Allow CSP to fallback to default-src (#1490)

* Allow content source to fallback to default-src Remove defaults for script-src, style-src, connect-src, and img-src so that they can fallback to default-src. The default for default-src has been changed from 'none' to 'self'. This seems to be a safe default especially as browsers implement prefetch-src. If stricter policies are needed they can be specified when loading this middleware. * Add support for webrtc-src, navigate-to, and prefetch-src directives
2020-03-13 17:07:34 -04:00 · 2020-03-13 17:07:34 -04:00 · c2705ce139
parent 574e5a9e3d
commit c2705ce139
2 changed files with 7 additions and 8 deletions
--- a/rack-protection/lib/rack/protection/content_security_policy.rb
+++ b/rack-protection/lib/rack/protection/content_security_policy.rb
@ -36,16 +36,15 @@ module Rack
    #          to be used in a policy.
    #
    class ContentSecurityPolicy < Base
-      default_options default_src: :none, script_src: "'self'",
-                      img_src: "'self'", style_src: "'self'",
-                      connect_src: "'self'", report_only: false
+      default_options default_src: "'self'", report_only: false

      DIRECTIVES = %i(base_uri child_src connect_src default_src
                      font_src form_action frame_ancestors frame_src
                      img_src manifest_src media_src object_src
                      plugin_types referrer reflected_xss report_to
                      report_uri require_sri_for sandbox script_src
-                      style_src worker_src).freeze
+                      style_src worker_src webrtc_src navigate_to
+                      prefetch_src).freeze

      NO_ARG_DIRECTIVES = %i(block_all_mixed_content disown_opener
                             upgrade_insecure_requests).freeze
--- a/rack-protection/spec/lib/rack/protection/content_security_policy_spec.rb
+++ b/rack-protection/spec/lib/rack/protection/content_security_policy_spec.rb
@ -4,7 +4,7 @@ describe Rack::Protection::ContentSecurityPolicy do
  it 'should set the Content Security Policy' do
    expect(
      get('/', {}, 'wants' => 'text/html').headers["Content-Security-Policy"]
-    ).to eq("connect-src 'self'; default-src none; img-src 'self'; script-src 'self'; style-src 'self'")
+    ).to eq("default-src 'self'")
  end

  it 'should not set the Content Security Policy for other content types' do
@ -33,7 +33,7 @@ describe Rack::Protection::ContentSecurityPolicy do
    end

    headers = get('/', {}, 'wants' => 'text/html').headers
-    expect(headers["Content-Security-Policy"]).to eq("block-all-mixed-content; connect-src 'self'; default-src none; disown-opener; img-src 'self'; script-src 'self'; style-src 'self'; upgrade-insecure-requests")
+    expect(headers["Content-Security-Policy"]).to eq("block-all-mixed-content; default-src 'self'; disown-opener; upgrade-insecure-requests")
  end

  it 'should ignore CSP3 no arg directives unless they are set to true' do
@ -44,7 +44,7 @@ describe Rack::Protection::ContentSecurityPolicy do
    end

    headers = get('/', {}, 'wants' => 'text/html').headers
-    expect(headers["Content-Security-Policy"]).to eq("connect-src 'self'; default-src none; img-src 'self'; script-src 'self'; style-src 'self'")
+    expect(headers["Content-Security-Policy"]).to eq("default-src 'self'")
  end

  it 'should allow changing report only' do
@ -56,7 +56,7 @@ describe Rack::Protection::ContentSecurityPolicy do

    headers = get('/', {}, 'wants' => 'text/html').headers
    expect(headers["Content-Security-Policy"]).to be_nil
-    expect(headers["Content-Security-Policy-Report-Only"]).to eq("connect-src 'self'; default-src none; img-src 'self'; report-uri /my_amazing_csp_report_parser; script-src 'self'; style-src 'self'")
+    expect(headers["Content-Security-Policy-Report-Only"]).to eq("default-src 'self'; report-uri /my_amazing_csp_report_parser")
  end

  it 'should not override the header if already set' do