fix: allow URIs with schema to have trailing slashes normalised

keithamus · dgreif · keithamus · commit 6ffcee7537cd · 2022-04-04T16:29:58.000+01:00
Co-authored-by: Dusty Greif &lt;dgreif@users.noreply.github.com&gt;
diff --git a/lib/secure_headers/headers/content_security_policy.rb b/lib/secure_headers/headers/content_security_policy.rb
@@ -152,6 +152,14 @@ def normalize_uri_paths(source_list)
       source_list.map do |source|
         # Normalize domains ending in a single / as without omitting the slash accomplisheg the same.
         # https://www.w3.org/TR/CSP3/#match-paths § 6.6.2.10 Step 2
+        begin
+          uri = URI(source)
+          if uri.path == "/"
+            next source.chomp("/")
+          end
+        rescue URI::InvalidURIError
+        end
+
         if source.chomp("/").include?("/")
           source
         else
diff --git a/spec/lib/secure_headers/headers/content_security_policy_spec.rb b/spec/lib/secure_headers/headers/content_security_policy_spec.rb
@@ -50,10 +50,10 @@ module SecureHeaders
 
       it "normalizes source expressions that end with a trailing /" do
         config = {
-          default_src: %w(a.example.org/ b.example.com/ c.example.net/foo/ b.example.co/bar)
+          default_src: %w(a.example.org/ b.example.com/ wss://c.example.com/ c.example.net/foo/ b.example.co/bar wss://b.example.co/)
         }
         csp = ContentSecurityPolicy.new(config)
-        expect(csp.value).to eq("default-src a.example.org b.example.com c.example.net/foo/ b.example.co/bar")
+        expect(csp.value).to eq("default-src a.example.org b.example.com wss://c.example.com c.example.net/foo/ b.example.co/bar wss://b.example.co")
       end
 
       it "minifies source expressions based on overlapping wildcards" do
