just enough to get the trusted types directive into the csp, I think

KyFaSt · web-flow · commit e78ae24e2527 · 2022-06-28T13:29:06.000Z
diff --git a/lib/secure_headers/headers/content_security_policy.rb b/lib/secure_headers/headers/content_security_policy.rb
@@ -61,10 +61,20 @@ def build_value
           build_sandbox_list_directive(directive_name)
         when :media_type_list
           build_media_type_list_directive(directive_name)
+        when :require_trusted_types_for_list
+          build_trusted_type_list_directive(directive_name)
         end
       end.compact.join("; ")
     end
 
+    def build_trusted_type_list_directive(directive)
+      source_list = @config.directive_value(directive)
+      if source_list && !source_list.empty?
+        escaped_source_list = source_list.gsub(/[\n;]/, " ")
+        [symbol_to_hyphen_case(directive), escaped_source_list].join(" ").strip
+      end
+    end
+
     def build_sandbox_list_directive(directive)
       return unless sandbox_list = @config.directive_value(directive)
       max_strict_policy = case sandbox_list
diff --git a/lib/secure_headers/headers/policy_management.rb b/lib/secure_headers/headers/policy_management.rb
@@ -286,7 +286,8 @@ def list_directive?(directive)
         source_list?(directive) ||
           sandbox_list?(directive) ||
           media_type_list?(directive) ||
-          require_sri_for_list?(directive)
+          require_sri_for_list?(directive) ||
+          require_trusted_types_for_list?(directive)
       end
 
       # For each directive in additions that does not exist in the original config,
@@ -324,6 +325,10 @@ def require_sri_for_list?(directive)
         DIRECTIVE_VALUE_TYPES[directive] == :require_sri_for_list
       end
 
+      def require_trusted_types_for_list?(directive)
+        DIRECTIVE_VALUE_TYPES[directive] == :require_trusted_types_for_list
+      end
+
       # Private: Validates that the configuration has a valid type, or that it is a valid
       # source expression.
       def validate_directive!(directive, value)
diff --git a/spec/lib/secure_headers/headers/content_security_policy_spec.rb b/spec/lib/secure_headers/headers/content_security_policy_spec.rb
@@ -147,8 +147,8 @@ module SecureHeaders
       end
 
       it "supports require-trusted-types-for directive" do
-        csp = ContentSecurityPolicy.new({require_trusted_types_for: %(script)})
-        expect(csp.value).to eq("require-trusted-types-for script")
+        csp = ContentSecurityPolicy.new(default_src: %w('self'), require_trusted_types_for: %(script))
+        expect(csp.value).to eq("default-src 'self'; require-trusted-types-for script")
       end
 
       it "does not support style for require-trusted-types-for directive" do
