bug fixes and tests for filtered directives

oreoshake · oreoshake · commit 07367a2276b1 · 2015-10-05T13:04:55.000-10:00
diff --git a/lib/secure_headers/headers/content_security_policy.rb b/lib/secure_headers/headers/content_security_policy.rb
@@ -67,7 +67,7 @@ module Constants
         DIRECTIVES_2_0 + DIRECTIVES_DRAFT
       ).freeze
 
-      ALL_DIRECTIVES = [DIRECTIVES_1_0 + DIRECTIVES_2_0 + DIRECTIVES_3_0 + DIRECTIVES_DRAFT].flatten.uniq
+      ALL_DIRECTIVES = [DIRECTIVES_1_0 + DIRECTIVES_2_0 + DIRECTIVES_3_0 + DIRECTIVES_DRAFT].flatten.sort.uniq
       CONFIG_KEY = :csp
     end
 
@@ -274,21 +274,24 @@ def translate_dir_value val
       end
     end
 
+    # ensures defualt_src is first and report_uri is last
     def generic_directives
-      header_value = ''
+      header_value = build_directive(:default_src)
       data_uri = @disable_img_src_data_uri ? [] : ["data:"]
       if @config[:img_src]
         @config[:img_src] = @config[:img_src] + data_uri unless @config[:img_src].include?('data:')
       else
         @config[:img_src] = @config[:default_src] + data_uri
       end
 
-      ALL_DIRECTIVES.each do |directive_name|
+      (ALL_DIRECTIVES - [:default_src, :report_uri]).each do |directive_name|
         if @config[directive_name]
           header_value += build_directive(directive_name)
         end
       end
 
+      header_value += build_directive(:report_uri) if @config[:report_uri]
+
       header_value.strip
     end
 
diff --git a/spec/lib/secure_headers/headers/content_security_policy_spec.rb b/spec/lib/secure_headers/headers/content_security_policy_spec.rb
@@ -143,6 +143,27 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
     end
 
     describe "#value" do
+      context "browser sniffing" do
+        let(:complex_opts) do
+          ALL_DIRECTIVES.inject({}) { |memo, directive| memo[directive] = "'self'"; memo }.merge(:block_all_mixed_content => '')
+        end
+
+        it "does not filter any directives for Chrome" do
+          policy = ContentSecurityPolicy.new(complex_opts, :request => request_for(CHROME))
+          expect(policy.value).to eq("default-src 'self'; base-url 'self'; block-all-mixed-content ; child-src 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self' data:; media-src 'self'; object-src 'self'; plugin-types 'self'; sandbox 'self'; script-src 'self'; style-src 'self'; report-uri 'self';")
+        end
+
+        it "filters blocked-all-mixed-content, child-src, and plugin-types for firefox" do
+          policy = ContentSecurityPolicy.new(complex_opts, :request => request_for(FIREFOX))
+          expect(policy.value).to eq("default-src 'self'; base-url 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self' data:; media-src 'self'; object-src 'self'; sandbox 'self'; script-src 'self'; style-src 'self'; report-uri 'self';")
+        end
+
+        it "filters base-url, blocked-all-mixed-content, child-src, form-action, frame-ancestors, and plugin-types for safari" do
+          policy = ContentSecurityPolicy.new(complex_opts, :request => request_for(SAFARI))
+          expect(policy.value).to eq("default-src 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data:; media-src 'self'; object-src 'self'; sandbox 'self'; script-src 'self'; style-src 'self'; report-uri 'self';")
+        end
+      end
+
       it "raises an exception when default-src is missing" do
         csp = ContentSecurityPolicy.new({:script_src => 'anything'}, :request => request_for(CHROME))
         expect {
