secure_headers 1.0.0 → 1.1.0

data/Gemfile

@@ -7,8 +7,11 @@ group :test do
   gem 'sqlite3', :platform => [:ruby, :mswin, :mingw]
   gem 'jdbc-sqlite3', :platform => :jruby
   gem 'rspec-rails'
-  gem 'guard-spork'
-  gem 'guard-rspec'
+  gem 'spork'
+  gem 'pry'
+  gem 'rspec'
+  gem 'guard-spork', :platform => :ruby_19
+  gem 'guard-rspec', :platform => :ruby_19
   gem 'growl'
   gem 'rb-fsevent'
   gem 'simplecov'

data/HISTORY.md

@@ -1,3 +1,11 @@
+1.1.0
+======
+
+- Remove brwsr dependency (no more runtime dependencies)
+- Stop serving X- prefixed CSP headers
+
+This change means that all requests get all headers, even if the browser doesn't grok it.
+
 1.0.0
 ======
 

data/README.md

@@ -49,13 +49,11 @@ The following methods are going to be called, unless they are provided in a `ski
 * `:set_x_xss_protection_header`
 * `:set_x_content_type_options_header`
 
-### Automagic
+### Bonus Features
 
 This gem makes a few assumptions about how you will use some features.  For example:
 
-* It adds 'chrome-extension:' to your CSP directives by default.  This helps drastically reduce the amount of reports, but you can also disable this feature by supplying `:disable_chrome_extension => true`.
-* It fills any blank directives with the value in `:default_src`  Getting a default\-src report is pretty useless.  This way, you will always know what type of violation occurred. You can disable this feature by supplying `:disable_fill_missing => true`.
-* It copies the connect\-src value to xhr\-src for AJAX requests when using Firefox.
+* It fills any blank directives with the value in `:default_src`  Getting a default\-src report is pretty useless.  This way, you will always know what type of violation occurred. You can disable this feature by supplying `:disable_fill_missing => true`. This is referred to as the "effective-directive" in the spec, but is not well supported as of Nov 5, 2013.
 * Firefox does not support cross\-origin CSP reports.  If we are using Firefox, AND the value for `:report_uri` does not satisfy the same\-origin requirements, we will instead forward to an internal endpoint (`FF_CSP_ENDPOINT`).  This is also the case if `:report_uri` only contains a path, which we assume will be cross host. This endpoint will in turn forward the request to the value in `:forward_endpoint` without restriction. More information can be found in the "Note on Firefox handling of CSP" section.
 
 
@@ -65,29 +63,31 @@ This gem makes a few assumptions about how you will use some features.  For exam
 
 ```ruby
 ::SecureHeaders::Configuration.configure do |config|
-  config.hsts = {:max_age => 99, :include_subdomains => true}
+  config.hsts = {:max_age => 20.years.to_i, :include_subdomains => true}
   config.x_frame_options = 'DENY'
   config.x_content_type_options = "nosniff"
-  config.x_xss_protection = {:value => 1, :mode => false}
+  config.x_xss_protection = {:value => 1, :mode => 'block'}
   config.csp = {
-    :default_src => "https://* inline eval",
-    :report_uri => '//example.com/uri-directive',
-    :img_src => "https://* data:",
-    :frame_src => "https://* http://*.twimg.com http://itunes.apple.com"
+    :default_src => "https://* self",
+    :frame_src => "https://* http://*.twimg.com http://itunes.apple.com",
+    :img_src => "https://*",
+    :report_uri => '//example.com/uri-directive'
   }
 end
 
-# and then simply include this in application_controller
-ensure_security_headers
+# and then simply include this in application_controller.rb
+class ApplicationController < ActionController::Base
+  ensure_security_headers
+end
 ```
 
-Or simply add it to application controller (not recommended, currently a bug)
+Or simply add it to application controller
 
 ```ruby
-ensure_security_headers
+ensure_security_headers(
   :hsts => {:include_subdomains, :x_frame_options => false},
   :x_frame_options => 'DENY',
-  :csp => false
+  :csp => false)
 ```
 
 ## Options for ensure\_security\_headers
@@ -98,12 +98,15 @@ Each header configuration can take a hash, or a string, or both. If a string
 is provided, that value is inserted verbatim.  If a hash is supplied, a
 header will be constructed using the supplied options.
 
-### Widely supported
+### The Easy Headers
+
+This configuration will likely work for most applications without modification.
 
 ```ruby
-:hsts             => {:max_age => 631138519, :include_subdomains => true}
+:hsts             => {:max_age => 631138519, :include_subdomains => false}
 :x_frame_options  => {:value => 'SAMEORIGIN'}
-:x_xss_protection => {:value => 1, :mode => false}  # set the :mode option to 'block' to enforce the browser's xss filter
+:x_xss_protection => {:value => 1, :mode => 'block'}  # set the :mode option to false to use "warning only" mode
+:x_content_type_options => {:value => 'nosniff'}
 ```
 
 ### Content Security Policy (CSP)
@@ -159,28 +162,18 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
       :img_src => 'http://mycdn.example.com'
     }
   }
-  
+
   # script-nonce is an experimental feature of CSP 1.1 available in Chrome. It allows
   # you to whitelist inline script blocks. For more information, see
   # https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-nonce
-  :script_nonce => { 'abc123' }
-  
-  # you can also use lambdas to use dynamically generated nonces
-  :script_nonce => lambda { @script_nonce] = 'something' } 
+  :script_nonce => lambda { @script_nonce = SecureRandom.hex }
   # which can be used to whitelist a script block:
   # script_tag :nonce = @script_nonce { inline_script_call() }
 }
 ```
 
-### Only applied to IE
-
-```ruby
-:x_content_type_options => {:value => 'nosniff'}
-```
-
 ### Example CSP header config
 
-**Configure the CSP header as if it were the webkit-style header, no need to supply 'options' or 'allow' directives.**
 
 ```ruby
 # most basic example
@@ -188,20 +181,16 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
   :default_src => "https://* inline eval",
   :report_uri => '/uri-directive'
 }
-# Chrome
-> "default-src 'unsafe-inline' 'unsafe-eval' https://* chrome-extension:; report-uri /uri-directive;"
-# Firefox
-> "options inline-script eval-script; allow https://*; report-uri /uri-directive;"
+
+> "default-src 'unsafe-inline' 'unsafe-eval' https://*; report-uri /uri-directive;"
 
 # turn off inline scripting/eval
 :csp => {
   :default_src => 'https://*',
   :report_uri => '/uri-directive'
 }
-# Chrome
+
 > "default-src  https://*; report-uri /uri-directive;"
-# Firefox
-> "allow https://*; report-uri /uri-directive;"
 
 # Auction site wants to allow images from anywhere, plugin content from a list of trusted media providers (including a content distribution network), and scripts only from its server hosting sanitized JavaScript
 :csp => {
@@ -211,19 +200,14 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
   # alternatively (NOT csv) :object_src => 'media1.com media2.com *.cdn.com'
   :script_src => 'trustedscripts.example.com'
 }
-# Chrome
 "default-src  'self'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com;"
-# Firefox
-"allow 'self'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com;"
 ```
 
 ## Note on Firefox handling of CSP
 
 Currently, Firefox does not support the w3c draft standard.  So there are a few steps taken to make the two interchangeable.
 
-* inline\-script or eval\-script values in default/style/script\-src directives are moved to the options directive. Note: the style\-src directive is not fully supported in Firefox \- see https://bugzilla.mozilla.org/show_bug.cgi?id=763879.
 * CSP reports will not POST cross\-origin.  This sets up an internal endpoint in the application that will forward the request. Set the `forward_endpoint` value in the CSP section if you need to post cross origin for firefox. The internal endpoint that receives the initial request will forward the request to `forward_endpoint`
-* Ffirefox adds port numbers to each /https?/ value which can make local development tricky with mocked services. Add environment specific code to configure this.
 
 ### Adding the Firefox report forwarding endpoint
 
@@ -315,6 +299,13 @@ module Web
 end
 ```
 
+## Similar libraries
+
+* Node.js (express) [helmet](https://github.com/evilpacket/helmet) and [hood](https://github.com/seanmonstar/hood)
+* J2EE Servlet >= 3.0 [highlines](https://github.com/sourceclear/headlines)
+* ASP.NET - [NWebsec](http://nwebsec.codeplex.com/)
+* Python - [django-csp](https://github.com/mozilla/django-csp/tree/master/csp) + [commonware](https://github.com/jsocol/commonware/tree/master/commonware/request)
+* Go - [secureheader](https://github.com/kr/secureheader)
 
 ## Authors
 

data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb

@@ -19,7 +19,7 @@ describe OtherThingsController do
 
     it "sets the X-WebKit-CSP header" do
       get :index
-      response.headers['X-WebKit-CSP-Report-Only'].should == "default-src 'self'; img-src data:; report-uri somewhere;"
+      response.headers['Content-Security-Policy-Report-Only'].should == "default-src 'self'; img-src data:; report-uri somewhere;"
     end
 
     #mock ssl

data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb

@@ -23,7 +23,7 @@ describe ThingsController do
 
     it "sets the X-WebKit-CSP header" do
       get :index
-      response.headers['X-WebKit-CSP-Report-Only'].should == nil
+      response.headers['Content-Security-Policy-Report-Only'].should == nil
     end
 
     #mock ssl
@@ -47,6 +47,3 @@ describe ThingsController do
     end
   end
 end
-
-
-# response.headers['X-WebKit-CSP-Report-Only'].should == "default-src 'self'; report-uri somewhere"

data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb

@@ -19,7 +19,7 @@ describe OtherThingsController do
 
     it "sets the X-WebKit-CSP header" do
       get :index
-      response.headers['X-WebKit-CSP-Report-Only'].should == "default-src 'self'; img-src data:;"
+      response.headers['Content-Security-Policy-Report-Only'].should == "default-src 'self'; img-src data:;"
     end
 
     #mock ssl

data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb

@@ -23,7 +23,7 @@ describe ThingsController do
 
     it "sets the X-WebKit-CSP header" do
       get :index
-      response.headers['X-WebKit-CSP-Report-Only'].should == nil
+      response.headers['Content-Security-Policy-Report-Only'].should == nil
     end
 
     #mock ssl

data/lib/secure_headers.rb

@@ -48,8 +48,13 @@ module SecureHeaders
   end
 
   module InstanceMethods
-    def brwsr
-      @secure_headers_brwsr ||= Brwsr::Browser.new(:ua => request.env['HTTP_USER_AGENT'])
+    # Re-added for backwards compat.
+    def set_security_headers(options = self.class.secure_headers_options)
+      set_csp_header(request, options[:csp])
+      set_hsts_header(options[:hsts])
+      set_x_frame_options_header(options[:x_frame_options])
+      set_x_xss_protection_header(options[:x_xss_protection])
+      set_x_content_type_options_header(options[:x_content_type_options])
     end
 
     # backwards compatibility jank, to be removed in 1.0. Old API required a request
@@ -59,12 +64,9 @@ module SecureHeaders
     # set_csp_header(+Hash+) - uses the request accessor and options from parameters
     # set_csp_header(+Rack::Request+, +Hash+)
     def set_csp_header(req = nil, options=nil)
-      return if broken_implementation?(brwsr)
-
+      # hack to help generating headers statically
       if req.is_a?(Hash)
         options = req
-      elsif req
-        @secure_headers_brwsr = Brwsr::Browser.new(:ua => req.env['HTTP_USER_AGENT'])
       end
 
       options = self.class.secure_headers_options[:csp] if options.nil?
@@ -85,7 +87,6 @@ module SecureHeaders
     end
 
     def set_x_content_type_options_header(options=self.class.secure_headers_options[:x_content_type_options])
-      return unless brwsr.ie? || brwsr.chrome?
       set_a_header(:x_content_type_options, XContentTypeOptions, options)
     end
 
@@ -116,10 +117,6 @@ module SecureHeaders
         response.headers[name_or_header] = value
       end
     end
-
-    def broken_implementation?(browser)
-      return browser.ios5? || (browser.safari? && browser.version == '5')
-    end
   end
 end
 
@@ -127,13 +124,8 @@ end
 require "secure_headers/version"
 require "secure_headers/header"
 require "secure_headers/headers/content_security_policy"
-require "secure_headers/headers/content_security_policy/browser_strategy"
-require "secure_headers/headers/content_security_policy/firefox_browser_strategy"
-require "secure_headers/headers/content_security_policy/ie_browser_strategy"
-require "secure_headers/headers/content_security_policy/standard_browser_strategy"
 require "secure_headers/headers/x_frame_options"
 require "secure_headers/headers/strict_transport_security"
 require "secure_headers/headers/x_xss_protection"
 require "secure_headers/headers/x_content_type_options"
 require "secure_headers/railtie"
-require "brwsr"

data/lib/secure_headers/headers/content_security_policy.rb

@@ -1,26 +1,19 @@
 require 'uri'
-require 'brwsr'
 
 module SecureHeaders
   class ContentSecurityPolicyBuildError < StandardError; end
   class ContentSecurityPolicy < Header
     module Constants
-      WEBKIT_CSP_HEADER = "default-src https: data: 'unsafe-inline' 'unsafe-eval'; frame-src https://* about: javascript:; img-src chrome-extension:"
-      FIREFOX_CSP_HEADER = "options eval-script inline-script; allow https://* data:; frame-src https://* about: javascript:; img-src chrome-extension:"
-
-      FIREFOX_CSP_HEADER_NAME = 'X-Content-Security-Policy'
-      WEBKIT_CSP_HEADER_NAME = 'X-WebKit-CSP'
+      DEFAULT_CSP_HEADER = "default-src https: data: 'unsafe-inline' 'unsafe-eval'; frame-src https://* about: javascript:; img-src data:"
       STANDARD_HEADER_NAME = "Content-Security-Policy"
-
       FF_CSP_ENDPOINT = "/content_security_policy/forward_report"
-      WEBKIT_DIRECTIVES = DIRECTIVES = [:default_src, :script_src, :frame_src, :style_src, :img_src, :media_src, :font_src, :object_src, :connect_src]
-      FIREFOX_DIRECTIVES = DIRECTIVES + [:xhr_src, :frame_ancestors] - [:connect_src]
+      DIRECTIVES = [:default_src, :script_src, :frame_src, :style_src, :img_src, :media_src, :font_src, :object_src, :connect_src]
       META = [:enforce, :http_additions, :disable_chrome_extension, :disable_fill_missing, :forward_endpoint]
     end
     include Constants
 
     attr_accessor *META
-    attr_reader :browser, :ssl_request, :report_uri, :request_uri, :experimental, :config
+    attr_reader :browser, :ssl_request, :report_uri, :request_uri, :experimental
 
     alias :disable_chrome_extension? :disable_chrome_extension
     alias :disable_fill_missing? :disable_fill_missing
@@ -40,7 +33,7 @@ module SecureHeaders
       if options[:request]
         parse_request(options[:request])
       else
-        @browser = Brwsr::Browser.new(:ua => options[:ua])
+        @ua = options[:ua]
         # fails open, assumes http. Bad idea? Will always include http additions.
         # could also fail if not supplied.
         @ssl_request = !!options.delete(:ssl)
@@ -52,8 +45,8 @@ module SecureHeaders
       configure(config) if config
     end
 
-    def configure opts
-      @config = opts.dup
+    def configure(config)
+      @config = config.dup
 
       experimental_config = @config.delete(:experimental)
       if @experimental && experimental_config
@@ -70,40 +63,34 @@ module SecureHeaders
 
       normalize_csp_options
       normalize_reporting_endpoint
-      filter_unsupported_directives
+      fill_directives unless disable_fill_missing?
     end
 
     def name
-      browser_strategy.name
+      base = STANDARD_HEADER_NAME
+      if !enforce || experimental
+        base += "-Report-Only"
+      end
+      base
     end
 
     def value
       return @config if @config.is_a?(String)
-
       if @config
         build_value
       else
-        browser_strategy.csp_header
+        DEFAULT_CSP_HEADER
       end
     end
 
     private
 
-    def browser_strategy
-      @browser_strategy ||= BrowserStrategy.build(self)
-    end
-
-    def directives
-      browser_strategy.directives
-    end
-
     def build_value
-      fill_directives unless disable_fill_missing?
-      browser_strategy.add_missing_extension_values unless disable_chrome_extension?
+      raise "Expected to find default_src directive value" unless @config[:default_src]
       append_http_additions unless ssl_request?
-
       header_value = [
-        build_impl_specific_directives,
+        # ensure default-src is first
+        build_directive(:default_src),
         generic_directives(@config),
         report_uri_directive,
         script_nonce_directive,
@@ -118,9 +105,8 @@ module SecureHeaders
 
     def fill_directives
       return unless @config[:default_src]
-
       default = @config[:default_src]
-      directives.each do |directive|
+      DIRECTIVES.each do |directive|
         unless @config[directive]
           @config[directive] = default
         end
@@ -130,7 +116,6 @@ module SecureHeaders
 
     def append_http_additions
       return unless http_additions
-
       http_additions.each do |k, v|
         @config[k] ||= []
         @config[k] << v
@@ -146,14 +131,10 @@ module SecureHeaders
       end
     end
 
-    def filter_unsupported_directives
-      @config = browser_strategy.filter_unsupported_directives(@config)
-    end
-
     # translates 'inline','self', 'none' and 'eval' to their respective impl-specific values.
     def translate_dir_value val
       if %w{inline eval}.include?(val)
-        translate_inline_or_eval(val)
+        val == 'inline' ? "'unsafe-inline'" : "'unsafe-eval'"
         # self/none are special sources/src-dir-values and need to be quoted in chrome
       elsif %{self none}.include?(val)
         "'#{val}'"
@@ -162,33 +143,21 @@ module SecureHeaders
       end
     end
 
-    def translate_inline_or_eval val
-      browser_strategy.translate_inline_or_eval(val)
-    end
-
     # if we have a forwarding endpoint setup and we are not on the same origin as our report_uri
     # or only a path was supplied (in which case we assume cross-host)
     # we need to forward the request for Firefox.
     def normalize_reporting_endpoint
-      return unless browser_strategy.normalize_reporting_endpoint?
-      if same_origin? || report_uri.nil? || URI.parse(report_uri).host.nil?
-        return
-      end
+      if @ua && @ua =~ /Firefox/
+        if same_origin? || report_uri.nil? || URI.parse(report_uri).host.nil?
+          return
+        end
 
-      if forward_endpoint
-        @report_uri = FF_CSP_ENDPOINT
+        if forward_endpoint
+          @report_uri = FF_CSP_ENDPOINT
+        end
       end
     end
 
-    def build_impl_specific_directives
-      default = expect_directive_value(:default_src)
-      browser_strategy.build_impl_specific_directives(default)
-    end
-
-    def expect_directive_value key
-      @config.delete(key) {|k| raise ContentSecurityPolicyBuildError.new("Expected to find #{k} directive value")}
-    end
-
     def same_origin?
       return unless report_uri && request_uri
 
@@ -232,19 +201,24 @@ module SecureHeaders
       end
 
       config.keys.sort_by{|k| k.to_s}.each do |k| # ensure consistent ordering
-        header_value += "#{symbol_to_hyphen_case(k)} #{config[k].join(" ")}; "
+        header_value += build_directive(k)
       end
 
       header_value
     end
 
+    # build and deletes the directive
+    def build_directive(key)
+      "#{symbol_to_hyphen_case(key)} #{@config.delete(key).join(" ")}; "
+    end
+
     def symbol_to_hyphen_case sym
       sym.to_s.gsub('_', '-')
     end
 
     def parse_request request
-      @browser = Brwsr::Browser.new(:ua => request.env['HTTP_USER_AGENT'])
       @ssl_request = request.ssl?
+      @ua = request.env['HTTP_USER_AGENT']
       @request_uri = if request.respond_to?(:original_url)
         # rails 3.1+
         request.original_url

data/lib/secure_headers/version.rb

@@ -1,3 +1,3 @@
 module SecureHeaders
-  VERSION = "1.0.0"
+  VERSION = "1.1.0"
 end

data/secure_headers.gemspec

@@ -18,6 +18,5 @@ Gem::Specification.new do |gem|
   gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ["lib"]
-  gem.add_dependency "brwsr", ">= 1.1.1"
   gem.add_development_dependency "rake"
 end

data/spec/controllers/content_security_policy_controller_spec.rb

@@ -5,7 +5,7 @@ describe ContentSecurityPolicyController do
     {
       "csp-report" => {
         "document-uri" => "http://localhost:3001/csp","violated-directive" => "script-src 'none'",
-        "original-policy" => "default-src https://* 'unsafe-eval'; frame-src 'self'; img-src chrome-extension: https://*; report-uri http://localhost:3001/scribes/csp_report; script-src 'none'; style-src 'unsafe-inline' 'self';",
+        "original-policy" => "default-src https://* 'unsafe-eval'; frame-src 'self'; img-src https://*; report-uri http://localhost:3001/scribes/csp_report; script-src 'none'; style-src 'unsafe-inline' 'self';",
         "blocked-uri" => "http://localhost:3001/stuff.js"
       }
     }

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -1,5 +1,4 @@
 require 'spec_helper'
-require 'brwsr'
 
 module SecureHeaders
   describe ContentSecurityPolicy do
@@ -32,17 +31,17 @@ module SecureHeaders
     describe "#name" do
       context "when supplying options to override request" do
         specify { ContentSecurityPolicy.new(default_opts, :ua => IE).name.should == STANDARD_HEADER_NAME + "-Report-Only"}
-        specify { ContentSecurityPolicy.new(default_opts, :ua => FIREFOX).name.should == FIREFOX_CSP_HEADER_NAME + "-Report-Only"}
+        specify { ContentSecurityPolicy.new(default_opts, :ua => FIREFOX).name.should == STANDARD_HEADER_NAME + "-Report-Only"}
         specify { ContentSecurityPolicy.new(default_opts, :ua => FIREFOX_23).name.should == STANDARD_HEADER_NAME + "-Report-Only"}
-        specify { ContentSecurityPolicy.new(default_opts, :ua => CHROME).name.should == WEBKIT_CSP_HEADER_NAME + "-Report-Only"}
+        specify { ContentSecurityPolicy.new(default_opts, :ua => CHROME).name.should == STANDARD_HEADER_NAME + "-Report-Only"}
         specify { ContentSecurityPolicy.new(default_opts, :ua => CHROME_25).name.should == STANDARD_HEADER_NAME + "-Report-Only"}
       end
 
       context "when in report-only mode" do
         specify { ContentSecurityPolicy.new(default_opts, :request => request_for(IE)).name.should == STANDARD_HEADER_NAME + "-Report-Only"}
-        specify { ContentSecurityPolicy.new(default_opts, :request => request_for(FIREFOX)).name.should == FIREFOX_CSP_HEADER_NAME + "-Report-Only"}
+        specify { ContentSecurityPolicy.new(default_opts, :request => request_for(FIREFOX)).name.should == STANDARD_HEADER_NAME + "-Report-Only"}
         specify { ContentSecurityPolicy.new(default_opts, :request => request_for(FIREFOX_23)).name.should == STANDARD_HEADER_NAME + "-Report-Only"}
-        specify { ContentSecurityPolicy.new(default_opts, :request => request_for(CHROME)).name.should == WEBKIT_CSP_HEADER_NAME + "-Report-Only"}
+        specify { ContentSecurityPolicy.new(default_opts, :request => request_for(CHROME)).name.should == STANDARD_HEADER_NAME + "-Report-Only"}
         specify { ContentSecurityPolicy.new(default_opts, :request => request_for(CHROME_25)).name.should == STANDARD_HEADER_NAME + "-Report-Only"}
       end
 
@@ -50,18 +49,18 @@ module SecureHeaders
         let(:opts) { default_opts.merge(:enforce => true)}
 
         specify { ContentSecurityPolicy.new(opts, :request => request_for(IE)).name.should == STANDARD_HEADER_NAME}
-        specify { ContentSecurityPolicy.new(opts, :request => request_for(FIREFOX)).name.should == FIREFOX_CSP_HEADER_NAME}
+        specify { ContentSecurityPolicy.new(opts, :request => request_for(FIREFOX)).name.should == STANDARD_HEADER_NAME}
         specify { ContentSecurityPolicy.new(opts, :request => request_for(FIREFOX_23)).name.should == STANDARD_HEADER_NAME}
-        specify { ContentSecurityPolicy.new(opts, :request => request_for(CHROME)).name.should == WEBKIT_CSP_HEADER_NAME}
+        specify { ContentSecurityPolicy.new(opts, :request => request_for(CHROME)).name.should == STANDARD_HEADER_NAME}
         specify { ContentSecurityPolicy.new(opts, :request => request_for(CHROME_25)).name.should == STANDARD_HEADER_NAME}
       end
 
       context "when in experimental mode" do
         let(:opts) { default_opts.merge(:enforce => true).merge(:experimental => {})}
         specify { ContentSecurityPolicy.new(opts, {:experimental => true, :request => request_for(IE)}).name.should == STANDARD_HEADER_NAME + "-Report-Only"}
-        specify { ContentSecurityPolicy.new(opts, {:experimental => true, :request => request_for(FIREFOX)}).name.should == FIREFOX_CSP_HEADER_NAME + "-Report-Only"}
+        specify { ContentSecurityPolicy.new(opts, {:experimental => true, :request => request_for(FIREFOX)}).name.should == STANDARD_HEADER_NAME + "-Report-Only"}
         specify { ContentSecurityPolicy.new(opts, {:experimental => true, :request => request_for(FIREFOX_23)}).name.should == STANDARD_HEADER_NAME + "-Report-Only"}
-        specify { ContentSecurityPolicy.new(opts, {:experimental => true, :request => request_for(CHROME)}).name.should == WEBKIT_CSP_HEADER_NAME + "-Report-Only"}
+        specify { ContentSecurityPolicy.new(opts, {:experimental => true, :request => request_for(CHROME)}).name.should == STANDARD_HEADER_NAME + "-Report-Only"}
         specify { ContentSecurityPolicy.new(opts, {:experimental => true, :request => request_for(CHROME_25)}).name.should == STANDARD_HEADER_NAME + "-Report-Only"}
       end
     end
@@ -74,43 +73,10 @@ module SecureHeaders
         @opts = default_opts
       end
 
-      context "X-Content-Security-Policy" do
-        it "converts the script values to their equivilents" do
-          csp = ContentSecurityPolicy.new(@opts, :request => request_for(FIREFOX))
-          csp.value.should include("script-src https://* data: 'self' 'none'")
-          csp.value.should include('options inline-script eval-script')
-        end
-      end
-
-      context "X-Webkit-CSP" do
+      context "Content-Security-Policy" do
         it "converts the script values to their equivilents" do
           csp = ContentSecurityPolicy.new(@opts, :request => request_for(CHROME))
-          csp.value.should include("script-src 'unsafe-inline' 'unsafe-eval' https://* data: 'self' 'none' chrome-extension")
-        end
-      end
-    end
-
-    describe "#build_impl_specific_directives" do
-      context "X-Content-Security-Policy" do
-        it "moves script-src inline and eval values to the options directive" do
-          opts = {
-            :default_src => 'https://*',
-            :script_src => "inline eval https://*"
-          }
-          csp = ContentSecurityPolicy.new(opts, :request => request_for(FIREFOX))
-          browser_specific = csp.send :build_impl_specific_directives
-          browser_specific.should include('options inline-script eval-script;')
-        end
-
-        it "does not move values from style-src into options" do
-          opts = {
-            :default_src => 'https://*',
-            :style_src => "inline eval https://*"
-          }
-          csp = ContentSecurityPolicy.new(opts, :request => request_for(FIREFOX))
-          browser_specific = csp.send :build_impl_specific_directives
-          browser_specific.should_not include('inline-script')
-          browser_specific.should_not include('eval-script')
+          csp.value.should include("script-src 'unsafe-inline' 'unsafe-eval' https://* data: 'self' 'none'")
         end
       end
     end
@@ -162,8 +128,6 @@ module SecureHeaders
         csp = ContentSecurityPolicy.new({:report_uri => 'https://example.com'}, :request => request_for(FIREFOX, "https://anotherexample.com"))
         csp.send(:same_origin?).should be_false
       end
-
-
     end
 
     describe "#normalize_reporting_endpoint" do
@@ -252,7 +216,7 @@ module SecureHeaders
         csp.value.should == value
       end
 
-      it "sends the chrome csp header if an unknown browser is supplied" do
+      it "sends the standard csp header if an unknown browser is supplied" do
         csp = ContentSecurityPolicy.new(default_opts, :request => request_for(IE))
         csp.value.should match "default-src"
       end
@@ -260,30 +224,7 @@ module SecureHeaders
       context "Firefox" do
         it "builds a csp header for firefox" do
           csp = ContentSecurityPolicy.new(default_opts, :request => request_for(FIREFOX))
-          csp.value.should == "allow https://*; options inline-script eval-script; img-src data:; script-src https://* data:; style-src https://* about:; report-uri /csp_report;"
-        end
-
-        it "does not append chrome-extension to directives" do
-          csp = ContentSecurityPolicy.new(default_opts.merge(:disable_chrome_extension => false), :request => request_for(FIREFOX))
-          csp.value.should_not match "chrome-extension:"
-        end
-
-        it "copies connect-src values to xhr_src values" do
-          opts = {
-            :default_src => 'http://twitter.com',
-            :connect_src => 'self http://*.localhost.com:*',
-            :disable_chrome_extension => true,
-            :disable_fill_missing => true
-          }
-          csp = ContentSecurityPolicy.new(opts, :request => request_for(FIREFOX))
-          csp.value.should =~ /xhr-src 'self' http:/
-        end
-
-        context "Firefox >= 23" do
-          it "builds a csp header for firefox" do
-            csp = ContentSecurityPolicy.new(default_opts, :request => request_for(FIREFOX_23))
-            csp.value.should == "default-src https://*; img-src data:; script-src 'unsafe-inline' 'unsafe-eval' https://* data:; style-src 'unsafe-inline' https://* about:; report-uri /csp_report;"
-          end
+          csp.value.should == "default-src https://*; img-src data:; script-src 'unsafe-inline' 'unsafe-eval' https://* data:; style-src 'unsafe-inline' https://* about:; report-uri /csp_report;"
         end
       end
 
@@ -297,20 +238,6 @@ module SecureHeaders
           csp = ContentSecurityPolicy.new(@options_with_forwarding, :request => request_for(CHROME))
           csp.value.should =~ /report-uri #{@options_with_forwarding[:report_uri]};/
         end
-
-        it "whitelists chrome_extensions by default" do
-          opts = {
-            :default_src => 'https://*',
-            :report_uri => '/csp_report',
-            :script_src => 'inline eval https://* data:',
-            :style_src => "inline https://* chrome-extension: about:"
-          }
-
-          csp = ContentSecurityPolicy.new(opts, :request => request_for(CHROME))
-
-          # ignore the report-uri directive
-          csp.value.split(';')[0...-1].each{|directive| directive.should =~ /chrome-extension:/}
-        end
       end
 
       context "when supplying a experimental values" do
@@ -324,7 +251,6 @@ module SecureHeaders
           }
         }}
 
-        let(:header) {}
         it "returns the original value" do
           header = ContentSecurityPolicy.new(options, :request => request_for(CHROME))
           header.value.should == "default-src 'self'; img-src data:; script-src https://*;"
@@ -384,21 +310,21 @@ module SecureHeaders
           # for comparison purposes, if not using the experimental header this would produce
           # "allow 'self'; script-src https://*" for https requests
           # and
-          # "allow 'self; script-src https://* http://*" for http requests
+          # "allow 'self'; script-src https://* http://*" for http requests
 
           it "uses the value in the experimental block over SSL" do
             csp = ContentSecurityPolicy.new(options, :experimental => true, :request => request_for(FIREFOX, '/', :ssl => true))
-            csp.value.should == "allow 'self'; img-src data:; script-src 'self';"
+            csp.value.should == "default-src 'self'; img-src data:; script-src 'self';"
           end
 
           it "detects the :ssl => true option" do
             csp = ContentSecurityPolicy.new(options, :experimental => true, :ua => FIREFOX, :ssl => true)
-            csp.value.should == "allow 'self'; img-src data:; script-src 'self';"
+            csp.value.should == "default-src 'self'; img-src data:; script-src 'self';"
           end
 
           it "merges the values from experimental/http_additions when not over SSL" do
             csp = ContentSecurityPolicy.new(options, :experimental => true, :request => request_for(FIREFOX))
-            csp.value.should == "allow 'self'; img-src data:; script-src 'self' https://mycdn.example.com;"
+            csp.value.should == "default-src 'self'; img-src data:; script-src 'self' https://mycdn.example.com;"
           end
         end
       end
@@ -415,11 +341,6 @@ module SecureHeaders
           csp.value.should match "script-nonce random;"
         end
 
-        it "uses the value in the X-Content-Security-Policy" do
-          csp = ContentSecurityPolicy.new(options, :request => request_for(FIREFOX))
-          csp.value.should match "script-nonce random;"
-        end
-
         it "runs a dynamic nonce generator" do
           options[:script_nonce] = lambda { 'something' }
           csp = ContentSecurityPolicy.new(options, :request => request_for(CHROME))

data/spec/lib/secure_headers_spec.rb

@@ -92,15 +92,7 @@ describe SecureHeaders do
     USER_AGENTS.each do |name, useragent|
       it "sets all default headers for #{name} (smoke test)" do
         stub_user_agent(useragent)
-        number_of_headers = case name
-        when :ie, :chrome
-          5
-        when :ios5, :safari5, :safari5_1
-          3 # csp breaks these browsers
-        else
-          4
-        end
-
+        number_of_headers = 5
         subject.should_receive(:set_header).exactly(number_of_headers).times # a request for a given header
         subject.set_csp_header
         subject.set_x_frame_options_header
@@ -139,18 +131,10 @@ describe SecureHeaders do
 
     it "does not set the CSP header if disabled" do
       stub_user_agent(USER_AGENTS[:chrome])
-      should_not_assign_header(WEBKIT_CSP_HEADER_NAME)
+      should_not_assign_header(STANDARD_HEADER_NAME)
       subject.set_csp_header(options_for(:csp).merge(:csp => false))
     end
 
-    # apparently iOS5 safari with CSP in enforce mode causes nothing to render
-    # it has no effect in report-only mode (as in no report is sent)
-    it "does not set CSP header if using ios5" do
-      stub_user_agent(USER_AGENTS[:ios5])
-      subject.should_not_receive(:set_header)
-      subject.set_csp_header(options_for(:csp))
-    end
-
     context "when disabled by configuration settings" do
       it "does not set any headers when disabled" do
         ::SecureHeaders::Configuration.configure do |config|
@@ -214,7 +198,7 @@ describe SecureHeaders do
   end
 
   describe "#set_x_content_type_options" do
-    [:ie, :chrome].each do |useragent|
+    USER_AGENTS.each do |useragent|
       context "when using #{useragent}" do
         before(:each) do
           stub_user_agent(USER_AGENTS[useragent])
@@ -237,7 +221,7 @@ describe SecureHeaders do
     context "when using Firefox" do
       it "sets CSP headers" do
         stub_user_agent(USER_AGENTS[:firefox])
-        should_assign_header(FIREFOX_CSP_HEADER_NAME + "-Report-Only", FIREFOX_CSP_HEADER)
+        should_assign_header(STANDARD_HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
         subject.set_csp_header
       end
     end
@@ -245,7 +229,7 @@ describe SecureHeaders do
     context "when using Chrome" do
       it "sets default CSP header" do
         stub_user_agent(USER_AGENTS[:chrome])
-        should_assign_header(WEBKIT_CSP_HEADER_NAME + "-Report-Only", WEBKIT_CSP_HEADER)
+        should_assign_header(STANDARD_HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
         subject.set_csp_header
       end
     end
@@ -253,7 +237,7 @@ describe SecureHeaders do
     context "when using a browser besides chrome/firefox" do
       it "sets the CSP header" do
         stub_user_agent(USER_AGENTS[:opera])
-        should_assign_header(WEBKIT_CSP_HEADER_NAME + "-Report-Only", WEBKIT_CSP_HEADER)
+        should_assign_header(STANDARD_HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
         subject.set_csp_header
       end
     end
@@ -273,14 +257,14 @@ describe SecureHeaders do
 
       it "does not set the header in enforce mode if experimental is supplied, but enforce is disabled" do
         opts = @opts.merge(:enforce => false)
-        should_assign_header(WEBKIT_CSP_HEADER_NAME + "-Report-Only", anything)
-        should_not_assign_header(WEBKIT_CSP_HEADER_NAME)
+        should_assign_header(STANDARD_HEADER_NAME + "-Report-Only", anything)
+        should_not_assign_header(STANDARD_HEADER_NAME)
         subject.set_csp_header(opts)
       end
 
       it "sets a header in enforce mode as well as report-only mode" do
-        should_assign_header(WEBKIT_CSP_HEADER_NAME, anything)
-        should_assign_header(WEBKIT_CSP_HEADER_NAME + "-Report-Only", anything)
+        should_assign_header(STANDARD_HEADER_NAME, anything)
+        should_assign_header(STANDARD_HEADER_NAME + "-Report-Only", anything)
         subject.set_csp_header(@opts)
       end
     end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,24 +9,8 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-06-17 00:00:00.000000000 Z
+date: 2013-11-11 00:00:00.000000000 Z
 dependencies:
-- !ruby/object:Gem::Dependency
-  name: brwsr
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: 1.1.1
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: 1.1.1
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -150,10 +134,6 @@ files:
 - lib/secure_headers.rb
 - lib/secure_headers/header.rb
 - lib/secure_headers/headers/content_security_policy.rb
-- lib/secure_headers/headers/content_security_policy/browser_strategy.rb
-- lib/secure_headers/headers/content_security_policy/firefox_browser_strategy.rb
-- lib/secure_headers/headers/content_security_policy/ie_browser_strategy.rb
-- lib/secure_headers/headers/content_security_policy/standard_browser_strategy.rb
 - lib/secure_headers/headers/strict_transport_security.rb
 - lib/secure_headers/headers/x_content_type_options.rb
 - lib/secure_headers/headers/x_frame_options.rb

data/lib/secure_headers/headers/content_security_policy/browser_strategy.rb

@@ -1,78 +0,0 @@
-require "forwardable"
-
-module SecureHeaders
-  class ContentSecurityPolicy
-    class BrowserStrategy
-      extend Forwardable
-
-      def_delegators :@content_security_policy, :browser, :experimental, :enforce, :config
-
-      def self.build(content_security_policy)
-        browser = content_security_policy.browser
-        klass = if browser.ie?
-          IeBrowserStrategy
-        elsif browser.firefox?
-          if browser.version.to_i >= 23
-            StandardBrowserStrategy
-          else
-            FirefoxBrowserStrategy
-          end
-        else
-          StandardBrowserStrategy
-        end
-
-        klass.new content_security_policy
-      end
-
-      def initialize(content_security_policy)
-        @content_security_policy = content_security_policy
-      end
-
-      def base_name
-        SecureHeaders::ContentSecurityPolicy::STANDARD_HEADER_NAME
-      end
-
-      def name
-        base = base_name
-        if !enforce || experimental
-          base += "-Report-Only"
-        end
-        base
-      end
-
-      def csp_header
-        SecureHeaders::ContentSecurityPolicy::WEBKIT_CSP_HEADER
-      end
-
-      def directives
-        SecureHeaders::ContentSecurityPolicy::WEBKIT_DIRECTIVES
-      end
-
-      def filter_unsupported_directives(config)
-        config = config.dup
-        config.delete(:frame_ancestors)
-        config
-      end
-
-      def translate_inline_or_eval val
-        val == 'inline' ? "'unsafe-inline'" : "'unsafe-eval'"
-      end
-
-      def build_impl_specific_directives(default)
-        if default.any?
-          "default-src #{default.join(" ")}; "
-        else
-          ""
-        end
-      end
-
-      def normalize_reporting_endpoint?
-        # noop except for Firefox for now
-      end
-
-      def add_missing_extension_values
-        # noop except for chrome for now
-      end
-    end
-  end
-end

data/lib/secure_headers/headers/content_security_policy/firefox_browser_strategy.rb

@@ -1,72 +0,0 @@
-module SecureHeaders
-  class ContentSecurityPolicy
-    class FirefoxBrowserStrategy < BrowserStrategy
-      def base_name
-        SecureHeaders::ContentSecurityPolicy::FIREFOX_CSP_HEADER_NAME
-      end
-
-      def csp_header
-        SecureHeaders::ContentSecurityPolicy::FIREFOX_CSP_HEADER
-      end
-
-      def directives
-        SecureHeaders::ContentSecurityPolicy::FIREFOX_DIRECTIVES
-      end
-
-      def filter_unsupported_directives(config)
-        config = config.dup
-        config[:xhr_src] = config.delete(:connect_src) if config[:connect_src]
-        config
-      end
-
-      def translate_inline_or_eval val
-        val == 'inline' ? 'inline-script' : 'eval-script'
-      end
-
-      def build_impl_specific_directives(default)
-        build_firefox_specific_preamble(default) || ''
-      end
-
-      def build_firefox_specific_preamble(default_src_value)
-        header_value = ''
-        header_value += "allow #{default_src_value.join(" ")}; " if default_src_value.any?
-
-        options_directive = build_options_directive
-        header_value += "options #{options_directive.join(" ")}; " if options_directive.any?
-        header_value
-      end
-
-      # moves inline/eval values from script-src to options
-      # discards those values in the style-src directive
-      def build_options_directive
-        options_directive = []
-        config.each do |directive, val|
-          next if val.is_a?(String)
-          new_val = []
-          val.each do |token|
-            if ['inline-script', 'eval-script'].include?(token)
-              # Firefox does not support blocking inline styles ATM
-              # https://bugzilla.mozilla.org/show_bug.cgi?id=763879
-              unless directive?(directive, "style_src") || options_directive.include?(token)
-                options_directive << token
-              end
-            else
-              new_val << token
-            end
-          end
-          config[directive] = new_val
-        end
-
-        options_directive
-      end
-
-      def directive? val, name
-        val.to_s.casecmp(name) == 0
-      end
-
-      def normalize_reporting_endpoint?
-        true
-      end
-    end
-  end
-end

data/lib/secure_headers/headers/content_security_policy/ie_browser_strategy.rb

@@ -1,6 +0,0 @@
-module SecureHeaders
-  class ContentSecurityPolicy
-    class IeBrowserStrategy < BrowserStrategy
-    end
-  end
-end

data/lib/secure_headers/headers/content_security_policy/standard_browser_strategy.rb

@@ -1,22 +0,0 @@
-module SecureHeaders
-  class ContentSecurityPolicy
-    class StandardBrowserStrategy < BrowserStrategy
-      def base_name
-        if (browser.firefox? && browser.version.to_i >= 23) || (browser.chrome? && browser.version.to_i >= 25)
-          SecureHeaders::ContentSecurityPolicy::STANDARD_HEADER_NAME
-        else
-          SecureHeaders::ContentSecurityPolicy::WEBKIT_CSP_HEADER_NAME
-        end
-      end
-
-      def add_missing_extension_values
-        directives.each do |directive|
-          next unless config[directive]
-          if !config[directive].include?('chrome-extension:')
-            config[directive] << 'chrome-extension:'
-          end
-        end
-      end
-    end
-  end
-end