clean up deprecation warnings

oreoshake · oreoshake · commit e6e25a5fe472 · 2015-10-01T08:30:06.000-10:00
diff --git a/README.md b/README.md
@@ -165,7 +165,7 @@ This configuration will likely work for most applications without modification.
 
 # Auction site wants to allow images from anywhere, plugin content from a list of trusted media providers (including a content distribution network), and scripts only from its server hosting sanitized JavaScript
 :csp => {
-  :default_src => 'self',
+  :default_src => "'self'",
   :img_src => '*',
   :object_src => ['media1.com', 'media2.com', '*.cdn.com'],
   # alternatively (NOT csv) :object_src => 'media1.com media2.com *.cdn.com'
@@ -204,8 +204,8 @@ Setting a nonce will also set 'unsafe-inline' for browsers that don't support no
 
 ```ruby
 :csp => {
-  :default_src => 'self',
-  :script_src => 'self nonce'
+  :default_src => "'self'",
+  :script_src => "'self' nonce"
 }
 ```
 
@@ -251,7 +251,7 @@ If you only have a few hashes, you can hardcode them for the entire app:
 ```ruby
   config.csp = {
     :default_src => "https:",
-    :script_src => 'self'
+    :script_src => "'self'"
     :script_hashes => ['sha1-abc', 'sha1-qwe']
   }
 ```
@@ -261,7 +261,7 @@ The following will work as well, but may not be as clear:
 ```ruby
   config.csp = {
     :default_src => "https:",
-    :script_src => "self 'sha1-qwe'"
+    :script_src => "'self' 'sha1-qwe'"
   }
 ```
 
@@ -276,7 +276,7 @@ use ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware
 ```ruby
   config.csp = {
     :default_src => "https:",
-    :script_src => 'self',
+    :script_src => "'self'",
     :script_hash_middleware => true
   }
 ```
diff --git a/fixtures/rails_3_2_22/config/initializers/secure_headers.rb b/fixtures/rails_3_2_22/config/initializers/secure_headers.rb
@@ -5,8 +5,8 @@
   config.x_xss_protection = {:value => 1, :mode => 'block'}
   config.x_permitted_cross_domain_policies = 'none'
   csp = {
-    :default_src => "self",
-    :script_src => "self nonce",
+    :default_src => "'self'",
+    :script_src => "'self' nonce",
     :report_uri => 'somewhere',
     :script_hash_middleware => true,
     :enforce => false # false means warnings only
diff --git a/fixtures/rails_3_2_22_no_init/app/controllers/other_things_controller.rb b/fixtures/rails_3_2_22_no_init/app/controllers/other_things_controller.rb
@@ -1,5 +1,5 @@
 class OtherThingsController < ApplicationController
-  ensure_security_headers :csp => {:default_src => 'self'}
+  ensure_security_headers :csp => {:default_src => "'self'"}
   def index
 
   end
@@ -11,7 +11,7 @@ def other_action
   def secure_header_options_for(header, options)
     if params[:action] == "other_action"
       if header == :csp
-        options.merge(:style_src => 'self')
+        options.merge(:style_src => "'self'")
       end
     else
       options
diff --git a/fixtures/rails_4_1_8/config/initializers/secure_headers.rb b/fixtures/rails_4_1_8/config/initializers/secure_headers.rb
@@ -5,8 +5,8 @@
   config.x_xss_protection = {:value => 0}
   config.x_permitted_cross_domain_policies = 'none'
   csp = {
-    :default_src => "self",
-    :script_src => "self nonce",
+    :default_src => "'self'",
+    :script_src => "'self' nonce",
     :report_uri => 'somewhere',
     :script_hash_middleware => true,
     :enforce => false # false means warnings only
diff --git a/spec/lib/secure_headers/headers/content_security_policy_spec.rb b/spec/lib/secure_headers/headers/content_security_policy_spec.rb
@@ -82,7 +82,7 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
 
     describe "#normalize_csp_options" do
       before(:each) do
-        default_opts[:script_src] << ' self none'
+        default_opts[:script_src] <<  " 'self' 'none'"
         @opts = default_opts
       end
 
@@ -106,7 +106,7 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
 
         it "accepts procs for report-uris" do
           opts = {
-            :default_src => 'self',
+            :default_src => "'self'",
             :report_uri => proc { "http://lambda/result" }
           }
 
@@ -131,7 +131,7 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
 
           allow(controller).to receive(:current_user).and_return(user)
           opts = {
-            :default_src => "self",
+            :default_src => "'self'",
             :enforce => lambda { |c| c.current_user.beta_testing? }
           }
           csp = ContentSecurityPolicy.new(opts, :controller => controller)
@@ -150,22 +150,22 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
 
       context "auto-whitelists data: uris for img-src" do
         it "sets the value if no img-src specified" do
-          csp = ContentSecurityPolicy.new({:default_src => 'self'}, :request => request_for(CHROME))
+          csp = ContentSecurityPolicy.new({:default_src => "'self'"}, :request => request_for(CHROME))
           expect(csp.value).to eq("default-src 'self'; img-src 'self' data:;")
         end
 
         it "appends the value if img-src is specified" do
-          csp = ContentSecurityPolicy.new({:default_src => 'self', :img_src => 'self'}, :request => request_for(CHROME))
+          csp = ContentSecurityPolicy.new({:default_src => "'self'", :img_src => "'self'"}, :request => request_for(CHROME))
           expect(csp.value).to eq("default-src 'self'; img-src 'self' data:;")
         end
 
         it "doesn't add a duplicate data uri if img-src specifies it already" do
-          csp = ContentSecurityPolicy.new({:default_src => 'self', :img_src => 'self data:'}, :request => request_for(CHROME))
+          csp = ContentSecurityPolicy.new({:default_src => "'self'", :img_src => "'self' data:"}, :request => request_for(CHROME))
           expect(csp.value).to eq("default-src 'self'; img-src 'self' data:;")
         end
 
         it "allows the user to disable img-src data: uris auto-whitelisting" do
-          csp = ContentSecurityPolicy.new({:default_src => 'self', :img_src => 'self', :disable_img_src_data_uri => true}, :request => request_for(CHROME))
+          csp = ContentSecurityPolicy.new({:default_src => "'self'", :img_src => "'self'", :disable_img_src_data_uri => true}, :request => request_for(CHROME))
           expect(csp.value).to eq("default-src 'self'; img-src 'self';")
         end
       end
@@ -191,47 +191,47 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
 
       context "when using a nonce" do
         it "adds a nonce and unsafe-inline to the script-src value when using chrome" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "self nonce"), :request => request_for(CHROME), :controller => controller)
+          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "'self' nonce"), :request => request_for(CHROME), :controller => controller)
           expect(header.value).to include("script-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline'")
         end
 
         it "adds a nonce and unsafe-inline to the script-src value when using firefox" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "self nonce"), :request => request_for(FIREFOX), :controller => controller)
+          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "'self' nonce"), :request => request_for(FIREFOX), :controller => controller)
           expect(header.value).to include("script-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline'")
         end
 
         it "adds a nonce and unsafe-inline to the script-src value when using opera" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "self nonce"), :request => request_for(OPERA), :controller => controller)
+          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "'self' nonce"), :request => request_for(OPERA), :controller => controller)
           expect(header.value).to include("script-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline'")
         end
 
         it "does not add a nonce and unsafe-inline to the script-src value when using Safari" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "self nonce"), :request => request_for(SAFARI), :controller => controller)
+          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "'self' nonce"), :request => request_for(SAFARI), :controller => controller)
           expect(header.value).to include("script-src 'self' 'unsafe-inline'")
           expect(header.value).not_to include("nonce")
         end
 
         it "does not add a nonce and unsafe-inline to the script-src value when using IE" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "self nonce"), :request => request_for(IE), :controller => controller)
+          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "'self' nonce"), :request => request_for(IE), :controller => controller)
           expect(header.value).to include("script-src 'self' 'unsafe-inline'")
           expect(header.value).not_to include("nonce")
         end
 
         it "adds a nonce and unsafe-inline to the style-src value" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:style_src => "self nonce"), :request => request_for(CHROME), :controller => controller)
+          header = ContentSecurityPolicy.new(default_opts.merge(:style_src => "'self' nonce"), :request => request_for(CHROME), :controller => controller)
           expect(header.value).to include("style-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline'")
         end
 
         it "adds an identical nonce to the style and script-src directives" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:style_src => "self nonce", :script_src => "self nonce"), :request => request_for(CHROME), :controller => controller)
+          header = ContentSecurityPolicy.new(default_opts.merge(:style_src => "'self' nonce", :script_src => "'self' nonce"), :request => request_for(CHROME), :controller => controller)
           nonce = header.nonce
           value = header.value
           expect(value).to include("style-src 'self' 'nonce-#{nonce}' 'unsafe-inline'")
           expect(value).to include("script-src 'self' 'nonce-#{nonce}' 'unsafe-inline'")
         end
 
         it "does not add 'unsafe-inline' twice" do
-          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "self nonce 'unsafe-inline'"), :request => request_for(CHROME), :controller => controller)
+          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "'self' nonce 'unsafe-inline'"), :request => request_for(CHROME), :controller => controller)
           expect(header.value).to include("script-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline';")
         end
       end
@@ -279,7 +279,7 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
 
         describe ".add_to_env" do
           let(:controller) { double }
-          let(:config) { {:default_src => 'self'} }
+          let(:config) { {:default_src => "'self'"} }
           let(:options) { {:controller => controller} }
 
           it "adds metadata to env" do
