Support worker-src CSP directive (#364)

arr-dev · oreoshake · commit 4bc4b746accf · 2017-10-03T07:04:04.000-10:00
* Support worker-src CSP directive

* Add newline after `worker_src` const def

* Remove trailing whitespace
diff --git a/README.md b/README.md
@@ -95,6 +95,7 @@ SecureHeaders::Configuration.default do |config|
     plugin_types: %w(application/x-shockwave-flash),
     script_src: %w('self'),
     style_src: %w('unsafe-inline'),
+    worker_src: %w('self'),
     upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
     report_uri: %w(https://report-uri.io/example-csp)
   }
diff --git a/lib/secure_headers/headers/content_security_policy_config.rb b/lib/secure_headers/headers/content_security_policy_config.rb
@@ -38,6 +38,7 @@ def initialize(hash)
       @script_src = nil
       @style_nonce = nil
       @style_src = nil
+      @worker_src = nil
       @upgrade_insecure_requests = nil
 
       from_hash(hash)
diff --git a/lib/secure_headers/headers/policy_management.rb b/lib/secure_headers/headers/policy_management.rb
@@ -72,10 +72,13 @@ def self.included(base)
     BLOCK_ALL_MIXED_CONTENT = :block_all_mixed_content
     MANIFEST_SRC = :manifest_src
     UPGRADE_INSECURE_REQUESTS = :upgrade_insecure_requests
+    WORKER_SRC = :worker_src
+
     DIRECTIVES_3_0 = [
       DIRECTIVES_2_0,
       BLOCK_ALL_MIXED_CONTENT,
       MANIFEST_SRC,
+      WORKER_SRC,
       UPGRADE_INSECURE_REQUESTS
     ].flatten.freeze
 
@@ -86,6 +89,7 @@ def self.included(base)
     FIREFOX_UNSUPPORTED_DIRECTIVES = [
       BLOCK_ALL_MIXED_CONTENT,
       CHILD_SRC,
+      WORKER_SRC,
       PLUGIN_TYPES
     ].freeze
 
@@ -95,6 +99,7 @@ def self.included(base)
 
     FIREFOX_46_UNSUPPORTED_DIRECTIVES = [
       BLOCK_ALL_MIXED_CONTENT,
+      WORKER_SRC,
       PLUGIN_TYPES
     ].freeze
 
@@ -148,6 +153,7 @@ def self.included(base)
       SANDBOX                   => :sandbox_list,
       SCRIPT_SRC                => :source_list,
       STYLE_SRC                 => :source_list,
+      WORKER_SRC                => :source_list,
       UPGRADE_INSECURE_REQUESTS => :boolean
     }.freeze
 
diff --git a/spec/lib/secure_headers/headers/content_security_policy_spec.rb b/spec/lib/secure_headers/headers/content_security_policy_spec.rb
@@ -143,12 +143,12 @@ module SecureHeaders
 
         it "does not filter any directives for Chrome" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:chrome])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; worker-src worker-src.com; report-uri report-uri.com")
         end
 
         it "does not filter any directives for Opera" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:opera])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; worker-src worker-src.com; report-uri report-uri.com")
         end
 
         it "filters blocked-all-mixed-content, child-src, and plugin-types for firefox" do
diff --git a/spec/lib/secure_headers/headers/policy_management_spec.rb b/spec/lib/secure_headers/headers/policy_management_spec.rb
@@ -33,6 +33,7 @@ module SecureHeaders
           object_src: %w('self'),
           script_src: %w('self'),
           style_src: %w('unsafe-inline'),
+          worker_src: %w(worker.com),
           base_uri: %w('self'),
           form_action: %w('self' github.com),
           frame_ancestors: %w('none'),

Original file line number	Diff line number	Diff line change
`@@ -95,6 +95,7 @@ SecureHeaders::Configuration.default do \|config\|`
`95`	`95`	`plugin_types: %w(application/x-shockwave-flash),`
`96`	`96`	`script_src: %w('self'),`
`97`	`97`	`style_src: %w('unsafe-inline'),`
	`98`	`+ worker_src: %w('self'),`
`98`	`99`	`upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/`
`99`	`100`	`report_uri: %w(https://report-uri.io/example-csp)`
`100`	`101`	`}`