From 4758d5fde0279ddc4d05b4526cfc0a32fab0eadd Mon Sep 17 00:00:00 2001
From: Jordan Owens
Date: Sun, 4 Nov 2018 12:32:55 -0500
Subject: [PATCH 1/2] Allow content source to fallback to default-src
Remove defaults for script-src, style-src, connect-src, and img-src so that they can fallback to default-src. The default for default-src has been changed from 'none' to 'self'. This seems to be a safe default especially as browsers implement prefetch-src. If stricter policies are needed they can be specified when loading this middleware.
---
 .../lib/rack/protection/content_security_policy.rb | 4 +---
 .../lib/rack/protection/content_security_policy_spec.rb | 8 ++++----
 2 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/rack-protection/lib/rack/protection/content_security_policy.rb b/rack-protection/lib/rack/protection/content_security_policy.rb
index 60e6b99bca..b1a6f8bf1c 100644
--- a/rack-protection/lib/rack/protection/content_security_policy.rb
+++ b/rack-protection/lib/rack/protection/content_security_policy.rb
@@ -36,9 +36,7 @@ module Protection
 # to be used in a policy.
 #
 class ContentSecurityPolicy < Base
- default_options default_src: :none, script_src: "'self'",
- img_src: "'self'", style_src: "'self'",
- connect_src: "'self'", report_only: false
+ default_options default_src: "'self'", report_only: false
 DIRECTIVES = %i(base_uri child_src connect_src default_src font_src form_action frame_ancestors frame_src
diff --git a/rack-protection/spec/lib/rack/protection/content_security_policy_spec.rb b/rack-protection/spec/lib/rack/protection/content_security_policy_spec.rb
index 2683a184de..bcc8393c36 100644
--- a/rack-protection/spec/lib/rack/protection/content_security_policy_spec.rb
+++ b/rack-protection/spec/lib/rack/protection/content_security_policy_spec.rb
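Review bot: Replacing `default_src: :none` with `"'self'"` does more than let script/style/connect/img fall back: every fetch directive that is not set explicitly now resolves to `'self'`, so `object-src`, `frame-src`, `font-src`, `media-src` and `worker-src` go from effectively blocked to same-origin allowed. `object-src` is the one that common CSP guidance keeps at `'none'` independently of `default-src`, because plugin content is not governed by `script-src`; consider keeping it pinned while the rest fall back: `default_options default_src: "'self'", object_src: "'none'", report_only: false`. The class comment whose tail is the first context line of this hunk presumably describes the old per-directive defaults and should be brought in line, and it is worth stating there that `base-uri`, `form-action`, `frame-ancestors` and `sandbox` never fall back to `default-src`.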
@@ -4,7 +4,7 @@
 it 'should set the Content Security Policy' do
 expect(
 get('/', {}, 'wants' => 'text/html').headers["Content-Security-Policy"]
- ).to eq("connect-src 'self'; default-src none; img-src 'self'; script-src 'self'; style-src 'self'")
+ ).to eq("default-src 'self'")
 end
 it 'should not set the Content Security Policy for other content types' do
@@ -33,7 +33,7 @@
 end
 headers = get('/', {}, 'wants' => 'text/html').headers
- expect(headers["Content-Security-Policy"]).to eq("block-all_mixed_content; connect-src 'self'; default-src none; disown-opener; img-src 'self'; script-src 'self'; style-src 'self'; upgrade-insecure_requests")
+ expect(headers["Content-Security-Policy"]).to eq("block-all_mixed_content; default-src 'self'; disown-opener; upgrade-insecure_requests")
 end
 it 'should ignore CSP3 no arg directives unless they are set to true' do
@@ -44,7 +44,7 @@
 end
 headers = get('/', {}, 'wants' => 'text/html').headers
- expect(headers["Content-Security-Policy"]).to eq("connect-src 'self'; default-src none; img-src 'self'; script-src 'self'; style-src 'self'")
+ expect(headers["Content-Security-Policy"]).to eq("default-src 'self'")
 end
 it 'should allow changing report only' do
@@ -56,7 +56,7 @@
 headers = get('/', {}, 'wants' => 'text/html').headers
 expect(headers["Content-Security-Policy"]).to be_nil
- expect(headers["Content-Security-Policy-Report-Only"]).to eq("connect-src 'self'; default-src none; img-src 'self'; report-uri /my_amazing_csp_report_parser; script-src 'self'; style-src 'self'")
+ expect(headers["Content-Security-Policy-Report-Only"]).to eq("default-src 'self'; report-uri /my_amazing_csp_report_parser")
 end
 it 'should not override the header if already set' do
From c4485fb2d5d82c19dcd43d0e52e90b9a12e96109 Mon Sep 17 00:00:00 2001
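Review bot: The new expectation in the `@@ -33,7 +33,7 @@` hunk still pins `block-all_mixed_content` and `upgrade-insecure_requests`, which are not valid CSP directive names (they are `block-all-mixed-content` and `upgrade-insecure-requests`); browsers drop directives they do not recognise, so the no-arg directives this middleware emits are silently not enforced and the spec now enshrines that output. This looks like the underscore-to-hyphen conversion in the lib replacing only the first underscore (that code is not in this patch), so the fix belongs there, with this line becoming `expect(headers["Content-Security-Policy"]).to eq("block-all-mixed-content; default-src 'self'; disown-opener; upgrade-insecure-requests")`. Separately, none of the four hunks exercises the fall-back behaviour the commit is about: a case that passes an explicit `script_src: "'self'"` with the new default and asserts that both `default-src 'self'` and `script-src 'self'` appear in the header would cover it.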
From: Jordan Owens
Date: Sun, 4 Nov 2018 12:55:59 -0500
Subject: [PATCH 2/2] Add support for webrtc-src, navigate-to, and prefetch-src directives
---
 rack-protection/lib/rack/protection/content_security_policy.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rack-protection/lib/rack/protection/content_security_policy.rb b/rack-protection/lib/rack/protection/content_security_policy.rb
index b1a6f8bf1c..1d40f67d06 100644
--- a/rack-protection/lib/rack/protection/content_security_policy.rb
+++ b/rack-protection/lib/rack/protection/content_security_policy.rb
@@ -43,7 +43,8 @@ class ContentSecurityPolicy < Base
 img_src manifest_src media_src object_src plugin_types referrer reflected_xss report_to report_uri require_sri_for sandbox script_src
- style_src worker_src).freeze
+ style_src worker_src webrtc_src navigate_to
+ prefetch_src).freeze
 NO_ARG_DIRECTIVES = %i(block_all_mixed_content disown_opener upgrade_insecure_requests).freeze
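Review bot: The three new symbols are appended after `worker_src`, which breaks the alphabetical order the rest of `DIRECTIVES` keeps; `navigate_to` belongs between `media_src` and `object_src`, `prefetch_src` between `plugin_types` and `referrer`, and `webrtc_src` between `style_src` and `worker_src`. A short comment on the constant would also help users set expectations, e.g. `# webrtc-src and navigate-to are CSP3 draft directives; browsers that do not recognise them ignore them`, since as far as I know later CSP3 drafts replaced `webrtc-src` with a `webrtc` directive and dropped `navigate-to`, so accepting them here gives no enforcement on its own. Note too that `navigate-to` is a navigation directive and does not fall back to `default-src`, unlike `prefetch-src`.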