yaml_csp_config 1.0.3 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4d364ca228a1c6e897f15ceb024b277fe0d5ca6e857b8408e2beec971cd3ea62
-  data.tar.gz: 9dd744ccf9ee54ac541b364f829fbc284c839826c7a1bf2b862e4a06f7ae4bc1
+  metadata.gz: e7621b0c8c7678d033718dc0cbc40b6a1e1511f1f16a5a0bd143d1f3917224fa
+  data.tar.gz: 9b5b960c7b7b0764c7019b1fbe37ebcffbe7365f3f716d2996c0f2dad59228d0
 SHA512:
-  metadata.gz: b860612f0350846c2af70a0fe469f2b42b8dcdafd1899925e4a67834b971d6530481ab56b07c12a59e15d1f308ba7bef0e0f535bfdd08d69e6fc25947d71ef4b
-  data.tar.gz: 497d63f942a225ce8127bb516a8425330c1fce9cdb9e90fb97cfbc4400f6306cdfc6126738ea05d7972a6ab16e4ae6d8fb95f2c9038727b3aba8b04356cce10f
+  metadata.gz: a9fd4e9f2f152d0921ed9f9cc29ec2ec10de464a611a36fc01a78701136904dee686b6790d7e6c09cf763735efcfaed965defae93f8c38a616746b6f14f2c142
+  data.tar.gz: 4e6f9cfc2d777baaf0baf72e52b0800f7a2bdeaf73a1c65f68e618bb27d56925ab40e435de253343f289e1af829bb37a06d85a7a5f7a61ba62e07d50fd2f761a

data/README.md

@@ -2,92 +2,31 @@
 
 ### What?
 
-This Rails plugin gem is designed to allow you to be able to specify your content security policy 
-for Rails 5.2+ in a YAML file, instead of using the Rails DSL. 
+A gem for Rails 6+ that allows you to specify your content security policy (CSP) in a YAML file, instead of using the Rails DSL. 
 
-This makes the configuration  of your content security policy more akin to configuring other things 
-through YAML files. 
-  
-The gem also contains a extra few features. These allow you to add content security policy configuration
-via environment variables, either by configuring a specific addition for a specific directive or by 
-configuring the name of a group of configurations to be applied from the configuration file in the 
-application. This is useful for deployed environments where the content security policy may be slightly 
-different per deployment.
 
 ### Why?
 
-* Configure your CSP in YAML
-* Provide additional CSP configuration which is applied according to environment variables
-
-## Example
-
-Below is an artificial example of a security policy before and after converting DSL to YAML, 
-making use of YAML aliases to allow sharing of policy  configurations:
-
-### Before (Without this gem):
-
-`config/initializers/content_security_policy.rb`
-
-```ruby
-GOOGLE_STATIC = ["https://*.googleapis.com", "https://*.gstatic.com"].freeze
-
-CSP_SCRIPT_HOSTS = %w[
-  https://cdnjs.cloudflare.com
-  https://www.google-analytics.com
-  https://maps.googleapis.com
-].freeze
-
-CSP_FONT_HOSTS = (["https://fonts.gstatic.com"] + GOOGLE_STATIC).freeze
+The YAML configuration is potentially more structured, and easier to read and maintain
+than using the Ruby DSL with conditional logic on env vars and so on.
 
-CSP_IMAGE_HOSTS =  (["https://s3.amazonaws.com"] + GOOGLE_STATIC).freeze
-  
-CSP_WEBPACKER_HOST = "http://localhost:3035"
+Also config of the CSP becomes similar to configuring other things in Rails, such as the database, via YAML files. 
 
-CSP_DEV_CONNECT_SRC = %w[
-  http://localhost:3035
-  ws://localhost:3000
-  ws://localhost:3035
-  ws://127.0.0.1:35729
-].freeze
-
-CSP_REVIEW_CONNECT_SRC = %w[
-  wss://*.herokuapp.com
-].freeze
+### Features
 
-Rails.application.config.content_security_policy do |policy|
-  policy.report_uri("/csp-violation-report-endpoint")
-
-  policy.default_src(:self)
-
-  policy.object_src(:none)
-    
-  policy.font_src(:self, *CSP_FONT_HOSTS)
-  
-  policy.style_src(:self, :data, :unsafe_inline)
-
-  if Rails.env.development?
-    policy.img_src(:self, :data, CSP_WEBPACKER_HOST, *CSP_IMAGE_HOSTS)
-
-    policy.script_src(:self, :unsafe_eval, CSP_WEBPACKER_HOST, *CSP_SCRIPT_HOSTS)
-     
-    policy.connect_src(:self, *CSP_DEV_CONNECT_SRC)
-  else
-    policy.img_src(:self, :data, *CSP_IMAGE_HOSTS)
+* Configure your CSP in YAML
+  * Use anchors/aliases to avoid duplicated blocks of URLs between different policy directives
+  * Create Rails env specific configurations (eg directives only for `development`)
+* Extend the content security policy configuration via environment variables. Useful for deployed environments where the CSP is different per deployment.
+  1) configure a specific addition for a specific directive or 
+  2) specify the name of a group of configurations to be applied. 
+* The YAML file can contain ERB
 
-    policy.script_src(:self, *CSP_SCRIPT_HOSTS)
-  
-    if ENV["IN_REVIEW_APP"].present?
-      policy.connect_src(:self, *CSP_REVIEW_CONNECT_SRC)
-    else
-      policy.connect_src(:self)
-    end
-  end
-end
+## Example
 
-# ...
-```
+Below is an example of a security policy in YAML and Rails DSL.
 
-### After (With this gem):
+### In YAML (with this gem):
 
 `config/content_security_policy.yml`
 
@@ -149,6 +88,68 @@ review_apps:
     - wss://*.herokuapp.com
 ```
 
+### Equivalent in Ruby DSL:
+
+`config/initializers/content_security_policy.rb`
+
+```ruby
+GOOGLE_STATIC = ["https://*.googleapis.com", "https://*.gstatic.com"].freeze
+
+CSP_SCRIPT_HOSTS = %w[
+  https://cdnjs.cloudflare.com
+  https://www.google-analytics.com
+  https://maps.googleapis.com
+].freeze
+
+CSP_FONT_HOSTS = (["https://fonts.gstatic.com"] + GOOGLE_STATIC).freeze
+
+CSP_IMAGE_HOSTS =  (["https://s3.amazonaws.com"] + GOOGLE_STATIC).freeze
+  
+CSP_WEBPACKER_HOST = "http://localhost:3035"
+
+CSP_DEV_CONNECT_SRC = %w[
+  http://localhost:3035
+  ws://localhost:3000
+  ws://localhost:3035
+  ws://127.0.0.1:35729
+].freeze
+
+CSP_REVIEW_CONNECT_SRC = %w[
+  wss://*.herokuapp.com
+].freeze
+
+Rails.application.config.content_security_policy do |policy|
+  policy.report_uri("/csp-violation-report-endpoint")
+
+  policy.default_src(:self)
+
+  policy.object_src(:none)
+    
+  policy.font_src(:self, *CSP_FONT_HOSTS)
+  
+  policy.style_src(:self, :data, :unsafe_inline)
+
+  if Rails.env.development?
+    policy.img_src(:self, :data, CSP_WEBPACKER_HOST, *CSP_IMAGE_HOSTS)
+
+    policy.script_src(:self, :unsafe_eval, CSP_WEBPACKER_HOST, *CSP_SCRIPT_HOSTS)
+     
+    policy.connect_src(:self, *CSP_DEV_CONNECT_SRC)
+  else
+    policy.img_src(:self, :data, *CSP_IMAGE_HOSTS)
+
+    policy.script_src(:self, *CSP_SCRIPT_HOSTS)
+  
+    if ENV["IN_REVIEW_APP"].present?
+      policy.connect_src(:self, *CSP_REVIEW_CONNECT_SRC)
+    else
+      policy.connect_src(:self)
+    end
+  end
+end
+
+# ...
+```
 
 ## Installation
 Add to your Gemfile:
@@ -168,17 +169,9 @@ Then run the **generator to add the initializer**
 
 ## Usage
 
-### `ActionDispatch::ContentSecurityPolicy.load_from_file`
-
-`YamlCspConfig` extends `ActionDispatch::ContentSecurityPolicy` with a method to 
-load configuration from a YAML file. By default the initializer will add the `load_from_file`
-instance method and call it on initialisation.
- 
-If you wish instead to call it explicitly  make sure to comment it out from the initializer. 
-
 ### YAML file format
 
-**Note: The YAML file can also be an ERB template.**
+Note: The YAML file can also be an ERB template.
 
 The file must contain at at least the 'base' configuration group, containing the base or common CSP 
 configuration.
@@ -252,6 +245,14 @@ For example:
 
 will add `host.cdn` to the `script_src`  directive.
 
+### Note this extends `ActionDispatch::ContentSecurityPolicy.load_from_file`
+
+`YamlCspConfig` extends `ActionDispatch::ContentSecurityPolicy` with a method to
+load configuration from a YAML file. By default the initializer will add the `load_from_file`
+instance method and call it on initialisation.
+
+If you wish instead to call it explicitly  make sure to comment it out from the initializer.
+
 ## Run type check (RBS & steep)
 
 First copy the signatures for Rails from `https://github.com/pocke/rbs_rails/tree/master/assets/sig`

data/lib/yaml_csp_config/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module YamlCspConfig
-  VERSION = "1.0.3"
+  VERSION = "1.1.0"
 end

data/lib/yaml_csp_config/yaml_loader.rb

@@ -5,6 +5,7 @@ module YamlCspConfig
   class YamlLoader
     DIRECTIVES = %i[
       base_uri
+      block_all_mixed_content
       child_src
       connect_src
       default_src
@@ -15,10 +16,23 @@ module YamlCspConfig
       img_src
       manifest_src
       media_src
+      navigate_to
       object_src
+      plugin_types
       prefetch_src
+      referrer
+      report_to
+      report_uri
+      require_trusted_types_for
+      sandbox
       script_src
+      script_src_attr
+      script_src_elem
       style_src
+      style_src_attr
+      style_src_elem
+      trusted_types
+      upgrade_insecure_requests
       worker_src
     ].freeze
 
@@ -98,7 +112,8 @@ module YamlCspConfig
       DIRECTIVES.each do |rule|
         d = rule.to_s
         k = env_var_key_prefix + d.upcase
-        add_to_csp(policies, d, ENV[k].split(" ")) if ENV[k].present?
+        override_env_var_value = ENV[k]
+        add_to_csp(policies, d, override_env_var_value.split(" ")) if override_env_var_value
       end
       policies
     end

data/lib/yaml_csp_config.rb

@@ -7,10 +7,11 @@ require "yaml_csp_config/yaml_loader"
 # Exposes a configuration class for initializer
 module YamlCspConfig
   class << self
-    attr_reader :configuration
+    def configuration
+      @configuration ||= Configuration.new
+    end
 
     def configure
-      @configuration ||= Configuration.new
       yield(configuration) if block_given?
       configuration
     end

data/sig/types.rbs

@@ -49,6 +49,7 @@ module YamlCspConfig
     def env_var_group_override: (cspGroup config, cspPolicyRules policies) -> cspPolicyRules
     def env_var_direct_override: (cspPolicyRules policies) -> cspPolicyRules
     def add_to_csp: (cspPolicyRules policies, String rule, (Symbol | String | Array[String | Symbol]) value) -> void
+    def parse_policies_config: (untyped) -> untyped
     def config_key_base: -> String
   end
 end

metadata

@@ -1,85 +1,55 @@
 --- !ruby/object:Gem::Specification
 name: yaml_csp_config
 version: !ruby/object:Gem::Version
-  version: 1.0.3
+  version: 1.1.0
 platform: ruby
 authors:
 - Stephen Ierodiaconou
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-10-10 00:00:00.000000000 Z
+date: 2024-01-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: rails
+  name: railties
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '5.2'
+        version: '7.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '8.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '5.2'
-- !ruby/object:Gem::Dependency
-  name: rbs_rails
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
+        version: '7.0'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
+        version: '8.0'
 - !ruby/object:Gem::Dependency
-  name: standard
+  name: activesupport
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
+        version: '7.0'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: steep
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
+        version: '8.0'
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: sqlite3
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
+        version: '7.0'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '8.0'
 description: yaml_csp_config provides you with a way to manage your Rails 5.2+ CSP
   configuration via a YAML file. The CSP configuration can also be extended by environment
   variables.
@@ -115,14 +85,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.6'
+      version: '3.0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.5.3
 signing_key:
 specification_version: 4
 summary: yaml_csp_config provides you with a way to manage your Rails CSP configuration