Skip to content

Commit 1bd1e4c

Browse files
keithamuskeithamus
committed
do not dedupe alternate schema source expresions
1 parent 7f89df2 commit 1bd1e4c

File tree

2 files changed

+6
-1
lines changed

2 files changed

+6
-1
lines changed

lib/secure_headers/headers/content_security_policy.rb

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -157,7 +157,7 @@ def dedup_source_list(sources)
157157
if wild_sources.any?
158158
sources.reject do |source|
159159
!wild_sources.include?(source) &&
160-
wild_sources.any? { |pattern| File.fnmatch(pattern, source) }
160+
wild_sources.any? { |pattern| URI(pattern).scheme == URI(source).scheme && File.fnmatch(pattern, source) }
161161
end
162162
else
163163
sources

spec/lib/secure_headers/headers/content_security_policy_spec.rb

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -106,6 +106,11 @@ module SecureHeaders
106106
expect(csp.value).to eq("default-src example.org")
107107
end
108108

109+
it "does not deduplicate non-matching schema source expressions" do
110+
csp = ContentSecurityPolicy.new(default_src: %w(*.example.org wss://*.example.org))
111+
expect(csp.value).to eq("default-src *.example.org wss://*.example.org")
112+
end
113+
109114
it "creates maximally strict sandbox policy when passed no sandbox token values" do
110115
csp = ContentSecurityPolicy.new(default_src: %w(example.org), sandbox: [])
111116
expect(csp.value).to eq("default-src example.org; sandbox")

0 commit comments

Comments
 (0)