support paths in report-uris as intentional

commit 588609ce5c08d384397d80f5ad9b1e838c8fe05d 1 parent 9d75956
@oreoshake oreoshake authored
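--- a/Guardfile
+++ b/Guardfile
@@ -2,7 +2,7 @@ guard 'spork', :aggressive_kill => false do
 watch('spec/spec_helper.rb') { :rspec }
 end
-guard 'rspec', :cli => "--color --drb", :keep_failed => true, :all_after_pass => true, :focus_on_failed => true do
+guard 'rspec', :cli => "--color --drb --debug", :keep_failed => true, :all_after_pass => true, :focus_on_failed => true do
 watch(%r{^spec/.+_spec\.rb$})
 watch(%r{^lib/(.+)\.rb$}) { |m| "spec/lib/#{m[1]}_spec.rb" }
 watch(%r{^app/controllers/(.+)\.rb$}) { |m| "spec/controllers/#{m[1]}_spec.rb" }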
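Review bot: The `--debug` flag added to the rspec `:cli` string is unrelated to the commit's stated purpose (supporting paths in report-uris) and reads like a leftover from a local debugging session; as committed it turns on debug output for every contributor's guard run. Unless it is intended to stay, the line should go back to `:cli => "--color --drb"`, or the reason for keeping it should be recorded in the commit message.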
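--- a/lib/secure_headers/headers/content_security_policy.rb
+++ b/lib/secure_headers/headers/content_security_policy.rb
@@ -177,7 +177,9 @@ def translate_inline_or_eval val
 # we need to forward the request for Firefox.
 def normalize_reporting_endpoint
 return unless browser_strategy.normalize_reporting_endpoint?
-return unless !same_origin? || URI.parse(report_uri).host.nil?
+if same_origin? || report_uri.nil? || URI.parse(report_uri).host.nil?
+return
+end
 if forward_endpoint
 @report_uri = FF_CSP_ENDPOINT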
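Review bot: `URI.parse(report_uri)` on the added `if` line raises `URI::InvalidURIError` when the configured report_uri is not a parseable URI, and neither the old nor the new guard handles that, so a malformed configuration value surfaces as an unhandled exception while the header is being built instead of as a configuration error. Since `report_uri` comes from the policy options, validating it once where the options are accepted, or rescuing `URI::InvalidURIError` here and treating the value as non-forwardable, would keep header generation from failing on a bad value. The ordering also matters if `same_origin?` (defined outside the hunk) reads `report_uri` itself; if it does, the `report_uri.nil?` test comes too late and should move first. As a point of style the three-line `if … return end` collapses to the modifier form `return if same_origin? || report_uri.nil? || URI.parse(report_uri).host.nil?`, matching the guard on the line above it. normalize_reporting_endpoint's body continues past the end of the hunk.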
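--- a/spec/lib/secure_headers/headers/content_security_policy_spec.rb
+++ b/spec/lib/secure_headers/headers/content_security_policy_spec.rb
@@ -165,9 +165,9 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
 csp.report_uri.should == FF_CSP_ENDPOINT
 end
-it "doesn't set report-uri if no forward_endpoint is supplied" do
-csp = ContentSecurityPolicy.new({:report_uri => "https://another.example.com"}, :request => request_for(FIREFOX, "https://anexample.com"))
-csp.report_uri.should be_nil
+it "doesn't change report-uri if a path supplied" do
+csp = ContentSecurityPolicy.new({:report_uri => "/csp_reports"}, :request => request_for(FIREFOX, "https://anexample.com"))
+csp.report_uri.should == "/csp_reports"
 end
 it "forwards if the request_uri is set to a non-matching value" do
@@ -224,7 +224,7 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
 context "X-Content-Security-Policy" do
 it "builds a csp header for firefox" do
 csp = ContentSecurityPolicy.new(default_opts, :request => request_for(FIREFOX))
-csp.value.should == "allow https://*; options inline-script eval-script; img-src data:; script-src https://* data:; style-src https://* chrome-extension: about:;"
+csp.value.should == "allow https://*; options inline-script eval-script; img-src data:; script-src https://* data:; style-src https://* chrome-extension: about:; report-uri /csp_report;"
 end
 it "copies connect-src values to xhr_src values" do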
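Review bot: The first hunk replaces the example for a cross-origin report_uri with no forward_endpoint (`https://another.example.com` expected to yield nil) instead of adding the new path case next to it, so that branch of normalize_reporting_endpoint loses its only visible coverage and a regression there would now pass the suite. The new `it "doesn't change report-uri if a path supplied"` block should be added as a separate example while the original one is kept. In the second hunk the expected header now ends in `report-uri /csp_report;`, which presumably comes from a path report_uri in default_opts defined outside the view; it is worth confirming that the fixture, not the header builder, is the source of that value. Both hunks lie inside a describe block whose start and end are outside the hunk.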