ensure that the deprecated way of using the report_only header still …

…works :)
github · Aug 18, 2016 · dc1bbac · dc1bbac
1 parent 8e14907
commit dc1bbac
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/lib/secure_headers/configuration.rb b/lib/secure_headers/configuration.rb
@@ -184,7 +184,9 @@ def csp=(new_csp)
         @csp = new_csp.dup
       else
         if new_csp[:report_only]
+          # Deprecated configuration implies that CSPRO should be set, CSP should not - so opt out
           Kernel.warn "#{Kernel.caller.first}: [DEPRECATION] `#csp=` was supplied a config with report_only: true. Use #csp_report_only="
+          @csp = OPT_OUT
           self.csp_report_only = new_csp
         else
           @csp = ContentSecurityPolicyConfig.new(new_csp)

diff --git a/spec/lib/secure_headers_spec.rb b/spec/lib/secure_headers_spec.rb
@@ -226,6 +226,24 @@ module SecureHeaders
           expect(hash['Content-Security-Policy']).to eq("default-src 'self'; script-src mycdn.com 'nonce-#{nonce}'; style-src 'self'")
         end
 
+        it "supports the deprecated `report_only: true` format" do
+          expect(Kernel).to receive(:warn).once
+
+          Configuration.default do |config|
+            config.csp = {
+              default_src: %w('self'),
+              report_only: true
+            }
+          end
+
+          expect(Configuration.get.csp).to eq(OPT_OUT)
+          expect(Configuration.get.csp_report_only).to be_a(ContentSecurityPolicyReportOnlyConfig)
+
+          hash = SecureHeaders.header_hash_for(request)
+          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to be_nil
+          expect(hash[ContentSecurityPolicyReportOnlyConfig::HEADER_NAME]).to eq("default-src 'self'")
+        end
+
         context "setting two headers" do
           before(:each) do
             Configuration.default do |config|