Merge pull request #495 from github/lgarron/trusted-types-quoted-script

lgarron · web-flow · commit c8e58c3f0b77 · 2022-08-12T12:38:34.000-07:00
Trusted types: Use single-quoted `'script'`.
diff --git a/lib/secure_headers/headers/policy_management.rb b/lib/secure_headers/headers/policy_management.rb
@@ -189,7 +189,7 @@ def self.included(base)
     ].freeze
 
     REQUIRE_SRI_FOR_VALUES = Set.new(%w(script style))
-    REQUIRE_TRUSTED_TYPES_FOR_VALUES = Set.new(%w(script))
+    REQUIRE_TRUSTED_TYPES_FOR_VALUES = Set.new(%w('script'))
 
     module ClassMethods
       # Public: generate a header name, value array that is user-agent-aware.
@@ -393,7 +393,7 @@ def validate_require_sri_source_expression!(directive, require_sri_for_expressio
 
       # Private: validates that a require trusted types for expression:
       # 1. is an array of strings
-      # 2. is a subset of ["script"]
+      # 2. is a subset of ["'script'"]
       def validate_require_trusted_types_for_source_expression!(directive, require_trusted_types_for_expression)
         ensure_array_of_strings!(directive, require_trusted_types_for_expression)
         unless require_trusted_types_for_expression.to_set.subset?(REQUIRE_TRUSTED_TYPES_FOR_VALUES)
diff --git a/spec/lib/secure_headers/headers/content_security_policy_spec.rb b/spec/lib/secure_headers/headers/content_security_policy_spec.rb
@@ -197,8 +197,8 @@ module SecureHeaders
       end
 
       it "supports trusted-types directive with 'none'" do
-        csp = ContentSecurityPolicy.new({trusted_types: %w(none)})
-        expect(csp.value).to eq("trusted-types none")
+        csp = ContentSecurityPolicy.new({trusted_types: %w('none')})
+        expect(csp.value).to eq("trusted-types 'none'")
       end
 
       it "allows duplicate policy names in trusted-types directive" do
diff --git a/spec/lib/secure_headers/headers/policy_management_spec.rb b/spec/lib/secure_headers/headers/policy_management_spec.rb
@@ -45,7 +45,7 @@ module SecureHeaders
           plugin_types: %w(application/x-shockwave-flash),
           prefetch_src: %w(fetch.com),
           require_sri_for: %w(script style),
-          require_trusted_types_for: %w(script),
+          require_trusted_types_for: %w('script'),
           script_src: %w('self'),
           style_src: %w('unsafe-inline'),
           upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
