Add CSP config flag to preserve host source schemes

oreoshake · oreoshake · commit 4dffb2310903 · 2016-02-11T09:54:51.000-10:00
Before this change, all schemes were stripped from host sources. This is because modern browsers know that on an HTTPS resource, only HTTPS is allowed but on HTTP resources, both HTTP and HTTPS are allowed. Safari on the other hand doesn't support this. In an ideal world, all local development would be over HTTPS and there would never be a need to serve/load HTTP resources.

Adding :preserve_schemes (defaults to false) unfortunately also allows mixed content. i.e. If you are on an HTTPS resource, but you've whitelisted an HTTP resource you have allowed mixed content.
diff --git a/lib/secure_headers/headers/content_security_policy.rb b/lib/secure_headers/headers/content_security_policy.rb
@@ -275,7 +275,8 @@ def initialize(config = nil, user_agent = OTHER)
       else
         UserAgent.parse(user_agent)
       end
-      @report_only = !!@config[:report_only]
+      @report_only = @config[:report_only]
+      @preserve_schemes = @config[:preserve_schemes]
       @script_nonce = @config[:script_nonce]
       @style_nonce = @config[:style_nonce]
     end
@@ -345,9 +346,12 @@ def build_directive(directive_name)
         source_list.reject! { |value| value == NONE } if source_list.length > 1
 
         # remove schemes and dedup source expressions
-        source_list = strip_source_schemes(source_list) unless directive_name == REPORT_URI
+        unless directive_name == REPORT_URI || @preserve_schemes
+          source_list = strip_source_schemes(source_list)
+        end
         dedup_source_list(source_list).join(" ")
       end
+
       [symbol_to_hyphen_case(directive_name), value].join(" ")
     end
 
diff --git a/spec/lib/secure_headers/headers/content_security_policy_spec.rb b/spec/lib/secure_headers/headers/content_security_policy_spec.rb
@@ -138,6 +138,11 @@ module SecureHeaders
         expect(csp.value).to eq("default-src https:; report-uri https://example.org")
       end
 
+      it "does not remove schemes when :preserve_schemes is true" do
+        csp = ContentSecurityPolicy.new(default_src: %w(https://example.org), :preserve_schemes => true)
+        expect(csp.value).to eq("default-src https://example.org")
+      end
+
       it "removes nil from source lists" do
         csp = ContentSecurityPolicy.new(default_src: ["https://example.org", nil])
         expect(csp.value).to eq("default-src example.org")
