Merge branch 'master' into script-hashes-for-3.x

Author: oreoshake

README.md

@@ -15,7 +15,7 @@ The gem will automatically apply several headers that are related to security.
 - X-Permitted-Cross-Domain-Policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
 - Public Key Pinning - Pin certificate fingerprints in the browser to prevent man-in-the-middle attacks due to compromised Certificate Authorities. [Public Key Pinning Specification](https://tools.ietf.org/html/rfc7469)
 
-It can also mark all http cookies with the secure attribute (when configured to do so).
+It can also mark all http cookies with the Secure, HttpOnly and SameSite attributes (when configured to do so).
 
 `secure_headers` is a library with a global config, per request overrides, and rack middleware that enables you customize your application settings.
 
@@ -31,7 +31,13 @@ All `nil` values will fallback to their default values. `SecureHeaders::OPT_OUT`
 
 ```ruby
 SecureHeaders::Configuration.default do |config|
-  config.secure_cookies = true # mark all cookies as "secure"
+  config.cookies = {
+    secure: true, # mark all cookies as "Secure"
+    httponly: true, # mark all cookies as "HttpOnly"
+    samesite: {
+      strict: true # mark all cookies as SameSite=Strict
+    }
+  }
   config.hsts = "max-age=#{20.years.to_i}; includeSubdomains; preload"
   config.x_frame_options = "DENY"
   config.x_content_type_options = "nosniff"
@@ -322,6 +328,57 @@ config.hpkp = {
 }
 ```
 
+### Cookies
+
+SecureHeaders supports `Secure`, `HttpOnly` and [`SameSite`](https://tools.ietf.org/html/draft-west-first-party-cookies-07) cookies. These can be defined in the form of a boolean, or as a Hash for more refined configuration.
+
+__Note__: Regardless of the configuration specified, Secure cookies are only enabled for HTTPS requests.
+
+#### Boolean-based configuration
+
+Boolean-based configuration is intended to globally enable or disable a specific cookie attribute.
+
+```ruby
+config.cookies = {
+  secure: true, # mark all cookies as Secure
+  httponly: false, # do not mark any cookies as HttpOnly
+}
+```
+
+#### Hash-based configuration
+
+Hash-based configuration allows for fine-grained control.
+
+```ruby
+config.cookies = {
+  secure: { except: ['_guest'] }, # mark all but the `_guest` cookie as Secure
+  httponly: { only: ['_rails_session'] }, # only mark the `_rails_session` cookie as HttpOnly
+}
+```
+
+#### SameSite cookie configuration
+
+SameSite cookies permit either `Strict` or `Lax` enforcement mode options.
+
+```ruby
+config.cookies = {
+  samesite: {
+    strict: true # mark all cookies as SameSite=Strict
+  }
+}
+```
+
+`Strict` and `Lax` enforcement modes can also be specified using a Hash.
+
+```ruby
+config.cookies = {
+  samesite: {
+    strict: { only: ['_rails_session'] },
+    lax: { only: ['_guest'] }
+  }
+}
+```
+
 ### Using with Sinatra
 
 Here's an example using SecureHeaders for Sinatra applications:

lib/secure_headers.rb

@@ -1,5 +1,6 @@
 require "secure_headers/configuration"
 require "secure_headers/hash_helper"
+require "secure_headers/headers/cookie"
 require "secure_headers/headers/public_key_pins"
 require "secure_headers/headers/content_security_policy"
 require "secure_headers/headers/x_frame_options"

lib/secure_headers/configuration.rb

@@ -104,9 +104,9 @@ def deep_copy_if_hash(value)
 
     attr_writer :hsts, :x_frame_options, :x_content_type_options,
       :x_xss_protection, :x_download_options, :x_permitted_cross_domain_policies,
-      :hpkp, :dynamic_csp, :secure_cookies
+      :hpkp, :dynamic_csp, :cookies
 
-    attr_reader :cached_headers, :csp, :dynamic_csp, :secure_cookies
+    attr_reader :cached_headers, :csp, :dynamic_csp, :cookies
 
     HASH_CONFIG_FILE = ENV["secure_headers_generated_hashes_file"] || "config/secure_headers_generated_hashes.yml"
     if File.exists?(HASH_CONFIG_FILE)
@@ -126,7 +126,7 @@ def initialize(&block)
     # Returns a deep-dup'd copy of this configuration.
     def dup
       copy = self.class.new
-      copy.secure_cookies = @secure_cookies
+      copy.cookies = @cookies
       copy.csp = self.class.send(:deep_copy_if_hash, @csp)
       copy.dynamic_csp = self.class.send(:deep_copy_if_hash, @dynamic_csp)
       copy.cached_headers = self.class.send(:deep_copy_if_hash, @cached_headers)
@@ -181,13 +181,19 @@ def validate_config!
       XDownloadOptions.validate_config!(@x_download_options)
       XPermittedCrossDomainPolicies.validate_config!(@x_permitted_cross_domain_policies)
       PublicKeyPins.validate_config!(@hpkp)
+      Cookie.validate_config!(@cookies)
+    end
+
+    def secure_cookies=(secure_cookies)
+      Kernel.warn "#{Kernel.caller.first}: [DEPRECATION] `#secure_cookies=` is deprecated. Please use `#cookies=` to configure secure cookies instead."
+      @cookies = (@cookies || {}).merge(secure: secure_cookies)
     end
 
     protected
 
     def csp=(new_csp)
       if self.dynamic_csp
-        raise IllegalPolicyModificationError, "You are attempting to modify CSP settings directly. Use dynamic_csp= isntead."
+        raise IllegalPolicyModificationError, "You are attempting to modify CSP settings directly. Use dynamic_csp= instead."
       end
 
       @csp = new_csp

lib/secure_headers/headers/cookie.rb

@@ -0,0 +1,126 @@
+require 'cgi'
+require 'secure_headers/utils/cookies_config'
+
+module SecureHeaders
+  class CookiesConfigError < StandardError; end
+  class Cookie
+
+    class << self
+      def validate_config!(config)
+        CookiesConfig.new(config).validate!
+      end
+    end
+
+    attr_reader :raw_cookie, :config
+
+    def initialize(cookie, config)
+      @raw_cookie = cookie
+      @config = config
+      @attributes = {
+        httponly: nil,
+        samesite: nil,
+        secure: nil,
+      }
+
+      parse(cookie)
+    end
+
+    def to_s
+      @raw_cookie.dup.tap do |c|
+        c << "; secure" if secure?
+        c << "; HttpOnly" if httponly?
+        c << "; #{samesite_cookie}" if samesite?
+      end
+    end
+
+    def secure?
+      flag_cookie?(:secure) && !already_flagged?(:secure)
+    end
+
+    def httponly?
+      flag_cookie?(:httponly) && !already_flagged?(:httponly)
+    end
+
+    def samesite?
+      flag_samesite? && !already_flagged?(:samesite)
+    end
+
+    private
+
+    def parsed_cookie
+      @parsed_cookie ||= CGI::Cookie.parse(raw_cookie)
+    end
+
+    def already_flagged?(attribute)
+      @attributes[attribute]
+    end
+
+    def flag_cookie?(attribute)
+      case config[attribute]
+      when TrueClass
+        true
+      when Hash
+        conditionally_flag?(config[attribute])
+      else
+        false
+      end
+    end
+
+    def conditionally_flag?(configuration)
+      if(Array(configuration[:only]).any? && (Array(configuration[:only]) & parsed_cookie.keys).any?)
+        true
+      elsif(Array(configuration[:except]).any? && (Array(configuration[:except]) & parsed_cookie.keys).none?)
+        true
+      else
+        false
+      end
+    end
+
+    def samesite_cookie
+      if flag_samesite_lax?
+        "SameSite=Lax"
+      elsif flag_samesite_strict?
+        "SameSite=Strict"
+      end
+    end
+
+    def flag_samesite?
+      flag_samesite_lax? || flag_samesite_strict?
+    end
+
+    def flag_samesite_lax?
+      flag_samesite_enforcement?(:lax)
+    end
+
+    def flag_samesite_strict?
+      flag_samesite_enforcement?(:strict)
+    end
+
+    def flag_samesite_enforcement?(mode)
+      return unless config[:samesite]
+
+      case config[:samesite][mode]
+      when Hash
+        conditionally_flag?(config[:samesite][mode])
+      when TrueClass
+        true
+      else
+        false
+      end
+    end
+
+    def parse(cookie)
+      return unless cookie
+
+      cookie.split(/[;,]\s?/).each do |pairs|
+        name, values = pairs.split('=',2)
+        name = CGI.unescape(name)
+
+        attribute = name.downcase.to_sym
+        if @attributes.has_key?(attribute)
+          @attributes[attribute] = values || true
+        end
+      end
+    end
+  end
+end

lib/secure_headers/middleware.rb

@@ -1,7 +1,5 @@
 module SecureHeaders
   class Middleware
-    SECURE_COOKIE_REGEXP = /;\s*secure\s*(;|$)/i.freeze
-
     def initialize(app)
       @app = app
     end
@@ -12,27 +10,43 @@ def call(env)
       status, headers, response = @app.call(env)
 
       config = SecureHeaders.config_for(req)
-      flag_cookies_as_secure!(headers) if config.secure_cookies
+      flag_cookies!(headers, override_secure(env, config.cookies)) if config.cookies
       headers.merge!(SecureHeaders.header_hash_for(req))
       [status, headers, response]
     end
 
     private
 
     # inspired by https://github.com/tobmatth/rack-ssl-enforcer/blob/6c014/lib/rack/ssl-enforcer.rb#L183-L194
-    def flag_cookies_as_secure!(headers)
+    def flag_cookies!(headers, config)
       if cookies = headers['Set-Cookie']
         # Support Rails 2.3 / Rack 1.1 arrays as headers
         cookies = cookies.split("\n") unless cookies.is_a?(Array)
 
         headers['Set-Cookie'] = cookies.map do |cookie|
-          if cookie !~ SECURE_COOKIE_REGEXP
-            "#{cookie}; secure"
-          else
-            cookie
-          end
+          SecureHeaders::Cookie.new(cookie, config).to_s
         end.join("\n")
       end
     end
+
+    # disable Secure cookies for non-https requests
+    def override_secure(env, config = {})
+      if scheme(env) != 'https'
+        config.merge!(secure: false)
+      end
+
+      config
+    end
+
+    # derived from https://github.com/tobmatth/rack-ssl-enforcer/blob/6c014/lib/rack/ssl-enforcer.rb#L119
+    def scheme(env)
+      if env['HTTPS'] == 'on' || env['HTTP_X_SSL_REQUEST'] == 'on'
+        'https'
+      elsif env['HTTP_X_FORWARDED_PROTO']
+        env['HTTP_X_FORWARDED_PROTO'].split(',')[0]
+      else
+        env['rack.url_scheme']
+      end
+    end
   end
 end