Allow CSP to fallback to default-src (#1490)
* Allow content source to fall back to default-src. Remove defaults for script-src, style-src, connect-src, and img-src so that they can fall back to default-src. The default for default-src has been changed from 'none' to 'self'. This seems to be a safe default, especially as browsers implement prefetch-src. If stricter policies are needed, they can be specified when loading this middleware. * Add support for webrtc-src, navigate-to, and prefetch-src directives
This commit is contained in:
parent
574e5a9e3d
commit
c2705ce139
|
@ -36,16 +36,15 @@ module Rack
|
|||
# to be used in a policy.
|
||||
#
|
||||
class ContentSecurityPolicy < Base
|
||||
default_options default_src: :none, script_src: "'self'",
|
||||
img_src: "'self'", style_src: "'self'",
|
||||
connect_src: "'self'", report_only: false
|
||||
default_options default_src: "'self'", report_only: false
|
||||
|
||||
DIRECTIVES = %i(base_uri child_src connect_src default_src
|
||||
font_src form_action frame_ancestors frame_src
|
||||
img_src manifest_src media_src object_src
|
||||
plugin_types referrer reflected_xss report_to
|
||||
report_uri require_sri_for sandbox script_src
|
||||
style_src worker_src).freeze
|
||||
style_src worker_src webrtc_src navigate_to
|
||||
prefetch_src).freeze
|
||||
|
||||
NO_ARG_DIRECTIVES = %i(block_all_mixed_content disown_opener
|
||||
upgrade_insecure_requests).freeze
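Review bot: The new `default_options` line loosens every directive that falls back to default-src and is not set explicitly, most notably object-src: with the old `default_src: :none` an unset object-src blocked `<object>`/`<embed>` content, whereas with `default_src: "'self'"` same-origin plugin content is now allowed by default. Since the commit message only discusses script/style/connect/img, consider pinning that one directive explicitly, `default_options default_src: "'self'", object_src: "'none'", report_only: false`, or stating in the class comment above that object-src (and frame/child/worker/media/font/manifest sources) now inherit 'self'. Note that the old spec expectation (`default-src none`) shows the `:none` symbol was rendered without the quotes CSP requires, so any reinstated 'none' value should be the quoted string form as used for `"'self'"` here. The `webrtc_src`, `navigate_to` and `prefetch_src` names added to DIRECTIVES appear to come from CSP3 drafts; a short comment noting which draft they track would help future cleanup if the spec renames them. The `ContentSecurityPolicy` class body continues outside this hunk.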
|
||||
|
|
|
@ -4,7 +4,7 @@ describe Rack::Protection::ContentSecurityPolicy do
|
|||
it 'should set the Content Security Policy' do
|
||||
expect(
|
||||
get('/', {}, 'wants' => 'text/html').headers["Content-Security-Policy"]
|
||||
).to eq("connect-src 'self'; default-src none; img-src 'self'; script-src 'self'; style-src 'self'")
|
||||
).to eq("default-src 'self'")
|
||||
end
|
||||
|
||||
it 'should not set the Content Security Policy for other content types' do
|
||||
|
@ -33,7 +33,7 @@ describe Rack::Protection::ContentSecurityPolicy do
|
|||
end
|
||||
|
||||
headers = get('/', {}, 'wants' => 'text/html').headers
|
||||
expect(headers["Content-Security-Policy"]).to eq("block-all-mixed-content; connect-src 'self'; default-src none; disown-opener; img-src 'self'; script-src 'self'; style-src 'self'; upgrade-insecure-requests")
|
||||
expect(headers["Content-Security-Policy"]).to eq("block-all-mixed-content; default-src 'self'; disown-opener; upgrade-insecure-requests")
|
||||
end
|
||||
|
||||
it 'should ignore CSP3 no arg directives unless they are set to true' do
|
||||
|
@ -44,7 +44,7 @@ describe Rack::Protection::ContentSecurityPolicy do
|
|||
end
|
||||
|
||||
headers = get('/', {}, 'wants' => 'text/html').headers
|
||||
expect(headers["Content-Security-Policy"]).to eq("connect-src 'self'; default-src none; img-src 'self'; script-src 'self'; style-src 'self'")
|
||||
expect(headers["Content-Security-Policy"]).to eq("default-src 'self'")
|
||||
end
|
||||
|
||||
it 'should allow changing report only' do
|
||||
|
@ -56,7 +56,7 @@ describe Rack::Protection::ContentSecurityPolicy do
|
|||
|
||||
headers = get('/', {}, 'wants' => 'text/html').headers
|
||||
expect(headers["Content-Security-Policy"]).to be_nil
|
||||
expect(headers["Content-Security-Policy-Report-Only"]).to eq("connect-src 'self'; default-src none; img-src 'self'; report-uri /my_amazing_csp_report_parser; script-src 'self'; style-src 'self'")
|
||||
expect(headers["Content-Security-Policy-Report-Only"]).to eq("default-src 'self'; report-uri /my_amazing_csp_report_parser")
|
||||
end
|
||||
|
||||
it 'should not override the header if already set' do
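Review bot: None of the updated examples exercises the three directives this commit adds (webrtc_src, navigate_to, prefetch_src); every changed expectation in this file only re-pins the default `default-src 'self'` header, so a typo in the new DIRECTIVES entries would go unnoticed. Add one example, built the same way as the report-only example (its setup lies outside these hunks), that loads the middleware with e.g. `prefetch_src: "'self'"` and expects the header to contain `prefetch-src 'self'` alongside `default-src 'self'`; the exact ordering and underscore-to-hyphen rendering is presumably the same as the existing `block-all-mixed-content` expectation, so confirm against the serializer. It would also be worth one example asserting that an explicitly passed `object_src: "'none'"` still appears, since the `:none` default this commit removes was previously rendered unquoted (`default-src none`).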
|
||||
|
|