Merge pull request #339 from carlosantoniodasilva/manifest-src

Update directives to add `manifest-src` to Chrome/Firefox

.ruby-version

@@ -1 +1 @@
-2.3.3
+2.4.1

.travis.yml

@@ -2,8 +2,8 @@ language: ruby
 
 rvm:
   - ruby-head
-  - 2.4.0
-  - 2.3.3
+  - 2.4.1
+  - 2.3.4
   - 2.2
   - jruby-head
 

README.md

@@ -91,6 +91,7 @@ SecureHeaders::Configuration.default do |config|
     form_action: %w('self' github.com),
     frame_ancestors: %w('none'),
     img_src: %w(mycdn.com data:),
+    manifest_src: %w('self'),
     media_src: %w(utoob.com),
     object_src: %w('self'),
     plugin_types: %w(application/x-shockwave-flash),

lib/secure_headers/headers/content_security_policy_config.rb

@@ -31,7 +31,6 @@ def initialize(hash)
       @object_src = nil
       @plugin_types = nil
       @preserve_schemes = nil
-      @reflected_xss = nil
       @report_only = nil
       @report_uri = nil
       @sandbox = nil

lib/secure_headers/headers/policy_management.rb

@@ -63,22 +63,15 @@ def self.included(base)
 
     # All the directives currently under consideration for CSP level 3.
     # https://w3c.github.io/webappsec/specs/CSP2/
+    BLOCK_ALL_MIXED_CONTENT = :block_all_mixed_content
     MANIFEST_SRC = :manifest_src
-    REFLECTED_XSS = :reflected_xss
+    UPGRADE_INSECURE_REQUESTS = :upgrade_insecure_requests
     DIRECTIVES_3_0 = [
       DIRECTIVES_2_0,
-      MANIFEST_SRC,
-      REFLECTED_XSS
-    ].flatten.freeze
-
-    # All the directives that are not currently in a formal spec, but have
-    # been implemented somewhere.
-    BLOCK_ALL_MIXED_CONTENT = :block_all_mixed_content
-    UPGRADE_INSECURE_REQUESTS = :upgrade_insecure_requests
-    DIRECTIVES_DRAFT = [
       BLOCK_ALL_MIXED_CONTENT,
+      MANIFEST_SRC,
       UPGRADE_INSECURE_REQUESTS
-    ].freeze
+    ].flatten.freeze
 
     EDGE_DIRECTIVES = DIRECTIVES_1_0
     SAFARI_DIRECTIVES = DIRECTIVES_1_0
@@ -100,18 +93,18 @@ def self.included(base)
     ].freeze
 
     FIREFOX_DIRECTIVES = (
-      DIRECTIVES_2_0 + DIRECTIVES_DRAFT - FIREFOX_UNSUPPORTED_DIRECTIVES
+      DIRECTIVES_3_0 - FIREFOX_UNSUPPORTED_DIRECTIVES
     ).freeze
 
     FIREFOX_46_DIRECTIVES = (
-      DIRECTIVES_2_0 + DIRECTIVES_DRAFT - FIREFOX_46_UNSUPPORTED_DIRECTIVES - FIREFOX_46_DEPRECATED_DIRECTIVES
+      DIRECTIVES_3_0 - FIREFOX_46_UNSUPPORTED_DIRECTIVES - FIREFOX_46_DEPRECATED_DIRECTIVES
     ).freeze
 
     CHROME_DIRECTIVES = (
-      DIRECTIVES_2_0 + DIRECTIVES_DRAFT
+      DIRECTIVES_3_0
     ).freeze
 
-    ALL_DIRECTIVES = (DIRECTIVES_1_0 + DIRECTIVES_2_0 + DIRECTIVES_3_0 + DIRECTIVES_DRAFT).uniq.sort
+    ALL_DIRECTIVES = (DIRECTIVES_1_0 + DIRECTIVES_2_0 + DIRECTIVES_3_0).uniq.sort
 
     # Think of default-src and report-uri as the beginning and end respectively,
     # everything else is in between.
@@ -157,7 +150,6 @@ def self.included(base)
       MEDIA_SRC                 => :source_list,
       OBJECT_SRC                => :source_list,
       PLUGIN_TYPES              => :source_list,
-      REFLECTED_XSS             => :string,
       REPORT_URI                => :source_list,
       SANDBOX                   => :source_list,
       SCRIPT_SRC                => :source_list,

spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -120,30 +120,29 @@ module SecureHeaders
           end.merge({
             block_all_mixed_content: true,
             upgrade_insecure_requests: true,
-            reflected_xss: "block",
             script_src: %w(script-src.com),
             script_nonce: 123456
           })
         end
 
         it "does not filter any directives for Chrome" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:chrome])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
         end
 
         it "does not filter any directives for Opera" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:opera])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
         end
 
         it "filters blocked-all-mixed-content, child-src, and plugin-types for firefox" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:firefox])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
         end
 
         it "filters blocked-all-mixed-content, frame-src, and plugin-types for firefox 46 and higher" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:firefox46])
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
         end
 
         it "child-src value is copied to frame-src, adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, upgrade-insecure-requests, child-src, form-action, frame-ancestors, nonce sources, hash sources, and plugin-types for Edge" do
@@ -165,7 +164,7 @@ module SecureHeaders
           ua = USER_AGENTS[:firefox].dup
           allow(ua).to receive(:version).and_return(nil)
           policy = ContentSecurityPolicy.new(complex_opts, ua)
-          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
+          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
         end
       end
     end

spec/lib/secure_headers/headers/policy_management_spec.rb

@@ -28,6 +28,7 @@ module SecureHeaders
           connect_src: %w(wss:),
           font_src: %w('self' data:),
           img_src: %w(mycdn.com data:),
+          manifest_src: %w(manifest.com),
           media_src: %w(utoob.com),
           object_src: %w('self'),
           script_src: %w('self'),