secure_headers 6.3.4 → 6.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3953b8d0c4ce0a01012d4d6475ad94c60ce4b06b9d93994ef14cc2474ced6177
-  data.tar.gz: 3aa96804cacf26d4a275b19e870755313a3afd055b598014749d0338e4f0f4af
+  metadata.gz: e5372953d5180d45526a777c1b66e7e86a8ccfca08f6b7b613549d8ba1509a6e
+  data.tar.gz: 0d1cc3b012df7b1cfd549bcf09063a390945b05c03009acda31017f859ff7d2d
 SHA512:
-  metadata.gz: b04fd60ff28519273f29d335b81b44ebfe938d4e97d82d31b69d8596dc84e38c812573248e7b70bb142fecebab357c7f34f9f10934edaf354e3174915220580f
-  data.tar.gz: 10748a3ff12365fffe42828fe324e0bfbb3f146635b095a9e8a13b5a57b5bdfe17a5463df3b5009d8591dbc88494c45036a12dd061fc6b8e921c4c99a0d523ef
+  metadata.gz: 35844f24ecb678a83548492545403bc174a6d0ce74896f7817d93cb30f62d97b415ea876dccd3efbed7cad3e5dd5c9cda4f676f7dc2c858b2f2010f2c33a0f73
+  data.tar.gz: 196a212de355c06a2a3fee6c22302fb1bfd7471dba402124adc7072f90dbd0c4a5b3ee8fa7604d0b164479717bfb65050d3b4802948410b61aba3382d5c8eb39

data/.github/workflows/build.yml

@@ -7,7 +7,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        ruby: [ '2.5', '2.6', '2.7', '3.0' ]
+        ruby: [ '2.5', '2.6', '2.7', '3.0', '3.1' ]
 
     steps:
     - uses: actions/checkout@v2

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 6.4.0
+
+- CSP: Add support for trusted-types, require-trusted-types-for directive (@JackMc): https://github.com/github/secure_headers/pull/486
+
 ## 6.3.4
 
 - CSP: Do not deduplicate alternate schema source expressions (@keithamus): https://github.com/github/secure_headers/pull/478

data/lib/secure_headers/configuration.rb

@@ -84,11 +84,12 @@ module SecureHeaders
       def deep_copy(config)
         return unless config
         config.each_with_object({}) do |(key, value), hash|
-          hash[key] = if value.is_a?(Array)
-            value.dup
-          else
-            value
-          end
+          hash[key] =
+            if value.is_a?(Array)
+              value.dup
+            else
+              value
+            end
         end
       end
 

data/lib/secure_headers/headers/content_security_policy.rb

@@ -7,17 +7,18 @@ module SecureHeaders
     include PolicyManagement
 
     def initialize(config = nil)
-      @config = if config.is_a?(Hash)
-        if config[:report_only]
-          ContentSecurityPolicyReportOnlyConfig.new(config || DEFAULT_CONFIG)
+      @config =
+        if config.is_a?(Hash)
+          if config[:report_only]
+            ContentSecurityPolicyReportOnlyConfig.new(config || DEFAULT_CONFIG)
+          else
+            ContentSecurityPolicyConfig.new(config || DEFAULT_CONFIG)
+          end
+        elsif config.nil?
+          ContentSecurityPolicyConfig.new(DEFAULT_CONFIG)
         else
-          ContentSecurityPolicyConfig.new(config || DEFAULT_CONFIG)
+          config
         end
-      elsif config.nil?
-        ContentSecurityPolicyConfig.new(DEFAULT_CONFIG)
-      else
-        config
-      end
 
       @preserve_schemes = @config.preserve_schemes
       @script_nonce = @config.script_nonce
@@ -34,11 +35,12 @@ module SecureHeaders
     ##
     # Return the value of the CSP header
     def value
-      @value ||= if @config
-        build_value
-      else
-        DEFAULT_VALUE
-      end
+      @value ||=
+        if @config
+          build_value
+        else
+          DEFAULT_VALUE
+        end
     end
 
     private
@@ -51,7 +53,9 @@ module SecureHeaders
     def build_value
       directives.map do |directive_name|
         case DIRECTIVE_VALUE_TYPES[directive_name]
-        when :source_list, :require_sri_for_list # require_sri is a simple set of strings that don't need to deal with symbol casing
+        when :source_list,
+             :require_sri_for_list, # require_sri is a simple set of strings that don't need to deal with symbol casing
+             :require_trusted_types_for_list
           build_source_list_directive(directive_name)
         when :boolean
           symbol_to_hyphen_case(directive_name) if @config.directive_value(directive_name)

data/lib/secure_headers/headers/content_security_policy_config.rb

@@ -35,6 +35,7 @@ module SecureHeaders
       @report_only = nil
       @report_uri = nil
       @require_sri_for = nil
+      @require_trusted_types_for = nil
       @sandbox = nil
       @script_nonce = nil
       @script_src = nil
@@ -44,6 +45,7 @@ module SecureHeaders
       @style_src = nil
       @style_src_elem = nil
       @style_src_attr = nil
+      @trusted_types = nil
       @worker_src = nil
       @upgrade_insecure_requests = nil
       @disable_nonce_backwards_compatibility = nil

data/lib/secure_headers/headers/policy_management.rb

@@ -98,7 +98,19 @@ module SecureHeaders
       STYLE_SRC_ATTR
     ].flatten.freeze
 
-    ALL_DIRECTIVES = (DIRECTIVES_1_0 + DIRECTIVES_2_0 + DIRECTIVES_3_0).uniq.sort
+    # Experimental directives - these vary greatly in support
+    # See MDN for details.
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types
+    TRUSTED_TYPES = :trusted_types
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for
+    REQUIRE_TRUSTED_TYPES_FOR = :require_trusted_types_for
+
+    DIRECTIVES_EXPERIMENTAL = [
+      TRUSTED_TYPES,
+      REQUIRE_TRUSTED_TYPES_FOR,
+    ].flatten.freeze
+
+    ALL_DIRECTIVES = (DIRECTIVES_1_0 + DIRECTIVES_2_0 + DIRECTIVES_3_0 + DIRECTIVES_EXPERIMENTAL).uniq.sort
 
     # Think of default-src and report-uri as the beginning and end respectively,
     # everything else is in between.
@@ -121,6 +133,7 @@ module SecureHeaders
       OBJECT_SRC                => :source_list,
       PLUGIN_TYPES              => :media_type_list,
       REQUIRE_SRI_FOR           => :require_sri_for_list,
+      REQUIRE_TRUSTED_TYPES_FOR => :require_trusted_types_for_list,
       REPORT_URI                => :source_list,
       PREFETCH_SRC              => :source_list,
       SANDBOX                   => :sandbox_list,
@@ -130,6 +143,7 @@ module SecureHeaders
       STYLE_SRC                 => :source_list,
       STYLE_SRC_ELEM            => :source_list,
       STYLE_SRC_ATTR            => :source_list,
+      TRUSTED_TYPES             => :source_list,
       WORKER_SRC                => :source_list,
       UPGRADE_INSECURE_REQUESTS => :boolean,
     }.freeze
@@ -175,6 +189,7 @@ module SecureHeaders
     ].freeze
 
     REQUIRE_SRI_FOR_VALUES = Set.new(%w(script style))
+    REQUIRE_TRUSTED_TYPES_FOR_VALUES = Set.new(%w(script))
 
     module ClassMethods
       # Public: generate a header name, value array that is user-agent-aware.
@@ -270,7 +285,8 @@ module SecureHeaders
         source_list?(directive) ||
           sandbox_list?(directive) ||
           media_type_list?(directive) ||
-          require_sri_for_list?(directive)
+          require_sri_for_list?(directive) ||
+          require_trusted_types_for_list?(directive)
       end
 
       # For each directive in additions that does not exist in the original config,
@@ -278,11 +294,12 @@ module SecureHeaders
       def populate_fetch_source_with_default!(original, additions)
         # in case we would be appending to an empty directive, fill it with the default-src value
         additions.each_key do |directive|
-          directive = if directive.to_s.end_with?("_nonce")
-            directive.to_s.gsub(/_nonce/, "_src").to_sym
-          else
-            directive
-          end
+          directive =
+            if directive.to_s.end_with?("_nonce")
+              directive.to_s.gsub(/_nonce/, "_src").to_sym
+            else
+              directive
+            end
           # Don't set a default if directive has an existing value
           next if original[directive]
           if FETCH_SOURCES.include?(directive)
@@ -307,6 +324,10 @@ module SecureHeaders
         DIRECTIVE_VALUE_TYPES[directive] == :require_sri_for_list
       end
 
+      def require_trusted_types_for_list?(directive)
+        DIRECTIVE_VALUE_TYPES[directive] == :require_trusted_types_for_list
+      end
+
       # Private: Validates that the configuration has a valid type, or that it is a valid
       # source expression.
       def validate_directive!(directive, value)
@@ -324,6 +345,8 @@ module SecureHeaders
           validate_media_type_expression!(directive, value)
         when :require_sri_for_list
           validate_require_sri_source_expression!(directive, value)
+        when :require_trusted_types_for_list
+          validate_require_trusted_types_for_source_expression!(directive, value)
         else
           raise ContentSecurityPolicyConfigError.new("Unknown directive #{directive}")
         end
@@ -368,6 +391,16 @@ module SecureHeaders
         end
       end
 
+      # Private: validates that a require trusted types for expression:
+      # 1. is an array of strings
+      # 2. is a subset of ["script"]
+      def validate_require_trusted_types_for_source_expression!(directive, require_trusted_types_for_expression)
+        ensure_array_of_strings!(directive, require_trusted_types_for_expression)
+        unless require_trusted_types_for_expression.to_set.subset?(REQUIRE_TRUSTED_TYPES_FOR_VALUES)
+          raise ContentSecurityPolicyConfigError.new(%(require-trusted-types-for for must be a subset of #{REQUIRE_TRUSTED_TYPES_FOR_VALUES.to_a} but was #{require_trusted_types_for_expression}))
+        end
+      end
+
       # Private: validates that a source expression:
       # 1. is an array of strings
       # 2. does not contain any deprecated, now invalid values (inline, eval, self, none)

data/lib/secure_headers/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module SecureHeaders
-  VERSION = "6.3.4"
+  VERSION = "6.4.0"
 end

data/lib/secure_headers/view_helper.rb

@@ -147,12 +147,13 @@ module SecureHeaders
 
     def nonced_tag(type, content_or_options, block)
       options = {}
-      content = if block
-        options = content_or_options
-        capture(&block)
-      else
-        content_or_options.html_safe # :'(
-      end
+      content =
+        if block
+          options = content_or_options
+          capture(&block)
+        else
+          content_or_options.html_safe # :'(
+        end
       content_tag type, content, options.merge(nonce: _content_security_policy_nonce(type))
     end
 

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -146,6 +146,11 @@ module SecureHeaders
         expect(csp.value).to eq("default-src 'self'; require-sri-for script style")
       end
 
+      it "allows style as a require-trusted-types-for source" do
+        csp = ContentSecurityPolicy.new(default_src: %w('self'), require_trusted_types_for: %w(script))
+        expect(csp.value).to eq("default-src 'self'; require-trusted-types-for script")
+      end
+
       it "includes prefetch-src" do
         csp = ContentSecurityPolicy.new(default_src: %w('self'), prefetch_src: %w(foo.com))
         expect(csp.value).to eq("default-src 'self'; prefetch-src foo.com")
@@ -185,6 +190,21 @@ module SecureHeaders
         csp = ContentSecurityPolicy.new({style_src: %w('self'), style_src_attr: %w('self')})
         expect(csp.value).to eq("style-src 'self'; style-src-attr 'self'")
       end
+
+      it "supports trusted-types directive" do
+        csp = ContentSecurityPolicy.new({trusted_types: %w(blahblahpolicy)})
+        expect(csp.value).to eq("trusted-types blahblahpolicy")
+      end
+
+      it "supports trusted-types directive with 'none'" do
+        csp = ContentSecurityPolicy.new({trusted_types: %w(none)})
+        expect(csp.value).to eq("trusted-types none")
+      end
+
+      it "allows duplicate policy names in trusted-types directive" do
+        csp = ContentSecurityPolicy.new({trusted_types: %w(blahblahpolicy 'allow-duplicates')})
+        expect(csp.value).to eq("trusted-types blahblahpolicy 'allow-duplicates'")
+      end
     end
   end
 end

data/spec/lib/secure_headers/headers/policy_management_spec.rb

@@ -45,6 +45,7 @@ module SecureHeaders
           plugin_types: %w(application/x-shockwave-flash),
           prefetch_src: %w(fetch.com),
           require_sri_for: %w(script style),
+          require_trusted_types_for: %w(script),
           script_src: %w('self'),
           style_src: %w('unsafe-inline'),
           upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
@@ -53,6 +54,7 @@ module SecureHeaders
           script_src_attr: %w(example.com),
           style_src_elem: %w(example.com),
           style_src_attr: %w(example.com),
+          trusted_types: %w(abcpolicy),
 
           report_uri: %w(https://example.com/uri-directive),
         }
@@ -120,6 +122,12 @@ module SecureHeaders
         end.to raise_error(ContentSecurityPolicyConfigError)
       end
 
+      it "rejects style for trusted types" do
+        expect do
+          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(style_src: %w('self'), require_trusted_types_for: %w(script style), trusted_types: %w(abcpolicy))))
+        end
+      end
+
       # this is mostly to ensure people don't use the antiquated shorthands common in other configs
       it "performs light validation on source lists" do
         expect do

data/spec/lib/secure_headers/view_helpers_spec.rb

@@ -6,7 +6,7 @@ class Message < ERB
   include SecureHeaders::ViewHelpers
 
   def self.template
-<<-TEMPLATE
+    <<-TEMPLATE
 <% hashed_javascript_tag(raise_error_on_unrecognized_hash = true) do %>
   console.log(1)
 <% end %>
@@ -62,9 +62,10 @@ TEMPLATE
   end
 
   def content_tag(type, content = nil, options = nil, &block)
-    content = if block_given?
-      capture(block)
-    end
+    content =
+      if block_given?
+        capture(block)
+      end
 
     if options.is_a?(Hash)
       options = options.map { |k, v| " #{k}=#{v}" }

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 6.3.4
+  version: 6.4.0
 platform: ruby
 authors:
 - Neil Matatall
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-06-28 00:00:00.000000000 Z
+date: 2022-08-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -116,7 +116,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3.1
+rubygems_version: 3.2.9
 signing_key: 
 specification_version: 4
 summary: Add easily configured security headers to responses including content-security-policy,