Merge pull request #404 from will/disableappend

Add option to disable appending 'unsafe-inline' when using nonces

Author: oreoshake

lib/secure_headers/headers/content_security_policy.rb

@@ -179,7 +179,8 @@ def populate_nonces(directive, source_list)
     # unsafe-inline, this is more concise.
     def append_nonce(source_list, nonce)
       if nonce
-        source_list.push("'nonce-#{nonce}'", UNSAFE_INLINE)
+        source_list.push("'nonce-#{nonce}'")
+        source_list.push(UNSAFE_INLINE) unless @config[:disable_nonce_backwards_compatibility]
       end
 
       source_list

lib/secure_headers/headers/content_security_policy_config.rb

@@ -42,6 +42,7 @@ def initialize(hash)
       @style_src = nil
       @worker_src = nil
       @upgrade_insecure_requests = nil
+      @disable_nonce_backwards_compatibility = nil
 
       from_hash(hash)
     end

lib/secure_headers/headers/policy_management.rb

@@ -153,7 +153,8 @@ def self.included(base)
 
     META_CONFIGS = [
       :report_only,
-      :preserve_schemes
+      :preserve_schemes,
+      :disable_nonce_backwards_compatibility
     ].freeze
 
     NONCES = [

spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -145,6 +145,11 @@ module SecureHeaders
         csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456})
         expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456' 'unsafe-inline'")
       end
+
+      it "supports strict-dynamic and opting out of the appended 'unsafe-inline'" do
+        csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456, disable_nonce_backwards_compatibility: true })
+        expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456'")
+      end
     end
   end
 end