support paths in report-uris as intentional

github · Feb 20, 2013 · 588609c · 588609c
1 parent 9d75956
commit 588609c
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 6 deletions.
diff --git a/Guardfile b/Guardfile
@@ -2,7 +2,7 @@ guard 'spork', :aggressive_kill => false do
   watch('spec/spec_helper.rb') { :rspec }
 end
 
-guard 'rspec', :cli => "--color --drb", :keep_failed => true, :all_after_pass => true, :focus_on_failed => true do
+guard 'rspec', :cli => "--color --drb --debug", :keep_failed => true, :all_after_pass => true, :focus_on_failed => true do
   watch(%r{^spec/.+_spec\.rb$})
   watch(%r{^lib/(.+)\.rb$})     { |m| "spec/lib/#{m[1]}_spec.rb" }
   watch(%r{^app/controllers/(.+)\.rb$})     { |m| "spec/controllers/#{m[1]}_spec.rb" }

diff --git a/lib/secure_headers/headers/content_security_policy.rb b/lib/secure_headers/headers/content_security_policy.rb
@@ -177,7 +177,9 @@ def translate_inline_or_eval val
     # we need to forward the request for Firefox.
     def normalize_reporting_endpoint
       return unless browser_strategy.normalize_reporting_endpoint?
-      return unless !same_origin? || URI.parse(report_uri).host.nil?
+      if same_origin? || report_uri.nil? || URI.parse(report_uri).host.nil?
+        return
+      end
 
       if forward_endpoint
         @report_uri = FF_CSP_ENDPOINT

diff --git a/spec/lib/secure_headers/headers/content_security_policy_spec.rb b/spec/lib/secure_headers/headers/content_security_policy_spec.rb
@@ -165,9 +165,9 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
           csp.report_uri.should == FF_CSP_ENDPOINT
         end
 
-        it "doesn't set report-uri if no forward_endpoint is supplied" do
-          csp = ContentSecurityPolicy.new({:report_uri => "https://another.example.com"}, :request => request_for(FIREFOX, "https://anexample.com"))
-          csp.report_uri.should be_nil
+        it "doesn't change report-uri if a path supplied" do
+          csp = ContentSecurityPolicy.new({:report_uri => "/csp_reports"}, :request => request_for(FIREFOX, "https://anexample.com"))
+          csp.report_uri.should == "/csp_reports"
         end
 
         it "forwards if the request_uri is set to a non-matching value" do
@@ -224,7 +224,7 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
       context "X-Content-Security-Policy" do
         it "builds a csp header for firefox" do
           csp = ContentSecurityPolicy.new(default_opts, :request => request_for(FIREFOX))
-          csp.value.should == "allow https://*; options inline-script eval-script; img-src data:; script-src https://* data:; style-src https://* chrome-extension: about:;"
+          csp.value.should == "allow https://*; options inline-script eval-script; img-src data:; script-src https://* data:; style-src https://* chrome-extension: about:; report-uri /csp_report;"
         end
 
         it "copies connect-src values to xhr_src values" do