quick and dirty strict-dynamic support'

github · Nov 11, 2016 · e8bf322 · e8bf322
1 parent b37c6fa
commit e8bf322
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/lib/secure_headers/headers/policy_management.rb b/lib/secure_headers/headers/policy_management.rb
@@ -14,6 +14,7 @@ def self.included(base)
     STAR = "*".freeze
     UNSAFE_INLINE = "'unsafe-inline'".freeze
     UNSAFE_EVAL = "'unsafe-eval'".freeze
+    STRICT_DYNAMIC = "'strict-dynamic'".freeze
 
     # leftover deprecated values that will be in common use upon upgrading.
     DEPRECATED_SOURCE_VALUES = [SELF, NONE, UNSAFE_EVAL, UNSAFE_INLINE, "inline", "eval"].map { |value| value.delete("'") }.freeze

diff --git a/spec/lib/secure_headers/headers/content_security_policy_spec.rb b/spec/lib/secure_headers/headers/content_security_policy_spec.rb
@@ -107,6 +107,11 @@ module SecureHeaders
         expect(firefox_transitional).not_to match(/frame-src/)
       end
 
+      it "supports strict-dynamic" do
+        csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456}, USER_AGENTS[:chrome])
+        expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456'")
+      end
+
       context "browser sniffing" do
         let (:complex_opts) do
           (ContentSecurityPolicy::ALL_DIRECTIVES - [:frame_src]).each_with_object({}) do |directive, hash|