prevent the ability to muck with original CSP settings when using a dynamic policy

/cc @ptoomey3

Author: oreoshake

lib/secure_headers.rb

@@ -49,7 +49,7 @@ class << self
     def override_content_security_policy_directives(request, additions)
       config = config_for(request)
       if config.current_csp == OPT_OUT
-        config.csp = config.dynamic_csp = {}
+        config.dynamic_csp = {}
       end
 
       config.dynamic_csp = config.current_csp.merge(additions)

lib/secure_headers/configuration.rb

@@ -3,6 +3,7 @@ class Configuration
     DEFAULT_CONFIG = :default
     NOOP_CONFIGURATION = "secure_headers_noop_config"
     class NotYetConfiguredError < StandardError; end
+    class IllegalPolicyModificationError < StandardError; end
     class << self
       # Public: Set the global default configuration.
       #
@@ -23,12 +24,12 @@ def default(&block)
       # if no value is supplied.
       #
       # Returns: the newly created config
-      def override(name, base = DEFAULT_CONFIG)
+      def override(name, base = DEFAULT_CONFIG, &block)
         unless get(base)
           raise NotYetConfiguredError, "#{base} policy not yet supplied"
         end
         override = @configurations[base].dup
-        yield(override)
+        override.instance_eval &block if block_given?
         add_configuration(name, override)
       end
 
@@ -99,7 +100,7 @@ def deep_copy_if_hash(value)
     end
 
     attr_writer :hsts, :x_frame_options, :x_content_type_options,
-      :x_xss_protection, :csp, :x_download_options, :x_permitted_cross_domain_policies,
+      :x_xss_protection, :x_download_options, :x_permitted_cross_domain_policies,
       :hpkp, :dynamic_csp, :secure_cookies
 
     attr_reader :cached_headers, :csp, :dynamic_csp, :secure_cookies
@@ -166,6 +167,14 @@ def validate_config!
 
     protected
 
+    def csp=(new_csp)
+      if self.dynamic_csp
+        raise IllegalPolicyModificationError, "You are attempting to modify CSP settings directly. Use dynamic_csp= isntead."
+      end
+
+      @csp = new_csp
+    end
+
     def cached_headers=(headers)
       @cached_headers = headers
     end

spec/lib/secure_headers/configuration_spec.rb

@@ -36,7 +36,7 @@ module SecureHeaders
 
       config = Configuration.get(:test_override)
       noop = Configuration.get(Configuration::NOOP_CONFIGURATION)
-      [:csp, :dynamic_csp].each do |key|
+      [:csp, :dynamic_csp, :secure_cookies].each do |key|
         expect(config.send(key)).to eq(noop.send(key)), "Value not copied: #{key}."
       end
     end

spec/lib/secure_headers_spec.rb

@@ -129,6 +129,24 @@ module SecureHeaders
           SecureHeaders.header_hash_for(request)
         end
 
+        it "doesn't allow you to muck with csp configs when a dynamic policy is in use" do
+          default_config = Configuration.default
+          expect { default_config.csp = {} }.to raise_error(NoMethodError)
+
+          # config is frozen
+          expect { default_config.send(:csp=, {}) }.to raise_error(RuntimeError)
+
+          SecureHeaders.append_content_security_policy_directives(request, script_src: %w(anothercdn.com))
+          new_config = SecureHeaders.config_for(request)
+          expect { new_config.send(:csp=, {}) }.to raise_error(Configuration::IllegalPolicyModificationError)
+
+          expect do
+            new_config.instance_eval do
+              new_config.csp = {}
+            end
+          end.to raise_error(Configuration::IllegalPolicyModificationError)
+        end
+
         it "overrides individual directives" do
           Configuration.default do |config|
             config.csp = {