secure_headers 2.3.0 → 2.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2ea3335e72b8eaea53c9fc03a77c008b73fc674c
-  data.tar.gz: 4097b301e8e7f18174abda1c6412f9652cd4c39a
+  metadata.gz: bdc7e4cc47367102f2318244051b544e4bc5d611
+  data.tar.gz: f4bb9651462b15c056ab9720a0c079283e9c2462
 SHA512:
-  metadata.gz: 53db0ad5f6d9e7a85bde9aa167a927e3bda91351ce2f57af0f505d1b6c0856ca50b295ad87e26c1b25fa0142a95d8ef8b11f12f562377e60a0b398454abdd5b9
-  data.tar.gz: a6c3c2366fcf08ed3749f6c6e9146e2fbc33fb167a504404e195bd9813c709b0d497c2c2fc64f138a482a5fcc68eb4d212895761722ae0beed4b49ccea481e81
+  metadata.gz: 888729b84ba1eb266c25c3bbc218c270f9e262bcbf490363a2daad6202803f4ba71a21f59c1a36e816a06c01ab8d28126ba81e05ae4f37ac36a53ee670af8420
+  data.tar.gz: 26640f0a917396faf083eaff557316d4a376e6956ae95915cfb5c815de3269a6ec5cb9a9f6a7684d871d8ff634dc586bb6a6a20dd79ece6cee034d5ec8f20648

data/.ruby-version

@@ -1 +1 @@
-2.1.6
+2.2.3

data/.travis.yml

@@ -1,6 +1,7 @@
 language: ruby
 
 rvm:
+  - "2.2"
   - "2.1"
   - "2.0.0"
   - "1.9.3"

data/Gemfile

@@ -3,7 +3,8 @@ source 'https://rubygems.org'
 gemspec
 
 group :test do
-  gem 'rails', '3.2.12'
+  gem 'test-unit', '~> 3.0'
+  gem 'rails', '3.2.22'
   gem 'sqlite3', :platforms => [:ruby, :mswin, :mingw]
   gem 'jdbc-sqlite3', :platforms => [:jruby]
   gem 'rspec-rails', '>= 3.1'

data/README.md

@@ -8,7 +8,7 @@ The gem will automatically apply several headers that are related to security.
 - X-Content-Type-Options - [Prevent content type sniffing](http://msdn.microsoft.com/en-us/library/ie/gg622941\(v=vs.85\).aspx)
 - X-Download-Options - [Prevent file downloads opening](http://msdn.microsoft.com/en-us/library/ie/jj542450(v=vs.85).aspx)
 - X-Permitted-Cross-Domain-Policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
-- Public Key Pinning - Pin certificate fingerprints in the browser to prevent man-in-the-middle attacks due to compromised Certificate Authorites. [Public Key Pinnning  Specification](https://tools.ietf.org/html/rfc7469)
+- Public Key Pinning - Pin certificate fingerprints in the browser to prevent man-in-the-middle attacks due to compromised Certificate Authorities. [Public Key Pinnning  Specification](https://tools.ietf.org/html/rfc7469)
 
 ## Usage
 
@@ -29,16 +29,12 @@ The following methods are going to be called, unless they are provided in a `ski
 * `:set_x_download_options_header`
 * `:set_x_permitted_cross_domain_policies_header`
 
-### Bonus Features
-
-This gem makes a few assumptions about how you will use some features.  For example:
-
-* It fills any blank directives with the value in `:default_src`  Getting a default\-src report is pretty useless.  This way, you will always know what type of violation occurred. You can disable this feature by supplying `:disable_fill_missing => true`. This is referred to as the "effective-directive" in the spec, but is not well supported as of Nov 5, 2013.
-
 ## Configuration
 
 **Place the following in an initializer (recommended):**
 
+**NOTE: All CSP config values accept procs for one way of dynamically setting values**
+
 ```ruby
 ::SecureHeaders::Configuration.configure do |config|
   config.hsts = {:max_age => 20.years.to_i, :include_subdomains => true}
@@ -48,10 +44,23 @@ This gem makes a few assumptions about how you will use some features.  For exam
   config.x_download_options = 'noopen'
   config.x_permitted_cross_domain_policies = 'none'
   config.csp = {
-    :default_src => "https: self",
-    :enforce => proc {|controller| controller.current_user.enforce_csp? },
+    :default_src => "https: 'self'",
+    :enforce => proc {|controller| controller.my_feature_flag_api.enabled? },
     :frame_src => "https: http:.twimg.com http://itunes.apple.com",
     :img_src => "https:",
+    :connect_src => "wws:"
+    :font_src => "'self' data:",
+    :frame_src => "'self'",
+    :img_src => "mycdn.com data:",
+    :media_src => "utoob.com",
+    :object_src => "'self'",
+    :script_src => "'self'",
+    :style_src => "'unsafe-inline'",
+    :base_uri => "'self'",
+    :child_src => "'self'",
+    :form_action => "'self' github.com",
+    :frame_ancestors => "'none'",
+    :plugin_types => 'application/x-shockwave-flash',
     :report_uri => '//example.com/uri-directive'
   }
   config.hpkp = {
@@ -81,6 +90,37 @@ ensure_security_headers(
 )
 ```
 
+## Per-action configuration
+
+Sometimes you need to override your content security policy for a given endpoint. Rather than applying the exception globally, you have a few options:
+
+1. Use procs as config values as mentioned above.
+1. Specifying `ensure_security_headers csp: ::SecureHeaders::Configuration.csp.merge(script_src: shadyhost.com)` in a descendent controller will override the settings for that controller only.
+1. Override the `secure_header_options_for` class instance method. e.g.
+
+```ruby
+class SomethingController < ApplicationController 
+  def wumbus
+    # gets style-src override
+  end
+
+  def diffendoofer
+    # does not get style-src override
+  end
+
+  def secure_header_options_for(header, options)
+    options = super
+    if params[:action] == "wumbus"
+      if header == :csp
+        options.merge(style_src: "'self'")
+      end
+    else
+      options
+    end
+  end
+end
+```
+
 ## Options for ensure\_security\_headers
 
 **To disable any of these headers, supply a value of false (e.g. :hsts => false), supplying nil will set the default value**
@@ -142,7 +182,7 @@ This configuration will likely work for most applications without modification.
 ```ruby
 # most basic example
 :csp => {
-  :default_src => "https: inline eval",
+  :default_src => "https: 'unsafe-inline' 'unsafe-eval'",
   :report_uri => '/uri-directive'
 }
 
@@ -158,7 +198,7 @@ This configuration will likely work for most applications without modification.
 
 # Auction site wants to allow images from anywhere, plugin content from a list of trusted media providers (including a content distribution network), and scripts only from its server hosting sanitized JavaScript
 :csp => {
-  :default_src => 'self',
+  :default_src => "'self'",
   :img_src => '*',
   :object_src => ['media1.com', 'media2.com', '*.cdn.com'],
   # alternatively (NOT csv) :object_src => 'media1.com media2.com *.cdn.com'
@@ -197,8 +237,8 @@ Setting a nonce will also set 'unsafe-inline' for browsers that don't support no
 
 ```ruby
 :csp => {
-  :default_src => 'self',
-  :script_src => 'self nonce'
+  :default_src => "'self'",
+  :script_src => "'self' nonce"
 }
 ```
 
@@ -244,7 +284,7 @@ If you only have a few hashes, you can hardcode them for the entire app:
 ```ruby
   config.csp = {
     :default_src => "https:",
-    :script_src => 'self'
+    :script_src => "'self'"
     :script_hashes => ['sha1-abc', 'sha1-qwe']
   }
 ```
@@ -254,7 +294,7 @@ The following will work as well, but may not be as clear:
 ```ruby
   config.csp = {
     :default_src => "https:",
-    :script_src => "self 'sha1-qwe'"
+    :script_src => "'self' 'sha1-qwe'"
   }
 ```
 
@@ -269,7 +309,7 @@ use ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware
 ```ruby
   config.csp = {
     :default_src => "https:",
-    :script_src => 'self',
+    :script_src => "'self'",
     :script_hash_middleware => true
   }
 ```

data/Rakefile

@@ -15,7 +15,7 @@ task :default => :all_spec
 desc "Run all specs, and test fixture apps"
 task :all_spec => :spec do
   pwd = Dir.pwd
-  Dir.chdir 'fixtures/rails_3_2_12'
+  Dir.chdir 'fixtures/rails_3_2_22'
   puts Dir.pwd
   str = `bundle install >> /dev/null; bundle exec rspec spec`
   puts str
@@ -25,7 +25,7 @@ task :all_spec => :spec do
   end
 
   Dir.chdir pwd
-  Dir.chdir 'fixtures/rails_3_2_12_no_init'
+  Dir.chdir 'fixtures/rails_3_2_22_no_init'
   puts Dir.pwd
   puts `bundle install >> /dev/null; bundle exec rspec spec`
 

data/fixtures/{rails_3_2_12_no_init → rails_3_2_22}/Gemfile

@@ -1,5 +1,6 @@
 source 'https://rubygems.org'
 
-gem 'rails', '3.2.12'
+gem 'test-unit', '~> 3.0'
+gem 'rails', '3.2.22'
 gem 'rspec-rails', '>= 2.0.0'
 gem 'secure_headers', :path => '../..'

data/fixtures/{rails_3_2_12 → rails_3_2_22}/config/initializers/secure_headers.rb

@@ -5,9 +5,8 @@
   config.x_xss_protection = {:value => 1, :mode => 'block'}
   config.x_permitted_cross_domain_policies = 'none'
   csp = {
-    :default_src => "self",
-    :script_src => "self nonce",
-    :disable_fill_missing => true,
+    :default_src => "'self'",
+    :script_src => "'self' nonce",
     :report_uri => 'somewhere',
     :script_hash_middleware => true,
     :enforce => false # false means warnings only

data/fixtures/{rails_3_2_12 → rails_3_2_22_no_init}/Gemfile

@@ -1,6 +1,6 @@
 source 'https://rubygems.org'
 
-gem 'rails', '3.2.12'
+gem 'test-unit'
+gem 'rails', '3.2.22'
 gem 'rspec-rails', '>= 2.0.0'
 gem 'secure_headers', :path => '../..'
-

data/fixtures/{rails_3_2_12_no_init → rails_3_2_22_no_init}/app/controllers/other_things_controller.rb

@@ -1,5 +1,5 @@
 class OtherThingsController < ApplicationController
-  ensure_security_headers :csp => {:default_src => 'self', :disable_fill_missing => true}
+  ensure_security_headers :csp => {:default_src => "'self'"}
   def index
 
   end
@@ -11,7 +11,7 @@ class OtherThingsController < ApplicationController
   def secure_header_options_for(header, options)
     if params[:action] == "other_action"
       if header == :csp
-        options.merge(:style_src => 'self')
+        options.merge(:style_src => "'self'")
       end
     else
       options

data/fixtures/rails_4_1_8/config/initializers/secure_headers.rb

@@ -5,9 +5,8 @@
   config.x_xss_protection = {:value => 0}
   config.x_permitted_cross_domain_policies = 'none'
   csp = {
-    :default_src => "self",
-    :script_src => "self nonce",
-    :disable_fill_missing => true,
+    :default_src => "'self'",
+    :script_src => "'self' nonce",
     :report_uri => 'somewhere',
     :script_hash_middleware => true,
     :enforce => false # false means warnings only

data/lib/secure_headers/headers/content_security_policy.rb

@@ -20,33 +20,25 @@ module SecureHeaders
         :media_src,
         :object_src,
         :script_src,
-        :style_src
-      ]
-
-      NON_DEFAULT_SOURCES = [
+        :style_src,
         :base_uri,
         :child_src,
         :form_action,
         :frame_ancestors,
-        :plugin_types,
-        :referrer,
-        :reflected_xss
+        :plugin_types
       ]
 
       OTHER = [
         :report_uri
       ]
 
-      SOURCE_DIRECTIVES = DIRECTIVES + NON_DEFAULT_SOURCES
-
-      ALL_DIRECTIVES = DIRECTIVES + NON_DEFAULT_SOURCES + OTHER
+      ALL_DIRECTIVES = DIRECTIVES + OTHER
       CONFIG_KEY = :csp
     end
 
     include Constants
 
-    attr_reader :disable_fill_missing, :ssl_request
-    alias :disable_fill_missing? :disable_fill_missing
+    attr_reader :ssl_request
     alias :ssl_request? :ssl_request
 
     class << self
@@ -112,7 +104,7 @@ module SecureHeaders
       @config = config.inject({}) do |hash, (key, value)|
         config_val = value.respond_to?(:call) ? value.call(@controller) : value
 
-        if SOURCE_DIRECTIVES.include?(key) # directives need to be normalized to arrays of strings
+        if DIRECTIVES.include?(key) # directives need to be normalized to arrays of strings
           config_val = config_val.split if config_val.is_a? String
           if config_val.is_a?(Array)
             config_val = config_val.map do |val|
@@ -128,15 +120,12 @@ module SecureHeaders
       @http_additions = @config.delete(:http_additions)
       @app_name = @config.delete(:app_name)
       @report_uri = @config.delete(:report_uri)
-
-      @disable_fill_missing = !!@config.delete(:disable_fill_missing)
       @enforce = !!@config.delete(:enforce)
       @disable_img_src_data_uri = !!@config.delete(:disable_img_src_data_uri)
       @tag_report_uri = !!@config.delete(:tag_report_uri)
       @script_hashes = @config.delete(:script_hashes) || []
 
       add_script_hashes if @script_hashes.any?
-      fill_directives unless disable_fill_missing?
     end
 
     ##
@@ -195,21 +184,10 @@ module SecureHeaders
       append_http_additions unless ssl_request?
       header_value = [
         generic_directives,
-        non_default_directives,
         report_uri_directive
       ].join.strip
     end
 
-    def fill_directives
-      if default = @config[:default_src]
-        DIRECTIVES.each do |directive|
-          unless @config[directive]
-            @config[directive] = default
-          end
-        end
-      end
-    end
-
     def append_http_additions
       return unless @http_additions
       @http_additions.each do |k, v|
@@ -220,9 +198,10 @@ module SecureHeaders
 
     def translate_dir_value val
       if %w{inline eval}.include?(val)
+        warn "[DEPRECATION] using inline/eval may not be supported in the future. Instead use 'unsafe-inline'/'unsafe-eval' instead."
         val == 'inline' ? "'unsafe-inline'" : "'unsafe-eval'"
-        # self/none are special sources/src-dir-values and need to be quoted
       elsif %{self none}.include?(val)
+        warn "[DEPRECATION] using self/none may not be supported in the future. Instead use 'self'/'none' instead."
         "'#{val}'"
       elsif val == 'nonce'
         if supports_nonces?(@ua)
@@ -271,15 +250,6 @@ module SecureHeaders
       header_value
     end
 
-    def non_default_directives
-      header_value = ''
-      NON_DEFAULT_SOURCES.each do |directive_name|
-        header_value += build_directive(directive_name) if @config[directive_name]
-      end
-
-      header_value
-    end
-
     def build_directive(key)
       "#{self.class.symbol_to_hyphen_case(key)} #{@config[key].join(" ")}; "
     end

data/lib/secure_headers/version.rb

@@ -1,3 +1,3 @@
 module SecureHeaders
-  VERSION = "2.3.0"
+  VERSION = "2.4.0"
 end

data/spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb

@@ -13,8 +13,8 @@ module SecureHeaders
         :disable_fill_missing => true,
         :default_src => 'https://*',
         :report_uri => '/csp_report',
-        :script_src => 'inline eval https://* data:',
-        :style_src => "inline https://* about:"
+        :script_src => "'unsafe-inline' 'unsafe-eval' https://* data:",
+        :style_src => "'unsafe-inline' https://* about:"
       }
     end
 

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -4,13 +4,13 @@ module SecureHeaders
   describe ContentSecurityPolicy do
     let(:default_opts) do
       {
-        :disable_fill_missing => true,
         :default_src => 'https:',
         :report_uri => '/csp_report',
-        :script_src => 'inline eval https: data:',
-        :style_src => "inline https: about:"
+        :script_src => "'unsafe-inline' 'unsafe-eval' https: data:",
+        :style_src => "'unsafe-inline' https: about:"
       }
     end
+    let(:controller) { DummyClass.new }
 
     IE = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
     FIREFOX = "Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.2) Gecko/20121223 Ubuntu/9.25 (jaunty) Firefox/3.8"
@@ -67,7 +67,7 @@ module SecureHeaders
       json2 = %({"style-src":["'unsafe-inline'"],"img-src":["https:","data:"]})
       json3 = %({"style-src":["https:","about:"]})
       config = ContentSecurityPolicy.from_json(json1, json2, json3)
-      policy = ContentSecurityPolicy.new(config.merge(:disable_fill_missing => true))
+      policy = ContentSecurityPolicy.new(config)
 
       expected = %({"default-src":["https:"],"script-src":["'unsafe-inline'","'unsafe-eval'","https:","data:"],"style-src":["'unsafe-inline'","https:","about:"],"img-src":["https:","data:"]})
       expect(policy.to_json).to eq(expected)
@@ -82,8 +82,7 @@ module SecureHeaders
 
     describe "#normalize_csp_options" do
       before(:each) do
-        default_opts.delete(:disable_fill_missing)
-        default_opts[:script_src] << ' self none'
+        default_opts[:script_src] <<  " 'self' 'none'"
         @opts = default_opts
       end
 
@@ -107,7 +106,7 @@ module SecureHeaders
 
         it "accepts procs for report-uris" do
           opts = {
-            :default_src => 'self',
+            :default_src => "'self'",
             :report_uri => proc { "http://lambda/result" }
           }
 
@@ -119,7 +118,6 @@ module SecureHeaders
           opts = {
             :default_src => proc { "http://lambda/result" },
             :enforce => proc { true },
-            :disable_fill_missing => proc { true }
           }
 
           csp = ContentSecurityPolicy.new(opts)
@@ -133,8 +131,7 @@ module SecureHeaders
 
           allow(controller).to receive(:current_user).and_return(user)
           opts = {
-            :disable_fill_missing => true,
-            :default_src => "self",
+            :default_src => "'self'",
             :enforce => lambda { |c| c.current_user.beta_testing? }
           }
           csp = ContentSecurityPolicy.new(opts, :controller => controller)
@@ -151,47 +148,28 @@ module SecureHeaders
         }.to raise_error(RuntimeError)
       end
 
-      context "CSP level 2 directives" do
-        let(:config) { {:default_src => 'self'} }
-        ::SecureHeaders::ContentSecurityPolicy::Constants::NON_DEFAULT_SOURCES.each do |non_default_source|
-          it "supports all level 2 directives" do
-            directive_name = ::SecureHeaders::ContentSecurityPolicy.send(:symbol_to_hyphen_case, non_default_source)
-            config.merge!({ non_default_source => "value" })
-            csp = ContentSecurityPolicy.new(config, :request => request_for(CHROME))
-            expect(csp.value).to match(/#{directive_name} value;/)
-          end
-        end
-      end
-
       context "auto-whitelists data: uris for img-src" do
         it "sets the value if no img-src specified" do
-          csp = ContentSecurityPolicy.new({:default_src => 'self', :disable_fill_missing => true}, :request => request_for(CHROME))
+          csp = ContentSecurityPolicy.new({:default_src => "'self'"}, :request => request_for(CHROME))
           expect(csp.value).to eq("default-src 'self'; img-src 'self' data:;")
         end
 
         it "appends the value if img-src is specified" do
-          csp = ContentSecurityPolicy.new({:default_src => 'self', :img_src => 'self', :disable_fill_missing => true}, :request => request_for(CHROME))
+          csp = ContentSecurityPolicy.new({:default_src => "'self'", :img_src => "'self'"}, :request => request_for(CHROME))
           expect(csp.value).to eq("default-src 'self'; img-src 'self' data:;")
         end
 
         it "doesn't add a duplicate data uri if img-src specifies it already" do
-          csp = ContentSecurityPolicy.new({:default_src => 'self', :img_src => 'self data:', :disable_fill_missing => true}, :request => request_for(CHROME))
+          csp = ContentSecurityPolicy.new({:default_src => "'self'", :img_src => "'self' data:"}, :request => request_for(CHROME))
           expect(csp.value).to eq("default-src 'self'; img-src 'self' data:;")
         end
 
         it "allows the user to disable img-src data: uris auto-whitelisting" do
-          csp = ContentSecurityPolicy.new({:default_src => 'self', :img_src => 'self', :disable_img_src_data_uri => true, :disable_fill_missing => true}, :request => request_for(CHROME))
+          csp = ContentSecurityPolicy.new({:default_src => "'self'", :img_src => "'self'", :disable_img_src_data_uri => true}, :request => request_for(CHROME))
           expect(csp.value).to eq("default-src 'self'; img-src 'self';")
         end
       end
 
-      it "fills in directives without values with default-src value" do
-        options = default_opts.merge(:disable_fill_missing => false)
-        csp = ContentSecurityPolicy.new(options, :request => request_for(CHROME))
-        value = "default-src https:; connect-src https:; font-src https:; frame-src https:; img-src https: data:; media-src https:; object-src https:; script-src 'unsafe-inline' 'unsafe-eval' https: data:; style-src 'unsafe-inline' https: about:; report-uri /csp_report;"
-        expect(csp.value).to eq(value)
-      end
-
       it "sends the standard csp header if an unknown browser is supplied" do
         csp = ContentSecurityPolicy.new(default_opts, :request => request_for(IE))
         expect(csp.value).to match "default-src"
@@ -213,39 +191,39 @@ module SecureHeaders
 
       context "when using a nonce" do
         it "adds a nonce and unsafe-inline to the script-src value when using chrome" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "self nonce"), :request => request_for(CHROME))
+          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "'self' nonce"), :request => request_for(CHROME), :controller => controller)
           expect(header.value).to include("script-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline'")
         end
 
         it "adds a nonce and unsafe-inline to the script-src value when using firefox" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "self nonce"), :request => request_for(FIREFOX))
+          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "'self' nonce"), :request => request_for(FIREFOX), :controller => controller)
           expect(header.value).to include("script-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline'")
         end
 
         it "adds a nonce and unsafe-inline to the script-src value when using opera" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "self nonce"), :request => request_for(OPERA))
+          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "'self' nonce"), :request => request_for(OPERA), :controller => controller)
           expect(header.value).to include("script-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline'")
         end
 
         it "does not add a nonce and unsafe-inline to the script-src value when using Safari" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "self nonce"), :request => request_for(SAFARI))
+          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "'self' nonce"), :request => request_for(SAFARI), :controller => controller)
           expect(header.value).to include("script-src 'self' 'unsafe-inline'")
           expect(header.value).not_to include("nonce")
         end
 
         it "does not add a nonce and unsafe-inline to the script-src value when using IE" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "self nonce"), :request => request_for(IE))
+          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "'self' nonce"), :request => request_for(IE), :controller => controller)
           expect(header.value).to include("script-src 'self' 'unsafe-inline'")
           expect(header.value).not_to include("nonce")
         end
 
         it "adds a nonce and unsafe-inline to the style-src value" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:style_src => "self nonce"), :request => request_for(CHROME))
+          header = ContentSecurityPolicy.new(default_opts.merge(:style_src => "'self' nonce"), :request => request_for(CHROME), :controller => controller)
           expect(header.value).to include("style-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline'")
         end
 
         it "adds an identical nonce to the style and script-src directives" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:style_src => "self nonce", :script_src => "self nonce"), :request => request_for(CHROME))
+          header = ContentSecurityPolicy.new(default_opts.merge(:style_src => "'self' nonce", :script_src => "'self' nonce"), :request => request_for(CHROME), :controller => controller)
           nonce = header.nonce
           value = header.value
           expect(value).to include("style-src 'self' 'nonce-#{nonce}' 'unsafe-inline'")
@@ -253,7 +231,7 @@ module SecureHeaders
         end
 
         it "does not add 'unsafe-inline' twice" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "self nonce inline"), :request => request_for(CHROME))
+          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "'self' nonce 'unsafe-inline'"), :request => request_for(CHROME), :controller => controller)
           expect(header.value).to include("script-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline';")
         end
       end
@@ -301,7 +279,7 @@ module SecureHeaders
 
         describe ".add_to_env" do
           let(:controller) { double }
-          let(:config) { {:default_src => 'self'} }
+          let(:config) { {:default_src => "'self'"} }
           let(:options) { {:controller => controller} }
 
           it "adds metadata to env" do

data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb

@@ -27,7 +27,7 @@ module SecureHeaders
         it "doesn't accept anything besides no-sniff" do
           expect {
             XContentTypeOptions.new("donkey")
-          }.to raise_error
+          }.to raise_error(XContentTypeOptionsBuildError)
         end
       end
     end

data/spec/lib/secure_headers/headers/x_download_options_spec.rb

@@ -25,7 +25,7 @@ module SecureHeaders
       it "doesn't accept anything besides noopen" do
         expect {
           XDownloadOptions.new("open")
-        }.to raise_error
+        }.to raise_error(XDOBuildError)
       end
     end
   end

data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb

@@ -57,7 +57,7 @@ module SecureHeaders
       it "doesn't accept invalid values" do
         expect {
           XPermittedCrossDomainPolicies.new("open")
-        }.to raise_error
+        }.to raise_error(XPCDPBuildError)
       end
     end
   end

data/spec/lib/secure_headers_spec.rb

@@ -1,10 +1,6 @@
 require 'spec_helper'
 
 describe SecureHeaders do
-  class DummyClass
-    include ::SecureHeaders
-  end
-
   subject {DummyClass.new}
   let(:headers) {double}
   let(:response) {double(:headers => headers)}
@@ -131,7 +127,7 @@ describe SecureHeaders do
 
     it "saves the options to the env when using script hashes" do
       opts = {
-        :default_src => 'self',
+        :default_src => "'self'",
         :script_hash_middleware => true
       }
       stub_user_agent(USER_AGENTS[:chrome])
@@ -170,7 +166,7 @@ describe SecureHeaders do
     end
 
     it "produces a hash of headers given a hash as config" do
-      hash = SecureHeaders::header_hash(:csp => {:default_src => 'none', :img_src => "data:", :disable_fill_missing => true})
+      hash = SecureHeaders::header_hash(:csp => {:default_src => "'none'", :img_src => "data:", :disable_fill_missing => true})
       expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'none'; img-src data:;")
       expect_default_values(hash)
     end
@@ -190,7 +186,7 @@ describe SecureHeaders do
         }
       end
 
-      hash = SecureHeaders::header_hash(:csp => {:default_src => 'none', :img_src => "data:", :disable_fill_missing => true})
+      hash = SecureHeaders::header_hash(:csp => {:default_src => "'none'", :img_src => "data:", :disable_fill_missing => true})
       ::SecureHeaders::Configuration.configure do |config|
         config.hsts = nil
         config.hpkp = nil

data/spec/spec_helper.rb

@@ -31,6 +31,10 @@ USER_AGENTS = {
   :safari6 => "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/536.30.1 (KHTML like Gecko) Version/6.0.5 Safari/536.30.1"
 }
 
+class DummyClass
+  include ::SecureHeaders
+end
+
 def should_assign_header name, value
   expect(response.headers).to receive(:[]=).with(name, value)
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 2.3.0
+  version: 2.4.0
 platform: ruby
 authors:
 - Neil Matatall
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-09-30 00:00:00.000000000 Z
+date: 2015-10-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -53,60 +53,60 @@ files:
 - LICENSE
 - README.md
 - Rakefile
-- fixtures/rails_3_2_12/.rspec
-- fixtures/rails_3_2_12/Gemfile
-- fixtures/rails_3_2_12/README.rdoc
-- fixtures/rails_3_2_12/Rakefile
-- fixtures/rails_3_2_12/app/controllers/application_controller.rb
-- fixtures/rails_3_2_12/app/controllers/other_things_controller.rb
-- fixtures/rails_3_2_12/app/controllers/things_controller.rb
-- fixtures/rails_3_2_12/app/models/.gitkeep
-- fixtures/rails_3_2_12/app/views/layouts/application.html.erb
-- fixtures/rails_3_2_12/app/views/other_things/index.html.erb
-- fixtures/rails_3_2_12/app/views/things/index.html.erb
-- fixtures/rails_3_2_12/config.ru
-- fixtures/rails_3_2_12/config/application.rb
-- fixtures/rails_3_2_12/config/boot.rb
-- fixtures/rails_3_2_12/config/environment.rb
-- fixtures/rails_3_2_12/config/environments/test.rb
-- fixtures/rails_3_2_12/config/initializers/secure_headers.rb
-- fixtures/rails_3_2_12/config/routes.rb
-- fixtures/rails_3_2_12/config/script_hashes.yml
-- fixtures/rails_3_2_12/lib/assets/.gitkeep
-- fixtures/rails_3_2_12/lib/tasks/.gitkeep
-- fixtures/rails_3_2_12/log/.gitkeep
-- fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb
-- fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb
-- fixtures/rails_3_2_12/spec/spec_helper.rb
-- fixtures/rails_3_2_12/vendor/assets/javascripts/.gitkeep
-- fixtures/rails_3_2_12/vendor/assets/stylesheets/.gitkeep
-- fixtures/rails_3_2_12/vendor/plugins/.gitkeep
-- fixtures/rails_3_2_12_no_init/.rspec
-- fixtures/rails_3_2_12_no_init/Gemfile
-- fixtures/rails_3_2_12_no_init/README.rdoc
-- fixtures/rails_3_2_12_no_init/Rakefile
-- fixtures/rails_3_2_12_no_init/app/controllers/application_controller.rb
-- fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb
-- fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb
-- fixtures/rails_3_2_12_no_init/app/models/.gitkeep
-- fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb
-- fixtures/rails_3_2_12_no_init/app/views/other_things/index.html.erb
-- fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb
-- fixtures/rails_3_2_12_no_init/config.ru
-- fixtures/rails_3_2_12_no_init/config/application.rb
-- fixtures/rails_3_2_12_no_init/config/boot.rb
-- fixtures/rails_3_2_12_no_init/config/environment.rb
-- fixtures/rails_3_2_12_no_init/config/environments/test.rb
-- fixtures/rails_3_2_12_no_init/config/routes.rb
-- fixtures/rails_3_2_12_no_init/lib/assets/.gitkeep
-- fixtures/rails_3_2_12_no_init/lib/tasks/.gitkeep
-- fixtures/rails_3_2_12_no_init/log/.gitkeep
-- fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb
-- fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb
-- fixtures/rails_3_2_12_no_init/spec/spec_helper.rb
-- fixtures/rails_3_2_12_no_init/vendor/assets/javascripts/.gitkeep
-- fixtures/rails_3_2_12_no_init/vendor/assets/stylesheets/.gitkeep
-- fixtures/rails_3_2_12_no_init/vendor/plugins/.gitkeep
+- fixtures/rails_3_2_22/.rspec
+- fixtures/rails_3_2_22/Gemfile
+- fixtures/rails_3_2_22/README.rdoc
+- fixtures/rails_3_2_22/Rakefile
+- fixtures/rails_3_2_22/app/controllers/application_controller.rb
+- fixtures/rails_3_2_22/app/controllers/other_things_controller.rb
+- fixtures/rails_3_2_22/app/controllers/things_controller.rb
+- fixtures/rails_3_2_22/app/models/.gitkeep
+- fixtures/rails_3_2_22/app/views/layouts/application.html.erb
+- fixtures/rails_3_2_22/app/views/other_things/index.html.erb
+- fixtures/rails_3_2_22/app/views/things/index.html.erb
+- fixtures/rails_3_2_22/config.ru
+- fixtures/rails_3_2_22/config/application.rb
+- fixtures/rails_3_2_22/config/boot.rb
+- fixtures/rails_3_2_22/config/environment.rb
+- fixtures/rails_3_2_22/config/environments/test.rb
+- fixtures/rails_3_2_22/config/initializers/secure_headers.rb
+- fixtures/rails_3_2_22/config/routes.rb
+- fixtures/rails_3_2_22/config/script_hashes.yml
+- fixtures/rails_3_2_22/lib/assets/.gitkeep
+- fixtures/rails_3_2_22/lib/tasks/.gitkeep
+- fixtures/rails_3_2_22/log/.gitkeep
+- fixtures/rails_3_2_22/spec/controllers/other_things_controller_spec.rb
+- fixtures/rails_3_2_22/spec/controllers/things_controller_spec.rb
+- fixtures/rails_3_2_22/spec/spec_helper.rb
+- fixtures/rails_3_2_22/vendor/assets/javascripts/.gitkeep
+- fixtures/rails_3_2_22/vendor/assets/stylesheets/.gitkeep
+- fixtures/rails_3_2_22/vendor/plugins/.gitkeep
+- fixtures/rails_3_2_22_no_init/.rspec
+- fixtures/rails_3_2_22_no_init/Gemfile
+- fixtures/rails_3_2_22_no_init/README.rdoc
+- fixtures/rails_3_2_22_no_init/Rakefile
+- fixtures/rails_3_2_22_no_init/app/controllers/application_controller.rb
+- fixtures/rails_3_2_22_no_init/app/controllers/other_things_controller.rb
+- fixtures/rails_3_2_22_no_init/app/controllers/things_controller.rb
+- fixtures/rails_3_2_22_no_init/app/models/.gitkeep
+- fixtures/rails_3_2_22_no_init/app/views/layouts/application.html.erb
+- fixtures/rails_3_2_22_no_init/app/views/other_things/index.html.erb
+- fixtures/rails_3_2_22_no_init/app/views/things/index.html.erb
+- fixtures/rails_3_2_22_no_init/config.ru
+- fixtures/rails_3_2_22_no_init/config/application.rb
+- fixtures/rails_3_2_22_no_init/config/boot.rb
+- fixtures/rails_3_2_22_no_init/config/environment.rb
+- fixtures/rails_3_2_22_no_init/config/environments/test.rb
+- fixtures/rails_3_2_22_no_init/config/routes.rb
+- fixtures/rails_3_2_22_no_init/lib/assets/.gitkeep
+- fixtures/rails_3_2_22_no_init/lib/tasks/.gitkeep
+- fixtures/rails_3_2_22_no_init/log/.gitkeep
+- fixtures/rails_3_2_22_no_init/spec/controllers/other_things_controller_spec.rb
+- fixtures/rails_3_2_22_no_init/spec/controllers/things_controller_spec.rb
+- fixtures/rails_3_2_22_no_init/spec/spec_helper.rb
+- fixtures/rails_3_2_22_no_init/vendor/assets/javascripts/.gitkeep
+- fixtures/rails_3_2_22_no_init/vendor/assets/stylesheets/.gitkeep
+- fixtures/rails_3_2_22_no_init/vendor/plugins/.gitkeep
 - fixtures/rails_4_1_8/Gemfile
 - fixtures/rails_4_1_8/README.rdoc
 - fixtures/rails_4_1_8/Rakefile
@@ -186,7 +186,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.8
+rubygems_version: 2.4.5.1
 signing_key: 
 specification_version: 4
 summary: Add easily configured security headers to responses including content-security-policy,