secure_headers 1.1.1 → 1.2.0

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    ZDFmNDM2NjIwYzU4MjcyYWU0ODkwMjkxMjM0MDMwYTAyNjY3YWM2ZA==
+  data.tar.gz: !binary |-
+    N2VjN2M3MGMyY2Y5ODliOTVmZTIxZDgwOTdjYTM1NTg3MDZiMjdjNw==
+SHA512:
+  metadata.gz: !binary |-
+    MTRiN2Y5NDFhYTE3ZmM2MjE4MThmMDQ3OTZmOWVhMWM5OTgxOThlNzFiOGNm
+    MzQ2ZmFiMjUyZjdmNWU4MWQwZTY3Yjc4YmM4NzVjMWNhZWE0YzI3YjlmMjcy
+    MDk3YmNiZmI3NGNmMzFmMDkxNjEyOTFkMmE5YjNlNjJlMDBkYWY=
+  data.tar.gz: !binary |-
+    NzRhM2Y5NTk0OTZhMmRlYjk0ZThkYTM3ZTQxYzc3Mjk3ZTY2MjQ4MjUwN2Rm
+    YzUwMGY4ZTdlY2Q2M2M4NDgyODQ1MTc2ZWM3ZmEyOWU5NWIwNWExMjBlMDBi
+    YWNlYjllMmZmN2M4MTU0NWE3NjIwOGNjMmQ5ODBlYzE4NzM1Njk=

data/.ruby-gemset

@@ -0,0 +1 @@
+secureheaders

data/.ruby-version

@@ -0,0 +1 @@
+ruby-1.9.3-p484

data/.travis.yml

@@ -1,4 +1,6 @@
 rvm:
+  - "2.1.0"
+  - "2.0.0"
   - "1.9.3"
   - "1.8.7"
 #  - jruby-19mode

data/Gemfile

@@ -8,9 +8,7 @@ group :test do
   gem 'jdbc-sqlite3', :platform => :jruby
   gem 'rspec-rails'
   gem 'spork'
-  gem 'pry'
   gem 'rspec'
-  gem 'guard-spork', :platform => :ruby_19
   gem 'guard-rspec', :platform => :ruby_19
   gem 'growl'
   gem 'rb-fsevent'

data/Guardfile

@@ -1,8 +1,4 @@
-guard 'spork', :aggressive_kill => false do
-  watch('spec/spec_helper.rb') { :rspec }
-end
-
-guard 'rspec', :cli => "--color --drb --debug", :keep_failed => true, :all_after_pass => true, :focus_on_failed => true do
+guard 'rspec' do
   watch(%r{^spec/.+_spec\.rb$})
   watch(%r{^lib/(.+)\.rb$})     { |m| "spec/lib/#{m[1]}_spec.rb" }
   watch(%r{^app/controllers/(.+)\.rb$})     { |m| "spec/controllers/#{m[1]}_spec.rb" }

data/HISTORY.md

@@ -1,3 +1,19 @@
+1.2.0
+======
+
+Add support for procs (anything that respond_to?(:call)) as config values.
+
+csp = {
+  :default_src => 'self',
+  :report_uri => lambda {
+    if FeatureToggle.available?(:new_csp_endpoint)
+      '//example.com/new_csp'
+    else
+      '//example.com/old_csp'
+    end
+  }
+}
+
 1.1.1
 ======
 

data/README.md

@@ -85,9 +85,10 @@ Or simply add it to application controller
 
 ```ruby
 ensure_security_headers(
-  :hsts => {:include_subdomains, :x_frame_options => false},
+  :hsts => {:include_subdomains => true, :max_age => 20.years.to_i},
   :x_frame_options => 'DENY',
-  :csp => false)
+  :csp => false
+)
 ```
 
 ## Options for ensure\_security\_headers
@@ -117,6 +118,9 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
 
 ```ruby
 :csp => {
+
+  # All values can be a String of space-delimited values, an Array of Strings, or procs.
+
   :enforce     => false,        # sets header to report-only, by default
   # default_src is required!
   :default_src     => nil,      # sets the default-src/allow+options directives
@@ -162,13 +166,6 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
       :img_src => 'http://mycdn.example.com'
     }
   }
-
-  # script-nonce is an experimental feature of CSP 1.1 available in Chrome. It allows
-  # you to whitelist inline script blocks. For more information, see
-  # https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-nonce
-  :script_nonce => lambda { @script_nonce = SecureRandom.hex }
-  # which can be used to whitelist a script block:
-  # script_tag :nonce = @script_nonce { inline_script_call() }
 }
 ```
 
@@ -196,17 +193,23 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
 :csp => {
   :default_src => 'self',
   :img_src => '*',
+  :connect_src => 'none'
   :object_src => ['media1.com', 'media2.com', '*.cdn.com'],
-  # alternatively (NOT csv) :object_src => 'media1.com media2.com *.cdn.com'
-  :script_src => 'trustedscripts.example.com'
+  # alternatively :object_src => 'media1.com media2.com *.cdn.com'
+  :script_src => 'trustedscripts.example.com',
+  :report_uri => lambda {
+    if FeatureToggle.available?(:new_csp_endpoint)
+      '//example.com/new_csp'
+    else
+      '//example.com/old_csp'
+    end
+  }
 }
-"default-src  'self'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com;"
+"default-src  'self'; connect-src 'none'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com; report-uri [one of the two values in the example]"
 ```
 
 ## Note on Firefox handling of CSP
 
-Currently, Firefox does not support the w3c draft standard.  So there are a few steps taken to make the two interchangeable.
-
 * CSP reports will not POST cross\-origin.  This sets up an internal endpoint in the application that will forward the request. Set the `forward_endpoint` value in the CSP section if you need to post cross origin for firefox. The internal endpoint that receives the initial request will forward the request to `forward_endpoint`
 
 ### Adding the Firefox report forwarding endpoint
@@ -304,7 +307,7 @@ end
 * Node.js (express) [helmet](https://github.com/evilpacket/helmet) and [hood](https://github.com/seanmonstar/hood)
 * J2EE Servlet >= 3.0 [highlines](https://github.com/sourceclear/headlines)
 * ASP.NET - [NWebsec](http://nwebsec.codeplex.com/)
-* Python - [django-csp](https://github.com/mozilla/django-csp/tree/master/csp) + [commonware](https://github.com/jsocol/commonware/tree/master/commonware/request)
+* Python - [django-csp](https://github.com/mozilla/django-csp/) + [commonware](https://github.com/jsocol/commonware/)
 * Go - [secureheader](https://github.com/kr/secureheader)
 
 ## Authors

data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb

@@ -1,44 +1,39 @@
 require 'spec_helper'
 
-describe OtherThingsController do
+describe OtherThingsController, :type => :controller do
   describe "headers" do
-    before(:each) do
-      # Chrome
-      request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
-    end
-
     it "sets the X-XSS-Protection header" do
       get :index
-      response.headers['X-XSS-Protection'].should == '1; mode=block'
+      expect(response.headers['X-XSS-Protection']).to eq('1; mode=block')
     end
 
     it "sets the X-Frame-Options header" do
       get :index
-      response.headers['X-Frame-Options'].should == 'SAMEORIGIN'
+      expect(response.headers['X-Frame-Options']).to eq('SAMEORIGIN')
     end
 
     it "sets the X-WebKit-CSP header" do
       get :index
-      response.headers['Content-Security-Policy-Report-Only'].should == "default-src 'self'; img-src data:; report-uri somewhere;"
+      expect(response.headers['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; img-src data:; report-uri somewhere;")
     end
 
     #mock ssl
     it "sets the Strict-Transport-Security header" do
       request.env['HTTPS'] = 'on'
       get :index
-      response.headers['Strict-Transport-Security'].should == "max-age=315576000"
+      expect(response.headers['Strict-Transport-Security']).to eq("max-age=315576000")
     end
 
     it "sets the X-Content-Type-Options header" do
       get :index
-      response.headers['X-Content-Type-Options'].should == "nosniff"
+      expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
     end
 
     context "using IE" do
       it "sets the X-Content-Type-Options header" do
         request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
         get :index
-        response.headers['X-Content-Type-Options'].should == "nosniff"
+        expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
       end
     end
   end

data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb

@@ -4,45 +4,40 @@ require 'spec_helper'
 # all values are defaulted because no initializer is configured, and the values in app controller
 # only provide csp => false
 
-describe ThingsController do
+describe ThingsController, :type => :controller do
   describe "headers" do
-    before(:each) do
-        # Chrome
-        request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
-    end
-
     it "sets the X-XSS-Protection header" do
       get :index
-      response.headers['X-XSS-Protection'].should == '1; mode=block'
+      expect(response.headers['X-XSS-Protection']).to eq('1; mode=block')
     end
 
     it "sets the X-Frame-Options header" do
       get :index
-      response.headers['X-Frame-Options'].should == 'SAMEORIGIN'
+      expect(response.headers['X-Frame-Options']).to eq('SAMEORIGIN')
     end
 
     it "sets the X-WebKit-CSP header" do
       get :index
-      response.headers['Content-Security-Policy-Report-Only'].should == nil
+      expect(response.headers['Content-Security-Policy-Report-Only']).to eq(nil)
     end
 
     #mock ssl
     it "sets the Strict-Transport-Security header" do
       request.env['HTTPS'] = 'on'
       get :index
-      response.headers['Strict-Transport-Security'].should == "max-age=315576000"
+      expect(response.headers['Strict-Transport-Security']).to eq("max-age=315576000")
     end
 
     it "sets the X-Content-Type-Options header" do
       get :index
-      response.headers['X-Content-Type-Options'].should == "nosniff"
+      expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
     end
 
     context "using IE" do
       it "sets the X-Content-Type-Options header" do
         request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
         get :index
-        response.headers['X-Content-Type-Options'].should == "nosniff"
+        expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
       end
     end
   end

data/fixtures/rails_3_2_12/spec/spec_helper.rb

@@ -11,7 +11,6 @@ require 'spork'
   ENV["RAILS_ENV"] ||= 'test'
   require File.expand_path("../../config/environment", __FILE__)
   require 'rspec/rails'
-  require 'rspec/autorun'
 # end
 
 Spork.each_run do

data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb

@@ -1,44 +1,39 @@
 require 'spec_helper'
 
-describe OtherThingsController do
+describe OtherThingsController, :type => :controller do
   describe "headers" do
-    before(:each) do
-      # Chrome
-      request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
-    end
-
     it "sets the X-XSS-Protection header" do
       get :index
-      response.headers['X-XSS-Protection'].should == SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE
+      expect(response.headers['X-XSS-Protection']).to eq(SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE)
     end
 
     it "sets the X-Frame-Options header" do
       get :index
-      response.headers['X-Frame-Options'].should == SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE
+      expect(response.headers['X-Frame-Options']).to eq(SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
     end
 
     it "sets the X-WebKit-CSP header" do
       get :index
-      response.headers['Content-Security-Policy-Report-Only'].should == "default-src 'self'; img-src data:;"
+      expect(response.headers['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; img-src data:;")
     end
 
     #mock ssl
     it "sets the Strict-Transport-Security header" do
       request.env['HTTPS'] = 'on'
       get :index
-      response.headers['Strict-Transport-Security'].should == SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE
+      expect(response.headers['Strict-Transport-Security']).to eq(SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
     end
 
     it "sets the X-Content-Type-Options header" do
       get :index
-      response.headers['X-Content-Type-Options'].should == SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE
+      expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
     end
 
     context "using IE" do
       it "sets the X-Content-Type-Options header" do
         request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
         get :index
-        response.headers['X-Content-Type-Options'].should == SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE
+        expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
       end
     end
   end

data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb

@@ -4,45 +4,40 @@ require 'spec_helper'
 # all values are defaulted because no initializer is configured, and the values in app controller
 # only provide csp => false
 
-describe ThingsController do
+describe ThingsController, :type => :controller do
   describe "headers" do
-    before(:each) do
-        # Chrome
-        request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
-    end
-
     it "sets the X-XSS-Protection header" do
       get :index
-      response.headers['X-XSS-Protection'].should == SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE
+      expect(response.headers['X-XSS-Protection']).to eq(SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE)
     end
 
     it "sets the X-Frame-Options header" do
       get :index
-      response.headers['X-Frame-Options'].should == SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE
+      expect(response.headers['X-Frame-Options']).to eq(SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
     end
 
     it "sets the X-WebKit-CSP header" do
       get :index
-      response.headers['Content-Security-Policy-Report-Only'].should == nil
+      expect(response.headers['Content-Security-Policy-Report-Only']).to eq(nil)
     end
 
     #mock ssl
     it "sets the Strict-Transport-Security header" do
       request.env['HTTPS'] = 'on'
       get :index
-      response.headers['Strict-Transport-Security'].should == SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE
+      expect(response.headers['Strict-Transport-Security']).to eq(SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
     end
 
     it "sets the X-Content-Type-Options header" do
       get :index
-      response.headers['X-Content-Type-Options'].should == SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE
+      expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
     end
 
     context "using IE" do
       it "sets the X-Content-Type-Options header" do
         request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
         get :index
-        response.headers['X-Content-Type-Options'].should == SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE
+        expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
       end
     end
   end

data/fixtures/rails_3_2_12_no_init/spec/spec_helper.rb

@@ -11,7 +11,6 @@ Spork.prefork do
   ENV["RAILS_ENV"] ||= 'test'
   require File.expand_path("../../config/environment", __FILE__)
   require 'rspec/rails'
-  require 'rspec/autorun'
   # require 'ruby-debug'
 end
 

data/lib/secure_headers/headers/content_security_policy.rb

@@ -58,9 +58,6 @@ module SecureHeaders
         self.send("#{meta}=", @config.delete(meta))
       end
 
-      @report_uri = @config.delete(:report_uri)
-      @script_nonce = @config.delete(:script_nonce)
-
       normalize_csp_options
       normalize_reporting_endpoint
       fill_directives unless disable_fill_missing?
@@ -92,8 +89,7 @@ module SecureHeaders
         # ensure default-src is first
         build_directive(:default_src),
         generic_directives(@config),
-        report_uri_directive,
-        script_nonce_directive,
+        report_uri_directive
       ].join
 
       #store the value for next time
@@ -123,12 +119,23 @@ module SecureHeaders
     end
 
     def normalize_csp_options
-      @config.each do |k,v|
-        @config[k] = v.split if v.is_a? String
-        @config[k] = @config[k].map do |val|
+      @config = @config.inject({}) do |hash, (k, v)|
+        config_val = if v.respond_to?(:call)
+          v.call
+        else
+          v
+        end
+
+        config_val = config_val.split if config_val.is_a? String
+        config_val = config_val.map do |val|
           translate_dir_value(val)
         end
+
+        hash[k] = config_val
+        hash
       end
+
+      @report_uri = @config.delete(:report_uri).join(" ") if @config[:report_uri]
     end
 
     # translates 'inline','self', 'none' and 'eval' to their respective impl-specific values.
@@ -180,18 +187,6 @@ module SecureHeaders
       "report-uri #{@report_uri};"
     end
 
-    def script_nonce_directive
-      return '' if @script_nonce.nil?
-      nonce_value = if @script_nonce.is_a?(String)
-                      @script_nonce
-                    elsif @controller
-                      @controller.instance_exec(&@script_nonce)
-                    else
-                      @script_nonce.call
-                    end
-      "script-nonce #{nonce_value};"
-    end
-
     def generic_directives(config)
       header_value = ''
       if config[:img_src]

data/lib/secure_headers/version.rb

@@ -1,3 +1,3 @@
 module SecureHeaders
-  VERSION = "1.1.1"
+  VERSION = "1.2.0"
 end