secure_headers 3.0.0.pre2 → 3.0.0.pre3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d6e439e921b5270ed007c604d2287b04a5ef691f
-  data.tar.gz: 6ae708cd125952e4ad7f24121d1be4f5b8d54d1d
+  metadata.gz: 7e0a5f8e1d4955125f71ede3b2f1bd882ccaca56
+  data.tar.gz: 656cc8d6965a49288b7ccd2ab3fc91fb13ab9792
 SHA512:
-  metadata.gz: a426253499c8e6e1c70d6f1f11cde022d90f4ea9dc8db1073f1055ee0c82e6be007b2746ff5e98cb4e12c0f0064b7e656c4861e97bf10fd01f156f8e78d551a1
-  data.tar.gz: 91ef0e9f9f32d311389d35c0caf3b607da10b6e8fc029d1a4a1514c35ca2df92b1a9dbda224d6e4808d39517dc4d2ef62317bcf1c7f3d1071cd37231fe461141
+  metadata.gz: 4a61ccca281e3968c41aa6daf1d069b6a6aef9d796c62cc0b5c7be45007fc3ca41908f71310c289c854e386dfafbb1b96cfa5eca45fc598f43113edb8b7678f0
+  data.tar.gz: edd0190e206824a91e961131f8f612ac7a10559ced00c9b314cba681d579cfc27c9280205dbe687725579a7a242fcae70c6e4a279bafcb2981e63ee00679c4e6

data/README.md

@@ -1,26 +1,31 @@
-# SecureHeaders [![Build Status](https://travis-ci.org/twitter/secureheaders.png?branch=master)](http://travis-ci.org/twitter/secureheaders) [![Code Climate](https://codeclimate.com/github/twitter/secureheaders.png)](https://codeclimate.com/github/twitter/secureheaders) [![Coverage Status](https://coveralls.io/repos/twitter/secureheaders/badge.png)](https://coveralls.io/r/twitter/secureheaders)
+# Secure Headers [![Build Status](https://travis-ci.org/twitter/secureheaders.png?branch=master)](http://travis-ci.org/twitter/secureheaders) [![Code Climate](https://codeclimate.com/github/twitter/secureheaders.png)](https://codeclimate.com/github/twitter/secureheaders) [![Coverage Status](https://coveralls.io/repos/twitter/secureheaders/badge.png)](https://coveralls.io/r/twitter/secureheaders)
+
 
 **The 3.x branch was recently merged**. See the [upgrading to 3.x doc](upgrading-to-3-0.md) for instructions on how to upgrade including the differences and benefits of using the 3.x branch.
 
-**The [2.x branch](https://github.com/twitter/secureheaders/tree/2.x) will be maintained**. The documentation below only applies to the 2.x branch. See the 2.x [README](https://github.com/twitter/secureheaders/blob/2.x/README.md) for the old way of doing things.
+**The [2.x branch](https://github.com/twitter/secureheaders/tree/2.x) will be maintained**. The documentation below only applies to the 3.x branch. See the 2.x [README](https://github.com/twitter/secureheaders/blob/2.x/README.md) for the old way of doing things.
 
 The gem will automatically apply several headers that are related to security.  This includes:
 - Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack.  [CSP 2 Specification](http://www.w3.org/TR/CSP2/)
 - HTTP Strict Transport Security (HSTS) - Ensures the browser never visits the http version of a website. Protects from SSLStrip/Firesheep attacks.  [HSTS Specification](https://tools.ietf.org/html/rfc6797)
 - X-Frame-Options (XFO) - Prevents your content from being framed and potentially clickjacked. [X-Frame-Options draft](https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02)
-- X-XSS-Protection - [Cross site scripting heuristic filter for IE/Chrome](http://msdn.microsoft.com/en-us/library/dd565647\(v=vs.85\).aspx)
-- X-Content-Type-Options - [Prevent content type sniffing](http://msdn.microsoft.com/en-us/library/ie/gg622941\(v=vs.85\).aspx)
-- X-Download-Options - [Prevent file downloads opening](http://msdn.microsoft.com/en-us/library/ie/jj542450(v=vs.85).aspx)
+- X-XSS-Protection - [Cross site scripting heuristic filter for IE/Chrome](https://msdn.microsoft.com/en-us/library/dd565647\(v=vs.85\).aspx)
+- X-Content-Type-Options - [Prevent content type sniffing](https://msdn.microsoft.com/library/gg622941\(v=vs.85\).aspx)
+- X-Download-Options - [Prevent file downloads opening](https://msdn.microsoft.com/library/jj542450(v=vs.85).aspx)
 - X-Permitted-Cross-Domain-Policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
 - Public Key Pinning - Pin certificate fingerprints in the browser to prevent man-in-the-middle attacks due to compromised Certificate Authorities. [Public Key Pinning Specification](https://tools.ietf.org/html/rfc7469)
 
-`secure_headers` is a library with a global config, per request overrides, and rack milddleware that enables you customize your application settings.
+`secure_headers` is a library with a global config, per request overrides, and rack middleware that enables you customize your application settings.
+
+## Use
+
+`gem install secure_headers`
 
 ## Configuration
 
 If you do not supply a `default` configuration, exceptions will be raised. If you would like to use a default configuration (which is fairly locked down), just call `SecureHeaders::Configuration.default` without any arguments or block.
 
-All `nil` values will fallback to their default value. `SecureHeaders::OPT_OUT` will disable the header entirely.
+All `nil` values will fallback to their default values. `SecureHeaders::OPT_OUT` will disable the header entirely.
 
 ```ruby
 SecureHeaders::Configuration.default do |config|
@@ -31,12 +36,15 @@ SecureHeaders::Configuration.default do |config|
   config.x_download_options = "noopen"
   config.x_permitted_cross_domain_policies = "none"
   config.csp = {
+    # "meta" values. these will shaped the header, but the values are not included in the header.
+    report_only:  true,     # default: false
+    preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
+
+    # directive values: these values will directly translate into source directives
     default_src: %w(https: 'self'),
-    report_only: false,
-    frame_src: %w(*.twimg.com itunes.apple.com),
+    frame_src: %w('self' *.twimg.com itunes.apple.com),
     connect_src: %w(wws:),
     font_src: %w('self' data:),
-    frame_src: %w('self'),
     img_src: %w(mycdn.com data:),
     media_src: %w(utoob.com),
     object_src: %w('self'),
@@ -129,7 +137,7 @@ end
 
 ## Per-action configuration
 
-You can override the settings for a given action by producing a temporary override. This approach is not recommended because the header values will be computed per request.
+You can override the settings for a given action by producing a temporary override. Be aware that because of the dynamic nature of the value, the header values will be computed per request.
 
 ```ruby
 # Given a config of:
@@ -148,7 +156,7 @@ class MyController < ApplicationController
 
     # Overrides the previously set source list, override 'none' values
     # Produces: default-src 'self'; script-src s3.amazaonaws.com; object-src 'self'
-    override_content_security_policy_directive(script_src: %w(s3.amazaonaws.com), object_src: %w('self'))
+    override_content_security_policy_directives(script_src: %w(s3.amazaonaws.com), object_src: %w('self'))
 
     # Global settings default to "sameorigin"
     override_x_frame_options("DENY")
@@ -157,7 +165,7 @@ class MyController < ApplicationController
 
 The following methods are available as controller instance methods. They are also available as class methods, but require you to pass in the `request` object.
 * `append_content_security_policy_directives(hash)`: appends each value to the corresponding CSP app-wide configuration.
-* `override_content_security_policy_directive(hash)`: merges the hash into the app-wide configuration, overwriting any previous config
+* `override_content_security_policy_directives(hash)`: merges the hash into the app-wide configuration, overwriting any previous config
 * `override_x_frame_options(value)`: sets the `X-Frame-Options header` to `value`
 
 ## Appending / overriding Content Security Policy
@@ -169,7 +177,7 @@ When manipulating content security policy, there are a few things to consider. T
 The value of `default_src` is joined with the addition. Note the `https:` is carried over from the `default-src` config. If you do not want this, use `override_content_security_policy_directives` instead. To illustrate:
 
 ```ruby
-::SecureHeaders::Configuration.configure do |config|
+::SecureHeaders::Configuration.default do |config|
    config.csp = {
      default_src: %w('self')
    }
@@ -181,11 +189,6 @@ Code  | Result
 `append_content_security_policy_directives(script_src: %w(mycdn.com))` | `default-src 'self'; script-src 'self' mycdn.com`
 `override_content_security_policy_directives(script_src: %w(mycdn.com))`  | `default-src 'self'; script-src mycdn.com`
 
-Code  | Result
-------------- | -------------
-`append_content_security_policy_directives(script_src: %w(mycdn.com))` | `default-src https:; script-src https: mycdn.com`
-`override_content_security_policy_directives(script_src: %w(mycdn.com))`  | `default-src https:; script-src mycdn.com`
-
 #### Nonce
 
 script/style-nonce can be used to whitelist inline content. To do this, call the SecureHeaders::content_security_policy_nonce then set the nonce attributes on the various tags.
@@ -269,7 +272,7 @@ require 'secure_headers'
 
 use SecureHeaders::Middleware
 
-SecureHeaders::Configuration.configure do |config|
+SecureHeaders::Configuration.default do |config|
   ...
 end
 
@@ -314,7 +317,7 @@ and in `config/boot.rb`:
 
 ```ruby
 def before_load
-  SecureHeaders::Configuration.configure do |config|
+  SecureHeaders::Configuration.default do |config|
     ...
   end
 end
@@ -322,13 +325,14 @@ end
 
 ## Similar libraries
 
-* Rack [rack-secure_headers](https://github.com/harmoni/rack-secure_headers)
-* Node.js (express) [helmet](https://github.com/evilpacket/helmet) and [hood](https://github.com/seanmonstar/hood)
+* Rack [rack-secure_headers](https://github.com/frodsan/rack-secure_headers)
+* Node.js (express) [helmet](https://github.com/helmetjs/helmet) and [hood](https://github.com/seanmonstar/hood)
 * Node.js (hapi) [blankie](https://github.com/nlf/blankie)
 * J2EE Servlet >= 3.0 [headlines](https://github.com/sourceclear/headlines)
 * ASP.NET - [NWebsec](https://github.com/NWebsec/NWebsec/wiki)
 * Python - [django-csp](https://github.com/mozilla/django-csp) + [commonware](https://github.com/jsocol/commonware/); [django-security](https://github.com/sdelements/django-security)
 * Go - [secureheader](https://github.com/kr/secureheader)
+* Elixir [secure_headers](https://github.com/anotherhale/secure_headers)
 
 ## License
 

data/lib/secure_headers.rb

@@ -47,12 +47,15 @@ module SecureHeaders
     # additions - a hash containing directives. e.g.
     #    script_src: %w(another-host.com)
     def override_content_security_policy_directives(request, additions)
-      config = config_for(request).dup
-      if config.csp == OPT_OUT
-        config.csp = {}
+      config = config_for(request)
+      unless CSP.idempotent_additions?(config.csp, additions)
+        config = config.dup
+        if config.csp == OPT_OUT
+          config.csp = {}
+        end
+        config.csp.merge!(additions)
+        override_secure_headers_request_config(request, config)
       end
-      config.csp.merge!(additions)
-      override_secure_headers_request_config(request, config)
     end
 
     # Public: appends source values to the current configuration. If no value
@@ -62,9 +65,12 @@ module SecureHeaders
     # additions - a hash containing directives. e.g.
     #    script_src: %w(another-host.com)
     def append_content_security_policy_directives(request, additions)
-      config = config_for(request).dup
-      config.csp = CSP.combine_policies(config.csp, additions)
-      override_secure_headers_request_config(request, config)
+      config = config_for(request)
+      unless CSP.idempotent_additions?(config.csp, additions)
+        config = config.dup
+        config.csp = CSP.combine_policies(config.csp, additions)
+        override_secure_headers_request_config(request, config)
+      end
     end
 
     # Public: override X-Frame-Options settings for this request.

data/lib/secure_headers/headers/content_security_policy.rb

@@ -145,7 +145,12 @@ module SecureHeaders
       STAR,
       DATA_PROTOCOL,
       BLOB_PROTOCOL
-    ]
+    ].freeze
+
+    META_CONFIGS = [
+      :report_only,
+      :preserve_schemes
+    ].freeze
 
     class << self
       # Public: generate a header name, value array that is user-agent-aware.
@@ -157,13 +162,7 @@ module SecureHeaders
         [header.name, header.value]
       end
 
-      # Public: Validates that the configuration has a valid type, or that it is a valid
-      # source expression.
-      #
-      # Private: validates that a source expression:
-      # 1. has a valid name
-      # 2. is an array of strings
-      # 3. does not contain any depreated, now invalid values (inline, eval, self, none)
+      # Public: Validates each source expression.
       #
       # Does not validate the invididual values of the source expression (e.g.
       # script_src => h*t*t*p: will not raise an exception)
@@ -171,7 +170,7 @@ module SecureHeaders
         return if config.nil? || config == OPT_OUT
         raise ContentSecurityPolicyConfigError.new(":default_src is required") unless config[:default_src]
         config.each do |key, value|
-          if key == :report_only
+          if META_CONFIGS.include?(key)
             raise ContentSecurityPolicyConfigError.new("#{key} must be a boolean value") unless boolean?(value) || value.nil?
           else
             validate_directive!(key, value)
@@ -179,6 +178,17 @@ module SecureHeaders
         end
       end
 
+      # Public: determine if merging +additions+ will cause a change to the
+      # actual value of the config.
+      #
+      # e.g. config = { script_src: %w(example.org google.com)} and
+      # additions = { script_src: %w(google.com)} then idempotent_additions? would return
+      # because google.com is already in the config.
+      def idempotent_additions?(config, additions)
+        return false if config == OPT_OUT
+        config.to_s == combine_policies(config, additions).to_s
+      end
+
       # Public: combine the values from two different configs.
       #
       # original - the main config
@@ -208,11 +218,11 @@ module SecureHeaders
         # when each hash contains a value for a given key.
         original.merge(additions) do |directive, lhs, rhs|
           if source_list?(directive)
-            lhs | rhs
+            (lhs.to_a + rhs).uniq.compact
           else
             rhs
           end
-        end
+        end.reject { |_, value| value.nil? || value == [] } # this mess prevents us from adding empty directives.
       end
 
       private
@@ -275,7 +285,8 @@ module SecureHeaders
       else
         UserAgent.parse(user_agent)
       end
-      @report_only = !!@config[:report_only]
+      @report_only = @config[:report_only]
+      @preserve_schemes = @config[:preserve_schemes]
       @script_nonce = @config[:script_nonce]
       @style_nonce = @config[:style_nonce]
     end
@@ -345,9 +356,12 @@ module SecureHeaders
         source_list.reject! { |value| value == NONE } if source_list.length > 1
 
         # remove schemes and dedup source expressions
-        source_list = strip_source_schemes(source_list) unless directive_name == REPORT_URI
+        unless directive_name == REPORT_URI || @preserve_schemes
+          source_list = strip_source_schemes(source_list)
+        end
         dedup_source_list(source_list).join(" ")
       end
+
       [symbol_to_hyphen_case(directive_name), value].join(" ")
     end
 

data/secure_headers.gemspec

@@ -1,7 +1,7 @@
 # -*- encoding: utf-8 -*-
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "3.0.0.pre2"
+  gem.version       = "3.0.0.pre3"
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
   gem.description   = 'Security related headers all in one gem.'

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -23,6 +23,35 @@ module SecureHeaders
     end
 
     describe "#validate_config!" do
+      it "accepts all keys" do
+        # (pulled from README)
+        config = {
+          # "meta" values. these will shaped the header, but the values are not included in the header.
+          report_only:  true,     # default: false
+          preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
+
+          # directive values: these values will directly translate into source directives
+          default_src: %w(https: 'self'),
+          frame_src: %w('self' *.twimg.com itunes.apple.com),
+          connect_src: %w(wws:),
+          font_src: %w('self' data:),
+          img_src: %w(mycdn.com data:),
+          media_src: %w(utoob.com),
+          object_src: %w('self'),
+          script_src: %w('self'),
+          style_src: %w('unsafe-inline'),
+          base_uri: %w('self'),
+          child_src: %w('self'),
+          form_action: %w('self' github.com),
+          frame_ancestors: %w('none'),
+          plugin_types: %w(application/x-shockwave-flash),
+          block_all_mixed_content: true, # see [http://www.w3.org/TR/mixed-content/](http://www.w3.org/TR/mixed-content/)
+          report_uri: %w(https://example.com/uri-directive)
+        }
+
+        CSP.validate_config!(config)
+      end
+
       it "requires a :default_src value" do
         expect do
           CSP.validate_config!(script_src: %('self'))
@@ -35,6 +64,12 @@ module SecureHeaders
         end.to raise_error(ContentSecurityPolicyConfigError)
       end
 
+      it "requires :preserve_schemes to be a truthy value" do
+        expect do
+          CSP.validate_config!(default_opts.merge(preserve_schemes: "steve"))
+        end.to raise_error(ContentSecurityPolicyConfigError)
+      end
+
       it "requires :block_all_mixed_content to be a boolean value" do
         expect do
           CSP.validate_config!(default_opts.merge(block_all_mixed_content: "steve"))
@@ -109,6 +144,19 @@ module SecureHeaders
       end
     end
 
+    describe "#idempotent_additions?" do
+      specify { expect(ContentSecurityPolicy.idempotent_additions?(OPT_OUT, script_src: %w(b.com))).to be false }
+      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: %w(c.com))).to be false }
+      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, style_src: %w(b.com))).to be false }
+      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: %w(a.com b.com c.com))).to be false }
+
+      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: %w(b.com))).to be true }
+      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: %w(b.com a.com))).to be true }
+      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: %w())).to be true }
+      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, script_src: [nil])).to be true }
+      specify { expect(ContentSecurityPolicy.idempotent_additions?({script_src: %w(a.com b.com)}, style_src: [nil])).to be true }
+    end
+
     describe "#value" do
       it "discards 'none' values if any other source expressions are present" do
         csp = ContentSecurityPolicy.new(default_opts.merge(frame_src: %w('self' 'none')))
@@ -138,6 +186,11 @@ module SecureHeaders
         expect(csp.value).to eq("default-src https:; report-uri https://example.org")
       end
 
+      it "does not remove schemes when :preserve_schemes is true" do
+        csp = ContentSecurityPolicy.new(default_src: %w(https://example.org), :preserve_schemes => true)
+        expect(csp.value).to eq("default-src https://example.org")
+      end
+
       it "removes nil from source lists" do
         csp = ContentSecurityPolicy.new(default_src: ["https://example.org", nil])
         expect(csp.value).to eq("default-src example.org")

data/upgrading-to-3-0.md

@@ -11,6 +11,7 @@ Changes
 | `self`/`none` source expressions     | could be `self` / `none` / `'self'` / `'none'`                   | Must be `'self'` or `'none'`                                                                                                                                                   |
 | `inline` / `eval` source expressions | could be `inline`, `eval`, `'unsafe-inline'`, or `'unsafe-eval'` | Must be `'unsafe-eval'` or `'unsafe-inline'`                                                                                                                                   |
 | Per-action configuration         | override [`def secure_header_options_for(header, options)`](https://github.com/twitter/secureheaders/commit/bb9ebc6c12a677aad29af8e0f08ffd1def56efec#diff-04c6e90faac2675aa89e2176d2eec7d8R111)  | Use [named overrides](https://github.com/twitter/secureheaders#named-overrides) or [per-action helpers](https://github.com/twitter/secureheaders#per-action-configuration) |
+| CSP/HPKP use `report_only` config that defaults to false | `enforce: false` |  `report_only: false` |
 
 Migrating to 3.x from <= 2.x
 ==
@@ -18,6 +19,7 @@ Migrating to 3.x from <= 2.x
 1. Convert all headers except for CSP/HPKP using hashes to string values. The values are validated at runtime and will provide guidance on misconfigured headers.
 1. Convert all instances of `self`/`none`/`eval`/`inline` to the corresponding values in the above table.
 1. Convert all CSP space-delimited directives to an array of strings.
+1. Convert all `enforce: true|false` to `report_only: true|false`. 
 
 Everything is terrible, why should I upgrade?
 ==

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 3.0.0.pre2
+  version: 3.0.0.pre3
 platform: ruby
 authors:
 - Neil Matatall
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-12-22 00:00:00.000000000 Z
+date: 2016-02-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake