secure_headers 7.0.0 → 7.1.0

data/spec/lib/secure_headers/headers/policy_management_spec.rb

@@ -1,265 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-
-module SecureHeaders
-  describe PolicyManagement do
-    before(:each) do
-      reset_config
-      Configuration.default
-    end
-
-    let (:default_opts) do
-      {
-        default_src: %w(https:),
-        img_src: %w(https: data:),
-        script_src: %w('unsafe-inline' 'unsafe-eval' https: data:),
-        style_src: %w('unsafe-inline' https: about:),
-        report_uri: %w(/csp_report)
-      }
-    end
-
-    describe "#validate_config!" do
-      it "accepts all keys" do
-        # (pulled from README)
-        config = {
-          # "meta" values. these will shape the header, but the values are not included in the header.
-          report_only:  false,
-          preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
-
-          # directive values: these values will directly translate into source directives
-          default_src: %w(https: 'self'),
-
-          base_uri: %w('self'),
-          connect_src: %w(wss:),
-          child_src: %w('self' *.twimg.com itunes.apple.com),
-          font_src: %w('self' data:),
-          form_action: %w('self' github.com),
-          frame_ancestors: %w('none'),
-          frame_src: %w('self' *.twimg.com itunes.apple.com),
-          img_src: %w(mycdn.com data:),
-          manifest_src: %w(manifest.com),
-          media_src: %w(utoob.com),
-          navigate_to: %w(netscape.com),
-          object_src: %w('self'),
-          plugin_types: %w(application/x-shockwave-flash),
-          prefetch_src: %w(fetch.com),
-          require_sri_for: %w(script style),
-          require_trusted_types_for: %w('script'),
-          script_src: %w('self'),
-          style_src: %w('unsafe-inline'),
-          upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
-          worker_src: %w(worker.com),
-          script_src_elem: %w(example.com),
-          script_src_attr: %w(example.com),
-          style_src_elem: %w(example.com),
-          style_src_attr: %w(example.com),
-          trusted_types: %w(abcpolicy),
-
-          report_uri: %w(https://example.com/uri-directive),
-        }
-
-        ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(config))
-      end
-
-      it "requires a :default_src value" do
-        expect do
-          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(script_src: %w('self')))
-        end.to raise_error(ContentSecurityPolicyConfigError)
-      end
-
-      it "requires a :script_src value" do
-        expect do
-          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w('self')))
-        end.to raise_error(ContentSecurityPolicyConfigError)
-      end
-
-      it "accepts OPT_OUT as a script-src value" do
-        expect do
-          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w('self'), script_src: OPT_OUT))
-        end.to_not raise_error
-      end
-
-      it "requires :report_only to be a truthy value" do
-        expect do
-          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(report_only: "steve")))
-        end.to raise_error(ContentSecurityPolicyConfigError)
-      end
-
-      it "requires :preserve_schemes to be a truthy value" do
-        expect do
-          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(preserve_schemes: "steve")))
-        end.to raise_error(ContentSecurityPolicyConfigError)
-      end
-
-      it "requires :upgrade_insecure_requests to be a boolean value" do
-        expect do
-          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(upgrade_insecure_requests: "steve")))
-        end.to raise_error(ContentSecurityPolicyConfigError)
-      end
-
-      it "requires all source lists to be an array of strings" do
-        expect do
-          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: "steve"))
-        end.to raise_error(ContentSecurityPolicyConfigError)
-      end
-
-      it "allows nil values" do
-        expect do
-          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w('self'), script_src: ["https:", nil]))
-        end.to_not raise_error
-      end
-
-      it "rejects unknown directives / config" do
-        expect do
-          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w('self'), default_src_totally_mispelled: "steve"))
-        end.to raise_error(ContentSecurityPolicyConfigError)
-      end
-
-      it "rejects style for trusted types" do
-        expect do
-          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(style_src: %w('self'), require_trusted_types_for: %w(script style), trusted_types: %w(abcpolicy))))
-        end
-      end
-
-      # this is mostly to ensure people don't use the antiquated shorthands common in other configs
-      it "performs light validation on source lists" do
-        expect do
-          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w(self none inline eval), script_src: %w('self')))
-        end.to raise_error(ContentSecurityPolicyConfigError)
-      end
-
-      it "rejects anything not of the form allow-* as a sandbox value" do
-        expect do
-          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(sandbox: ["steve"])))
-        end.to raise_error(ContentSecurityPolicyConfigError)
-      end
-
-      it "accepts anything of the form allow-* as a sandbox value " do
-        expect do
-          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(sandbox: ["allow-foo"])))
-        end.to_not raise_error
-      end
-
-      it "accepts true as a sandbox policy" do
-        expect do
-          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(sandbox: true)))
-        end.to_not raise_error
-      end
-
-      it "rejects anything not of the form type/subtype as a plugin-type value" do
-        expect do
-          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(plugin_types: ["steve"])))
-        end.to raise_error(ContentSecurityPolicyConfigError)
-      end
-
-      it "accepts anything of the form type/subtype as a plugin-type value " do
-        expect do
-          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(plugin_types: ["application/pdf"])))
-        end.to_not raise_error
-      end
-
-      it "doesn't allow report_only to be set in a non-report-only config" do
-        expect do
-          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(report_only: true)))
-        end.to raise_error(ContentSecurityPolicyConfigError)
-      end
-
-      it "allows report_only to be set in a report-only config" do
-        expect do
-          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyReportOnlyConfig.new(default_opts.merge(report_only: true)))
-        end.to_not raise_error
-      end
-    end
-
-    describe "#combine_policies" do
-      before(:each) do
-        reset_config
-      end
-      it "combines the default-src value with the override if the directive was unconfigured" do
-        Configuration.default do |config|
-          config.csp = {
-            default_src: %w(https:),
-            script_src: %w('self'),
-          }
-        end
-        default_policy = Configuration.dup
-        combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, style_src: %w(anothercdn.com))
-        csp = ContentSecurityPolicy.new(combined_config)
-        expect(csp.name).to eq(ContentSecurityPolicyConfig::HEADER_NAME)
-        expect(csp.value).to eq("default-src https:; script-src 'self'; style-src https: anothercdn.com")
-      end
-
-      it "combines directives where the original value is nil and the hash is frozen" do
-        Configuration.default do |config|
-          config.csp = {
-            default_src: %w('self'),
-            script_src: %w('self'),
-            report_only: false
-          }.freeze
-        end
-        report_uri = "https://report-uri.io/asdf"
-        default_policy = Configuration.dup
-        combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, report_uri: [report_uri])
-        csp = ContentSecurityPolicy.new(combined_config)
-        expect(csp.value).to include("report-uri #{report_uri}")
-      end
-
-      it "does not combine the default-src value for directives that don't fall back to default sources" do
-        Configuration.default do |config|
-          config.csp = {
-            default_src: %w('self'),
-            script_src: %w('self'),
-            report_only: false
-          }.freeze
-        end
-        non_default_source_additions = ContentSecurityPolicy::NON_FETCH_SOURCES.each_with_object({}) do |directive, hash|
-          hash[directive] = %w("http://example.org)
-        end
-        default_policy = Configuration.dup
-        combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, non_default_source_additions)
-
-        ContentSecurityPolicy::NON_FETCH_SOURCES.each do |directive|
-          expect(combined_config[directive]).to eq(%w("http://example.org))
-        end
-      end
-
-      it "overrides the report_only flag" do
-        Configuration.default do |config|
-          config.csp = {
-            default_src: %w('self'),
-            script_src: %w('self'),
-            report_only: false
-          }
-        end
-        default_policy = Configuration.dup
-        combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, report_only: true)
-        csp = ContentSecurityPolicy.new(combined_config)
-        expect(csp.name).to eq(ContentSecurityPolicyReportOnlyConfig::HEADER_NAME)
-      end
-
-      it "overrides the :upgrade_insecure_requests flag" do
-        Configuration.default do |config|
-          config.csp = {
-            default_src: %w(https:),
-            script_src: %w('self'),
-            upgrade_insecure_requests: false
-          }
-        end
-        default_policy = Configuration.dup
-        combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, upgrade_insecure_requests: true)
-        csp = ContentSecurityPolicy.new(combined_config)
-        expect(csp.value).to eq("default-src https:; script-src 'self'; upgrade-insecure-requests")
-      end
-
-      it "raises an error if appending to a OPT_OUT policy" do
-        Configuration.default do |config|
-          config.csp = OPT_OUT
-        end
-        default_policy = Configuration.dup
-        expect do
-          ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, script_src: %w(anothercdn.com))
-        end.to raise_error(ContentSecurityPolicyConfigError)
-      end
-    end
-  end
-end

data/spec/lib/secure_headers/headers/referrer_policy_spec.rb

@@ -1,91 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-
-module SecureHeaders
-  describe ReferrerPolicy do
-    specify { expect(ReferrerPolicy.make_header).to eq([ReferrerPolicy::HEADER_NAME, "origin-when-cross-origin"]) }
-    specify { expect(ReferrerPolicy.make_header("no-referrer")).to eq([ReferrerPolicy::HEADER_NAME, "no-referrer"]) }
-    specify { expect(ReferrerPolicy.make_header(%w(origin-when-cross-origin strict-origin-when-cross-origin))).to eq([ReferrerPolicy::HEADER_NAME, "origin-when-cross-origin, strict-origin-when-cross-origin"]) }
-
-    context "valid configuration values" do
-      it "accepts 'no-referrer'" do
-        expect do
-          ReferrerPolicy.validate_config!("no-referrer")
-        end.not_to raise_error
-      end
-
-      it "accepts 'no-referrer-when-downgrade'" do
-        expect do
-          ReferrerPolicy.validate_config!("no-referrer-when-downgrade")
-        end.not_to raise_error
-      end
-
-      it "accepts 'same-origin'" do
-        expect do
-          ReferrerPolicy.validate_config!("same-origin")
-        end.not_to raise_error
-      end
-
-      it "accepts 'strict-origin'" do
-        expect do
-          ReferrerPolicy.validate_config!("strict-origin")
-        end.not_to raise_error
-      end
-
-      it "accepts 'strict-origin-when-cross-origin'" do
-        expect do
-          ReferrerPolicy.validate_config!("strict-origin-when-cross-origin")
-        end.not_to raise_error
-      end
-
-      it "accepts 'origin'" do
-        expect do
-          ReferrerPolicy.validate_config!("origin")
-        end.not_to raise_error
-      end
-
-      it "accepts 'origin-when-cross-origin'" do
-        expect do
-          ReferrerPolicy.validate_config!("origin-when-cross-origin")
-        end.not_to raise_error
-      end
-
-      it "accepts 'unsafe-url'" do
-        expect do
-          ReferrerPolicy.validate_config!("unsafe-url")
-        end.not_to raise_error
-      end
-
-      it "accepts nil" do
-        expect do
-          ReferrerPolicy.validate_config!(nil)
-        end.not_to raise_error
-      end
-
-      it "accepts array of policy values" do
-        expect do
-          ReferrerPolicy.validate_config!(
-            %w(
-              origin-when-cross-origin
-              strict-origin-when-cross-origin
-            )
-          )
-        end.not_to raise_error
-      end
-    end
-
-    context "invalid configuration values" do
-      it "doesn't accept invalid values" do
-        expect do
-          ReferrerPolicy.validate_config!("open")
-        end.to raise_error(ReferrerPolicyConfigError)
-      end
-
-      it "doesn't accept invalid types" do
-        expect do
-          ReferrerPolicy.validate_config!({})
-        end.to raise_error(TypeError)
-      end
-    end
-  end
-end

data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb

@@ -1,33 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-
-module SecureHeaders
-  describe StrictTransportSecurity do
-    describe "#value" do
-      specify { expect(StrictTransportSecurity.make_header).to eq([StrictTransportSecurity::HEADER_NAME, StrictTransportSecurity::DEFAULT_VALUE]) }
-      specify { expect(StrictTransportSecurity.make_header("max-age=1234; includeSubdomains; preload")).to eq([StrictTransportSecurity::HEADER_NAME, "max-age=1234; includeSubdomains; preload"]) }
-
-      context "with an invalid configuration" do
-        context "with a string argument" do
-          it "raises an exception with an invalid max-age" do
-            expect do
-              StrictTransportSecurity.validate_config!("max-age=abc123")
-            end.to raise_error(STSConfigError)
-          end
-
-          it "raises an exception if max-age is not supplied" do
-            expect do
-              StrictTransportSecurity.validate_config!("includeSubdomains")
-            end.to raise_error(STSConfigError)
-          end
-
-          it "raises an exception with an invalid format" do
-            expect do
-              StrictTransportSecurity.validate_config!("max-age=123includeSubdomains")
-            end.to raise_error(STSConfigError)
-          end
-        end
-      end
-    end
-  end
-end

data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb

@@ -1,31 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-
-module SecureHeaders
-  describe XContentTypeOptions do
-    describe "#value" do
-      specify { expect(XContentTypeOptions.make_header).to eq([XContentTypeOptions::HEADER_NAME, XContentTypeOptions::DEFAULT_VALUE]) }
-      specify { expect(XContentTypeOptions.make_header("nosniff")).to eq([XContentTypeOptions::HEADER_NAME, "nosniff"]) }
-
-      context "invalid configuration values" do
-        it "accepts nosniff" do
-          expect do
-            XContentTypeOptions.validate_config!("nosniff")
-          end.not_to raise_error
-        end
-
-        it "accepts nil" do
-          expect do
-            XContentTypeOptions.validate_config!(nil)
-          end.not_to raise_error
-        end
-
-        it "doesn't accept anything besides no-sniff" do
-          expect do
-            XContentTypeOptions.validate_config!("donkey")
-          end.to raise_error(XContentTypeOptionsConfigError)
-        end
-      end
-    end
-  end
-end

data/spec/lib/secure_headers/headers/x_download_options_spec.rb

@@ -1,29 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-
-module SecureHeaders
-  describe XDownloadOptions do
-    specify { expect(XDownloadOptions.make_header).to eq([XDownloadOptions::HEADER_NAME, XDownloadOptions::DEFAULT_VALUE]) }
-    specify { expect(XDownloadOptions.make_header("noopen")).to eq([XDownloadOptions::HEADER_NAME, "noopen"]) }
-
-    context "invalid configuration values" do
-      it "accepts noopen" do
-        expect do
-          XDownloadOptions.validate_config!("noopen")
-        end.not_to raise_error
-      end
-
-      it "accepts nil" do
-        expect do
-          XDownloadOptions.validate_config!(nil)
-        end.not_to raise_error
-      end
-
-      it "doesn't accept anything besides noopen" do
-        expect do
-          XDownloadOptions.validate_config!("open")
-        end.to raise_error(XDOConfigError)
-      end
-    end
-  end
-end

data/spec/lib/secure_headers/headers/x_frame_options_spec.rb

@@ -1,36 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-
-module SecureHeaders
-  describe XFrameOptions do
-    describe "#value" do
-      specify { expect(XFrameOptions.make_header).to eq([XFrameOptions::HEADER_NAME, XFrameOptions::DEFAULT_VALUE]) }
-      specify { expect(XFrameOptions.make_header("DENY")).to eq([XFrameOptions::HEADER_NAME, "DENY"]) }
-
-      context "with invalid configuration" do
-        it "allows SAMEORIGIN" do
-          expect do
-            XFrameOptions.validate_config!("SAMEORIGIN")
-          end.not_to raise_error
-        end
-
-        it "allows DENY" do
-          expect do
-            XFrameOptions.validate_config!("DENY")
-          end.not_to raise_error
-        end
-
-        it "allows ALLOW-FROM*" do
-          expect do
-            XFrameOptions.validate_config!("ALLOW-FROM: example.com")
-          end.not_to raise_error
-        end
-        it "does not allow garbage" do
-          expect do
-            XFrameOptions.validate_config!("I like turtles")
-          end.to raise_error(XFOConfigError)
-        end
-      end
-    end
-  end
-end

data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb

@@ -1,48 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-
-module SecureHeaders
-  describe XPermittedCrossDomainPolicies do
-    specify { expect(XPermittedCrossDomainPolicies.make_header).to eq([XPermittedCrossDomainPolicies::HEADER_NAME, "none"]) }
-    specify { expect(XPermittedCrossDomainPolicies.make_header("master-only")).to eq([XPermittedCrossDomainPolicies::HEADER_NAME, "master-only"]) }
-
-    context "valid configuration values" do
-      it "accepts 'all'" do
-        expect do
-          XPermittedCrossDomainPolicies.validate_config!("all")
-        end.not_to raise_error
-      end
-
-      it "accepts 'by-ftp-filename'" do
-        expect do
-          XPermittedCrossDomainPolicies.validate_config!("by-ftp-filename")
-        end.not_to raise_error
-      end
-
-      it "accepts 'by-content-type'" do
-        expect do
-          XPermittedCrossDomainPolicies.validate_config!("by-content-type")
-        end.not_to raise_error
-      end
-      it "accepts 'master-only'" do
-        expect do
-          XPermittedCrossDomainPolicies.validate_config!("master-only")
-        end.not_to raise_error
-      end
-
-      it "accepts nil" do
-        expect do
-          XPermittedCrossDomainPolicies.validate_config!(nil)
-        end.not_to raise_error
-      end
-    end
-
-    context "invlaid configuration values" do
-      it "doesn't accept invalid values" do
-        expect do
-          XPermittedCrossDomainPolicies.validate_config!("open")
-        end.to raise_error(XPCDPConfigError)
-      end
-    end
-  end
-end

data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb

@@ -1,47 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-
-module SecureHeaders
-  describe XXssProtection do
-    specify { expect(XXssProtection.make_header).to eq([XXssProtection::HEADER_NAME, XXssProtection::DEFAULT_VALUE]) }
-    specify { expect(XXssProtection.make_header("1; mode=block; report=https://www.secure.com/reports")).to eq([XXssProtection::HEADER_NAME, "1; mode=block; report=https://www.secure.com/reports"]) }
-
-    context "with invalid configuration" do
-      it "should raise an error when providing a string that is not valid" do
-        expect do
-          XXssProtection.validate_config!("asdf")
-        end.to raise_error(XXssProtectionConfigError)
-
-        expect do
-          XXssProtection.validate_config!("asdf; mode=donkey")
-        end.to raise_error(XXssProtectionConfigError)
-      end
-
-      context "when using a hash value" do
-        it "should allow string values ('1' or '0' are the only valid strings)" do
-          expect do
-            XXssProtection.validate_config!("1")
-          end.not_to raise_error
-        end
-
-        it "should raise an error if no value key is supplied" do
-          expect do
-            XXssProtection.validate_config!("mode=block")
-          end.to raise_error(XXssProtectionConfigError)
-        end
-
-        it "should raise an error if an invalid key is supplied" do
-          expect do
-            XXssProtection.validate_config!("123")
-          end.to raise_error(XXssProtectionConfigError)
-        end
-
-        it "should raise an error if mode != block" do
-          expect do
-            XXssProtection.validate_config!("1; mode=donkey")
-          end.to raise_error(XXssProtectionConfigError)
-        end
-      end
-    end
-  end
-end