Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow CSP to fallback to default-src #1490

Merged
merged 3 commits into from Mar 13, 2020
Merged

Allow CSP to fallback to default-src #1490

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
4758d5f
Allow content source to fallback to default-src
jkowens Nov 4, 2018
c4485fb
Add support for webrtc-src, navigate-to, and prefetch-src directives
jkowens Nov 4, 2018
7c055f2
Merge branch 'master' into master
jkowens Mar 13, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
7 changes: 3 additions & 4 deletions rack-protection/lib/rack/protection/content_security_policy.rb
View file
Open in desktop
Expand Up @@ -36,16 +36,15 @@ module Protection
# to be used in a policy.
#
class ContentSecurityPolicy < Base
default_options default_src: :none, script_src: "'self'",
img_src: "'self'", style_src: "'self'",
connect_src: "'self'", report_only: false
default_options default_src: "'self'", report_only: false

DIRECTIVES = %i(base_uri child_src connect_src default_src
font_src form_action frame_ancestors frame_src
img_src manifest_src media_src object_src
plugin_types referrer reflected_xss report_to
report_uri require_sri_for sandbox script_src
style_src worker_src).freeze
style_src worker_src webrtc_src navigate_to
prefetch_src).freeze

NO_ARG_DIRECTIVES = %i(block_all_mixed_content disown_opener
upgrade_insecure_requests).freeze
Expand Down
8 changes: 4 additions & 4 deletions rack-protection/spec/lib/rack/protection/content_security_policy_spec.rb
View file
Open in desktop
Expand Up @@ -4,7 +4,7 @@
it 'should set the Content Security Policy' do
expect(
get('/', {}, 'wants' => 'text/html').headers["Content-Security-Policy"]
).to eq("connect-src 'self'; default-src none; img-src 'self'; script-src 'self'; style-src 'self'")
).to eq("default-src 'self'")
end

it 'should not set the Content Security Policy for other content types' do
Expand Down Expand Up @@ -33,7 +33,7 @@
end

headers = get('/', {}, 'wants' => 'text/html').headers
expect(headers["Content-Security-Policy"]).to eq("block-all-mixed-content; connect-src 'self'; default-src none; disown-opener; img-src 'self'; script-src 'self'; style-src 'self'; upgrade-insecure-requests")
expect(headers["Content-Security-Policy"]).to eq("block-all-mixed-content; default-src 'self'; disown-opener; upgrade-insecure-requests")
end

it 'should ignore CSP3 no arg directives unless they are set to true' do
Expand All @@ -44,7 +44,7 @@
end

headers = get('/', {}, 'wants' => 'text/html').headers
expect(headers["Content-Security-Policy"]).to eq("connect-src 'self'; default-src none; img-src 'self'; script-src 'self'; style-src 'self'")
expect(headers["Content-Security-Policy"]).to eq("default-src 'self'")
end

it 'should allow changing report only' do
Expand All @@ -56,7 +56,7 @@

headers = get('/', {}, 'wants' => 'text/html').headers
expect(headers["Content-Security-Policy"]).to be_nil
expect(headers["Content-Security-Policy-Report-Only"]).to eq("connect-src 'self'; default-src none; img-src 'self'; report-uri /my_amazing_csp_report_parser; script-src 'self'; style-src 'self'")
expect(headers["Content-Security-Policy-Report-Only"]).to eq("default-src 'self'; report-uri /my_amazing_csp_report_parser")
end

it 'should not override the header if already set' do
Expand Down