remove nonces

github · Jun 9, 2014 · 0a18cc7 · 0a18cc7
1 parent 637bdec
commit 0a18cc7
Show file tree

Hide file tree

Showing 3 changed files with 1 addition and 49 deletions.
diff --git a/README.md b/README.md
@@ -163,13 +163,6 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
       :img_src => 'http://mycdn.example.com'
     }
   }
-
-  # script-nonce is an experimental feature of CSP 1.1 available in Chrome. It allows
-  # you to whitelist inline script blocks. For more information, see
-  # https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-nonce
-  :script_nonce => lambda { @script_nonce = SecureRandom.hex }
-  # which can be used to whitelist a script block:
-  # script_tag :nonce = @script_nonce { inline_script_call() }
 }
 ```
 

diff --git a/lib/secure_headers/headers/content_security_policy.rb b/lib/secure_headers/headers/content_security_policy.rb
@@ -59,7 +59,6 @@ def configure(config)
       end
 
       @report_uri = @config.delete(:report_uri)
-      @script_nonce = @config.delete(:script_nonce)
 
       normalize_csp_options
       normalize_reporting_endpoint
@@ -92,8 +91,7 @@ def build_value
         # ensure default-src is first
         build_directive(:default_src),
         generic_directives(@config),
-        report_uri_directive,
-        script_nonce_directive,
+        report_uri_directive
       ].join
 
       #store the value for next time
@@ -180,18 +178,6 @@ def report_uri_directive
       "report-uri #{@report_uri};"
     end
 
-    def script_nonce_directive
-      return '' if @script_nonce.nil?
-      nonce_value = if @script_nonce.is_a?(String)
-                      @script_nonce
-                    elsif @controller
-                      @controller.instance_exec(&@script_nonce)
-                    else
-                      @script_nonce.call
-                    end
-      "script-nonce #{nonce_value};"
-    end
-
     def generic_directives(config)
       header_value = ''
       if config[:img_src]

diff --git a/spec/lib/secure_headers/headers/content_security_policy_spec.rb b/spec/lib/secure_headers/headers/content_security_policy_spec.rb
@@ -328,33 +328,6 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
           end
         end
       end
-
-      context "when supplying a script nonce callback" do
-        let(:options) {
-          default_opts.merge({
-            :script_nonce => "random",
-          })
-        }
-
-        it "uses the value in the X-Webkit-CSP" do
-          csp = ContentSecurityPolicy.new(options, :request => request_for(CHROME))
-          expect(csp.value).to match "script-nonce random;"
-        end
-
-        it "runs a dynamic nonce generator" do
-          options[:script_nonce] = lambda { 'something' }
-          csp = ContentSecurityPolicy.new(options, :request => request_for(CHROME))
-          expect(csp.value).to match "script-nonce something;"
-        end
-
-        it "runs against the given controller context" do
-          fake_params = {}
-          options[:script_nonce] = lambda { params[:script_nonce] = 'something' }
-          csp = ContentSecurityPolicy.new(options, :request => request_for(CHROME), :controller => double(:params => fake_params))
-          expect(csp.value).to match "script-nonce something;"
-          expect(fake_params).to eq({:script_nonce => 'something'})
-        end
-      end
     end
   end
 end