secure_headers 3.2.0 → 3.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a02f16867ec55f8c168ace664cc63d760785256f
-  data.tar.gz: db54c113af8919984c8f382b957834f38210cf3e
+  metadata.gz: c3acd5dfb3fc3a7c4037ef42b72765a4f1b34ede
+  data.tar.gz: 98f0ce842bac69bf7c5f4d3d4cc19e4281ebe00e
 SHA512:
-  metadata.gz: 6d9ddcb98a8c646d4e7a8cdb79bf3d8638cae4cb230ff268660e8eab7000fba99bb65e126ce55b3ff5f2a0346013fcf8b769dab4db697c82ab4461d444d0e2bd
-  data.tar.gz: b63c79ac3e9b37a4cff698f979f1ca6fd7e92567e35b1f9026be2e68a205e5badff302d512938a4d36517e8ec5b752d4833082e1b733ff73916fbf0b326641aa
+  metadata.gz: 75d3b9033b09f0ac40675e8e8706185d9c0ca465a38f857228bf56857f5f44ba1eab5559b9c9f64f34ee398226ccd9dda5e26923f5325dcadd7be8ff0a957314
+  data.tar.gz: f6ffb2babf72009e60a4d4663ee6e933db8f8acb7159021e66a07168e1c6743df621309fb63e884f3257217d28951b196b2a192739860ce459f4fbabbab35622

data/CHANGELOG.md

@@ -1,3 +1,11 @@
+## 3.3.0 referrer-policy support
+
+While not officially part of the spec and not implemented anywhere, support for the experimental [`referrer-policy` header](https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-header) was [preemptively added](https://github.com/twitter/secureheaders/pull/249).
+
+Additionally, two minor enhancements were added this version:
+1. [Warn when the HPKP report host is the same as the current host](https://github.com/twitter/secureheaders/pull/246). By definition any generated reports would be reporting to a known compromised connection.
+1. [Filter unsupported CSP directives when using Edge](https://github.com/twitter/secureheaders/pull/247). Previously, this was causing many warnings in the developer console.
+
 ## 3.2.0 Cookie settings and CSP hash sources
 
 ### Cookies
@@ -114,6 +122,7 @@ console.log(1)
 Content-Security-Policy: ...
  script-src 'sha256-yktKiAsZWmc8WpOyhnmhQoDf9G2dAZvuBBC+V0LGQhg=' ... ;
  style-src 'sha256-SLp6LO3rrKDJwsG9uJUxZapb4Wp2Zhj6Bu3l+d9rnAY=' 'sha256-HSGHqlRoKmHAGTAJ2Rq0piXX4CnEbOl1ArNd6ejp2TE=' ...;
+```
 
 ## 3.1.2 Bug fix for regression
 

data/README.md

@@ -13,6 +13,7 @@ The gem will automatically apply several headers that are related to security.
 - X-Content-Type-Options - [Prevent content type sniffing](https://msdn.microsoft.com/library/gg622941\(v=vs.85\).aspx)
 - X-Download-Options - [Prevent file downloads opening](https://msdn.microsoft.com/library/jj542450(v=vs.85).aspx)
 - X-Permitted-Cross-Domain-Policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
+- Referrer-Policy - [Referrer Policy draft](https://w3c.github.io/webappsec-referrer-policy/)
 - Public Key Pinning - Pin certificate fingerprints in the browser to prevent man-in-the-middle attacks due to compromised Certificate Authorities. [Public Key Pinning Specification](https://tools.ietf.org/html/rfc7469)
 
 It can also mark all http cookies with the Secure, HttpOnly and SameSite attributes (when configured to do so).
@@ -44,6 +45,7 @@ SecureHeaders::Configuration.default do |config|
   config.x_xss_protection = "1; mode=block"
   config.x_download_options = "noopen"
   config.x_permitted_cross_domain_policies = "none"
+  config.referrer_policy = "origin-when-cross-origin"
   config.csp = {
     # "meta" values. these will shaped the header, but the values are not included in the header.
     report_only:  true,     # default: false
@@ -330,9 +332,7 @@ config.hpkp = {
     {sha256: '73a2c64f9545172c1195efb6616ca5f7afd1df6f245407cafb90de3998a1c97f'}
   ],
   report_only: true,            # defaults to false (report-only mode)
-  report_uri: 'https://report-uri.io/example-hpkp',
-  app_name: 'example',
-  tag_report_uri: true
+  report_uri: 'https://report-uri.io/example-hpkp'
 }
 ```
 

data/lib/secure_headers/configuration.rb

@@ -61,6 +61,7 @@ module SecureHeaders
         config.validate_config!
         @configurations ||= {}
         config.send(:cache_headers!)
+        config.send(:cache_hpkp_report_host)
         config.freeze
         @configurations[name] = config
       end
@@ -102,11 +103,13 @@ module SecureHeaders
       end
     end
 
+    attr_accessor :dynamic_csp
+
     attr_writer :hsts, :x_frame_options, :x_content_type_options,
       :x_xss_protection, :x_download_options, :x_permitted_cross_domain_policies,
-      :hpkp, :dynamic_csp, :cookies
+      :referrer_policy
 
-    attr_reader :cached_headers, :csp, :dynamic_csp, :cookies
+    attr_reader :cached_headers, :csp, :cookies, :hpkp, :hpkp_report_host
 
     HASH_CONFIG_FILE = ENV["secure_headers_generated_hashes_file"] || "config/secure_headers_generated_hashes.yml"
     if File.exists?(HASH_CONFIG_FILE)
@@ -117,6 +120,7 @@ module SecureHeaders
 
     def initialize(&block)
       self.hpkp = OPT_OUT
+      self.referrer_policy = OPT_OUT
       self.csp = self.class.send(:deep_copy, CSP::DEFAULT_CONFIG)
       instance_eval &block if block_given?
     end
@@ -136,7 +140,9 @@ module SecureHeaders
       copy.x_xss_protection = @x_xss_protection
       copy.x_download_options = @x_download_options
       copy.x_permitted_cross_domain_policies = @x_permitted_cross_domain_policies
+      copy.referrer_policy = @referrer_policy
       copy.hpkp = @hpkp
+      copy.hpkp_report_host = @hpkp_report_host
       copy
     end
 
@@ -175,6 +181,7 @@ module SecureHeaders
     def validate_config!
       StrictTransportSecurity.validate_config!(@hsts)
       ContentSecurityPolicy.validate_config!(@csp)
+      ReferrerPolicy.validate_config!(@referrer_policy)
       XFrameOptions.validate_config!(@x_frame_options)
       XContentTypeOptions.validate_config!(@x_content_type_options)
       XXssProtection.validate_config!(@x_xss_protection)
@@ -199,12 +206,32 @@ module SecureHeaders
       @csp = new_csp
     end
 
+    def cookies=(cookies)
+      @cookies = cookies
+    end
+
     def cached_headers=(headers)
       @cached_headers = headers
     end
 
+    def hpkp=(hpkp)
+      @hpkp = hpkp
+    end
+
+    def hpkp_report_host=(hpkp_report_host)
+      @hpkp_report_host = hpkp_report_host
+    end
+
     private
 
+    def cache_hpkp_report_host
+      has_report_uri = @hpkp && @hpkp != OPT_OUT && @hpkp[:report_uri]
+      self.hpkp_report_host = if has_report_uri
+        parsed_report_uri = URI.parse(@hpkp[:report_uri])
+        parsed_report_uri.host
+      end
+    end
+
     # Public: Precompute the header names and values for this configuraiton.
     # Ensures that headers generated at configure time, not on demand.
     #

data/lib/secure_headers/headers/policy_management.rb

@@ -91,6 +91,7 @@ module SecureHeaders
       UPGRADE_INSECURE_REQUESTS
     ].freeze
 
+    EDGE_DIRECTIVES = DIRECTIVES_1_0
     SAFARI_DIRECTIVES = DIRECTIVES_1_0
 
     FIREFOX_UNSUPPORTED_DIRECTIVES = [
@@ -118,6 +119,7 @@ module SecureHeaders
       "Opera" => CHROME_DIRECTIVES,
       "Firefox" => FIREFOX_DIRECTIVES,
       "Safari" => SAFARI_DIRECTIVES,
+      "Edge" => EDGE_DIRECTIVES,
       "Other" => CHROME_DIRECTIVES
     }.freeze
 

data/lib/secure_headers/headers/referrer_policy.rb

@@ -0,0 +1,33 @@
+module SecureHeaders
+  class ReferrerPolicyConfigError < StandardError; end
+  class ReferrerPolicy
+    HEADER_NAME = "Referrer-Policy"
+    DEFAULT_VALUE = "origin-when-cross-origin"
+    VALID_POLICIES = %w(
+      no-referrer
+      no-referrer-when-downgrade
+      origin
+      origin-when-cross-origin
+      unsafe-url
+    )
+    CONFIG_KEY = :referrer_policy
+
+    class << self
+      # Public: generate an Referrer Policy header.
+      #
+      # Returns a default header if no configuration is provided, or a
+      # header name and value based on the config.
+      def make_header(config = nil)
+        [HEADER_NAME, config || DEFAULT_VALUE]
+      end
+
+      def validate_config!(config)
+        return if config.nil? || config == OPT_OUT
+        raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
+        unless VALID_POLICIES.include?(config.downcase)
+          raise ReferrerPolicyConfigError.new("Value can only be one of #{VALID_POLICIES.join(', ')}")
+        end
+      end
+    end
+  end
+end

data/lib/secure_headers/middleware.rb

@@ -1,5 +1,7 @@
 module SecureHeaders
   class Middleware
+    HPKP_SAME_HOST_WARNING = "[WARNING] HPKP report host should not be the same as the request host. See https://github.com/twitter/secureheaders/issues/166"
+
     def initialize(app)
       @app = app
     end
@@ -10,6 +12,10 @@ module SecureHeaders
       status, headers, response = @app.call(env)
 
       config = SecureHeaders.config_for(req)
+      if config.hpkp_report_host == req.host
+        Kernel.warn(HPKP_SAME_HOST_WARNING)
+      end
+
       flag_cookies!(headers, override_secure(env, config.cookies)) if config.cookies
       headers.merge!(SecureHeaders.header_hash_for(req))
       [status, headers, response]

data/lib/secure_headers/railtie.rb

@@ -7,7 +7,7 @@ if defined?(Rails::Railtie)
                              'X-Permitted-Cross-Domain-Policies', 'X-Download-Options',
                              'X-Content-Type-Options', 'Strict-Transport-Security',
                              'Content-Security-Policy', 'Content-Security-Policy-Report-Only',
-                             'Public-Key-Pins', 'Public-Key-Pins-Report-Only']
+                             'Public-Key-Pins', 'Public-Key-Pins-Report-Only', 'Referrer-Policy']
 
       initializer "secure_headers.middleware" do
         Rails.application.config.middleware.insert_before 0, SecureHeaders::Middleware

data/lib/secure_headers.rb

@@ -9,6 +9,7 @@ require "secure_headers/headers/x_xss_protection"
 require "secure_headers/headers/x_content_type_options"
 require "secure_headers/headers/x_download_options"
 require "secure_headers/headers/x_permitted_cross_domain_policies"
+require "secure_headers/headers/referrer_policy"
 require "secure_headers/middleware"
 require "secure_headers/railtie"
 require "secure_headers/view_helper"
@@ -27,6 +28,7 @@ module SecureHeaders
     ContentSecurityPolicy,
     StrictTransportSecurity,
     PublicKeyPins,
+    ReferrerPolicy,
     XContentTypeOptions,
     XDownloadOptions,
     XFrameOptions,

data/secure_headers.gemspec

@@ -1,7 +1,7 @@
 # -*- encoding: utf-8 -*-
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "3.2.0"
+  gem.version       = "3.3.0"
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
   gem.description   = 'Security related headers all in one gem.'

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -104,6 +104,11 @@ module SecureHeaders
           expect(policy.value).to eq("default-src 'self'; base-uri 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; sandbox 'self'; script-src 'self' 'nonce-123456'; style-src 'self'; upgrade-insecure-requests; report-uri 'self'")
         end
 
+        it "adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, upgrade-insecure-requests, child-src, form-action, frame-ancestors, nonce sources, hash sources, and plugin-types for Edge" do
+          policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:edge])
+          expect(policy.value).to eq("default-src 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; sandbox 'self'; script-src 'self' 'unsafe-inline'; style-src 'self'; report-uri 'self'")
+        end
+
         it "adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, upgrade-insecure-requests, child-src, form-action, frame-ancestors, nonce sources, hash sources, and plugin-types for safari" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:safari6])
           expect(policy.value).to eq("default-src 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; sandbox 'self'; script-src 'self' 'unsafe-inline'; style-src 'self'; report-uri 'self'")

data/spec/lib/secure_headers/headers/referrer_policy_spec.rb

@@ -0,0 +1,54 @@
+require 'spec_helper'
+
+module SecureHeaders
+  describe ReferrerPolicy do
+    specify { expect(ReferrerPolicy.make_header).to eq([ReferrerPolicy::HEADER_NAME, "origin-when-cross-origin"]) }
+    specify { expect(ReferrerPolicy.make_header('no-referrer')).to eq([ReferrerPolicy::HEADER_NAME, "no-referrer"]) }
+
+    context "valid configuration values" do
+      it "accepts 'no-referrer'" do
+        expect do
+          ReferrerPolicy.validate_config!("no-referrer")
+        end.not_to raise_error
+      end
+
+      it "accepts 'no-referrer-when-downgrade'" do
+        expect do
+          ReferrerPolicy.validate_config!("no-referrer-when-downgrade")
+        end.not_to raise_error
+      end
+
+      it "accepts 'origin'" do
+        expect do
+          ReferrerPolicy.validate_config!("origin")
+        end.not_to raise_error
+      end
+
+      it "accepts 'origin-when-cross-origin'" do
+        expect do
+          ReferrerPolicy.validate_config!("origin-when-cross-origin")
+        end.not_to raise_error
+      end
+
+      it "accepts 'unsafe-url'" do
+        expect do
+          ReferrerPolicy.validate_config!("unsafe-url")
+        end.not_to raise_error
+      end
+
+      it "accepts nil" do
+        expect do
+          ReferrerPolicy.validate_config!(nil)
+        end.not_to raise_error
+      end
+    end
+
+    context 'invlaid configuration values' do
+      it "doesn't accept invalid values" do
+        expect do
+          ReferrerPolicy.validate_config!("open")
+        end.to raise_error(ReferrerPolicyConfigError)
+      end
+    end
+  end
+end

data/spec/lib/secure_headers/middleware_spec.rb

@@ -13,6 +13,24 @@ module SecureHeaders
       Configuration.default
     end
 
+    it "warns if the hpkp report-uri host is the same as the current host" do
+      report_host = "report-uri.io"
+      Configuration.default do |config|
+        config.hpkp = {
+          max_age: 10000000,
+          pins: [
+            {sha256: 'b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c'},
+            {sha256: '73a2c64f9545172c1195efb6616ca5f7afd1df6f245407cafb90de3998a1c97f'}
+          ],
+          report_uri: "https://#{report_host}/example-hpkp"
+        }
+      end
+
+      expect(Kernel).to receive(:warn).with(Middleware::HPKP_SAME_HOST_WARNING)
+
+      middleware.call(Rack::MockRequest.env_for("https://#{report_host}", {}))
+    end
+
     it "sets the headers" do
       _, env = middleware.call(Rack::MockRequest.env_for("https://looocalhost", {}))
       expect_default_values(env)

data/spec/lib/secure_headers_spec.rb

@@ -20,6 +20,13 @@ module SecureHeaders
       end.to raise_error(Configuration::NotYetConfiguredError)
     end
 
+    it "raises and ArgumentError when referencing an override that has not been set" do
+      expect do
+        Configuration.default
+        SecureHeaders.use_secure_headers_override(request, :missing)
+      end.to raise_error(ArgumentError)
+    end
+
     describe "#header_hash_for" do
       it "allows you to opt out of individual headers via API" do
         Configuration.default
@@ -305,6 +312,14 @@ module SecureHeaders
         end.to raise_error(XPCDPConfigError)
       end
 
+      it "validates your referrer_policy config upon configuration" do
+        expect do
+          Configuration.default do |config|
+            config.referrer_policy = "lol"
+          end
+        end.to raise_error(ReferrerPolicyConfigError)
+      end
+
       it "validates your hpkp config upon configuration" do
         expect do
           Configuration.default do |config|
@@ -312,6 +327,14 @@ module SecureHeaders
           end
         end.to raise_error(PublicKeyPinsConfigError)
       end
+
+      it "validates your cookies config upon configuration" do
+        expect do
+          Configuration.default do |config|
+            config.cookies = { secure: "lol" }
+          end
+        end.to raise_error(CookiesConfigError)
+      end
     end
   end
 end

data/spec/spec_helper.rb

@@ -11,6 +11,7 @@ require File.join(File.dirname(__FILE__), '..', 'lib', 'secure_headers')
 
 
 USER_AGENTS = {
+  edge: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246",
   firefox: 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1',
   chrome: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5',
   ie: 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)',
@@ -30,6 +31,7 @@ def expect_default_values(hash)
   expect(hash[SecureHeaders::XXssProtection::HEADER_NAME]).to eq(SecureHeaders::XXssProtection::DEFAULT_VALUE)
   expect(hash[SecureHeaders::XContentTypeOptions::HEADER_NAME]).to eq(SecureHeaders::XContentTypeOptions::DEFAULT_VALUE)
   expect(hash[SecureHeaders::XPermittedCrossDomainPolicies::HEADER_NAME]).to eq(SecureHeaders::XPermittedCrossDomainPolicies::DEFAULT_VALUE)
+  expect(hash[SecureHeaders::ReferrerPolicy::HEADER_NAME]).to be_nil
 end
 
 module SecureHeaders

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 3.2.0
+  version: 3.3.0
 platform: ruby
 authors:
 - Neil Matatall
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-04-18 00:00:00.000000000 Z
+date: 2016-04-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -63,6 +63,7 @@ files:
 - lib/secure_headers/headers/cookie.rb
 - lib/secure_headers/headers/policy_management.rb
 - lib/secure_headers/headers/public_key_pins.rb
+- lib/secure_headers/headers/referrer_policy.rb
 - lib/secure_headers/headers/strict_transport_security.rb
 - lib/secure_headers/headers/x_content_type_options.rb
 - lib/secure_headers/headers/x_download_options.rb
@@ -80,6 +81,7 @@ files:
 - spec/lib/secure_headers/headers/cookie_spec.rb
 - spec/lib/secure_headers/headers/policy_management_spec.rb
 - spec/lib/secure_headers/headers/public_key_pins_spec.rb
+- spec/lib/secure_headers/headers/referrer_policy_spec.rb
 - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
 - spec/lib/secure_headers/headers/x_content_type_options_spec.rb
 - spec/lib/secure_headers/headers/x_download_options_spec.rb
@@ -122,6 +124,7 @@ test_files:
 - spec/lib/secure_headers/headers/cookie_spec.rb
 - spec/lib/secure_headers/headers/policy_management_spec.rb
 - spec/lib/secure_headers/headers/public_key_pins_spec.rb
+- spec/lib/secure_headers/headers/referrer_policy_spec.rb
 - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
 - spec/lib/secure_headers/headers/x_content_type_options_spec.rb
 - spec/lib/secure_headers/headers/x_download_options_spec.rb