Add support for Expect-CT HTTP header
#322
Conversation
Adds the `ExpectCt` class and it's associated validation of the header syntax
|
I've got this running in our CI suite at the moment and it's all 💚 here |
There was a problem hiding this comment.
Thanks @jacobbednarz! I've got a few nits (and I'm still digesting the spec). I think we should spell out the name of the spec even if the actual header value uses the abbreviated version.
lib/secure_headers.rb
Outdated
| @@ -51,6 +52,7 @@ def opt_out? | |||
| CSP = ContentSecurityPolicy | |||
|
|
|||
| ALL_HEADER_CLASSES = [ | |||
| ExpectCt, | |||
There was a problem hiding this comment.
I prefer to spell out the full name of the header spec.
There was a problem hiding this comment.
Good call! Fixed via 8e528e2
lib/secure_headers/configuration.rb
Outdated
| @@ -116,7 +116,7 @@ def deep_copy_if_hash(value) | |||
|
|
|||
| attr_writer :hsts, :x_frame_options, :x_content_type_options, | |||
| :x_xss_protection, :x_download_options, :x_permitted_cross_domain_policies, | |||
| :referrer_policy, :clear_site_data | |||
| :referrer_policy, :clear_site_data, :expect_ct | |||
There was a problem hiding this comment.
I prefer to spell out the full name of the header spec.
| class ExpectCt | ||
| HEADER_NAME = 'Expect-CT'.freeze | ||
| CONFIG_KEY = :expect_ct | ||
| INVALID_CONFIGURATION_ERROR = 'config must be a hash.'.freeze |
There was a problem hiding this comment.
Oh my! What caveman would ever commit files with mixed quotes?!?! 😛 Fixed in 8ef3f80
| def enforced_directive | ||
| # Unfortunately `if @enforced` isn't enough here in case someone | ||
| # passes in a random string so let's be specific with it to prevent | ||
| # accidental enforcement. |
| end | ||
|
|
||
| def report_uri_directive | ||
| "report-uri=\"#{@report_uri}\"" if @report_uri |
There was a problem hiding this comment.
report-uri is quoted. Interesting.
There was a problem hiding this comment.
This did strike me as odd too but, you know, specs? ¯\_(ツ)_/¯
jacobbednarz
force-pushed
the
add-expect-ct-directive
branch
from
2061fd7
to
558ba2c
Compare
jacobbednarz
force-pushed
the
add-expect-ct-directive
branch
from
558ba2c
to
5837227
Compare
|
whoops, can you add an assertion here that says this header is not applied by default. |
|
Of course! Added in c265600. |
|
We've been running this for over a week now and all is looking good on our front 👍 |
|
This is pending release from one of the browser vendors to test the functionality confirms to the outlined spec. My comment above was merely, "this isn't blowing up our application with memory leaks or such". |
|
Looks like this is coming in Chrome 61!
https://blog.chromium.org/2017/08/chrome-61-beta-javascript-modules.html
|
* Update README with example usage for `Expect-CT` * Add some tests for the expected API * Add classes and loading to main entrypoints * Add `ExpectCt` class Adds the `ExpectCt` class and it's associated validation of the header syntax * Use full name of specification instead * Use consistent double quotes * Update README example to use correct naming for Expect-CT * Set defaults for Expect-CT via helper * Add missing comma in README example * Add frozen string literal
|
Released in 3.7.0 |
Expect-CTis a new security header that performs a request to acertificate transparency log endpoint that will check whether the
presented certificate adhears to the UA's certificate transparency
policy.
Whilst building this out, I made the decision to use the hash
configuration syntax (similar to CSP) instead of the string based syntax
(like HSTS) to ensure we could validate and build various parts of the
value without needing to perform horrible regexes across it.
Fixes #321