Merge branch 'master' into BL/nonce

github · May 3, 2017 · db2bd21 · db2bd21
2 parents fe624b8 + 0966fb9
commit db2bd21
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 3.6.4
+
+Fix case where mixing frame-src/child-src dynamically would behave in unexpected ways: https://github.com/twitter/secureheaders/pull/325
+
 ## 3.6.3
 
 Remove deprecation warning when setting `frame-src`. It is no longer deprecated.

diff --git a/lib/secure_headers/headers/policy_management.rb b/lib/secure_headers/headers/policy_management.rb
@@ -277,12 +277,26 @@ def populate_fetch_source_with_default!(original, additions)
           if !original[directive]
             inferred_directive = directive.to_s.gsub(/_nonce/, "_src").to_sym
             unless original[inferred_directive] || NON_FETCH_SOURCES.include?(inferred_directive)
-              original[inferred_directive] = original[:default_src]
+              original[inferred_directive] = default_for(directive, original)
             end
           end
         end
       end
-
+
+      def default_for(directive, original)
+        return original[FRAME_SRC] if directive == CHILD_SRC && original[FRAME_SRC]
+        return original[CHILD_SRC] if directive == FRAME_SRC && original[CHILD_SRC]
+        original[DEFAULT_SRC]
+      end
+
+      def nonce_added?(original, additions)
+        [:script_nonce, :style_nonce].each do |nonce|
+          if additions[nonce] && !original[nonce]
+            return true
+          end
+        end
+      end
+
       def source_list?(directive)
         DIRECTIVE_VALUE_TYPES[directive] == :source_list
       end

diff --git a/secure_headers.gemspec b/secure_headers.gemspec
@@ -1,7 +1,7 @@
 # -*- encoding: utf-8 -*-
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "3.6.3"
+  gem.version       = "3.6.4"
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
   gem.description   = 'Manages application of security headers with many safe defaults.'

diff --git a/spec/lib/secure_headers_spec.rb b/spec/lib/secure_headers_spec.rb
@@ -173,6 +173,33 @@ module SecureHeaders
           expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; script-src mycdn.com 'unsafe-inline' anothercdn.com")
         end
 
+        it "appends child-src to frame-src" do
+          Configuration.default do |config|
+            config.csp = {
+              default_src: %w('self'),
+              frame_src: %w(frame_src.com)
+            }
+          end
+
+          SecureHeaders.append_content_security_policy_directives(chrome_request, child_src: %w(child_src.com))
+          hash = SecureHeaders.header_hash_for(chrome_request)
+          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; child-src frame_src.com child_src.com")
+        end
+
+        it "appends frame-src to child-src" do
+          Configuration.default do |config|
+            config.csp = {
+              default_src: %w('self'),
+              child_src: %w(child_src.com)
+            }
+          end
+
+          safari_request = Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:safari6]))
+          SecureHeaders.append_content_security_policy_directives(safari_request, frame_src: %w(frame_src.com))
+          hash = SecureHeaders.header_hash_for(safari_request)
+          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; frame-src child_src.com frame_src.com")
+        end
+
         it "supports named appends" do
           Configuration.default do |config|
             config.csp = {