Merge pull request #224 from twitter/handle-non-default-sources

oreoshake · oreoshake · commit 082f6c81a638 · 2016-02-29T06:38:45.000-10:00
Handle policy merges when directives do not inherit from default-src
diff --git a/lib/secure_headers/headers/content_security_policy.rb b/lib/secure_headers/headers/content_security_policy.rb
@@ -55,6 +55,16 @@ class ContentSecurityPolicy
     FRAME_ANCESTORS = :frame_ancestors
     PLUGIN_TYPES = :plugin_types
 
+    # These are directives that do not inherit the default-src value. This is
+    # useful when calling #combine_policies.
+    NON_DEFAULT_SOURCES = [
+      BASE_URI,
+      FORM_ACTION,
+      FRAME_ANCESTORS,
+      PLUGIN_TYPES,
+      REPORT_URI
+    ]
+
     DIRECTIVES_2_0 = [
       DIRECTIVES_1_0,
       BASE_URI,
@@ -214,7 +224,7 @@ def combine_policies(original, additions)
 
         # in case we would be appending to an empty directive, fill it with the default-src value
         additions.keys.each do |directive|
-          unless original[directive] || !source_list?(directive)
+          unless original[directive] || !source_list?(directive) || NON_DEFAULT_SOURCES.include?(directive)
             original[directive] = original[:default_src]
           end
         end
diff --git a/spec/lib/secure_headers/headers/content_security_policy_spec.rb b/spec/lib/secure_headers/headers/content_security_policy_spec.rb
@@ -124,8 +124,29 @@ module SecureHeaders
             report_only: false
           }.freeze
         end
-        combined_config = CSP.combine_policies(Configuration.get.csp, report_uri: %w(https://report-uri.io/asdf))
-        expect(combined_config[:report_uri]).to_not be_nil
+        report_uri = "https://report-uri.io/asdf"
+        combined_config = CSP.combine_policies(Configuration.get.csp, report_uri: [report_uri])
+        csp = ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox])
+        expect(csp.value).to include("report-uri #{report_uri}")
+      end
+
+      it "does not combine the default-src value for directives that don't fall back to default sources" do
+        Configuration.default do |config|
+          config.csp = {
+            default_src: %w('self'),
+            report_only: false
+          }.freeze
+        end
+        non_default_source_additions = CSP::NON_DEFAULT_SOURCES.each_with_object({}) do |directive, hash|
+          hash[directive] = %w("http://example.org)
+        end
+        combined_config = CSP.combine_policies(Configuration.get.csp, non_default_source_additions)
+
+        CSP::NON_DEFAULT_SOURCES.each do |directive|
+          expect(combined_config[directive]).to eq(%w("http://example.org))
+        end
+
+         ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox]).value
       end
 
       it "overrides the report_only flag" do
