release_name: ${{ env.RELEASE_NAME }}
+          draft: false
+          prerelease: false

data/CHANGELOG.md

@@ -1,3 +1,15 @@
+## 6.4.0
+
+- CSP: Add support for trusted-types, require-trusted-types-for directive (@JackMc): https://github.com/github/secure_headers/pull/486
+
+## 6.3.4
+
+- CSP: Do not deduplicate alternate schema source expressions (@keithamus): https://github.com/github/secure_headers/pull/478
+
+## 6.3.3
+
+Fix hash generation for indented helper methods (@rahearn)
+
 ## 6.3.2
 
 Add support for style-src-attr, style-src-elem, script-src-attr, and script-src-elem directives (@ggalmazor)

data/Gemfile

@@ -9,7 +9,7 @@ group :test do
   gem "pry-nav"
   gem "rack"
   gem "rspec"
-  gem "rubocop", "< 0.68"
+  gem "rubocop"
   gem "rubocop-github"
   gem "rubocop-performance"
   gem "term-ansicolor"

data/README.md

@@ -3,7 +3,7 @@
 **main branch represents 6.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md), [upgrading to 5.x doc](docs/upgrading-to-5-0.md), or [upgrading to 6.x doc](docs/upgrading-to-6-0.md) for instructions on how to upgrade. Bug fixes should go in the 5.x branch for now.
 
 The gem will automatically apply several headers that are related to security.  This includes:
-- Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack.  [CSP 2 Specification](http://www.w3.org/TR/CSP2/)
+- Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack.  [CSP 2 Specification](https://www.w3.org/TR/CSP2/)
   - https://csp.withgoogle.com
   - https://csp.withgoogle.com/docs/strict-csp.html
   - https://csp-evaluator.withgoogle.com
@@ -62,7 +62,7 @@ SecureHeaders::Configuration.default do |config|
     # directive values: these values will directly translate into source directives
     default_src: %w('none'),
     base_uri: %w('self'),
-    block_all_mixed_content: true, # see http://www.w3.org/TR/mixed-content/
+    block_all_mixed_content: true, # see https://www.w3.org/TR/mixed-content/
     child_src: %w('self'), # if child-src isn't supported, the value for frame-src will be set.
     connect_src: %w(wss:),
     font_src: %w('self' data:),
@@ -170,7 +170,7 @@ If you've made a contribution and see your name missing from the list, make a PR
 * Node.js (express) [helmet](https://github.com/helmetjs/helmet) and [hood](https://github.com/seanmonstar/hood)
 * Node.js (hapi) [blankie](https://github.com/nlf/blankie)
 * ASP.NET - [NWebsec](https://github.com/NWebsec/NWebsec/wiki)
-* Python - [django-csp](https://github.com/mozilla/django-csp) + [commonware](https://github.com/jsocol/commonware/); [django-security](https://github.com/sdelements/django-security)
+* Python - [django-csp](https://github.com/mozilla/django-csp) + [commonware](https://github.com/jsocol/commonware/); [django-security](https://github.com/sdelements/django-security), [secure](https://github.com/TypeError/secure)
 * Go - [secureheader](https://github.com/kr/secureheader)
 * Elixir [secure_headers](https://github.com/anotherhale/secure_headers)
 * Dropwizard [dropwizard-web-security](https://github.com/palantir/dropwizard-web-security)

data/docs/per_action_configuration.md

@@ -54,7 +54,7 @@ Code  | Result
 
 #### Nonce
 
-You can use a view helper to automatically add nonces to script tags:
+You can use a view helper to automatically add nonces to script tags. Currently, using a nonce helper or calling `content_security_policy_nonce` will populate all configured CSP headers, including report-only and enforced policies. 
 
 ```erb
 <%= nonced_javascript_tag do %>
@@ -120,9 +120,7 @@ You can clear the browser cache after the logout request by using the following.
 class ApplicationController < ActionController::Base
   # Configuration override to send the Clear-Site-Data header.
   SecureHeaders::Configuration.override(:clear_browser_cache) do |config|
-    config.clear_site_data = [
-      SecureHeaders::ClearSiteData::ALL_TYPES
-    ]
+    config.clear_site_data = SecureHeaders::ClearSiteData::ALL_TYPES
   end
 
 

data/lib/secure_headers/configuration.rb

@@ -84,11 +84,12 @@ module SecureHeaders
       def deep_copy(config)
         return unless config
         config.each_with_object({}) do |(key, value), hash|
-          hash[key] = if value.is_a?(Array)
-            value.dup
-          else
-            value
-          end
+          hash[key] =
+            if value.is_a?(Array)
+              value.dup
+            else
+              value
+            end
         end
       end
 

data/lib/secure_headers/headers/content_security_policy.rb

@@ -7,17 +7,18 @@ module SecureHeaders
     include PolicyManagement
 
     def initialize(config = nil)
-      @config = if config.is_a?(Hash)
-        if config[:report_only]
-          ContentSecurityPolicyReportOnlyConfig.new(config || DEFAULT_CONFIG)
+      @config =
+        if config.is_a?(Hash)
+          if config[:report_only]
+            ContentSecurityPolicyReportOnlyConfig.new(config || DEFAULT_CONFIG)
+          else
+            ContentSecurityPolicyConfig.new(config || DEFAULT_CONFIG)
+          end
+        elsif config.nil?
+          ContentSecurityPolicyConfig.new(DEFAULT_CONFIG)
         else
-          ContentSecurityPolicyConfig.new(config || DEFAULT_CONFIG)
+          config
         end
-      elsif config.nil?
-        ContentSecurityPolicyConfig.new(DEFAULT_CONFIG)
-      else
-        config
-      end
 
       @preserve_schemes = @config.preserve_schemes
       @script_nonce = @config.script_nonce
@@ -34,11 +35,12 @@ module SecureHeaders
     ##
     # Return the value of the CSP header
     def value
-      @value ||= if @config
-        build_value
-      else
-        DEFAULT_VALUE
-      end
+      @value ||=
+        if @config
+          build_value
+        else
+          DEFAULT_VALUE
+        end
     end
 
     private
@@ -51,7 +53,9 @@ module SecureHeaders
     def build_value
       directives.map do |directive_name|
         case DIRECTIVE_VALUE_TYPES[directive_name]
-        when :source_list, :require_sri_for_list # require_sri is a simple set of strings that don't need to deal with symbol casing
+        when :source_list,
+             :require_sri_for_list, # require_sri is a simple set of strings that don't need to deal with symbol casing
+             :require_trusted_types_for_list
           build_source_list_directive(directive_name)
         when :boolean
           symbol_to_hyphen_case(directive_name) if @config.directive_value(directive_name)
@@ -155,9 +159,10 @@ module SecureHeaders
       wild_sources = sources.select { |source| source =~ STAR_REGEXP }
 
       if wild_sources.any?
+        schemes = sources.map { |source| [source, URI(source).scheme] }.to_h
         sources.reject do |source|
           !wild_sources.include?(source) &&
-            wild_sources.any? { |pattern| File.fnmatch(pattern, source) }
+            wild_sources.any? { |pattern| schemes[pattern] == schemes[source] && File.fnmatch(pattern, source) }
         end
       else
         sources

data/lib/secure_headers/headers/content_security_policy_config.rb

@@ -35,6 +35,7 @@ module SecureHeaders
       @report_only = nil
       @report_uri = nil
       @require_sri_for = nil
+      @require_trusted_types_for = nil
       @sandbox = nil
       @script_nonce = nil
       @script_src = nil
@@ -44,6 +45,7 @@ module SecureHeaders
       @style_src = nil
       @style_src_elem = nil
       @style_src_attr = nil
+      @trusted_types = nil
       @worker_src = nil
       @upgrade_insecure_requests = nil
       @disable_nonce_backwards_compatibility = nil

data/lib/secure_headers/headers/policy_management.rb

@@ -98,7 +98,19 @@ module SecureHeaders
       STYLE_SRC_ATTR
     ].flatten.freeze
 
-    ALL_DIRECTIVES = (DIRECTIVES_1_0 + DIRECTIVES_2_0 + DIRECTIVES_3_0).uniq.sort
+    # Experimental directives - these vary greatly in support
+    # See MDN for details.
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types
+    TRUSTED_TYPES = :trusted_types
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for
+    REQUIRE_TRUSTED_TYPES_FOR = :require_trusted_types_for
+
+    DIRECTIVES_EXPERIMENTAL = [
+      TRUSTED_TYPES,
+      REQUIRE_TRUSTED_TYPES_FOR,
+    ].flatten.freeze
+
+    ALL_DIRECTIVES = (DIRECTIVES_1_0 + DIRECTIVES_2_0 + DIRECTIVES_3_0 + DIRECTIVES_EXPERIMENTAL).uniq.sort
 
     # Think of default-src and report-uri as the beginning and end respectively,
     # everything else is in between.
@@ -121,6 +133,7 @@ module SecureHeaders
       OBJECT_SRC                => :source_list,
       PLUGIN_TYPES              => :media_type_list,
       REQUIRE_SRI_FOR           => :require_sri_for_list,
+      REQUIRE_TRUSTED_TYPES_FOR => :require_trusted_types_for_list,
       REPORT_URI                => :source_list,
       PREFETCH_SRC              => :source_list,
       SANDBOX                   => :sandbox_list,
@@ -130,6 +143,7 @@ module SecureHeaders
       STYLE_SRC                 => :source_list,
       STYLE_SRC_ELEM            => :source_list,
       STYLE_SRC_ATTR            => :source_list,
+      TRUSTED_TYPES             => :source_list,
       WORKER_SRC                => :source_list,
       UPGRADE_INSECURE_REQUESTS => :boolean,
     }.freeze
@@ -175,6 +189,7 @@ module SecureHeaders
     ].freeze
 
     REQUIRE_SRI_FOR_VALUES = Set.new(%w(script style))
+    REQUIRE_TRUSTED_TYPES_FOR_VALUES = Set.new(%w(script))
 
     module ClassMethods
       # Public: generate a header name, value array that is user-agent-aware.
@@ -270,7 +285,8 @@ module SecureHeaders
         source_list?(directive) ||
           sandbox_list?(directive) ||
           media_type_list?(directive) ||
-          require_sri_for_list?(directive)
+          require_sri_for_list?(directive) ||
+          require_trusted_types_for_list?(directive)
       end
 
       # For each directive in additions that does not exist in the original config,
@@ -278,11 +294,12 @@ module SecureHeaders
       def populate_fetch_source_with_default!(original, additions)
         # in case we would be appending to an empty directive, fill it with the default-src value
         additions.each_key do |directive|
-          directive = if directive.to_s.end_with?("_nonce")
-            directive.to_s.gsub(/_nonce/, "_src").to_sym
-          else
-            directive
-          end
+          directive =
+            if directive.to_s.end_with?("_nonce")
+              directive.to_s.gsub(/_nonce/, "_src").to_sym
+            else
+              directive
+            end
           # Don't set a default if directive has an existing value
           next if original[directive]
           if FETCH_SOURCES.include?(directive)
@@ -307,6 +324,10 @@ module SecureHeaders
         DIRECTIVE_VALUE_TYPES[directive] == :require_sri_for_list
       end
 
+      def require_trusted_types_for_list?(directive)
+        DIRECTIVE_VALUE_TYPES[directive] == :require_trusted_types_for_list
+      end
+
       # Private: Validates that the configuration has a valid type, or that it is a valid
       # source expression.
       def validate_directive!(directive, value)
@@ -324,6 +345,8 @@ module SecureHeaders
           validate_media_type_expression!(directive, value)
         when :require_sri_for_list
           validate_require_sri_source_expression!(directive, value)
+        when :require_trusted_types_for_list
+          validate_require_trusted_types_for_source_expression!(directive, value)
         else
           raise ContentSecurityPolicyConfigError.new("Unknown directive #{directive}")
         end
@@ -368,6 +391,16 @@ module SecureHeaders
         end
       end
 
+      # Private: validates that a require trusted types for expression:
+      # 1. is an array of strings
+      # 2. is a subset of ["script"]
+      def validate_require_trusted_types_for_source_expression!(directive, require_trusted_types_for_expression)
+        ensure_array_of_strings!(directive, require_trusted_types_for_expression)
+        unless require_trusted_types_for_expression.to_set.subset?(REQUIRE_TRUSTED_TYPES_FOR_VALUES)
+          raise ContentSecurityPolicyConfigError.new(%(require-trusted-types-for for must be a subset of #{REQUIRE_TRUSTED_TYPES_FOR_VALUES.to_a} but was #{require_trusted_types_for_expression}))
+        end
+      end
+
       # Private: validates that a source expression:
       # 1. is an array of strings
       # 2. does not contain any deprecated, now invalid values (inline, eval, self, none)

data/lib/secure_headers/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module SecureHeaders
-  VERSION = "6.3.2"
+  VERSION = "6.4.0"
 end

data/lib/secure_headers/view_helper.rb

@@ -147,12 +147,13 @@ module SecureHeaders
 
     def nonced_tag(type, content_or_options, block)
       options = {}
-      content = if block
-        options = content_or_options
-        capture(&block)
-      else
-        content_or_options.html_safe # :'(
-      end
+      content =
+        if block
+          options = content_or_options
+          capture(&block)
+        else
+          content_or_options.html_safe # :'(
+        end
       content_tag type, content, options.merge(nonce: _content_security_policy_nonce(type))
     end
 

data/lib/tasks/tasks.rake

@@ -20,10 +20,11 @@ namespace :secure_headers do
       (is_erb?(filename) && inline_script =~ /<%.*%>/)
   end
 
-  def find_inline_content(filename, regex, hashes)
+  def find_inline_content(filename, regex, hashes, strip_trailing_whitespace)
     file = File.read(filename)
     file.scan(regex) do # TODO don't use gsub
       inline_script = Regexp.last_match.captures.last
+      inline_script.gsub!(/(\r?\n)[\t ]+\z/, '\1') if strip_trailing_whitespace
       if dynamic_content?(filename, inline_script)
         puts "Looks like there's some dynamic content inside of a tag :-/"
         puts "That pretty much means the hash value will never match."
@@ -38,9 +39,8 @@ namespace :secure_headers do
   def generate_inline_script_hashes(filename)
     hashes = []
 
-    [INLINE_SCRIPT_REGEX, INLINE_HASH_SCRIPT_HELPER_REGEX].each do |regex|
-      find_inline_content(filename, regex, hashes)
-    end
+    find_inline_content(filename, INLINE_SCRIPT_REGEX, hashes, false)
+    find_inline_content(filename, INLINE_HASH_SCRIPT_HELPER_REGEX, hashes, true)
 
     hashes
   end
@@ -48,9 +48,8 @@ namespace :secure_headers do
   def generate_inline_style_hashes(filename)
     hashes = []
 
-    [INLINE_STYLE_REGEX, INLINE_HASH_STYLE_HELPER_REGEX].each do |regex|
-      find_inline_content(filename, regex, hashes)
-    end
+    find_inline_content(filename, INLINE_STYLE_REGEX, hashes, false)
+    find_inline_content(filename, INLINE_HASH_STYLE_HELPER_REGEX, hashes, true)
 
     hashes
   end

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -106,6 +106,11 @@ module SecureHeaders
         expect(csp.value).to eq("default-src example.org")
       end
 
+      it "does not deduplicate non-matching schema source expressions" do
+        csp = ContentSecurityPolicy.new(default_src: %w(*.example.org wss://example.example.org))
+        expect(csp.value).to eq("default-src *.example.org wss://example.example.org")
+      end
+
       it "creates maximally strict sandbox policy when passed no sandbox token values" do
         csp = ContentSecurityPolicy.new(default_src: %w(example.org), sandbox: [])
         expect(csp.value).to eq("default-src example.org; sandbox")
@@ -141,6 +146,11 @@ module SecureHeaders
         expect(csp.value).to eq("default-src 'self'; require-sri-for script style")
       end
 
+      it "allows style as a require-trusted-types-for source" do
+        csp = ContentSecurityPolicy.new(default_src: %w('self'), require_trusted_types_for: %w(script))
+        expect(csp.value).to eq("default-src 'self'; require-trusted-types-for script")
+      end
+
       it "includes prefetch-src" do
         csp = ContentSecurityPolicy.new(default_src: %w('self'), prefetch_src: %w(foo.com))
         expect(csp.value).to eq("default-src 'self'; prefetch-src foo.com")
@@ -180,6 +190,21 @@ module SecureHeaders
         csp = ContentSecurityPolicy.new({style_src: %w('self'), style_src_attr: %w('self')})
         expect(csp.value).to eq("style-src 'self'; style-src-attr 'self'")
       end
+
+      it "supports trusted-types directive" do
+        csp = ContentSecurityPolicy.new({trusted_types: %w(blahblahpolicy)})
+        expect(csp.value).to eq("trusted-types blahblahpolicy")
+      end
+
+      it "supports trusted-types directive with 'none'" do
+        csp = ContentSecurityPolicy.new({trusted_types: %w(none)})
+        expect(csp.value).to eq("trusted-types none")
+      end
+
+      it "allows duplicate policy names in trusted-types directive" do
+        csp = ContentSecurityPolicy.new({trusted_types: %w(blahblahpolicy 'allow-duplicates')})
+        expect(csp.value).to eq("trusted-types blahblahpolicy 'allow-duplicates'")
+      end
     end
   end
 end

data/spec/lib/secure_headers/headers/policy_management_spec.rb

@@ -45,6 +45,7 @@ module SecureHeaders
           plugin_types: %w(application/x-shockwave-flash),
           prefetch_src: %w(fetch.com),
           require_sri_for: %w(script style),
+          require_trusted_types_for: %w(script),
           script_src: %w('self'),
           style_src: %w('unsafe-inline'),
           upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
@@ -53,6 +54,7 @@ module SecureHeaders
           script_src_attr: %w(example.com),
           style_src_elem: %w(example.com),
           style_src_attr: %w(example.com),
+          trusted_types: %w(abcpolicy),
 
           report_uri: %w(https://example.com/uri-directive),
         }
@@ -120,6 +122,12 @@ module SecureHeaders
         end.to raise_error(ContentSecurityPolicyConfigError)
       end
 
+      it "rejects style for trusted types" do
+        expect do
+          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(style_src: %w('self'), require_trusted_types_for: %w(script style), trusted_types: %w(abcpolicy))))
+        end
+      end
+
       # this is mostly to ensure people don't use the antiquated shorthands common in other configs
       it "performs light validation on source lists" do
         expect do

data/spec/lib/secure_headers/view_helpers_spec.rb

@@ -6,7 +6,7 @@ class Message < ERB
   include SecureHeaders::ViewHelpers
 
   def self.template
-<<-TEMPLATE
+    <<-TEMPLATE
 <% hashed_javascript_tag(raise_error_on_unrecognized_hash = true) do %>
   console.log(1)
 <% end %>
@@ -62,9 +62,10 @@ TEMPLATE
   end
 
   def content_tag(type, content = nil, options = nil, &block)
-    content = if block_given?
-      capture(block)
-    end
+    content =
+      if block_given?
+        capture(block)
+      end
 
     if options.is_a?(Hash)
       options = options.map { |k, v| " #{k}=#{v}" }

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 6.3.2
+  version: 6.4.0
 platform: ruby
 authors:
 - Neil Matatall
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-02-09 00:00:00.000000000 Z
+date: 2022-08-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -34,7 +34,7 @@ files:
 - ".github/ISSUE_TEMPLATE.md"
 - ".github/PULL_REQUEST_TEMPLATE.md"
 - ".github/workflows/build.yml"
-- ".github/workflows/sync.yml"
+- ".github/workflows/github-release.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
@@ -116,7 +116,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.2.9
 signing_key: 
 specification_version: 4
 summary: Add easily configured security headers to responses including content-security-policy,

data/.github/workflows/sync.yml

@@ -1,20 +0,0 @@
-# This workflow ensures the "master" branch is always up-to-date with the
-# "main" branch (our default one)
-name: sync_main_branch
-on:
-  push:
-    branches: [ main ]
-jobs:
-  catch_up:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out the repository
-        uses: actions/checkout@v2
-        with:
-         fetch-depth: 0
-      - name: Merge development into master, then push it
-        run: |
-          git pull
-          git checkout master
-          git merge main
-          git push