more cleanup from stricter config settings

Author: oreoshake

lib/secure_headers/headers/content_security_policy.rb

@@ -68,6 +68,7 @@ module Constants
       ).freeze
 
       ALL_DIRECTIVES = [DIRECTIVES_1_0 + DIRECTIVES_2_0 + DIRECTIVES_3_0 + DIRECTIVES_DRAFT].flatten.sort.uniq
+      ALL_CONFIGS = [:enforce, :app_name, :script_hash_middleware] + ALL_DIRECTIVES
       CONFIG_KEY = :csp
     end
 
@@ -147,7 +148,7 @@ def initialize(config=nil, options={})
       # Config values can be string, array, or lamdba values
       @config = config.inject({}) do |hash, (key, value)|
         config_val = value.respond_to?(:call) ? value.call(@controller) : value
-        if ([:enforce, :app_name] + ContentSecurityPolicy::ALL_DIRECTIVES).include?(key.to_sym) # directives need to be normalized to arrays of strings
+        if ContentSecurityPolicy::ALL_CONFIGS.include?(key.to_sym) # directives need to be normalized to arrays of strings
           config_val = config_val.split if config_val.is_a? String
           if config_val.is_a?(Array)
             config_val = config_val.map do |val|

lib/secure_headers/view_helper.rb

@@ -27,7 +27,6 @@ def hashed_javascript_tag(raise_error_on_unrecognized_hash = false, &block)
           if raise_error_on_unrecognized_hash
             raise UnexpectedHashedScriptException.new(message)
           else
-            puts message
             request.env[HASHES_ENV_KEY] = (request.env[HASHES_ENV_KEY] || []) << hash_value
           end
         end

spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb

@@ -10,7 +10,6 @@ module SecureHeaders
 
     let(:default_config) do
       {
-        :disable_fill_missing => true,
         :default_src => 'https://*',
         :report_uri => '/csp_report',
         :script_src => "'unsafe-inline' 'unsafe-eval' https://* data:",

spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -59,7 +59,6 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
 
     it "exports a policy to JSON" do
       policy = ContentSecurityPolicy.new(default_opts)
-      puts default_opts
       expected = %({"default-src":["https:"],"img-src":["https:","data:"],"script-src":["'unsafe-inline'","'unsafe-eval'","https:","data:"],"style-src":["'unsafe-inline'","https:","about:"],"report-uri":["/csp_report"]})
       expect(policy.to_json).to eq(expected)
     end

spec/lib/secure_headers_spec.rb

@@ -166,7 +166,7 @@ def expect_default_values(hash)
     end
 
     it "produces a hash of headers given a hash as config" do
-      hash = SecureHeaders::header_hash(:csp => {:default_src => "'none'", :img_src => "data:", :disable_fill_missing => true})
+      hash = SecureHeaders::header_hash(:csp => {:default_src => "'none'", :img_src => "data:"})
       expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'none'; img-src data:;")
       expect_default_values(hash)
     end
@@ -186,7 +186,7 @@ def expect_default_values(hash)
         }
       end
 
-      hash = SecureHeaders::header_hash(:csp => {:default_src => "'none'", :img_src => "data:", :disable_fill_missing => true})
+      hash = SecureHeaders::header_hash(:csp => {:default_src => "'none'", :img_src => "data:"})
       ::SecureHeaders::Configuration.configure do |config|
         config.hsts = nil
         config.hpkp = nil