Merge pull request #178 from twitter/directive-cleanup

Directive cleanup

Author: oreoshake

README.md

@@ -42,10 +42,23 @@ The following methods are going to be called, unless they are provided in a `ski
   config.x_download_options = 'noopen'
   config.x_permitted_cross_domain_policies = 'none'
   config.csp = {
-    :default_src => "https: self",
+    :default_src => "https: 'self'",
     :enforce => proc {|controller| controller.current_user.enforce_csp? },
     :frame_src => "https: http:.twimg.com http://itunes.apple.com",
     :img_src => "https:",
+    :connect_src => "wws:"
+    :font_src => "'self' data:",
+    :frame_src => "'self'",
+    :img_src => "mycdn.com data:",
+    :media_src => "utoob.com",
+    :object_src => "'self'",
+    :script_src => "'self'",
+    :style_src => "'unsafe-inline'",
+    :base_uri => "'self'",
+    :child_src => "'self'",
+    :form_action => "'self' github.com",
+    :frame_ancestors => "'none'",
+    :plugin_types => 'application/x-shockwave-flash',
     :report_uri => '//example.com/uri-directive'
   }
   config.hpkp = {
@@ -152,7 +165,7 @@ This configuration will likely work for most applications without modification.
 
 # Auction site wants to allow images from anywhere, plugin content from a list of trusted media providers (including a content distribution network), and scripts only from its server hosting sanitized JavaScript
 :csp => {
-  :default_src => 'self',
+  :default_src => "'self'",
   :img_src => '*',
   :object_src => ['media1.com', 'media2.com', '*.cdn.com'],
   # alternatively (NOT csv) :object_src => 'media1.com media2.com *.cdn.com'
@@ -191,8 +204,8 @@ Setting a nonce will also set 'unsafe-inline' for browsers that don't support no
 
 ```ruby
 :csp => {
-  :default_src => 'self',
-  :script_src => 'self nonce'
+  :default_src => "'self'",
+  :script_src => "'self' nonce"
 }
 ```
 
@@ -238,7 +251,7 @@ If you only have a few hashes, you can hardcode them for the entire app:
 ```ruby
   config.csp = {
     :default_src => "https:",
-    :script_src => 'self'
+    :script_src => "'self'"
     :script_hashes => ['sha1-abc', 'sha1-qwe']
   }
 ```
@@ -248,7 +261,7 @@ The following will work as well, but may not be as clear:
 ```ruby
   config.csp = {
     :default_src => "https:",
-    :script_src => "self 'sha1-qwe'"
+    :script_src => "'self' 'sha1-qwe'"
   }
 ```
 
@@ -263,7 +276,7 @@ use ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware
 ```ruby
   config.csp = {
     :default_src => "https:",
-    :script_src => 'self',
+    :script_src => "'self'",
     :script_hash_middleware => true
   }
 ```

fixtures/rails_3_2_22/config/initializers/secure_headers.rb

@@ -5,8 +5,8 @@
   config.x_xss_protection = {:value => 1, :mode => 'block'}
   config.x_permitted_cross_domain_policies = 'none'
   csp = {
-    :default_src => "self",
-    :script_src => "self nonce",
+    :default_src => "'self'",
+    :script_src => "'self' nonce",
     :report_uri => 'somewhere',
     :script_hash_middleware => true,
     :enforce => false # false means warnings only

fixtures/rails_3_2_22_no_init/app/controllers/other_things_controller.rb

@@ -1,5 +1,5 @@
 class OtherThingsController < ApplicationController
-  ensure_security_headers :csp => {:default_src => 'self'}
+  ensure_security_headers :csp => {:default_src => "'self'"}
   def index
 
   end
@@ -11,7 +11,7 @@ def other_action
   def secure_header_options_for(header, options)
     if params[:action] == "other_action"
       if header == :csp
-        options.merge(:style_src => 'self')
+        options.merge(:style_src => "'self'")
       end
     else
       options

fixtures/rails_4_1_8/config/initializers/secure_headers.rb

@@ -5,8 +5,8 @@
   config.x_xss_protection = {:value => 0}
   config.x_permitted_cross_domain_policies = 'none'
   csp = {
-    :default_src => "self",
-    :script_src => "self nonce",
+    :default_src => "'self'",
+    :script_src => "'self' nonce",
     :report_uri => 'somewhere',
     :script_hash_middleware => true,
     :enforce => false # false means warnings only

lib/secure_headers/headers/content_security_policy.rb

@@ -20,26 +20,19 @@ module Constants
         :media_src,
         :object_src,
         :script_src,
-        :style_src
-      ]
-
-      NON_DEFAULT_SOURCES = [
+        :style_src,
         :base_uri,
         :child_src,
         :form_action,
         :frame_ancestors,
-        :plugin_types,
-        :referrer,
-        :reflected_xss
+        :plugin_types
       ]
 
       OTHER = [
         :report_uri
       ]
 
-      SOURCE_DIRECTIVES = DIRECTIVES + NON_DEFAULT_SOURCES
-
-      ALL_DIRECTIVES = DIRECTIVES + NON_DEFAULT_SOURCES + OTHER
+      ALL_DIRECTIVES = DIRECTIVES + OTHER
       CONFIG_KEY = :csp
     end
 
@@ -111,7 +104,7 @@ def initialize(config=nil, options={})
       @config = config.inject({}) do |hash, (key, value)|
         config_val = value.respond_to?(:call) ? value.call(@controller) : value
 
-        if SOURCE_DIRECTIVES.include?(key) # directives need to be normalized to arrays of strings
+        if DIRECTIVES.include?(key) # directives need to be normalized to arrays of strings
           config_val = config_val.split if config_val.is_a? String
           if config_val.is_a?(Array)
             config_val = config_val.map do |val|
@@ -191,7 +184,6 @@ def build_value
       append_http_additions unless ssl_request?
       header_value = [
         generic_directives,
-        non_default_directives,
         report_uri_directive
       ].join.strip
     end
@@ -258,15 +250,6 @@ def generic_directives
       header_value
     end
 
-    def non_default_directives
-      header_value = ''
-      NON_DEFAULT_SOURCES.each do |directive_name|
-        header_value += build_directive(directive_name) if @config[directive_name]
-      end
-
-      header_value
-    end
-
     def build_directive(key)
       "#{self.class.symbol_to_hyphen_case(key)} #{@config[key].join(" ")}; "
     end

spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -82,7 +82,7 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
 
     describe "#normalize_csp_options" do
       before(:each) do
-        default_opts[:script_src] << ' self none'
+        default_opts[:script_src] <<  " 'self' 'none'"
         @opts = default_opts
       end
 
@@ -106,7 +106,7 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
 
         it "accepts procs for report-uris" do
           opts = {
-            :default_src => 'self',
+            :default_src => "'self'",
             :report_uri => proc { "http://lambda/result" }
           }
 
@@ -131,7 +131,7 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
 
           allow(controller).to receive(:current_user).and_return(user)
           opts = {
-            :default_src => "self",
+            :default_src => "'self'",
             :enforce => lambda { |c| c.current_user.beta_testing? }
           }
           csp = ContentSecurityPolicy.new(opts, :controller => controller)
@@ -148,36 +148,24 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
         }.to raise_error(RuntimeError)
       end
 
-      context "CSP level 2 directives" do
-        let(:config) { {:default_src => 'self'} }
-        ::SecureHeaders::ContentSecurityPolicy::Constants::NON_DEFAULT_SOURCES.each do |non_default_source|
-          it "supports all level 2 directives" do
-            directive_name = ::SecureHeaders::ContentSecurityPolicy.send(:symbol_to_hyphen_case, non_default_source)
-            config.merge!({ non_default_source => "value" })
-            csp = ContentSecurityPolicy.new(config, :request => request_for(CHROME))
-            expect(csp.value).to match(/#{directive_name} value;/)
-          end
-        end
-      end
-
       context "auto-whitelists data: uris for img-src" do
         it "sets the value if no img-src specified" do
-          csp = ContentSecurityPolicy.new({:default_src => 'self'}, :request => request_for(CHROME))
+          csp = ContentSecurityPolicy.new({:default_src => "'self'"}, :request => request_for(CHROME))
           expect(csp.value).to eq("default-src 'self'; img-src 'self' data:;")
         end
 
         it "appends the value if img-src is specified" do
-          csp = ContentSecurityPolicy.new({:default_src => 'self', :img_src => 'self'}, :request => request_for(CHROME))
+          csp = ContentSecurityPolicy.new({:default_src => "'self'", :img_src => "'self'"}, :request => request_for(CHROME))
           expect(csp.value).to eq("default-src 'self'; img-src 'self' data:;")
         end
 
         it "doesn't add a duplicate data uri if img-src specifies it already" do
-          csp = ContentSecurityPolicy.new({:default_src => 'self', :img_src => 'self data:'}, :request => request_for(CHROME))
+          csp = ContentSecurityPolicy.new({:default_src => "'self'", :img_src => "'self' data:"}, :request => request_for(CHROME))
           expect(csp.value).to eq("default-src 'self'; img-src 'self' data:;")
         end
 
         it "allows the user to disable img-src data: uris auto-whitelisting" do
-          csp = ContentSecurityPolicy.new({:default_src => 'self', :img_src => 'self', :disable_img_src_data_uri => true}, :request => request_for(CHROME))
+          csp = ContentSecurityPolicy.new({:default_src => "'self'", :img_src => "'self'", :disable_img_src_data_uri => true}, :request => request_for(CHROME))
           expect(csp.value).to eq("default-src 'self'; img-src 'self';")
         end
       end
@@ -203,47 +191,47 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
 
       context "when using a nonce" do
         it "adds a nonce and unsafe-inline to the script-src value when using chrome" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "self nonce"), :request => request_for(CHROME), :controller => controller)
+          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "'self' nonce"), :request => request_for(CHROME), :controller => controller)
           expect(header.value).to include("script-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline'")
         end
 
         it "adds a nonce and unsafe-inline to the script-src value when using firefox" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "self nonce"), :request => request_for(FIREFOX), :controller => controller)
+          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "'self' nonce"), :request => request_for(FIREFOX), :controller => controller)
           expect(header.value).to include("script-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline'")
         end
 
         it "adds a nonce and unsafe-inline to the script-src value when using opera" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "self nonce"), :request => request_for(OPERA), :controller => controller)
+          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "'self' nonce"), :request => request_for(OPERA), :controller => controller)
           expect(header.value).to include("script-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline'")
         end
 
         it "does not add a nonce and unsafe-inline to the script-src value when using Safari" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "self nonce"), :request => request_for(SAFARI), :controller => controller)
+          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "'self' nonce"), :request => request_for(SAFARI), :controller => controller)
           expect(header.value).to include("script-src 'self' 'unsafe-inline'")
           expect(header.value).not_to include("nonce")
         end
 
         it "does not add a nonce and unsafe-inline to the script-src value when using IE" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "self nonce"), :request => request_for(IE), :controller => controller)
+          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "'self' nonce"), :request => request_for(IE), :controller => controller)
           expect(header.value).to include("script-src 'self' 'unsafe-inline'")
           expect(header.value).not_to include("nonce")
         end
 
         it "adds a nonce and unsafe-inline to the style-src value" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:style_src => "self nonce"), :request => request_for(CHROME), :controller => controller)
+          header = ContentSecurityPolicy.new(default_opts.merge(:style_src => "'self' nonce"), :request => request_for(CHROME), :controller => controller)
           expect(header.value).to include("style-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline'")
         end
 
         it "adds an identical nonce to the style and script-src directives" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:style_src => "self nonce", :script_src => "self nonce"), :request => request_for(CHROME), :controller => controller)
+          header = ContentSecurityPolicy.new(default_opts.merge(:style_src => "'self' nonce", :script_src => "'self' nonce"), :request => request_for(CHROME), :controller => controller)
           nonce = header.nonce
           value = header.value
           expect(value).to include("style-src 'self' 'nonce-#{nonce}' 'unsafe-inline'")
           expect(value).to include("script-src 'self' 'nonce-#{nonce}' 'unsafe-inline'")
         end
 
         it "does not add 'unsafe-inline' twice" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "self nonce 'unsafe-inline'"), :request => request_for(CHROME), :controller => controller)
+          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "'self' nonce 'unsafe-inline'"), :request => request_for(CHROME), :controller => controller)
           expect(header.value).to include("script-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline';")
         end
       end
@@ -291,7 +279,7 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
 
         describe ".add_to_env" do
           let(:controller) { double }
-          let(:config) { {:default_src => 'self'} }
+          let(:config) { {:default_src => "'self'"} }
           let(:options) { {:controller => controller} }
 
           it "adds metadata to env" do