secure_headers 1.4.1 → 2.0.0.pre

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 4d41b253fa38de884f864558563330b9e707e2dc
+  data.tar.gz: 69b19dbc4ab124481e6f47dad73cd7a6497aa844
+SHA512:
+  metadata.gz: fa7e778e7cb305a3273d4b3aa94bf8597972910da752b218ebf0779330c4c025c2906cec3974a410193db600fc899465a2da8bc7a8ca5720eb30ba95335e7a5d
+  data.tar.gz: 21934fb364794d3fc08e7dde201e04cb1253686e362e46ec370b06021007cb897fc3182de9a1ac646fa2448f4ce7a9f45b33da31f4d2a8690b76c42527bb9001

data/.gitignore

@@ -1,4 +1,5 @@
 *.gem
+*.DS_STORE
 *.rbc
 .bundle
 .config
@@ -15,12 +16,7 @@ rdoc
 spec/reports
 test/tmp
 test/version_tmp
-tmp
-
-/fixtures/rails_3_2_12/log/test.log
-/fixtures/rails_3_2_12_no_init/log/test.log
+*tmp
 *.sqlite3
-test.sqlite3
-*test.sqlite3
-/fixtures/rails_3_2_12_no_init/db/test.sqlite3
-/fixtures/rails_3_2_12/db/test.sqlite3
+fixtures/rails_3_2_12_no_init/log
+fixtures/rails_3_2_12/log

data/Gemfile

@@ -8,8 +8,8 @@ group :test do
   gem 'jdbc-sqlite3', :platform => :jruby
   gem 'rspec-rails', '>= 3.1'
   gem 'rspec', '>= 3.1'
+  gem 'guard-rspec', :platform => [:ruby_19, :ruby_20, :ruby_21]
   gem 'growl'
   gem 'rb-fsevent'
-  gem 'debugger', :platform => :ruby_19
-  gem 'ruby-debug', :platform => :ruby_18
+  gem 'coveralls', :platform => :ruby_19
 end

data/Guardfile

@@ -0,0 +1,8 @@
+notification :growl
+
+guard 'rspec', cmd: 'rspec' do
+  watch(%r{^spec/.+_spec\.rb$})
+  watch(%r{^lib/(.+)\.rb$})     { |m| "spec/lib/#{m[1]}_spec.rb" }
+  watch(%r{^app/controllers/(.+)\.rb$})     { |m| "spec/controllers/#{m[1]}_spec.rb" }
+  watch('spec/spec_helper.rb')  { "spec" }
+end

data/README.md

@@ -1,4 +1,4 @@
-# SecureHeaders [![Build Status](https://travis-ci.org/twitter/secureheaders.png?branch=master)](http://travis-ci.org/twitter/secureheaders) [![Code Climate](https://codeclimate.com/github/twitter/secureheaders.png)](https://codeclimate.com/github/twitter/secureheaders)
+# SecureHeaders [![Build Status](https://travis-ci.org/twitter/secureheaders.png?branch=master)](http://travis-ci.org/twitter/secureheaders) [![Code Climate](https://codeclimate.com/github/twitter/secureheaders.png)](https://codeclimate.com/github/twitter/secureheaders) [![Coverage Status](https://coveralls.io/repos/twitter/secureheaders/badge.png)](https://coveralls.io/r/twitter/secureheaders)
 
 The gem will automatically apply several headers that are related to security.  This includes:
 - Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack.  [CSP 1.1 Specification](https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html)
@@ -54,8 +54,6 @@ The following methods are going to be called, unless they are provided in a `ski
 This gem makes a few assumptions about how you will use some features.  For example:
 
 * It fills any blank directives with the value in `:default_src`  Getting a default\-src report is pretty useless.  This way, you will always know what type of violation occurred. You can disable this feature by supplying `:disable_fill_missing => true`. This is referred to as the "effective-directive" in the spec, but is not well supported as of Nov 5, 2013.
-* Firefox does not support cross\-origin CSP reports.  If we are using Firefox, AND the value for `:report_uri` does not satisfy the same\-origin requirements, we will instead forward to an internal endpoint (`FF_CSP_ENDPOINT`).  This is also the case if `:report_uri` only contains a path, which we assume will be cross host. This endpoint will in turn forward the request to the value in `:forward_endpoint` without restriction. More information can be found in the "Note on Firefox handling of CSP" section.
-
 
 ## Configuration
 
@@ -68,9 +66,9 @@ This gem makes a few assumptions about how you will use some features.  For exam
   config.x_content_type_options = "nosniff"
   config.x_xss_protection = {:value => 1, :mode => 'block'}
   config.csp = {
-    :default_src => "https://* self",
-    :frame_src => "https://* http://*.twimg.com http://itunes.apple.com",
-    :img_src => "https://*",
+    :default_src => "https: self",
+    :frame_src => "https: http:.twimg.com http://itunes.apple.com",
+    :img_src => "https:",
     :report_uri => '//example.com/uri-directive'
   }
 end
@@ -125,11 +123,6 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
   # Where reports are sent. Use protocol relative URLs if you are posting to the same domain (TLD+1). Use paths if you are posting to the application serving the header
   :report_uri  => '//mysite.example.com',
 
-  # Send reports that cannot be sent across host here. These requests are sent
-  # the server, not the browser. If no value is supplied, it will default to
-  # the value in report_uri. Use this if you cannot use relative protocols mentioned above due to host mismatches.
-  :forward_endpoint => 'https://internal.mylogaggregator.example.com'
-
   # these directives all take 'none', 'self', or a globbed pattern
   :img_src     => nil,
   :frame_src   => nil,
@@ -144,25 +137,12 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
   # over http, relaxing the policy
   # e.g.
   # :csp => {
-  #   :img_src => 'https://*',
-  #   :http_additions => {:img_src => 'http//*'}
+  #   :img_src => 'https:',
+  #   :http_additions => {:img_src => 'http'}
   # }
-  # would produce the directive: "img-src https://* http://*;"
+  # would produce the directive: "img-src https: http:;"
   # when over http, ignored for https requests
   :http_additions => {}
-
-  # If you have enforce => true, you can use the `experiments` block to
-  # also produce a report-only header. Values in this block override the
-  # parent config for the report-only, and leave the enforcing header
-  # unaltered. http_additions work the same way described above, but
-  # are added to your report-only header as expected.
-  :experimental => {
-    :script_src => 'self',
-    :img_src => 'https://mycdn.example.com',
-    :http_additions {
-      :img_src => 'http://mycdn.example.com'
-    }
-  }
 }
 ```
 
@@ -172,19 +152,19 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
 ```ruby
 # most basic example
 :csp => {
-  :default_src => "https://* inline eval",
+  :default_src => "https: inline eval",
   :report_uri => '/uri-directive'
 }
 
-> "default-src 'unsafe-inline' 'unsafe-eval' https://*; report-uri /uri-directive;"
+> "default-src 'unsafe-inline' 'unsafe-eval' https:; report-uri /uri-directive;"
 
 # turn off inline scripting/eval
 :csp => {
-  :default_src => 'https://*',
+  :default_src => 'https:',
   :report_uri => '/uri-directive'
 }
 
-> "default-src  https://*; report-uri /uri-directive;"
+> "default-src  https:; report-uri /uri-directive;"
 
 # Auction site wants to allow images from anywhere, plugin content from a list of trusted media providers (including a content distribution network), and scripts only from its server hosting sanitized JavaScript
 :csp => {
@@ -217,9 +197,13 @@ report-uri csp_reports?enforce=true&app_name=twitter
 
 ### CSP Level 2 features
 
+*NOTE: Currently, only erb is supported. Mustache support isn't far off. Hash sources are valid for inline style blocks but are not yet supported by secure_headers.*
+
+#### Nonce
+
 script/style-nonce can be used to whitelist inline content. To do this, add "nonce" to your script/style-src configuration, then set the nonce attributes on the various tags.
 
-*setting a nonce will also set 'unsafe-inline' for browsers that don't support nonces for backwards compatibility. 'unsafe-inline' is ignored if a nonce is present in a directive in compliant browsers.
+Setting a nonce will also set 'unsafe-inline' for browsers that don't support nonces for backwards compatibility. 'unsafe-inline' is ignored if a nonce is present in a directive in compliant browsers.
 
 ```ruby
 :csp => {
@@ -243,29 +227,99 @@ script/style-nonce can be used to whitelist inline content. To do this, add "non
   console.log("won't execute, not whitelisted")
 </script>
 ```
+You can use a view helper to automatically add nonces to script tags:
+```erb
+<%= nonced_javascript_tag do %>
+  console.log("nonced!")
+<% end %>
+<%= nonced_javascript_tag("nonced without a block!") %>
+```
 
-## Note on Firefox handling of CSP
+becomes:
 
-* CSP reports will not POST cross\-origin.  This sets up an internal endpoint in the application that will forward the request. Set the `forward_endpoint` value in the CSP section if you need to post cross origin for firefox. The internal endpoint that receives the initial request will forward the request to `forward_endpoint`
+```html
+<script nonce="/jRAxuLJsDXAxqhNBB7gg7h55KETtDQBXe4ZL+xIXwI=">
+console.log("nonced!")
+</script>
+```
+
+#### Hash
 
-### Adding the Firefox report forwarding endpoint
+setting hash source values will also set 'unsafe-inline' for browsers that don't support hash sources for backwards compatibility. 'unsafe-inline' is ignored if a hash is present in a directive in compliant browsers.
 
-**You need to add the following line to the TOP of confib/routes.rb**
-**This is an unauthenticated, unauthorized endpoint. Only do this if your report\-uri is not on the same origin as your application!!!**
+Hash source support works by taking the hash value of the contents of an inline script block and adding the hash "fingerprint" to the CSP header.
 
-#### Rails 2
+If you only have a few hashes, you can hardcode them for the entire app:
 
 ```ruby
-map.csp_endpoint
+  config.csp = {
+    :default_src => "https:",
+    :script_src => 'self'
+    :script_hashes => ['sha1-abc', 'sha1-qwe']
+  }
 ```
 
-#### Rails 3
+The following will work as well, but may not be as clear:
+
+```ruby
+  config.csp = {
+    :default_src => "https:",
+    :script_src => "self 'sha1-qwe'"
+  }
+```
 
-If the csp reporting endpoint is clobbered by another route, add:
+If you find you have many hashes or the content of the script tags change frequently, you can apply these hashes in a more intelligent way. This method expects config/script_hashes.yml to contain a map of templates => [hashes]. When the individual templates, layouts, or partials are rendered the hash values for the script tags in those templates will be automatically added to the header. *Currently, only erb layouts are supported.* This requires the use of middleware:
 
 ```ruby
-post SecureHeaders::ContentSecurityPolicy::FF_CSP_ENDPOINT => "content_security_policy#scribe"
+# config.ru
+require 'secure_headers/headers/content_security_policy/script_hash_middleware'
+use ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware
 ```
+
+```ruby
+  config.csp = {
+    :default_src => "https:",
+    :script_src => 'self',
+    :script_hash_middleware => true
+  }
+```
+
+Hashes are stored in a yaml file with a mapping of Filename => [list of hashes] in config/script_hashes.yml. You can automatically populate this file by running the following rake task:
+
+```$ bundle exec rake secure_headers:generate_hashes```
+
+Which will generate something like:
+
+```yaml
+# config/script_hashes.yml
+app/views/layouts/application.html.erb:
+- sha256-l8OLjZqYRnKilpdE0VosRMvhdYArjXT4NZaK2p7QVvs=
+app/templates/articles/edit.html.erb:
+- sha256-+7mij1/uCwtCQRWrof2NmOln5qX+5WdVwTLMpi8nuoA=
+- sha256-Ny4TRIhhFpnYnSeKC274P6bfAz4TOkezLabavIAU4dA=
+- sha256-I5e58Gqbu4WpO9dck18QxO7aYOHKrELIi70it4jIPi0=
+- sha256-Po4LMynwnAJHxiTp3DQaQ3YDBj3paN/xrDoKl4OyxY4=
+```
+
+In this example, if we visit /articles/edit/[id], the above hashes will automatically be added to the CSP header's
+script-src value!
+
+You can use plain "script" tags or you can use a built-in helper:
+
+```erb
+<%= hashed_javascript_tag do %>
+console.log("hashed automatically!")
+<% end %>
+```
+
+By using the helper, hash values will be computed dynamically in development/test environments. If a dynamically computed hash value does not match what is expected to be found in config/script_hashes.yml a warning message will be printed to the console. If you want to raise exceptions instead, use:
+
+```erb
+<%= hashed_javascript_tag(raise_error_on_unrecognized_hash = true) do %>
+console.log("will raise an exception if not in script_hashes.yml!")
+<% end %>
+```
+
 ### Using with Sinatra
 
 Here's an example using SecureHeaders for Sinatra applications:
@@ -282,10 +336,10 @@ require 'secure_headers'
   config.x_content_type_options = "nosniff"
   config.x_xss_protection = {:value => 1, :mode => false}
   config.csp = {
-    :default_src => "https://* inline eval",
+    :default_src => "https: inline eval",
     :report_uri => '//example.com/uri-directive',
-    :img_src => "https://* data:",
-    :frame_src => "https://* http://*.twimg.com http://itunes.apple.com"
+    :img_src => "https: data:",
+    :frame_src => "https: http:.twimg.com http://itunes.apple.com"
   }
 end
 
@@ -337,10 +391,10 @@ def before_load
     config.x_content_type_options = "nosniff"
     config.x_xss_protection       = {:value   => '1', :mode => false}
     config.csp                    = {
-      :default_src => "https://* inline eval",
+      :default_src => "https: inline eval",
       :report_uri => '//example.com/uri-directive',
-      :img_src => "https://* data:",
-      :frame_src => "https://* http://*.twimg.com http://itunes.apple.com"
+      :img_src => "https: data:",
+      :frame_src => "https: http:.twimg.com http://itunes.apple.com"
     }
   end
 end

data/Rakefile

@@ -49,119 +49,3 @@ RDoc::Task.new(:rdoc) do |rdoc|
   rdoc.options << '--line-numbers'
   rdoc.rdoc_files.include('lib/**/*.rb')
 end
-
-UPDATE_URI = 'https://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1'
-CA_FILE = File.expand_path(File.join('..', 'config', 'curl-ca-bundle.crt'), __FILE__)
-task :fetch_ca_bundle do
-  begin
-    FileUtils.cp CA_FILE, CA_FILE + ".bak"
-    uri = URI.parse(UPDATE_URI)
-    http = Net::HTTP.new(uri.host, uri.port)
-    http.use_ssl = true
-    http.ca_file = CA_FILE
-    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
-    request = Net::HTTP::Get.new(uri.request_uri)
-
-    ca_file = StringIO.new(http.request(request).body)
-    File.open(CA_FILE, 'w') do |f|
-      f.puts mozilla_license
-    end
-
-    while line = ca_file.gets
-      next if line =~ /^#/
-      next if line =~ /^\s*$/
-      line.chomp!
-
-      if line =~ /CKA_LABEL/
-        label,type,cert_name = line.split(' ',3)
-        cert_name.sub!(/^"/, "")
-        cert_name.sub!(/"$/, "")
-        next
-      end
-      if line =~ /CKA_VALUE MULTILINE_OCTAL/
-        puts "reading cert for #{cert_name}"
-        data=''
-        while line = ca_file.gets
-          break if line =~ /^END/
-          line.chomp!
-          line.gsub(/\\([0-3][0-7][0-7])/) { data += $1.oct.chr }
-        end
-
-        open(CA_FILE, "a") do |fp|
-          puts "Appending"
-          fp.puts cert_name
-          fp.puts "================"
-          fp.puts "-----BEGIN CERTIFICATE-----"
-          fp.puts [data].pack("m*")
-          fp.puts "-----END CERTIFICATE-----"
-          fp.puts
-        end
-        puts "Parsing: " + cert_name
-      end
-    end
-
-    FileUtils.rm CA_FILE + ".bak"
-  rescue => e
-    puts "ERRROR #{e}"
-    puts e.backtrace
-    FileUtils.mv CA_FILE + '.bak', CA_FILE
-  end
-end
-
-
-def mozilla_license
-<<-EOM
-##  generated using a modified version of http://curl.haxx.se/mail/lib-2004-07/att-0134/parse-certs.sh
-##
-## lib/ca-bundle.crt -- Bundle of CA Root Certificates
-##
-## Certificate data from Mozilla as of: Tue Mar 27 20:21:58 2012
-##
-## This is a bundle of X.509 certificates of public Certificate Authorities
-## (CA). These were automatically extracted from Mozilla's root certificates
-## file (certdata.txt).  This file can be found in the mozilla source tree:
-## http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1
-##
-## It contains the certificates in PEM format and therefore
-## can be directly used with curl / libcurl / php_curl, or with
-## an Apache+mod_ssl webserver for SSL client authentication.
-## Just configure this file as the SSLCACertificateFile.
-##
-
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-EOM
-end

data/fixtures/rails_3_2_12/app/views/layouts/application.html.erb

@@ -6,6 +6,6 @@
 <body>
 
 <%= yield %>
-
+<script>console.log("oh hell nah")</script>
 </body>
 </html>

data/fixtures/rails_3_2_12/app/views/other_things/index.html.erb

@@ -1 +1,2 @@
-index
+index
+<script>console.log("oh what")</script>

data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb

@@ -6,9 +6,9 @@
   csp = {
     :default_src => "self",
     :script_src => "self nonce",
-    :disable_chrome_extension => true,
     :disable_fill_missing => true,
     :report_uri => 'somewhere',
+    :script_hash_middleware => true,
     :enforce => false # false means warnings only
   }
 

data/fixtures/rails_3_2_12/config/script_hashes.yml

@@ -0,0 +1,5 @@
+---
+app/views/layouts/application.html.erb:
+- sha256-VjDxT7saxd2FgaUQQTWw/jsTnvonaoCP/ACWDBTpyhU=
+app/views/other_things/index.html.erb:
+- sha256-ZXAcP8a0y1pPMTJW8pUr43c+XBkgYQBwHOPvXk9mq5A=

data/fixtures/rails_3_2_12/config.ru

@@ -2,3 +2,6 @@
 
 require ::File.expand_path('../config/environment',  __FILE__)
 run Rails3212::Application
+
+require 'secure_headers/headers/content_security_policy/script_hash_middleware'
+use ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware

data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb

@@ -1,45 +1,77 @@
 require 'spec_helper'
 
+require 'secure_headers/headers/content_security_policy/script_hash_middleware'
+
 describe OtherThingsController, :type => :controller do
+  include Rack::Test::Methods
+
+  def app
+    OtherThingsController.action(:index)
+  end
+
+  def request(opts = {})
+    options = opts.merge(
+      {
+        'HTTPS' => 'on',
+        'HTTP_USER_AGENT' => "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
+      }
+    )
+
+
+    Rack::MockRequest.env_for('/', options)
+  end
+
+
   describe "headers" do
+    before(:each) do
+      _, @env = app.call(request)
+    end
+
     it "sets the X-XSS-Protection header" do
-      get :index
-      expect(response.headers['X-XSS-Protection']).to eq('1; mode=block')
+      get '/'
+      expect(@env['X-XSS-Protection']).to eq('1; mode=block')
     end
 
     it "sets the X-Frame-Options header" do
-      get :index
-      expect(response.headers['X-Frame-Options']).to eq('SAMEORIGIN')
+      get '/'
+      expect(@env['X-Frame-Options']).to eq('SAMEORIGIN')
     end
 
     it "sets the CSP header with a local reference to a nonce" do
-      get :index
-      nonce = controller.instance_exec { @content_security_policy_nonce }
-      expect(nonce).to match /[a-zA-Z0-9\+\/=]{44}/
-      expect(response.headers['Content-Security-Policy-Report-Only']).to match(/default-src 'self'; img-src 'self' data:; script-src 'self' 'nonce-[a-zA-Z0-9\+\/=]{44}' 'unsafe-inline'; report-uri somewhere;/)
+      middleware = ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware.new(app)
+      _, env = middleware.call(request(@env))
+      expect(env['Content-Security-Policy-Report-Only']).to match(/script-src[^;]*'nonce-[a-zA-Z0-9\+\/=]{44}'/)
+    end
+
+    it "sets the required hashes to whitelist inline script" do
+      middleware = ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware.new(app)
+      _, env = middleware.call(request(@env))
+      hashes = ['sha256-VjDxT7saxd2FgaUQQTWw/jsTnvonaoCP/ACWDBTpyhU=', 'sha256-ZXAcP8a0y1pPMTJW8pUr43c+XBkgYQBwHOPvXk9mq5A=']
+      hashes.each do |hash|
+        expect(env['Content-Security-Policy-Report-Only']).to include(hash)
+      end
     end
 
     it "sets the Strict-Transport-Security header" do
-      request.env['HTTPS'] = 'on'
-      get :index
-      expect(response.headers['Strict-Transport-Security']).to eq("max-age=315576000")
+      get '/'
+      expect(@env['Strict-Transport-Security']).to eq("max-age=315576000")
     end
 
     it "sets the X-Download-Options header" do
-      get :index
-      expect(response.headers['X-Download-Options']).to eq('noopen')
+      get '/'
+      expect(@env['X-Download-Options']).to eq('noopen')
     end
 
     it "sets the X-Content-Type-Options header" do
-      get :index
-      expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
+      get '/'
+      expect(@env['X-Content-Type-Options']).to eq("nosniff")
     end
 
     context "using IE" do
       it "sets the X-Content-Type-Options header" do
-        request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
-        get :index
-        expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
+        @env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
+        get '/'
+        expect(@env['X-Content-Type-Options']).to eq("nosniff")
       end
     end
   end

data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb

@@ -16,7 +16,7 @@ describe ThingsController, :type => :controller do
       expect(response.headers['X-Frame-Options']).to eq('SAMEORIGIN')
     end
 
-    it "sets the X-WebKit-CSP header" do
+    it "does not set CSP header" do
       get :index
       expect(response.headers['Content-Security-Policy-Report-Only']).to eq(nil)
     end

data/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb

@@ -1,6 +1,5 @@
 class OtherThingsController < ApplicationController
-  ensure_security_headers :csp => {:default_src => 'self', :disable_chrome_extension => true,
-    :disable_fill_missing => true}
+  ensure_security_headers :csp => {:default_src => 'self', :disable_fill_missing => true}
   def index
 
   end

data/lib/secure_headers/hash_helper.rb

@@ -0,0 +1,7 @@
+module SecureHeaders
+  module HashHelper
+    def hash_source(inline_script, digest = :SHA256)
+      [digest.to_s.downcase, "-", [[Digest.const_get(digest).hexdigest(inline_script)].pack("H*")].pack("m").chomp].join
+    end
+  end
+end

data/lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb

@@ -0,0 +1,22 @@
+module SecureHeaders
+  class ContentSecurityPolicy
+    class ScriptHashMiddleware
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        status, headers, response = @app.call(env)
+        metadata = env[ContentSecurityPolicy::ENV_KEY]
+        if !metadata.nil?
+          config, options = metadata.values_at(:config, :options)
+          config.merge!(:script_hashes => env[HASHES_ENV_KEY])
+          csp_header = ContentSecurityPolicy.new(config, options)
+          headers[csp_header.name] = csp_header.value
+        end
+
+        [status, headers, response]
+      end
+    end
+  end
+end