wip

Author: oreoshake

Gemfile

@@ -3,6 +3,7 @@ source 'https://rubygems.org'
 gemspec
 
 group :test do
+  gem 'pry'
   gem 'test-unit', '~> 3.0'
   gem 'rails', '3.2.22'
   gem 'sqlite3', :platforms => [:ruby, :mswin, :mingw]

README.md

@@ -61,6 +61,7 @@ The following methods are going to be called, unless they are provided in a `ski
     :form_action => "'self' github.com",
     :frame_ancestors => "'none'",
     :plugin_types => 'application/x-shockwave-flash',
+    :block_all_mixed_content => '' # see [http://www.w3.org/TR/mixed-content/]()
     :report_uri => '//example.com/uri-directive'
   }
   config.hpkp = {
@@ -99,7 +100,7 @@ Sometimes you need to override your content security policy for a given endpoint
 1. Override the `secure_header_options_for` class instance method. e.g.
 
 ```ruby
-class SomethingController < ApplicationController 
+class SomethingController < ApplicationController
   def wumbus
     # gets style-src override
   end

lib/secure_headers/headers/content_security_policy.rb

@@ -3,6 +3,7 @@
 require 'securerandom'
 require 'user_agent_parser'
 require 'json'
+require 'pry'
 
 module SecureHeaders
   class ContentSecurityPolicyBuildError < StandardError; end
@@ -11,28 +12,62 @@ module Constants
       DEFAULT_CSP_HEADER = "default-src https: data: 'unsafe-inline' 'unsafe-eval'; frame-src https: about: javascript:; img-src data:"
       HEADER_NAME = "Content-Security-Policy"
       ENV_KEY = 'secure_headers.content_security_policy'
-      DIRECTIVES = [
+
+      DIRECTIVES_1_0 = [
         :default_src,
         :connect_src,
         :font_src,
         :frame_src,
         :img_src,
         :media_src,
         :object_src,
+        :sandbox,
         :script_src,
         :style_src,
-        :base_uri,
+        :report_uri
+      ].freeze
+
+      DIRECTIVES_2_0 = [
+        DIRECTIVES_1_0,
+        :base_url,
         :child_src,
         :form_action,
         :frame_ancestors,
         :plugin_types
-      ]
+      ].flatten.freeze
 
-      OTHER = [
-        :report_uri
-      ]
 
-      ALL_DIRECTIVES = DIRECTIVES + OTHER
+      # All the directives currently under consideration for CSP level 3.
+      # https://w3c.github.io/webappsec/specs/CSP2/
+      DIRECTIVES_3_0 = [
+        DIRECTIVES_2_0,
+        :manifest_src,
+        :reflected_xss
+      ].flatten.freeze
+
+      # All the directives that are not currently in a formal spec, but have
+      # been implemented somewhere.
+      DIRECTIVES_DRAFT = [
+        :block_all_mixed_content,
+      ].freeze
+
+      SAFARI_DIRECTIVES = DIRECTIVES_1_0
+
+      FIREFOX_UNSUPPORTED_DIRECTIVES = [
+        :block_all_mixed_content,
+        :child_src,
+        :plugin_types
+      ].freeze
+
+      FIREFOX_DIRECTIVES = (
+        DIRECTIVES_2_0 - FIREFOX_UNSUPPORTED_DIRECTIVES
+      ).freeze
+
+      CHROME_DIRECTIVES = (
+        DIRECTIVES_2_0 + DIRECTIVES_DRAFT
+      ).freeze
+
+      ALL_DIRECTIVES = DIRECTIVES_1_0 + DIRECTIVES_2_0 + DIRECTIVES_3_0 + DIRECTIVES_DRAFT
       CONFIG_KEY = :csp
     end
 
@@ -99,33 +134,36 @@ def initialize(config=nil, options={})
       @ua = options[:ua]
       @ssl_request = !!options.delete(:ssl)
       @request_uri = options.delete(:request_uri)
+      @http_additions = config.delete(:http_additions)
+      @app_name = config.delete(:app_name)
+      @enforce = !!config.delete(:enforce)
+      @disable_img_src_data_uri = !!config.delete(:disable_img_src_data_uri)
+      @tag_report_uri = !!config.delete(:tag_report_uri)
+      @script_hashes = config.delete(:script_hashes) || []
 
       # Config values can be string, array, or lamdba values
       @config = config.inject({}) do |hash, (key, value)|
         config_val = value.respond_to?(:call) ? value.call(@controller) : value
-
-        if DIRECTIVES.include?(key) # directives need to be normalized to arrays of strings
+        if ContentSecurityPolicy::ALL_DIRECTIVES.include?(key.to_sym) # directives need to be normalized to arrays of strings
           config_val = config_val.split if config_val.is_a? String
           if config_val.is_a?(Array)
             config_val = config_val.map do |val|
               translate_dir_value(val)
             end.flatten.uniq
           end
+        else
+          raise ArgumentError.new("Unknown directive supplied: #{key}")
         end
 
+
         hash[key] = config_val
         hash
       end
 
-      @http_additions = @config.delete(:http_additions)
-      @app_name = @config.delete(:app_name)
-      @report_uri = @config.delete(:report_uri)
-      @enforce = !!@config.delete(:enforce)
-      @disable_img_src_data_uri = !!@config.delete(:disable_img_src_data_uri)
-      @tag_report_uri = !!@config.delete(:tag_report_uri)
-      @script_hashes = @config.delete(:script_hashes) || []
-
       add_script_hashes if @script_hashes.any?
+      puts @config
+      strip_unsupported_directives
+      puts @config
     end
 
     ##
@@ -160,13 +198,20 @@ def value
 
     def to_json
       build_value
-      @config.to_json.gsub(/(\w+)_src/, "\\1-src")
+      out = @config.inject({}) do |hash, (key, value)|
+        hash[key.to_s.gsub(/(\w+)_(\w+)/, "\\1-\\2")] = value
+        hash
+      end
+      puts out
+      out.to_json
     end
 
     def self.from_json(*json_configs)
       json_configs.inject({}) do |combined_config, one_config|
-        one_config = one_config.gsub(/(\w+)-src/, "\\1_src")
-        config = JSON.parse(one_config, :symbolize_names => true)
+        config = JSON.parse(one_config).inject({}) do |hash, (key, value)|
+          hash[key.gsub(/(\w+)-(\w+)/, "\\1_\\2").to_sym] = value
+          hash
+        end
         combined_config.merge(config) do |_, lhs, rhs|
           lhs | rhs
         end
@@ -182,10 +227,7 @@ def add_script_hashes
     def build_value
       raise "Expected to find default_src directive value" unless @config[:default_src]
       append_http_additions unless ssl_request?
-      header_value = [
-        generic_directives,
-        report_uri_directive
-      ].join.strip
+      generic_directives
     end
 
     def append_http_additions
@@ -204,7 +246,7 @@ def translate_dir_value val
         warn "[DEPRECATION] using self/none may not be supported in the future. Instead use 'self'/'none' instead."
         "'#{val}'"
       elsif val == 'nonce'
-        if supports_nonces?(@ua)
+        if supports_nonces?
           self.class.set_nonce(@controller, nonce)
           ["'nonce-#{nonce}'", "'unsafe-inline'"]
         else
@@ -215,25 +257,6 @@ def translate_dir_value val
       end
     end
 
-    def report_uri_directive
-      return '' if @report_uri.nil?
-
-      if @report_uri.start_with?('//')
-        @report_uri = if @ssl_request
-                        "https:" + @report_uri
-                      else
-                        "http:" + @report_uri
-                      end
-      end
-
-      if @tag_report_uri
-        @report_uri = "#{@report_uri}?enforce=#{@enforce}"
-        @report_uri += "&app_name=#{@app_name}" if @app_name
-      end
-
-      "report-uri #{@report_uri};"
-    end
-
     def generic_directives
       header_value = ''
       data_uri = @disable_img_src_data_uri ? [] : ["data:"]
@@ -243,7 +266,7 @@ def generic_directives
         @config[:img_src] = @config[:default_src] + data_uri
       end
 
-      DIRECTIVES.each do |directive_name|
+      ALL_DIRECTIVES.each do |directive_name|
         header_value += build_directive(directive_name) if @config[directive_name]
       end
 
@@ -254,8 +277,25 @@ def build_directive(key)
       "#{self.class.symbol_to_hyphen_case(key)} #{@config[key].join(" ")}; "
     end
 
-    def supports_nonces?(user_agent)
-      parsed_ua = UserAgentParser.parse(user_agent)
+    def strip_unsupported_directives
+      @config.select! { |key, _| supported_directives.include?(key) }
+    end
+
+    def supported_directives
+      @supported_directives ||= case UserAgentParser.parse(@ua).family
+      when "Chrome"
+        CHROME_DIRECTIVES
+      when "Safari"
+        SAFARI_DIRECTIVES
+      when "Firefox"
+        FIREFOX_DIRECTIVES
+      else
+        DIRECTIVES_1_0
+      end
+    end
+
+    def supports_nonces?
+      parsed_ua = UserAgentParser.parse(@ua)
       ["Chrome", "Opera", "Firefox"].include?(parsed_ua.family)
     end
   end

spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -5,9 +5,10 @@ module SecureHeaders
     let(:default_opts) do
       {
         :default_src => 'https:',
-        :report_uri => '/csp_report',
+        :img_src => "https: data:",
         :script_src => "'unsafe-inline' 'unsafe-eval' https: data:",
-        :style_src => "'unsafe-inline' https: about:"
+        :style_src => "'unsafe-inline' https: about:",
+        :report_uri => '/csp_report'
       }
     end
     let(:controller) { DummyClass.new }
@@ -58,7 +59,8 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
 
     it "exports a policy to JSON" do
       policy = ContentSecurityPolicy.new(default_opts)
-      expected = %({"default-src":["https:"],"script-src":["'unsafe-inline'","'unsafe-eval'","https:","data:"],"style-src":["'unsafe-inline'","https:","about:"],"img-src":["https:","data:"]})
+      puts default_opts
+      expected = %({"default-src":["https:"],"img-src":["https:","data:"],"script-src":["'unsafe-inline'","'unsafe-eval'","https:","data:"],"style-src":["'unsafe-inline'","https:","about:"],"report-uri":["/csp_report"]})
       expect(policy.to_json).to eq(expected)
     end