Merge pull request #334 from ptoomey3/clear-site-data-spec-change

Update Clear-Site-Data to use the current spec format.

CHANGELOG.md

@@ -1,3 +1,7 @@
+## 3.6.5
+
+Update clear-site-data header to use current format specified by the specification.
+
 ## 3.6.4
 
 Fix case where mixing frame-src/child-src dynamically would behave in unexpected ways: https://github.com/twitter/secureheaders/pull/325

README.md

@@ -18,7 +18,7 @@ The gem will automatically apply several headers that are related to security.
 - X-Permitted-Cross-Domain-Policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
 - Referrer-Policy - [Referrer Policy draft](https://w3c.github.io/webappsec-referrer-policy/)
 - Public Key Pinning - Pin certificate fingerprints in the browser to prevent man-in-the-middle attacks due to compromised Certificate Authorities. [Public Key Pinning Specification](https://tools.ietf.org/html/rfc7469)
-- Clear-Site-Data - Clearing browser data for origin. [Clear-Site-Data specification](https://www.w3.org/TR/clear-site-data/).
+- Clear-Site-Data - Clearing browser data for origin. [Clear-Site-Data specification](https://w3c.github.io/webappsec-clear-site-data/).
 
 It can also mark all http cookies with the Secure, HttpOnly and SameSite attributes (when configured to do so).
 

lib/secure_headers/headers/clear_site_data.rb

@@ -2,7 +2,6 @@ module SecureHeaders
   class ClearSiteDataConfigError < StandardError; end
   class ClearSiteData
     HEADER_NAME = "Clear-Site-Data".freeze
-    TYPES = "types".freeze
 
     # Valid `types`
     CACHE = "cache".freeze
@@ -22,9 +21,9 @@ def make_header(config=nil)
         when nil, OPT_OUT, []
           # noop
         when Array
-          [HEADER_NAME, JSON.dump(TYPES => config)]
+          [HEADER_NAME, make_header_value(config)]
         when true
-          [HEADER_NAME, JSON.dump(TYPES => ALL_TYPES)]
+          [HEADER_NAME, make_header_value(ALL_TYPES)]
         end
       end
 
@@ -36,16 +35,20 @@ def validate_config!(config)
           unless config.all? { |t| t.is_a?(String) }
             raise ClearSiteDataConfigError.new("types must be Strings")
           end
-
-          begin
-            JSON.dump(config)
-          rescue JSON::GeneratorError, Encoding::UndefinedConversionError
-            raise ClearSiteDataConfigError.new("types must serializable by JSON")
-          end
         else
           raise ClearSiteDataConfigError.new("config must be an Array of Strings or `true`")
         end
       end
+
+      # Public: Transform a Clear-Site-Data config (an Array of Strings) into a
+      # String that can be used as the value for the Clear-Site-Data header.
+      #
+      # types - An Array of String of types of data to clear.
+      #
+      # Returns a String of quoted values that are comma separated.
+      def make_header_value(types)
+        types.map { |t| "\"#{t}\""}.join(", ")
+      end
     end
   end
 end

secure_headers.gemspec

@@ -1,7 +1,7 @@
 # -*- encoding: utf-8 -*-
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "3.6.4"
+  gem.version       = "3.6.5"
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
   gem.description   = 'Manages application of security headers with many safe defaults.'

spec/lib/secure_headers/headers/clear_site_data_spec.rb

@@ -19,30 +19,16 @@ module SecureHeaders
         name, value = described_class.make_header(true)
 
         expect(name).to eq(ClearSiteData::HEADER_NAME)
-        expect(value).to eq(normalize_json(<<-HERE))
-          {
-            "types": [
-              "cache",
-              "cookies",
-              "storage",
-              "executionContexts"
-            ]
-          }
-        HERE
+        expect(value).to eq(
+          %("cache", "cookies", "storage", "executionContexts")
+        )
       end
 
       it "returns specified types" do
         name, value = described_class.make_header(["foo", "bar"])
 
         expect(name).to eq(ClearSiteData::HEADER_NAME)
-        expect(value).to eq(normalize_json(<<-HERE))
-          {
-            "types": [
-              "foo",
-              "bar"
-            ]
-          }
-        HERE
+        expect(value).to eq(%("foo", "bar"))
       end
     end
 
@@ -83,21 +69,18 @@ module SecureHeaders
         end.to raise_error(ClearSiteDataConfigError)
       end
 
-      it "fails for non-serializable config" do
-        expect do
-          described_class.validate_config!(["hi \255"])
-        end.to raise_error(ClearSiteDataConfigError)
-      end
-
       it "fails for other types of config" do
         expect do
           described_class.validate_config!(:cookies)
         end.to raise_error(ClearSiteDataConfigError)
       end
     end
 
-    def normalize_json(json)
-      JSON.dump(JSON.parse(json))
+    describe "make_header_value" do
+      it "returns a string of quoted values that are comma separated" do
+        value = described_class.make_header_value(["foo", "bar"])
+        expect(value).to eq(%("foo", "bar"))
+      end
     end
   end
 end