secure_headers 4.0.0.alpha03 → 4.0.0.alpha04

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 85aab6315aa227ca4e8e7814e1044fc43f4d0d3d
-  data.tar.gz: 6cbb3f6f3fec29168f3213d794babc76143c3201
+  metadata.gz: 96b8466fa2b4e4400b0c587bdba7abebdac251f7
+  data.tar.gz: f721a9682de31fc461dd713e153cba427f846b51
 SHA512:
-  metadata.gz: 6e767caf78326e1ed60678dfd22f4f5f8328fbb30dc520d5283f86c018708c3be2326ffb79df585453f7f995771dc8521e1c6ca48e0af787620a60b5de831d26
-  data.tar.gz: 1b699528fdcd23ab18921c825e646fd8de323c3d0497b3e482e99386f5ac008bd948ffc1889e9c32f82cbd6b8d40c74c62a18fbeee87622aebc34b043a86c2a4
+  metadata.gz: 29125ef959986803eff014bfd101972752272c97a5170356961dde54b78c4bcafdb5dc6fc55f99cd49f46b5c29c247e63161da9af6932fdb136d690f1dc2a598
+  data.tar.gz: b23ef45067291c21c66b735ebe19c454e8b35b5d829324ea35e33a4cb8018fad7e2a53081508334d9483bb7ff86cd9ce90b053f1c4b9052bad8c0d991d9d7f6e

data/CHANGELOG.md

@@ -1,6 +1,6 @@
 ## 4.x
 
-- See the [upgrading to 4.0](upgrading-to-4.0.md) guide. Lots of breaking changes.
+- See the [upgrading to 4.0](upgrading-to-4-0.md) guide. Lots of breaking changes.
 
 ## 3.6.5
 

data/README.md

@@ -19,6 +19,7 @@ The gem will automatically apply several headers that are related to security.
 - X-Permitted-Cross-Domain-Policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
 - Referrer-Policy - [Referrer Policy draft](https://w3c.github.io/webappsec-referrer-policy/)
 - Public Key Pinning - Pin certificate fingerprints in the browser to prevent man-in-the-middle attacks due to compromised Certificate Authorities. [Public Key Pinning Specification](https://tools.ietf.org/html/rfc7469)
+- Expect-CT - Only use certificates that are present in the certificate transparency logs. [Expect-CT draft specification](https://datatracker.ietf.org/doc/draft-stark-expect-ct/).
 - Clear-Site-Data - Clearing browser data for origin. [Clear-Site-Data specification](https://w3c.github.io/webappsec-clear-site-data/).
 
 It can also mark all http cookies with the Secure, HttpOnly and SameSite attributes (when configured to do so).
@@ -77,6 +78,11 @@ SecureHeaders::Configuration.default do |config|
     "storage",
     "executionContexts"
   ]
+  config.expect_certificate_transparency = {
+    enforce: false,
+    max_age: 1.day.to_i,
+    report_uri: "https://report-uri.io/example-ct"
+  }
   config.csp = {
     # "meta" values. these will shape the header, but the values are not included in the header.
     preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
@@ -94,6 +100,7 @@ SecureHeaders::Configuration.default do |config|
     manifest_src: %w('self'),
     media_src: %w(utoob.com),
     object_src: %w('self'),
+    sandbox: true, # true and [] will set a maximally restrictive setting
     plugin_types: %w(application/x-shockwave-flash),
     script_src: %w('self'),
     style_src: %w('unsafe-inline'),

data/lib/secure_headers.rb

@@ -12,6 +12,7 @@ require "secure_headers/headers/x_download_options"
 require "secure_headers/headers/x_permitted_cross_domain_policies"
 require "secure_headers/headers/referrer_policy"
 require "secure_headers/headers/clear_site_data"
+require "secure_headers/headers/expect_certificate_transparency"
 require "secure_headers/middleware"
 require "secure_headers/railtie"
 require "secure_headers/view_helper"
@@ -52,6 +53,7 @@ module SecureHeaders
   CSP = ContentSecurityPolicy
 
   ALL_HEADER_CLASSES = [
+    ExpectCertificateTransparency,
     ClearSiteData,
     ContentSecurityPolicyConfig,
     ContentSecurityPolicyReportOnlyConfig,

data/lib/secure_headers/configuration.rb

@@ -117,7 +117,7 @@ module SecureHeaders
 
     attr_writer :hsts, :x_frame_options, :x_content_type_options,
       :x_xss_protection, :x_download_options, :x_permitted_cross_domain_policies,
-      :referrer_policy, :clear_site_data
+      :referrer_policy, :clear_site_data, :expect_certificate_transparency
 
     attr_reader :cached_headers, :csp, :cookies, :csp_report_only, :hpkp, :hpkp_report_host
 
@@ -144,6 +144,7 @@ module SecureHeaders
       @x_frame_options = nil
       @x_permitted_cross_domain_policies = nil
       @x_xss_protection = nil
+      @expect_certificate_transparency = nil
 
       self.hpkp = OPT_OUT
       self.referrer_policy = OPT_OUT
@@ -169,6 +170,7 @@ module SecureHeaders
       copy.x_download_options = @x_download_options
       copy.x_permitted_cross_domain_policies = @x_permitted_cross_domain_policies
       copy.clear_site_data = @clear_site_data
+      copy.expect_certificate_transparency = @expect_certificate_transparency
       copy.referrer_policy = @referrer_policy
       copy.hpkp = @hpkp
       copy.hpkp_report_host = @hpkp_report_host
@@ -201,6 +203,7 @@ module SecureHeaders
       XDownloadOptions.validate_config!(@x_download_options)
       XPermittedCrossDomainPolicies.validate_config!(@x_permitted_cross_domain_policies)
       ClearSiteData.validate_config!(@clear_site_data)
+      ExpectCertificateTransparency.validate_config!(@expect_certificate_transparency)
       PublicKeyPins.validate_config!(@hpkp)
       Cookie.validate_config!(@cookies)
     end

data/lib/secure_headers/headers/content_security_policy.rb

@@ -75,20 +75,55 @@ module SecureHeaders
         case DIRECTIVE_VALUE_TYPES[directive_name]
         when :boolean
           symbol_to_hyphen_case(directive_name) if @config.directive_value(directive_name)
-        when :string
-          [symbol_to_hyphen_case(directive_name), @config.directive_value(directive_name)].join(" ")
-        else
-          build_directive(directive_name)
+        when :sandbox_list
+          build_sandbox_list_directive(directive_name)
+        when :media_type_list
+          build_media_type_list_directive(directive_name)
+        when :source_list
+          build_source_list_directive(directive_name)
         end
       end.compact.join("; ")
     end
 
+    def build_sandbox_list_directive(directive)
+      return unless sandbox_list = @config.directive_value(directive)
+      max_strict_policy = case sandbox_list
+      when Array
+        sandbox_list.empty?
+      when true
+        true
+      else
+        false
+      end
+
+      # A maximally strict sandbox policy is just the `sandbox` directive,
+      # whith no configuraiton values.
+      if max_strict_policy
+        symbol_to_hyphen_case(directive)
+      elsif sandbox_list && sandbox_list.any?
+        [
+          symbol_to_hyphen_case(directive),
+          sandbox_list.uniq
+        ].join(" ")
+      end
+    end
+
+    def build_media_type_list_directive(directive)
+      return unless media_type_list = @config.directive_value(directive)
+      if media_type_list && media_type_list.any?
+        [
+          symbol_to_hyphen_case(directive),
+          media_type_list.uniq
+        ].join(" ")
+      end
+    end
+
     # Private: builds a string that represents one directive in a minified form.
     #
     # directive_name - a symbol representing the various ALL_DIRECTIVES
     #
     # Returns a string representing a directive.
-    def build_directive(directive)
+    def build_source_list_directive(directive)
       source_list = case directive
       when :child_src
         if supported_directives.include?(:child_src)

data/lib/secure_headers/headers/expect_certificate_transparency.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+module SecureHeaders
+  class ExpectCertificateTransparencyConfigError < StandardError; end
+
+  class ExpectCertificateTransparency
+    HEADER_NAME = "Expect-CT".freeze
+    CONFIG_KEY  = :expect_certificate_transparency
+    INVALID_CONFIGURATION_ERROR = "config must be a hash.".freeze
+    INVALID_ENFORCE_VALUE_ERROR = "enforce must be a boolean".freeze
+    REQUIRED_MAX_AGE_ERROR      = "max-age is a required directive.".freeze
+    INVALID_MAX_AGE_ERROR       = "max-age must be a number.".freeze
+
+    class << self
+      # Public: Generate a Expect-CT header.
+      #
+      # Returns nil if not configured, returns header name and value if
+      # configured.
+      def make_header(config)
+        return if config.nil?
+
+        header = new(config)
+        [HEADER_NAME, header.value]
+      end
+
+      def validate_config!(config)
+        return if config.nil? || config == OPT_OUT
+        raise ExpectCertificateTransparencyConfigError.new(INVALID_CONFIGURATION_ERROR) unless config.is_a? Hash
+
+        unless [true, false, nil].include?(config[:enforce])
+          raise ExpectCertificateTransparencyConfigError.new(INVALID_ENFORCE_VALUE_ERROR)
+        end
+
+        if !config[:max_age]
+          raise ExpectCertificateTransparencyConfigError.new(REQUIRED_MAX_AGE_ERROR)
+        elsif config[:max_age].to_s !~ /\A\d+\z/
+          raise ExpectCertificateTransparencyConfigError.new(INVALID_MAX_AGE_ERROR)
+        end
+      end
+    end
+
+    def initialize(config)
+      @enforced   = config.fetch(:enforce, nil)
+      @max_age    = config.fetch(:max_age, nil)
+      @report_uri = config.fetch(:report_uri, nil)
+    end
+
+    def value
+      [
+        enforced_directive,
+        max_age_directive,
+        report_uri_directive
+      ].compact.join("; ").strip
+    end
+
+    def enforced_directive
+      # Unfortunately `if @enforced` isn't enough here in case someone
+      # passes in a random string so let's be specific with it to prevent
+      # accidental enforcement.
+      "enforce" if @enforced == true
+    end
+
+    def max_age_directive
+      "max-age=#{@max_age}" if @max_age
+    end
+
+    def report_uri_directive
+      "report-uri=\"#{@report_uri}\"" if @report_uri
+    end
+  end
+end

data/lib/secure_headers/headers/policy_management.rb

@@ -116,18 +116,6 @@ module SecureHeaders
     # everything else is in between.
     BODY_DIRECTIVES = ALL_DIRECTIVES - [DEFAULT_SRC, REPORT_URI]
 
-    # These are directives that do not inherit the default-src value. This is
-    # useful when calling #combine_policies.
-    NON_FETCH_SOURCES = [
-      BASE_URI,
-      FORM_ACTION,
-      FRAME_ANCESTORS,
-      PLUGIN_TYPES,
-      REPORT_URI
-    ]
-
-    FETCH_SOURCES = ALL_DIRECTIVES - NON_FETCH_SOURCES
-
     VARIATIONS = {
       "Chrome" => CHROME_DIRECTIVES,
       "Opera" => CHROME_DIRECTIVES,
@@ -155,14 +143,30 @@ module SecureHeaders
       MANIFEST_SRC              => :source_list,
       MEDIA_SRC                 => :source_list,
       OBJECT_SRC                => :source_list,
-      PLUGIN_TYPES              => :source_list,
+      PLUGIN_TYPES              => :media_type_list,
       REPORT_URI                => :source_list,
-      SANDBOX                   => :source_list,
+      SANDBOX                   => :sandbox_list,
       SCRIPT_SRC                => :source_list,
       STYLE_SRC                 => :source_list,
       UPGRADE_INSECURE_REQUESTS => :boolean
     }.freeze
 
+    # These are directives that don't have use a source list, and hence do not
+    # inherit the default-src value.
+    NON_SOURCE_LIST_SOURCES = DIRECTIVE_VALUE_TYPES.select do |_, type|
+      type != :source_list
+    end.keys.freeze
+
+    # These are directives that take a source list, but that do not inherit
+    # the default-src value.
+    NON_FETCH_SOURCES = [
+      BASE_URI,
+      FORM_ACTION,
+      FRAME_ANCESTORS,
+      REPORT_URI
+    ]
+
+    FETCH_SOURCES = ALL_DIRECTIVES - NON_FETCH_SOURCES - NON_SOURCE_LIST_SOURCES
 
     STAR_REGEXP = Regexp.new(Regexp.escape(STAR))
     HTTP_SCHEME_REGEX = %r{\Ahttps?://}
@@ -264,7 +268,7 @@ module SecureHeaders
       # when each hash contains a value for a given key.
       def merge_policy_additions(original, additions)
         original.merge(additions) do |directive, lhs, rhs|
-          if source_list?(directive)
+          if list_directive?(directive)
             (lhs.to_a + rhs.to_a).compact.uniq
           else
             rhs
@@ -272,20 +276,27 @@ module SecureHeaders
         end.reject { |_, value| value.nil? || value == [] } # this mess prevents us from adding empty directives.
       end
 
+      # Returns True if a directive expects a list of values and False otherwise.
+      def list_directive?(directive)
+        source_list?(directive) ||
+          sandbox_list?(directive) ||
+          media_type_list?(directive)
+      end
+
       # For each directive in additions that does not exist in the original config,
       # copy the default-src value to the original config. This modifies the original hash.
       def populate_fetch_source_with_default!(original, additions)
         # in case we would be appending to an empty directive, fill it with the default-src value
         additions.each_key do |directive|
-          if !original[directive] && ((source_list?(directive) && FETCH_SOURCES.include?(directive)) || nonce_added?(original, additions))
-            if nonce_added?(original, additions)
-              inferred_directive = directive.to_s.gsub(/_nonce/, "_src").to_sym
-              unless original[inferred_directive] || NON_FETCH_SOURCES.include?(inferred_directive)
-                original[inferred_directive] = default_for(directive, original)
-              end
-            else
-              original[directive] = default_for(directive, original)
-            end
+          directive = if directive.to_s.end_with?("_nonce")
+            directive.to_s.gsub(/_nonce/, "_src").to_sym
+          else
+            directive
+          end
+          # Don't set a default if directive has an existing value
+          next if original[directive]
+          if FETCH_SOURCES.include?(directive)
+            original[directive] = default_for(directive, original)
           end
         end
       end
@@ -296,45 +307,77 @@ module SecureHeaders
         original[DEFAULT_SRC]
       end
 
-      def nonce_added?(original, additions)
-        [:script_nonce, :style_nonce].each do |nonce|
-          if additions[nonce] && !original[nonce]
-            return true
-          end
-        end
-      end
-
       def source_list?(directive)
         DIRECTIVE_VALUE_TYPES[directive] == :source_list
       end
 
+      def sandbox_list?(directive)
+        DIRECTIVE_VALUE_TYPES[directive] == :sandbox_list
+      end
+
+      def media_type_list?(directive)
+        DIRECTIVE_VALUE_TYPES[directive] == :media_type_list
+      end
+
       # Private: Validates that the configuration has a valid type, or that it is a valid
       # source expression.
-      def validate_directive!(directive, source_expression)
+      def validate_directive!(directive, value)
+        ensure_valid_directive!(directive)
         case ContentSecurityPolicy::DIRECTIVE_VALUE_TYPES[directive]
         when :boolean
-          unless boolean?(source_expression)
-            raise ContentSecurityPolicyConfigError.new("#{directive} must be a boolean value")
-          end
-        when :string
-          unless source_expression.is_a?(String)
-            raise ContentSecurityPolicyConfigError.new("#{directive} Must be a string. Found #{config.class}: #{config} value")
+          unless boolean?(value)
+            raise ContentSecurityPolicyConfigError.new("#{directive} must be a boolean. Found #{value.class} value")
           end
+        when :sandbox_list
+          validate_sandbox_expression!(directive, value)
+        when :media_type_list
+          validate_media_type_expression!(directive, value)
+        when :source_list
+          validate_source_expression!(directive, value)
         else
-          validate_source_expression!(directive, source_expression)
+          raise ContentSecurityPolicyConfigError.new("Unknown directive #{directive}")
+        end
+      end
+
+      # Private: validates that a sandbox token expression:
+      # 1. is an array of strings or optionally `true` (to enable maximal sandboxing)
+      # 2. For arrays, each element is of the form allow-*
+      def validate_sandbox_expression!(directive, sandbox_token_expression)
+        # We support sandbox: true to indicate a maximally secure sandbox.
+        return if boolean?(sandbox_token_expression) && sandbox_token_expression == true
+        ensure_array_of_strings!(directive, sandbox_token_expression)
+        valid = sandbox_token_expression.compact.all? do |v|
+          v.is_a?(String) && v.start_with?("allow-")
+        end
+        if !valid
+          raise ContentSecurityPolicyConfigError.new("#{directive} must be True or an array of zero or more sandbox token strings (ex. allow-forms)")
+        end
+      end
+
+      # Private: validates that a media type expression:
+      # 1. is an array of strings
+      # 2. each element is of the form type/subtype
+      def validate_media_type_expression!(directive, media_type_expression)
+        ensure_array_of_strings!(directive, media_type_expression)
+        valid = media_type_expression.compact.all? do |v|
+          # All media types are of the form: <type from RFC 2045> "/" <subtype from RFC 2045>.
+          v =~ /\A.+\/.+\z/
+        end
+        if !valid
+          raise ContentSecurityPolicyConfigError.new("#{directive} must be an array of valid media types (ex. application/pdf)")
         end
       end
 
       # Private: validates that a source expression:
-      # 1. has a valid name
-      # 2. is an array of strings
-      # 3. does not contain any depreated, now invalid values (inline, eval, self, none)
+      # 1. is an array of strings
+      # 2. does not contain any deprecated, now invalid values (inline, eval, self, none)
       #
       # Does not validate the invididual values of the source expression (e.g.
       # script_src => h*t*t*p: will not raise an exception)
       def validate_source_expression!(directive, source_expression)
-        ensure_valid_directive!(directive)
-        ensure_array_of_strings!(directive, source_expression)
+        if source_expression != OPT_OUT
+          ensure_array_of_strings!(directive, source_expression)
+        end
         ensure_valid_sources!(directive, source_expression)
       end
 
@@ -344,8 +387,8 @@ module SecureHeaders
         end
       end
 
-      def ensure_array_of_strings!(directive, source_expression)
-        if (!source_expression.is_a?(Array) || !source_expression.compact.all? { |v| v.is_a?(String) }) && source_expression != OPT_OUT
+      def ensure_array_of_strings!(directive, value)
+        if (!value.is_a?(Array) || !value.compact.all? { |v| v.is_a?(String) })
           raise ContentSecurityPolicyConfigError.new("#{directive} must be an array of strings")
         end
       end

data/secure_headers.gemspec

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "4.0.0.alpha03"
+  gem.version       = "4.0.0.alpha04"
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
   gem.description   = "Manages application of security headers with many safe defaults."

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -96,6 +96,21 @@ module SecureHeaders
         expect(csp.value).to eq("default-src example.org")
       end
 
+      it "creates maximally strict sandbox policy when passed no sandbox token values" do
+        csp = ContentSecurityPolicy.new(default_src: %w(example.org), sandbox: [])
+        expect(csp.value).to eq("default-src example.org; sandbox")
+      end
+
+      it "creates maximally strict sandbox policy when passed true" do
+        csp = ContentSecurityPolicy.new(default_src: %w(example.org), sandbox: true)
+        expect(csp.value).to eq("default-src example.org; sandbox")
+      end
+
+      it "creates sandbox policy when passed valid sandbox token values" do
+        csp = ContentSecurityPolicy.new(default_src: %w(example.org), sandbox: %w(allow-forms allow-scripts))
+        expect(csp.value).to eq("default-src example.org; sandbox allow-forms allow-scripts")
+      end
+
       it "does not emit a warning when using frame-src" do
         expect(Kernel).to_not receive(:warn)
         ContentSecurityPolicy.new(default_src: %w('self'), frame_src: %w('self')).value
@@ -120,50 +135,52 @@ module SecureHeaders
             block_all_mixed_content: true,
             upgrade_insecure_requests: true,
             script_src: %w(script-src.com),
-            script_nonce: 123456
+            script_nonce: 123456,
+            sandbox: %w(allow-forms),
+            plugin_types: %w(application/pdf)
           })
         end
 
         it "does not filter any directives for Chrome" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:chrome])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
         end
 
         it "does not filter any directives for Opera" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:opera])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
         end
 
         it "filters blocked-all-mixed-content, child-src, and plugin-types for firefox" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:firefox])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
         end
 
         it "filters blocked-all-mixed-content, frame-src, and plugin-types for firefox 46 and higher" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:firefox46])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
         end
 
         it "child-src value is copied to frame-src, adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, upgrade-insecure-requests, child-src, form-action, frame-ancestors, nonce sources, hash sources, and plugin-types for Edge" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:edge])
-          expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
         end
 
         it "child-src value is copied to frame-src, adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, upgrade-insecure-requests, child-src, form-action, frame-ancestors, nonce sources, hash sources, and plugin-types for safari" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:safari6])
-          expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
         end
 
         it "adds 'unsafe-inline', filters  blocked-all-mixed-content, upgrade-insecure-requests, nonce sources, and hash sources for safari 10 and higher" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:safari10])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; report-uri report-uri.com")
         end
 
         it "falls back to standard Firefox defaults when the useragent version is not present" do
           ua = USER_AGENTS[:firefox].dup
           allow(ua).to receive(:version).and_return(nil)
           policy = ContentSecurityPolicy.new(complex_opts, ua)
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
         end
       end
     end

data/spec/lib/secure_headers/headers/expect_certificate_spec.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+require "spec_helper"
+
+module SecureHeaders
+  describe ExpectCertificateTransparency do
+    specify { expect(ExpectCertificateTransparency.new(max_age: 1234, enforce: true).value).to eq("enforce; max-age=1234") }
+    specify { expect(ExpectCertificateTransparency.new(max_age: 1234, enforce: false).value).to eq("max-age=1234") }
+    specify { expect(ExpectCertificateTransparency.new(max_age: 1234, enforce: "yolocopter").value).to eq("max-age=1234") }
+    specify { expect(ExpectCertificateTransparency.new(max_age: 1234, report_uri: "https://report-uri.io/expect-ct").value).to eq("max-age=1234; report-uri=\"https://report-uri.io/expect-ct\"") }
+    specify do
+      config = { enforce: true, max_age: 1234, report_uri: "https://report-uri.io/expect-ct" }
+      header_value = "enforce; max-age=1234; report-uri=\"https://report-uri.io/expect-ct\""
+      expect(ExpectCertificateTransparency.new(config).value).to eq(header_value)
+    end
+
+    context "with an invalid configuration" do
+      it "raises an exception when configuration isn't a hash" do
+        expect do
+          ExpectCertificateTransparency.validate_config!(%w(a))
+        end.to raise_error(ExpectCertificateTransparencyConfigError)
+      end
+
+      it "raises an exception when max-age is not provided" do
+        expect do
+          ExpectCertificateTransparency.validate_config!(foo: "bar")
+        end.to raise_error(ExpectCertificateTransparencyConfigError)
+      end
+
+      it "raises an exception with an invalid max-age" do
+        expect do
+          ExpectCertificateTransparency.validate_config!(max_age: "abc123")
+        end.to raise_error(ExpectCertificateTransparencyConfigError)
+      end
+
+      it "raises an exception with an invalid enforce value" do
+        expect do
+          ExpectCertificateTransparency.validate_config!(enforce: "brokenstring")
+        end.to raise_error(ExpectCertificateTransparencyConfigError)
+      end
+    end
+  end
+end

data/spec/lib/secure_headers/headers/policy_management_spec.rb

@@ -111,6 +111,36 @@ module SecureHeaders
           ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w(self none inline eval), script_src: %w('self')))
         end.to raise_error(ContentSecurityPolicyConfigError)
       end
+
+      it "rejects anything not of the form allow-* as a sandbox value" do
+        expect do
+          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(sandbox: ["steve"])))
+        end.to raise_error(ContentSecurityPolicyConfigError)
+      end
+
+      it "accepts anything of the form allow-* as a sandbox value " do
+        expect do
+          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(sandbox: ["allow-foo"])))
+        end.to_not raise_error
+      end
+
+      it "accepts true as a sandbox policy" do
+        expect do
+          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(sandbox: true)))
+        end.to_not raise_error
+      end
+
+      it "rejects anything not of the form type/subtype as a plugin-type value" do
+        expect do
+          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(plugin_types: ["steve"])))
+        end.to raise_error(ContentSecurityPolicyConfigError)
+      end
+
+      it "accepts anything of the form type/subtype as a plugin-type value " do
+        expect do
+          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(plugin_types: ["application/pdf"])))
+        end.to_not raise_error
+      end
     end
 
     describe "#combine_policies" do

data/spec/spec_helper.rb

@@ -33,6 +33,7 @@ def expect_default_values(hash)
   expect(hash[SecureHeaders::XContentTypeOptions::HEADER_NAME]).to eq(SecureHeaders::XContentTypeOptions::DEFAULT_VALUE)
   expect(hash[SecureHeaders::XPermittedCrossDomainPolicies::HEADER_NAME]).to eq(SecureHeaders::XPermittedCrossDomainPolicies::DEFAULT_VALUE)
   expect(hash[SecureHeaders::ReferrerPolicy::HEADER_NAME]).to be_nil
+  expect(hash[SecureHeaders::ExpectCertificateTransparency::HEADER_NAME]).to be_nil
 end
 
 module SecureHeaders

data/upgrading-to-4-0.md

@@ -18,6 +18,12 @@ config.cookies = {
 config.cookies = OPT_OUT
 ```
 
+## script_src must be set
+
+Not setting a `script_src` value means your policy falls back to whatever `default_src` (also required) is set to. This can be very dangerous and indicates the policy is too loose. 
+
+However, sometimes you really don't need a `script-src` e.g. API responses (`default-src 'none'`) so you can set `script_src: SecureHeaders::OPT_OUT` to work around this.
+
 ## Default Content Security Policy
 
 The default CSP has changed to be more universal without sacrificing too much security.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 4.0.0.alpha03
+  version: 4.0.0.alpha04
 platform: ruby
 authors:
 - Neil Matatall
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-07-25 00:00:00.000000000 Z
+date: 2017-09-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -74,6 +74,7 @@ files:
 - lib/secure_headers/headers/content_security_policy.rb
 - lib/secure_headers/headers/content_security_policy_config.rb
 - lib/secure_headers/headers/cookie.rb
+- lib/secure_headers/headers/expect_certificate_transparency.rb
 - lib/secure_headers/headers/policy_management.rb
 - lib/secure_headers/headers/public_key_pins.rb
 - lib/secure_headers/headers/referrer_policy.rb
@@ -93,6 +94,7 @@ files:
 - spec/lib/secure_headers/headers/clear_site_data_spec.rb
 - spec/lib/secure_headers/headers/content_security_policy_spec.rb
 - spec/lib/secure_headers/headers/cookie_spec.rb
+- spec/lib/secure_headers/headers/expect_certificate_spec.rb
 - spec/lib/secure_headers/headers/policy_management_spec.rb
 - spec/lib/secure_headers/headers/public_key_pins_spec.rb
 - spec/lib/secure_headers/headers/referrer_policy_spec.rb
@@ -143,6 +145,7 @@ test_files:
 - spec/lib/secure_headers/headers/clear_site_data_spec.rb
 - spec/lib/secure_headers/headers/content_security_policy_spec.rb
 - spec/lib/secure_headers/headers/cookie_spec.rb
+- spec/lib/secure_headers/headers/expect_certificate_spec.rb
 - spec/lib/secure_headers/headers/policy_management_spec.rb
 - spec/lib/secure_headers/headers/public_key_pins_spec.rb
 - spec/lib/secure_headers/headers/referrer_policy_spec.rb