Merge branch 'master' into tests_for_csp_override_action

oreoshake · oreoshake · commit cdc74c5e29c8 · 2015-06-25T15:09:55.000-07:00
diff --git a/README.md b/README.md
@@ -49,6 +49,7 @@ This gem makes a few assumptions about how you will use some features.  For exam
   config.x_permitted_cross_domain_policies = 'none'
   config.csp = {
     :default_src => "https: self",
+    :enforce => proc {|controller| contoller.current_user.enforce_csp? }
     :frame_src => "https: http:.twimg.com http://itunes.apple.com",
     :img_src => "https:",
     :report_uri => '//example.com/uri-directive'
diff --git a/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb b/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb
@@ -13,7 +13,7 @@ def request(opts = {})
     options = opts.merge(
       {
         'HTTPS' => 'on',
-        'HTTP_USER_AGENT' => "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
+        'HTTP_USER_AGENT' => "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/537.22 (KHTML like Gecko) Chrome/25.0.1364.99 Safari/537.22"
       }
     )
 
diff --git a/fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb b/fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb
@@ -13,7 +13,7 @@ def request(opts = {})
     options = opts.merge(
       {
         'HTTPS' => 'on',
-        'HTTP_USER_AGENT' => "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
+        'HTTP_USER_AGENT' => "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/537.22 (KHTML like Gecko) Chrome/25.0.1364.99 Safari/537.22"
       }
     )
 
diff --git a/lib/secure_headers/headers/content_security_policy.rb b/lib/secure_headers/headers/content_security_policy.rb
@@ -1,6 +1,7 @@
 require 'uri'
 require 'base64'
 require 'securerandom'
+require 'user_agent_parser'
 
 module SecureHeaders
   class ContentSecurityPolicyBuildError < StandardError; end
@@ -106,7 +107,7 @@ def initialize(config=nil, options={})
 
       # Config values can be string, array, or lamdba values
       @config = config.inject({}) do |hash, (key, value)|
-        config_val = value.respond_to?(:call) ? value.call : value
+        config_val = value.respond_to?(:call) ? value.call(@controller) : value
 
         if SOURCE_DIRECTIVES.include?(key) # directives need to be normalized to arrays of strings
           config_val = config_val.split if config_val.is_a? String
@@ -205,8 +206,12 @@ def translate_dir_value val
       elsif %{self none}.include?(val)
         "'#{val}'"
       elsif val == 'nonce'
-        self.class.set_nonce(@controller, nonce)
-        ["'nonce-#{nonce}'", "'unsafe-inline'"]
+        if supports_nonces?(@ua)
+          self.class.set_nonce(@controller, nonce)
+          ["'nonce-#{nonce}'", "'unsafe-inline'"]
+        else
+          "'unsafe-inline'"
+        end
       else
         val
       end
@@ -258,5 +263,10 @@ def non_default_directives
     def build_directive(key)
       "#{self.class.symbol_to_hyphen_case(key)} #{@config[key].join(" ")}; "
     end
+
+    def supports_nonces?(user_agent)
+      parsed_ua = UserAgentParser.parse(user_agent)
+      ["Chrome", "Opera", "Firefox"].include?(parsed_ua.family)
+    end
   end
 end
diff --git a/lib/secure_headers/version.rb b/lib/secure_headers/version.rb
@@ -1,3 +1,3 @@
 module SecureHeaders
-  VERSION = "2.1.0"
+  VERSION = "2.2.1"
 end
diff --git a/secure_headers.gemspec b/secure_headers.gemspec
@@ -19,4 +19,6 @@ Gem::Specification.new do |gem|
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ["lib"]
   gem.add_development_dependency "rake"
+  gem.add_dependency "user_agent_parser"
+  gem.post_install_message = "Warning: lambda config values will be broken until you add |controller|. e.g. :enforce => lambda { |controller| some_expression }"
 end
diff --git a/spec/lib/secure_headers/headers/content_security_policy_spec.rb b/spec/lib/secure_headers/headers/content_security_policy_spec.rb
@@ -17,7 +17,8 @@ module SecureHeaders
     FIREFOX_23 = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0"
     CHROME = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4"
     CHROME_25 = "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/537.22 (KHTML like Gecko) Chrome/25.0.1364.99 Safari/537.22"
-
+    SAFARI = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A"
+    OPERA = "Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16"
 
     def request_for user_agent, request_uri=nil, options={:ssl => false}
       double(:ssl? => options[:ssl], :env => {'HTTP_USER_AGENT' => user_agent}, :url => (request_uri || 'http://areallylongdomainexample.com') )
@@ -76,7 +77,7 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
         end
 
         it "adds a @enforce and @app_name variables to the report uri" do
-          opts = @opts.merge(:tag_report_uri => true, :enforce => true, :app_name => lambda { 'twitter' })
+          opts = @opts.merge(:tag_report_uri => true, :enforce => true, :app_name => proc { 'twitter' })
           csp = ContentSecurityPolicy.new(opts, :request => request_for(CHROME))
           expect(csp.value).to include("/csp_report?enforce=true&app_name=twitter")
         end
@@ -90,7 +91,7 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
         it "accepts procs for report-uris" do
           opts = {
             :default_src => 'self',
-            :report_uri => lambda { "http://lambda/result" }
+            :report_uri => proc { "http://lambda/result" }
           }
 
           csp = ContentSecurityPolicy.new(opts)
@@ -99,15 +100,29 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
 
         it "accepts procs for other fields" do
           opts = {
-            :default_src => lambda { "http://lambda/result" },
-            :enforce => lambda { true },
-            :disable_fill_missing => lambda { true }
+            :default_src => proc { "http://lambda/result" },
+            :enforce => proc { true },
+            :disable_fill_missing => proc { true }
           }
 
           csp = ContentSecurityPolicy.new(opts)
           expect(csp.value).to eq("default-src http://lambda/result; img-src http://lambda/result data:;")
           expect(csp.name).to match("Content-Security-Policy")
         end
+
+        it "passes a reference to the controller to the proc" do
+          controller = double
+          user = double(:beta_testing? => true)
+
+          allow(controller).to receive(:current_user).and_return(user)
+          opts = {
+            :disable_fill_missing => true,
+            :default_src => "self",
+            :enforce => lambda { |c| c.current_user.beta_testing? }
+          }
+          csp = ContentSecurityPolicy.new(opts, :controller => controller)
+          expect(csp.name).to match("Content-Security-Policy")
+        end
       end
     end
 
@@ -170,11 +185,33 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
       end
 
       context "when using a nonce" do
-        it "adds a nonce and unsafe-inline to the script-src value" do
+        it "adds a nonce and unsafe-inline to the script-src value when using chrome" do
           header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "self nonce"), :request => request_for(CHROME))
           expect(header.value).to include("script-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline'")
         end
 
+        it "adds a nonce and unsafe-inline to the script-src value when using firefox" do
+          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "self nonce"), :request => request_for(FIREFOX))
+          expect(header.value).to include("script-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline'")
+        end
+
+        it "adds a nonce and unsafe-inline to the script-src value when using opera" do
+          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "self nonce"), :request => request_for(OPERA))
+          expect(header.value).to include("script-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline'")
+        end
+
+        it "does not add a nonce and unsafe-inline to the script-src value when using Safari" do
+          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "self nonce"), :request => request_for(SAFARI))
+          expect(header.value).to include("script-src 'self' 'unsafe-inline'")
+          expect(header.value).not_to include("nonce")
+        end
+
+        it "does not add a nonce and unsafe-inline to the script-src value when using IE" do
+          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "self nonce"), :request => request_for(IE))
+          expect(header.value).to include("script-src 'self' 'unsafe-inline'")
+          expect(header.value).not_to include("nonce")
+        end
+
         it "adds a nonce and unsafe-inline to the style-src value" do
           header = ContentSecurityPolicy.new(default_opts.merge(:style_src => "self nonce"), :request => request_for(CHROME))
           expect(header.value).to include("style-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline'")

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ def request(opts = {})`
`13`	`13`	`options = opts.merge(`
`14`	`14`	`{`
`15`	`15`	`'HTTPS' => 'on',`
`16`		`- 'HTTP_USER_AGENT' => "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"`
	`16`	`+ 'HTTP_USER_AGENT' => "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/537.22 (KHTML like Gecko) Chrome/25.0.1364.99 Safari/537.22"`
`17`	`17`	`}`
`18`	`18`	`)`
`19`	`19`