Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make "none" a keyword in content security policy #1594

Closed
wants to merge 1 commit into from
Closed

Make "none" a keyword in content security policy #1594

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
2 changes: 1 addition & 1 deletion rack-protection/lib/rack/protection/content_security_policy.rb
View file
Open in desktop
Expand Up @@ -36,7 +36,7 @@ module Protection
# to be used in a policy.
#
class ContentSecurityPolicy < Base
default_options default_src: :none, script_src: "'self'",
default_options default_src: "'none'", script_src: "'self'",
img_src: "'self'", style_src: "'self'",
connect_src: "'self'", report_only: false

Expand Down
8 changes: 4 additions & 4 deletions rack-protection/spec/lib/rack/protection/content_security_policy_spec.rb
View file
Open in desktop
Expand Up @@ -4,7 +4,7 @@
it 'should set the Content Security Policy' do
expect(
get('/', {}, 'wants' => 'text/html').headers["Content-Security-Policy"]
).to eq("connect-src 'self'; default-src none; img-src 'self'; script-src 'self'; style-src 'self'")
).to eq("connect-src 'self'; default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'")
end

it 'should not set the Content Security Policy for other content types' do
Expand Down Expand Up @@ -33,7 +33,7 @@
end

headers = get('/', {}, 'wants' => 'text/html').headers
expect(headers["Content-Security-Policy"]).to eq("block-all_mixed_content; connect-src 'self'; default-src none; disown-opener; img-src 'self'; script-src 'self'; style-src 'self'; upgrade-insecure_requests")
expect(headers["Content-Security-Policy"]).to eq("block-all_mixed_content; connect-src 'self'; default-src 'none'; disown-opener; img-src 'self'; script-src 'self'; style-src 'self'; upgrade-insecure_requests")
end

it 'should ignore CSP3 no arg directives unless they are set to true' do
Expand All @@ -44,7 +44,7 @@
end

headers = get('/', {}, 'wants' => 'text/html').headers
expect(headers["Content-Security-Policy"]).to eq("connect-src 'self'; default-src none; img-src 'self'; script-src 'self'; style-src 'self'")
expect(headers["Content-Security-Policy"]).to eq("connect-src 'self'; default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'")
end

it 'should allow changing report only' do
Expand All @@ -56,7 +56,7 @@

headers = get('/', {}, 'wants' => 'text/html').headers
expect(headers["Content-Security-Policy"]).to be_nil
expect(headers["Content-Security-Policy-Report-Only"]).to eq("connect-src 'self'; default-src none; img-src 'self'; report-uri /my_amazing_csp_report_parser; script-src 'self'; style-src 'self'")
expect(headers["Content-Security-Policy-Report-Only"]).to eq("connect-src 'self'; default-src 'none'; img-src 'self'; report-uri /my_amazing_csp_report_parser; script-src 'self'; style-src 'self'")
end

it 'should not override the header if already set' do
Expand Down