add ability to import a policy from json

Author: oreoshake

lib/secure_headers/headers/content_security_policy.rb

@@ -169,7 +169,17 @@ def value
 
     def to_json
       build_value
-      @config.to_json
+      @config.to_json.gsub(/(\w+)_src/, "\\1-src")
+    end
+
+    def self.from_json(*json_configs)
+      json_configs.inject({}) do |combined_config, one_config|
+        one_config = one_config.gsub(/(\w+)-src/, "\\1_src")
+        config = JSON.parse(one_config, :symbolize_names => true)
+        combined_config.merge(config) do |_, lhs, rhs|
+          lhs | rhs
+        end
+      end
     end
 
     private

spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -58,7 +58,17 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
 
     it "exports a policy to JSON" do
       policy = ContentSecurityPolicy.new(default_opts)
-      expected = %({"default_src":["https:"],"script_src":["'unsafe-inline'","'unsafe-eval'","https:","data:"],"style_src":["'unsafe-inline'","https:","about:"],"img_src":["https:","data:"]})
+      expected = %({"default-src":["https:"],"script-src":["'unsafe-inline'","'unsafe-eval'","https:","data:"],"style-src":["'unsafe-inline'","https:","about:"],"img-src":["https:","data:"]})
+      expect(policy.to_json).to eq(expected)
+    end
+
+    it "imports JSON to build a policy" do
+      json1 = %({"default-src":["https:"],"script-src":["'unsafe-inline'","'unsafe-eval'","https:","data:"]})
+      json2 = %({"style-src":["'unsafe-inline'","https:","about:"],"img-src":["https:","data:"]})
+      config = ContentSecurityPolicy.from_json(json1, json2)
+      policy = ContentSecurityPolicy.new(config.merge(:disable_fill_missing => true))
+
+      expected = %({"default-src":["https:"],"script-src":["'unsafe-inline'","'unsafe-eval'","https:","data:"],"style-src":["'unsafe-inline'","https:","about:"],"img-src":["https:","data:"]})
       expect(policy.to_json).to eq(expected)
     end