secure_headers 3.4.0 → 3.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 88233251c7a26e1269f77957d56823619e3d9d11
-  data.tar.gz: 8e9c0e69fcca0298ee52223d587134f5a8df062f
+  metadata.gz: 45e392304147a02bee8cf0709fe52e16f9ad255c
+  data.tar.gz: e07030aa93c84a20e9b22d88af6489d8a71c95e7
 SHA512:
-  metadata.gz: f421d0d58eb9b5a7b22fd13932644c2c3868e0294886cbf5250127e8807fa20dec95717219e0a82ce59f49f376b32e17b97b77c7e011d2e2d1633162c1297bbc
-  data.tar.gz: ae63cbdd588bf6c31e531bfec5480e022a5df96c8ee2cc4c824d1e869f64df2a44073d795cc6d5e7ffeca6d6369f0d2e33f202ce8ceda04d274849e95789ff43
+  metadata.gz: 8238f728eb74303b6aac54d40e3eaf1aacdaf7e0c910fe9a05f3dc005daa9eb96876391619eb2cb613a0d2a8ad358a48bc899626be46d201561f05064f47fdf8
+  data.tar.gz: d0d448274a7a4789f668ac59c49903bf50889a2675a82d62d91ca721c5160b50288b5fafcf8b041422f575cc42d31b4a614fbc8036759fb522c149131a472f33

data/CHANGELOG.md

@@ -1,3 +1,64 @@
+## 3.4.1 Named Appends
+
+### Small bugfix
+
+If your CSP did not define a script/style-src and you tried to use a script/style nonce, the nonce would be added to the page but it would not be added to the CSP. A workaround is to define a script/style src but now it should add the missing directive (and populate it with the default-src).
+
+### Named Appends
+
+Named Appends are blocks of code that can be reused and composed during requests. e.g. If a certain partial is rendered conditionally, and the csp needs to be adjusted for that partial, you can create a named append for that situation. The value returned by the block will be passed into `append_content_security_policy_directives`. The current request object is passed as an argument to the block for even more flexibility.
+
+```ruby
+def show
+  if include_widget?
+    @widget = widget.render
+    use_content_security_policy_named_append(:widget_partial)
+  end
+end
+
+
+SecureHeaders::Configuration.named_append(:widget_partial) do |request|
+  if request.controller_instance.current_user.in_test_bucket?
+    SecureHeaders.override_x_frame_options(request, "DENY")
+    { child_src: %w(beta.thirdpartyhost.com) }
+  else
+    { child_src: %w(thirdpartyhost.com) }
+  end
+end
+```
+
+You can use as many named appends as you would like per request, but be careful because order of inclusion matters. Consider the following:
+
+```ruby
+SecureHeader::Configuration.default do |config|
+  config.csp = { default_src: %w('self')}
+end
+
+SecureHeaders::Configuration.named_append(:A) do |request|
+  { default_src: %w(myhost.com) }
+end
+
+SecureHeaders::Configuration.named_append(:B) do |request|
+  { script_src: %w('unsafe-eval') }
+end
+```
+
+The following code will produce different policies due to the way policies are normalized (e.g. providing a previously undefined directive that inherits from `default-src`, removing host source values when `*` is provided. Removing `'none'` when additional values are present, etc.):
+
+```ruby
+def index
+  use_content_security_policy_named_append(:A)
+  use_content_security_policy_named_append(:B)
+  # produces default-src 'self' myhost.com; script-src 'self' myhost.com 'unsafe-eval';
+end
+
+def show
+  use_content_security_policy_named_append(:B)
+  use_content_security_policy_named_append(:A)
+  # produces default-src 'self' myhost.com; script-src 'self' 'unsafe-eval';
+end
+```
+
 ## 3.4.0 the frame-src/child-src transition for Firefox.
 
 Handle the `child-src`/`frame-src` transition semi-intelligently across versions. I think the code best descibes the behavior here:

data/README.md

@@ -1,4 +1,4 @@
-# Secure Headers [![Build Status](https://travis-ci.org/twitter/secureheaders.png?branch=master)](http://travis-ci.org/twitter/secureheaders) [![Code Climate](https://codeclimate.com/github/twitter/secureheaders.png)](https://codeclimate.com/github/twitter/secureheaders) [![Coverage Status](https://coveralls.io/repos/twitter/secureheaders/badge.png)](https://coveralls.io/r/twitter/secureheaders)
+# Secure Headers [![Build Status](https://travis-ci.org/twitter/secureheaders.svg?branch=master)](http://travis-ci.org/twitter/secureheaders) [![Code Climate](https://codeclimate.com/github/twitter/secureheaders.svg)](https://codeclimate.com/github/twitter/secureheaders) [![Coverage Status](https://coveralls.io/repos/twitter/secureheaders/badge.svg)](https://coveralls.io/r/twitter/secureheaders)
 
 
 **The 3.x branch was recently merged**. See the [upgrading to 3.x doc](upgrading-to-3-0.md) for instructions on how to upgrade including the differences and benefits of using the 3.x branch.
@@ -94,6 +94,62 @@ use SecureHeaders::Middleware
 
 All headers except for PublicKeyPins have a default value. See the [corresponding classes for their defaults](https://github.com/twitter/secureheaders/tree/master/lib/secure_headers/headers).
 
+## Named Appends
+
+Named Appends are blocks of code that can be reused and composed during requests. e.g. If a certain partial is rendered conditionally, and the csp needs to be adjusted for that partial, you can create a named append for that situation. The value returned by the block will be passed into `append_content_security_policy_directives`. The current request object is passed as an argument to the block for even more flexibility.
+
+```ruby
+def show
+  if include_widget?
+    @widget = widget.render
+    use_content_security_policy_named_append(:widget_partial)
+  end
+end
+
+
+SecureHeaders::Configuration.named_append(:widget_partial) do |request|
+  SecureHeaders.override_x_frame_options(request, "DENY")
+  if request.controller_instance.current_user.in_test_bucket?
+    { child_src: %w(beta.thirdpartyhost.com) }
+  else
+    { child_src: %w(thirdpartyhost.com) }
+  end
+end
+```
+
+You can use as many named appends as you would like per request, but be careful because order of inclusion matters. Consider the following:
+
+```ruby
+SecureHeader::Configuration.default do |config|
+  config.csp = { default_src: %w('self')}
+end
+
+SecureHeaders::Configuration.named_append(:A) do |request|
+  { default_src: %w(myhost.com) }
+end
+
+SecureHeaders::Configuration.named_append(:B) do |request|
+  { script_src: %w('unsafe-eval') }
+end
+```
+
+The following code will produce different policies due to the way policies are normalized (e.g. providing a previously undefined directive that inherits from `default-src`, removing host source values when `*` is provided. Removing `'none'` when additional values are present, etc.):
+
+```ruby
+def index
+  use_content_security_policy_named_append(:A)
+  use_content_security_policy_named_append(:B)
+  # produces default-src 'self' myhost.com; script-src 'self' myhost.com 'unsafe-eval';
+end
+
+def show
+  use_content_security_policy_named_append(:B)
+  use_content_security_policy_named_append(:A)
+  # produces default-src 'self' myhost.com; script-src 'self' 'unsafe-eval';
+end
+```
+
+
 ## Named overrides
 
 Named overrides serve two purposes:
@@ -125,7 +181,7 @@ end
 
 class MyController < ApplicationController
   def index
-    # Produces default-src 'self'; script-src example.org otherdomain.org
+    # Produces default-src 'self'; script-src example.org otherdomain.com
     use_secure_headers_override(:script_from_otherdomain_com)
   end
 

data/lib/secure_headers.rb

@@ -72,6 +72,11 @@ module SecureHeaders
       override_secure_headers_request_config(request, config)
     end
 
+    def use_content_security_policy_named_append(request, name)
+      additions = SecureHeaders::Configuration.named_appends(name).call(request)
+      append_content_security_policy_directives(request, additions)
+    end
+
     # Public: override X-Frame-Options settings for this request.
     #
     # value - deny, sameorigin, or allowall
@@ -267,4 +272,8 @@ module SecureHeaders
   def override_x_frame_options(value)
     SecureHeaders.override_x_frame_options(request, value)
   end
+
+  def use_content_security_policy_named_append(name)
+    SecureHeaders.use_content_security_policy_named_append(request, name)
+  end
 end

data/lib/secure_headers/configuration.rb

@@ -46,6 +46,17 @@ module SecureHeaders
         @configurations[name]
       end
 
+      def named_appends(name)
+        @appends ||= {}
+        @appends[name]
+      end
+
+      def named_append(name, target = nil, &block)
+        @appends ||= {}
+        raise "Provide a configuration block" unless block_given?
+        @appends[name] = block
+      end
+
       private
 
       # Private: add a valid configuration to the global set of named configs.

data/lib/secure_headers/headers/policy_management.rb

@@ -53,16 +53,6 @@ module SecureHeaders
     FRAME_ANCESTORS = :frame_ancestors
     PLUGIN_TYPES = :plugin_types
 
-    # These are directives that do not inherit the default-src value. This is
-    # useful when calling #combine_policies.
-    NON_FETCH_SOURCES = [
-      BASE_URI,
-      FORM_ACTION,
-      FRAME_ANCESTORS,
-      PLUGIN_TYPES,
-      REPORT_URI
-    ]
-
     DIRECTIVES_2_0 = [
       DIRECTIVES_1_0,
       BASE_URI,
@@ -127,6 +117,18 @@ module SecureHeaders
     # everything else is in between.
     BODY_DIRECTIVES = ALL_DIRECTIVES - [DEFAULT_SRC, REPORT_URI]
 
+    # These are directives that do not inherit the default-src value. This is
+    # useful when calling #combine_policies.
+    NON_FETCH_SOURCES = [
+      BASE_URI,
+      FORM_ACTION,
+      FRAME_ANCESTORS,
+      PLUGIN_TYPES,
+      REPORT_URI
+    ]
+
+    FETCH_SOURCES = ALL_DIRECTIVES - NON_FETCH_SOURCES
+
     VARIATIONS = {
       "Chrome" => CHROME_DIRECTIVES,
       "Opera" => CHROME_DIRECTIVES,
@@ -268,8 +270,23 @@ module SecureHeaders
       def populate_fetch_source_with_default!(original, additions)
         # in case we would be appending to an empty directive, fill it with the default-src value
         additions.keys.each do |directive|
-          unless original[directive] || !source_list?(directive) || NON_FETCH_SOURCES.include?(directive)
-            original[directive] = original[:default_src]
+          if !original[directive] && ((source_list?(directive) && FETCH_SOURCES.include?(directive)) || nonce_added?(original, additions))
+            if nonce_added?(original, additions)
+              inferred_directive = directive.to_s.gsub(/_nonce/, "_src").to_sym
+              unless original[inferred_directive] || NON_FETCH_SOURCES.include?(inferred_directive)
+                original[inferred_directive] = original[:default_src]
+              end
+            else
+              original[directive] = original[:default_src]
+            end
+          end
+        end
+      end
+
+      def nonce_added?(original, additions)
+        [:script_nonce, :style_nonce].each do |nonce|
+          if additions[nonce] && !original[nonce]
+            return true
           end
         end
       end

data/secure_headers.gemspec

@@ -1,7 +1,7 @@
 # -*- encoding: utf-8 -*-
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "3.4.0"
+  gem.version       = "3.4.1"
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
   gem.description   = 'Security related headers all in one gem.'

data/spec/lib/secure_headers_spec.rb

@@ -138,6 +138,10 @@ module SecureHeaders
       end
 
       context "content security policy" do
+        let(:chrome_request) {
+          Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:chrome]))
+        }
+
         it "appends a value to csp directive" do
           Configuration.default do |config|
             config.csp = {
@@ -151,6 +155,52 @@ module SecureHeaders
           expect(hash[CSP::HEADER_NAME]).to eq("default-src 'self'; script-src mycdn.com 'unsafe-inline' anothercdn.com")
         end
 
+        it "supports named appends" do
+          Configuration.default do |config|
+            config.csp = {
+              default_src: %w('self')
+            }
+          end
+
+          Configuration.named_append(:moar_default_sources) do |request|
+            { default_src: %w(https:)}
+          end
+
+          Configuration.named_append(:how_about_a_script_src_too) do |request|
+            { script_src: %w('unsafe-inline')}
+          end
+
+          SecureHeaders.use_content_security_policy_named_append(request, :moar_default_sources)
+          SecureHeaders.use_content_security_policy_named_append(request, :how_about_a_script_src_too)
+          hash = SecureHeaders.header_hash_for(request)
+
+          expect(hash[CSP::HEADER_NAME]).to eq("default-src 'self' https:; script-src 'self' https: 'unsafe-inline'")
+        end
+
+        it "appends a nonce to a missing script-src value" do
+          Configuration.default do |config|
+            config.csp = {
+              default_src: %w('self')
+            }
+          end
+
+          SecureHeaders.content_security_policy_script_nonce(request) # should add the value to the header
+          hash = SecureHeaders.header_hash_for(chrome_request)
+          expect(hash[CSP::HEADER_NAME]).to match /\Adefault-src 'self'; script-src 'self' 'nonce-.*'\z/
+        end
+
+        it "appends a hash to a missing script-src value" do
+          Configuration.default do |config|
+            config.csp = {
+              default_src: %w('self')
+            }
+          end
+
+          SecureHeaders.append_content_security_policy_directives(request, script_src: %w('sha256-abc123'))
+          hash = SecureHeaders.header_hash_for(chrome_request)
+          expect(hash[CSP::HEADER_NAME]).to match /\Adefault-src 'self'; script-src 'self' 'sha256-abc123'\z/
+        end
+
         it "dups global configuration just once when overriding n times and only calls idempotent_additions? once" do
           Configuration.default do |config|
             config.csp = {
@@ -234,7 +284,6 @@ module SecureHeaders
             }
           end
 
-          chrome_request = Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:chrome]))
           nonce = SecureHeaders.content_security_policy_script_nonce(chrome_request)
 
           # simulate the nonce being used multiple times in a request:

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 3.4.0
+  version: 3.4.1
 platform: ruby
 authors:
 - Neil Matatall
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-07-18 00:00:00.000000000 Z
+date: 2016-09-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake