remove concept of non-default sources

Author: oreoshake

README.md

@@ -42,10 +42,23 @@ The following methods are going to be called, unless they are provided in a `ski
   config.x_download_options = 'noopen'
   config.x_permitted_cross_domain_policies = 'none'
   config.csp = {
-    :default_src => "https: self",
+    :default_src => "https: 'self'",
     :enforce => proc {|controller| controller.current_user.enforce_csp? },
     :frame_src => "https: http:.twimg.com http://itunes.apple.com",
     :img_src => "https:",
+    :connect_src => "wws:"
+    :font_src => "'self' data:",
+    :frame_src => "'self'",
+    :img_src => "mycdn.com data:",
+    :media_src => "utoob.com",
+    :object_src => "'self'",
+    :script_src => "'self'",
+    :style_src => "'unsafe-inline'",
+    :base_uri => "'self'",
+    :child_src => "'self'",
+    :form_action => "'self' github.com",
+    :frame_ancestors => "'none'",
+    :plugin_types => 'application/x-shockwave-flash',
     :report_uri => '//example.com/uri-directive'
   }
   config.hpkp = {

lib/secure_headers/headers/content_security_policy.rb

@@ -20,26 +20,19 @@ module Constants
         :media_src,
         :object_src,
         :script_src,
-        :style_src
-      ]
-
-      NON_DEFAULT_SOURCES = [
+        :style_src,
         :base_uri,
         :child_src,
         :form_action,
         :frame_ancestors,
-        :plugin_types,
-        :referrer,
-        :reflected_xss
+        :plugin_types
       ]
 
       OTHER = [
         :report_uri
       ]
 
-      SOURCE_DIRECTIVES = DIRECTIVES + NON_DEFAULT_SOURCES
-
-      ALL_DIRECTIVES = DIRECTIVES + NON_DEFAULT_SOURCES + OTHER
+      ALL_DIRECTIVES = DIRECTIVES + OTHER
       CONFIG_KEY = :csp
     end
 
@@ -111,7 +104,7 @@ def initialize(config=nil, options={})
       @config = config.inject({}) do |hash, (key, value)|
         config_val = value.respond_to?(:call) ? value.call(@controller) : value
 
-        if SOURCE_DIRECTIVES.include?(key) # directives need to be normalized to arrays of strings
+        if DIRECTIVES.include?(key) # directives need to be normalized to arrays of strings
           config_val = config_val.split if config_val.is_a? String
           if config_val.is_a?(Array)
             config_val = config_val.map do |val|
@@ -191,7 +184,6 @@ def build_value
       append_http_additions unless ssl_request?
       header_value = [
         generic_directives,
-        non_default_directives,
         report_uri_directive
       ].join.strip
     end
@@ -258,15 +250,6 @@ def generic_directives
       header_value
     end
 
-    def non_default_directives
-      header_value = ''
-      NON_DEFAULT_SOURCES.each do |directive_name|
-        header_value += build_directive(directive_name) if @config[directive_name]
-      end
-
-      header_value
-    end
-
     def build_directive(key)
       "#{self.class.symbol_to_hyphen_case(key)} #{@config[key].join(" ")}; "
     end

spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -148,18 +148,6 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
         }.to raise_error(RuntimeError)
       end
 
-      context "CSP level 2 directives" do
-        let(:config) { {:default_src => 'self'} }
-        ::SecureHeaders::ContentSecurityPolicy::Constants::NON_DEFAULT_SOURCES.each do |non_default_source|
-          it "supports all level 2 directives" do
-            directive_name = ::SecureHeaders::ContentSecurityPolicy.send(:symbol_to_hyphen_case, non_default_source)
-            config.merge!({ non_default_source => "value" })
-            csp = ContentSecurityPolicy.new(config, :request => request_for(CHROME))
-            expect(csp.value).to match(/#{directive_name} value;/)
-          end
-        end
-      end
-
       context "auto-whitelists data: uris for img-src" do
         it "sets the value if no img-src specified" do
           csp = ContentSecurityPolicy.new({:default_src => 'self'}, :request => request_for(CHROME))