Merge branch 'master' into hpkp-warn

Author: oreoshake

README.md

@@ -13,6 +13,7 @@ The gem will automatically apply several headers that are related to security.
 - X-Content-Type-Options - [Prevent content type sniffing](https://msdn.microsoft.com/library/gg622941\(v=vs.85\).aspx)
 - X-Download-Options - [Prevent file downloads opening](https://msdn.microsoft.com/library/jj542450(v=vs.85).aspx)
 - X-Permitted-Cross-Domain-Policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
+- Referrer-Policy - [Referrer Policy draft](https://w3c.github.io/webappsec-referrer-policy/)
 - Public Key Pinning - Pin certificate fingerprints in the browser to prevent man-in-the-middle attacks due to compromised Certificate Authorities. [Public Key Pinning Specification](https://tools.ietf.org/html/rfc7469)
 
 It can also mark all http cookies with the Secure, HttpOnly and SameSite attributes (when configured to do so).
@@ -44,6 +45,7 @@ SecureHeaders::Configuration.default do |config|
   config.x_xss_protection = "1; mode=block"
   config.x_download_options = "noopen"
   config.x_permitted_cross_domain_policies = "none"
+  config.referrer_policy = "origin-when-cross-origin"
   config.csp = {
     # "meta" values. these will shaped the header, but the values are not included in the header.
     report_only:  true,     # default: false

lib/secure_headers.rb

@@ -9,6 +9,7 @@
 require "secure_headers/headers/x_content_type_options"
 require "secure_headers/headers/x_download_options"
 require "secure_headers/headers/x_permitted_cross_domain_policies"
+require "secure_headers/headers/referrer_policy"
 require "secure_headers/middleware"
 require "secure_headers/railtie"
 require "secure_headers/view_helper"
@@ -27,6 +28,7 @@ module SecureHeaders
     ContentSecurityPolicy,
     StrictTransportSecurity,
     PublicKeyPins,
+    ReferrerPolicy,
     XContentTypeOptions,
     XDownloadOptions,
     XFrameOptions,

lib/secure_headers/configuration.rb

@@ -106,7 +106,8 @@ def deep_copy_if_hash(value)
     attr_accessor :dynamic_csp
 
     attr_writer :hsts, :x_frame_options, :x_content_type_options,
-      :x_xss_protection, :x_download_options, :x_permitted_cross_domain_policies
+      :x_xss_protection, :x_download_options, :x_permitted_cross_domain_policies,
+      :referrer_policy
 
     attr_reader :cached_headers, :csp, :cookies, :hpkp, :hpkp_report_host
 
@@ -119,6 +120,7 @@ def deep_copy_if_hash(value)
 
     def initialize(&block)
       self.hpkp = OPT_OUT
+      self.referrer_policy = OPT_OUT
       self.csp = self.class.send(:deep_copy, CSP::DEFAULT_CONFIG)
       instance_eval &block if block_given?
     end
@@ -138,6 +140,7 @@ def dup
       copy.x_xss_protection = @x_xss_protection
       copy.x_download_options = @x_download_options
       copy.x_permitted_cross_domain_policies = @x_permitted_cross_domain_policies
+      copy.referrer_policy = @referrer_policy
       copy.hpkp = @hpkp
       copy.hpkp_report_host = @hpkp_report_host
       copy
@@ -178,6 +181,7 @@ def current_csp
     def validate_config!
       StrictTransportSecurity.validate_config!(@hsts)
       ContentSecurityPolicy.validate_config!(@csp)
+      ReferrerPolicy.validate_config!(@referrer_policy)
       XFrameOptions.validate_config!(@x_frame_options)
       XContentTypeOptions.validate_config!(@x_content_type_options)
       XXssProtection.validate_config!(@x_xss_protection)

lib/secure_headers/headers/policy_management.rb

@@ -91,6 +91,7 @@ def self.included(base)
       UPGRADE_INSECURE_REQUESTS
     ].freeze
 
+    EDGE_DIRECTIVES = DIRECTIVES_1_0
     SAFARI_DIRECTIVES = DIRECTIVES_1_0
 
     FIREFOX_UNSUPPORTED_DIRECTIVES = [
@@ -118,6 +119,7 @@ def self.included(base)
       "Opera" => CHROME_DIRECTIVES,
       "Firefox" => FIREFOX_DIRECTIVES,
       "Safari" => SAFARI_DIRECTIVES,
+      "Edge" => EDGE_DIRECTIVES,
       "Other" => CHROME_DIRECTIVES
     }.freeze
 

lib/secure_headers/headers/referrer_policy.rb

@@ -0,0 +1,33 @@
+module SecureHeaders
+  class ReferrerPolicyConfigError < StandardError; end
+  class ReferrerPolicy
+    HEADER_NAME = "Referrer-Policy"
+    DEFAULT_VALUE = "origin-when-cross-origin"
+    VALID_POLICIES = %w(
+      no-referrer
+      no-referrer-when-downgrade
+      origin
+      origin-when-cross-origin
+      unsafe-url
+    )
+    CONFIG_KEY = :referrer_policy
+
+    class << self
+      # Public: generate an Referrer Policy header.
+      #
+      # Returns a default header if no configuration is provided, or a
+      # header name and value based on the config.
+      def make_header(config = nil)
+        [HEADER_NAME, config || DEFAULT_VALUE]
+      end
+
+      def validate_config!(config)
+        return if config.nil? || config == OPT_OUT
+        raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
+        unless VALID_POLICIES.include?(config.downcase)
+          raise ReferrerPolicyConfigError.new("Value can only be one of #{VALID_POLICIES.join(', ')}")
+        end
+      end
+    end
+  end
+end

lib/secure_headers/railtie.rb

@@ -7,7 +7,7 @@ class Railtie < Rails::Railtie
                              'X-Permitted-Cross-Domain-Policies', 'X-Download-Options',
                              'X-Content-Type-Options', 'Strict-Transport-Security',
                              'Content-Security-Policy', 'Content-Security-Policy-Report-Only',
-                             'Public-Key-Pins', 'Public-Key-Pins-Report-Only']
+                             'Public-Key-Pins', 'Public-Key-Pins-Report-Only', 'Referrer-Policy']
 
       initializer "secure_headers.middleware" do
         Rails.application.config.middleware.insert_before 0, SecureHeaders::Middleware

spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -104,6 +104,11 @@ module SecureHeaders
           expect(policy.value).to eq("default-src 'self'; base-uri 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; sandbox 'self'; script-src 'self' 'nonce-123456'; style-src 'self'; upgrade-insecure-requests; report-uri 'self'")
         end
 
+        it "adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, upgrade-insecure-requests, child-src, form-action, frame-ancestors, nonce sources, hash sources, and plugin-types for Edge" do
+          policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:edge])
+          expect(policy.value).to eq("default-src 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; sandbox 'self'; script-src 'self' 'unsafe-inline'; style-src 'self'; report-uri 'self'")
+        end
+
         it "adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, upgrade-insecure-requests, child-src, form-action, frame-ancestors, nonce sources, hash sources, and plugin-types for safari" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:safari6])
           expect(policy.value).to eq("default-src 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; sandbox 'self'; script-src 'self' 'unsafe-inline'; style-src 'self'; report-uri 'self'")

spec/lib/secure_headers/headers/referrer_policy_spec.rb

@@ -0,0 +1,54 @@
+require 'spec_helper'
+
+module SecureHeaders
+  describe ReferrerPolicy do
+    specify { expect(ReferrerPolicy.make_header).to eq([ReferrerPolicy::HEADER_NAME, "origin-when-cross-origin"]) }
+    specify { expect(ReferrerPolicy.make_header('no-referrer')).to eq([ReferrerPolicy::HEADER_NAME, "no-referrer"]) }
+
+    context "valid configuration values" do
+      it "accepts 'no-referrer'" do
+        expect do
+          ReferrerPolicy.validate_config!("no-referrer")
+        end.not_to raise_error
+      end
+
+      it "accepts 'no-referrer-when-downgrade'" do
+        expect do
+          ReferrerPolicy.validate_config!("no-referrer-when-downgrade")
+        end.not_to raise_error
+      end
+
+      it "accepts 'origin'" do
+        expect do
+          ReferrerPolicy.validate_config!("origin")
+        end.not_to raise_error
+      end
+
+      it "accepts 'origin-when-cross-origin'" do
+        expect do
+          ReferrerPolicy.validate_config!("origin-when-cross-origin")
+        end.not_to raise_error
+      end
+
+      it "accepts 'unsafe-url'" do
+        expect do
+          ReferrerPolicy.validate_config!("unsafe-url")
+        end.not_to raise_error
+      end
+
+      it "accepts nil" do
+        expect do
+          ReferrerPolicy.validate_config!(nil)
+        end.not_to raise_error
+      end
+    end
+
+    context 'invlaid configuration values' do
+      it "doesn't accept invalid values" do
+        expect do
+          ReferrerPolicy.validate_config!("open")
+        end.to raise_error(ReferrerPolicyConfigError)
+      end
+    end
+  end
+end

spec/lib/secure_headers_spec.rb

@@ -20,6 +20,13 @@ module SecureHeaders
       end.to raise_error(Configuration::NotYetConfiguredError)
     end
 
+    it "raises and ArgumentError when referencing an override that has not been set" do
+      expect do
+        Configuration.default
+        SecureHeaders.use_secure_headers_override(request, :missing)
+      end.to raise_error(ArgumentError)
+    end
+
     describe "#header_hash_for" do
       it "allows you to opt out of individual headers via API" do
         Configuration.default
@@ -305,13 +312,29 @@ module SecureHeaders
         end.to raise_error(XPCDPConfigError)
       end
 
+      it "validates your referrer_policy config upon configuration" do
+        expect do
+          Configuration.default do |config|
+            config.referrer_policy = "lol"
+          end
+        end.to raise_error(ReferrerPolicyConfigError)
+      end
+
       it "validates your hpkp config upon configuration" do
         expect do
           Configuration.default do |config|
             config.hpkp = "lol"
           end
         end.to raise_error(PublicKeyPinsConfigError)
       end
+
+      it "validates your cookies config upon configuration" do
+        expect do
+          Configuration.default do |config|
+            config.cookies = { secure: "lol" }
+          end
+        end.to raise_error(CookiesConfigError)
+      end
     end
   end
 end

spec/spec_helper.rb

@@ -11,6 +11,7 @@
 
 
 USER_AGENTS = {
+  edge: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246",
   firefox: 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1',
   chrome: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5',
   ie: 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)',
@@ -30,6 +31,7 @@ def expect_default_values(hash)
   expect(hash[SecureHeaders::XXssProtection::HEADER_NAME]).to eq(SecureHeaders::XXssProtection::DEFAULT_VALUE)
   expect(hash[SecureHeaders::XContentTypeOptions::HEADER_NAME]).to eq(SecureHeaders::XContentTypeOptions::DEFAULT_VALUE)
   expect(hash[SecureHeaders::XPermittedCrossDomainPolicies::HEADER_NAME]).to eq(SecureHeaders::XPermittedCrossDomainPolicies::DEFAULT_VALUE)
+  expect(hash[SecureHeaders::ReferrerPolicy::HEADER_NAME]).to be_nil
 end
 
 module SecureHeaders