Merge pull request #249 from tomgilligan/master

Add support for Referrer Policy header

Author: oreoshake

README.md

@@ -13,6 +13,7 @@ The gem will automatically apply several headers that are related to security.
 - X-Content-Type-Options - [Prevent content type sniffing](https://msdn.microsoft.com/library/gg622941\(v=vs.85\).aspx)
 - X-Download-Options - [Prevent file downloads opening](https://msdn.microsoft.com/library/jj542450(v=vs.85).aspx)
 - X-Permitted-Cross-Domain-Policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
+- Referrer-Policy - [Referrer Policy draft](https://w3c.github.io/webappsec-referrer-policy/)
 - Public Key Pinning - Pin certificate fingerprints in the browser to prevent man-in-the-middle attacks due to compromised Certificate Authorities. [Public Key Pinning Specification](https://tools.ietf.org/html/rfc7469)
 
 It can also mark all http cookies with the Secure, HttpOnly and SameSite attributes (when configured to do so).
@@ -44,6 +45,7 @@ SecureHeaders::Configuration.default do |config|
   config.x_xss_protection = "1; mode=block"
   config.x_download_options = "noopen"
   config.x_permitted_cross_domain_policies = "none"
+  config.referrer_policy = "origin-when-cross-origin"
   config.csp = {
     # "meta" values. these will shaped the header, but the values are not included in the header.
     report_only:  true,     # default: false

lib/secure_headers.rb

@@ -9,6 +9,7 @@
 require "secure_headers/headers/x_content_type_options"
 require "secure_headers/headers/x_download_options"
 require "secure_headers/headers/x_permitted_cross_domain_policies"
+require "secure_headers/headers/referrer_policy"
 require "secure_headers/middleware"
 require "secure_headers/railtie"
 require "secure_headers/view_helper"
@@ -27,6 +28,7 @@ module SecureHeaders
     ContentSecurityPolicy,
     StrictTransportSecurity,
     PublicKeyPins,
+    ReferrerPolicy,
     XContentTypeOptions,
     XDownloadOptions,
     XFrameOptions,

lib/secure_headers/configuration.rb

@@ -104,7 +104,7 @@ def deep_copy_if_hash(value)
 
     attr_writer :hsts, :x_frame_options, :x_content_type_options,
       :x_xss_protection, :x_download_options, :x_permitted_cross_domain_policies,
-      :hpkp, :dynamic_csp, :cookies
+      :hpkp, :dynamic_csp, :cookies, :referrer_policy
 
     attr_reader :cached_headers, :csp, :dynamic_csp, :cookies
 
@@ -117,6 +117,7 @@ def deep_copy_if_hash(value)
 
     def initialize(&block)
       self.hpkp = OPT_OUT
+      self.referrer_policy = OPT_OUT
       self.csp = self.class.send(:deep_copy, CSP::DEFAULT_CONFIG)
       instance_eval &block if block_given?
     end
@@ -136,6 +137,7 @@ def dup
       copy.x_xss_protection = @x_xss_protection
       copy.x_download_options = @x_download_options
       copy.x_permitted_cross_domain_policies = @x_permitted_cross_domain_policies
+      copy.referrer_policy = @referrer_policy
       copy.hpkp = @hpkp
       copy
     end
@@ -175,6 +177,7 @@ def current_csp
     def validate_config!
       StrictTransportSecurity.validate_config!(@hsts)
       ContentSecurityPolicy.validate_config!(@csp)
+      ReferrerPolicy.validate_config!(@referrer_policy)
       XFrameOptions.validate_config!(@x_frame_options)
       XContentTypeOptions.validate_config!(@x_content_type_options)
       XXssProtection.validate_config!(@x_xss_protection)

lib/secure_headers/headers/referrer_policy.rb

@@ -0,0 +1,33 @@
+module SecureHeaders
+  class ReferrerPolicyConfigError < StandardError; end
+  class ReferrerPolicy
+    HEADER_NAME = "Referrer-Policy"
+    DEFAULT_VALUE = "origin-when-cross-origin"
+    VALID_POLICIES = %w(
+      no-referrer
+      no-referrer-when-downgrade
+      origin
+      origin-when-cross-origin
+      unsafe-url
+    )
+    CONFIG_KEY = :referrer_policy
+
+    class << self
+      # Public: generate an Referrer Policy header.
+      #
+      # Returns a default header if no configuration is provided, or a
+      # header name and value based on the config.
+      def make_header(config = nil)
+        [HEADER_NAME, config || DEFAULT_VALUE]
+      end
+
+      def validate_config!(config)
+        return if config.nil? || config == OPT_OUT
+        raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
+        unless VALID_POLICIES.include?(config.downcase)
+          raise ReferrerPolicyConfigError.new("Value can only be one of #{VALID_POLICIES.join(', ')}")
+        end
+      end
+    end
+  end
+end

lib/secure_headers/railtie.rb

@@ -7,7 +7,7 @@ class Railtie < Rails::Railtie
                              'X-Permitted-Cross-Domain-Policies', 'X-Download-Options',
                              'X-Content-Type-Options', 'Strict-Transport-Security',
                              'Content-Security-Policy', 'Content-Security-Policy-Report-Only',
-                             'Public-Key-Pins', 'Public-Key-Pins-Report-Only']
+                             'Public-Key-Pins', 'Public-Key-Pins-Report-Only', 'Referrer-Policy']
 
       initializer "secure_headers.middleware" do
         Rails.application.config.middleware.insert_before 0, SecureHeaders::Middleware

spec/lib/secure_headers/headers/referrer_policy_spec.rb

@@ -0,0 +1,54 @@
+require 'spec_helper'
+
+module SecureHeaders
+  describe ReferrerPolicy do
+    specify { expect(ReferrerPolicy.make_header).to eq([ReferrerPolicy::HEADER_NAME, "origin-when-cross-origin"]) }
+    specify { expect(ReferrerPolicy.make_header('no-referrer')).to eq([ReferrerPolicy::HEADER_NAME, "no-referrer"]) }
+
+    context "valid configuration values" do
+      it "accepts 'no-referrer'" do
+        expect do
+          ReferrerPolicy.validate_config!("no-referrer")
+        end.not_to raise_error
+      end
+
+      it "accepts 'no-referrer-when-downgrade'" do
+        expect do
+          ReferrerPolicy.validate_config!("no-referrer-when-downgrade")
+        end.not_to raise_error
+      end
+
+      it "accepts 'origin'" do
+        expect do
+          ReferrerPolicy.validate_config!("origin")
+        end.not_to raise_error
+      end
+
+      it "accepts 'origin-when-cross-origin'" do
+        expect do
+          ReferrerPolicy.validate_config!("origin-when-cross-origin")
+        end.not_to raise_error
+      end
+
+      it "accepts 'unsafe-url'" do
+        expect do
+          ReferrerPolicy.validate_config!("unsafe-url")
+        end.not_to raise_error
+      end
+
+      it "accepts nil" do
+        expect do
+          ReferrerPolicy.validate_config!(nil)
+        end.not_to raise_error
+      end
+    end
+
+    context 'invlaid configuration values' do
+      it "doesn't accept invalid values" do
+        expect do
+          ReferrerPolicy.validate_config!("open")
+        end.to raise_error(ReferrerPolicyConfigError)
+      end
+    end
+  end
+end

spec/lib/secure_headers_spec.rb

@@ -312,6 +312,14 @@ module SecureHeaders
         end.to raise_error(XPCDPConfigError)
       end
 
+      it "validates your referrer_policy config upon configuration" do
+        expect do
+          Configuration.default do |config|
+            config.referrer_policy = "lol"
+          end
+        end.to raise_error(ReferrerPolicyConfigError)
+      end
+
       it "validates your hpkp config upon configuration" do
         expect do
           Configuration.default do |config|

spec/spec_helper.rb

@@ -30,6 +30,7 @@ def expect_default_values(hash)
   expect(hash[SecureHeaders::XXssProtection::HEADER_NAME]).to eq(SecureHeaders::XXssProtection::DEFAULT_VALUE)
   expect(hash[SecureHeaders::XContentTypeOptions::HEADER_NAME]).to eq(SecureHeaders::XContentTypeOptions::DEFAULT_VALUE)
   expect(hash[SecureHeaders::XPermittedCrossDomainPolicies::HEADER_NAME]).to eq(SecureHeaders::XPermittedCrossDomainPolicies::DEFAULT_VALUE)
+  expect(hash[SecureHeaders::ReferrerPolicy::HEADER_NAME]).to be_nil
 end
 
 module SecureHeaders