Add the "FirefoxTransitional" CSP variation

This ensures it can be cached.
github · Jun 27, 2016 · 697f5a9 · 697f5a9
1 parent 9a6c913
commit 697f5a9
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 7 deletions.
diff --git a/lib/secure_headers/configuration.rb b/lib/secure_headers/configuration.rb
@@ -203,7 +203,7 @@ def csp=(new_csp)
         raise IllegalPolicyModificationError, "You are attempting to modify CSP settings directly. Use dynamic_csp= instead."
       end
 
-      @csp = new_csp
+      @csp = self.class.send(:deep_copy_if_hash, new_csp)
     end
 
     def cookies=(cookies)
@@ -215,7 +215,7 @@ def cached_headers=(headers)
     end
 
     def hpkp=(hpkp)
-      @hpkp = hpkp
+      @hpkp = self.class.send(:deep_copy_if_hash, hpkp)
     end
 
     def hpkp_report_host=(hpkp_report_host)

diff --git a/lib/secure_headers/headers/content_security_policy.rb b/lib/secure_headers/headers/content_security_policy.rb
@@ -10,8 +10,7 @@ class ContentSecurityPolicy
     VERSION_46 = ::UserAgent::Version.new("46")
 
     def initialize(config = nil, user_agent = OTHER)
-      config = Configuration.deep_copy(DEFAULT_CONFIG) unless config
-      @config = config
+      @config = Configuration.send(:deep_copy, config || DEFAULT_CONFIG)
       @parsed_ua = if user_agent.is_a?(UserAgent::Browsers::Base)
         user_agent
       else
@@ -50,7 +49,7 @@ def value
     # frame-src is deprecated, child-src is being implemented. They are
     # very similar and in most cases, the same value can be used for both.
     def normalize_child_frame_src
-      Kernel.warn("#{Kernel.caller.first}: [DEPRECATION] :frame_src is deprecated, use :child_src instead. Provided: #{}") if @config[:frame_src]
+      Kernel.warn("#{Kernel.caller.first}: [DEPRECATION] :frame_src is deprecated, use :child_src instead. Provided: #{@config[:frame_src]}") if @config[:frame_src]
 
       child_src = @config[:child_src] || @config[:frame_src]
       if child_src
@@ -188,7 +187,7 @@ def strip_source_schemes!(source_list)
     def supported_directives
       @supported_directives ||= if VARIATIONS[@parsed_ua.browser]
         if @parsed_ua.browser == "Firefox" && @parsed_ua.version >= VERSION_46
-          FIREFOX_46_DIRECTIVES
+          VARIATIONS["FirefoxTransitional"]
         else
           VARIATIONS[@parsed_ua.browser]
         end

diff --git a/lib/secure_headers/headers/policy_management.rb b/lib/secure_headers/headers/policy_management.rb
@@ -131,6 +131,7 @@ def self.included(base)
       "Chrome" => CHROME_DIRECTIVES,
       "Opera" => CHROME_DIRECTIVES,
       "Firefox" => FIREFOX_DIRECTIVES,
+      "FirefoxTransitional" => FIREFOX_46_DIRECTIVES,
       "Safari" => SAFARI_DIRECTIVES,
       "Edge" => EDGE_DIRECTIVES,
       "Other" => CHROME_DIRECTIVES

diff --git a/spec/lib/secure_headers/headers/content_security_policy_spec.rb b/spec/lib/secure_headers/headers/content_security_policy_spec.rb
@@ -114,6 +114,11 @@ module SecureHeaders
           expect(policy.value).to eq("default-src 'self'; base-uri 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; sandbox 'self'; script-src 'self' 'nonce-123456'; style-src 'self'; upgrade-insecure-requests; report-uri 'self'")
         end
 
+        it "filters blocked-all-mixed-content, frame-src, and plugin-types for firefox 46 and higher" do
+          policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:firefox46])
+          expect(policy.value).to eq("default-src 'self'; base-uri 'self'; child-src 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; img-src 'self'; media-src 'self'; object-src 'self'; sandbox 'self'; script-src 'self' 'nonce-123456'; style-src 'self'; upgrade-insecure-requests; report-uri 'self'")
+        end
+
         it "adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, upgrade-insecure-requests, child-src, form-action, frame-ancestors, nonce sources, hash sources, and plugin-types for Edge" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:edge])
           expect(policy.value).to eq("default-src 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; sandbox 'self'; script-src 'self' 'unsafe-inline'; style-src 'self'; report-uri 'self'")

diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
@@ -12,7 +12,8 @@
 
 USER_AGENTS = {
   edge: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246",
-  firefox: 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1',
+  firefox: "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1",
+  firefox46: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:46.0) Gecko/20100101 Firefox/46.0",
   chrome: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5',
   ie: 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)',
   opera: 'Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00',