Merge pull request #220 from twitter/upgrade-insecure-requests

oreoshake · oreoshake · commit eeb09da12aa3 · 2016-02-26T08:17:47.000-10:00
Add support for CSP upgrade-insecure-requests source expression
diff --git a/README.md b/README.md
@@ -56,6 +56,7 @@ SecureHeaders::Configuration.default do |config|
     frame_ancestors: %w('none'),
     plugin_types: %w(application/x-shockwave-flash),
     block_all_mixed_content: true, # see [http://www.w3.org/TR/mixed-content/](http://www.w3.org/TR/mixed-content/)
+    upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
     report_uri: %w(https://example.com/uri-directive)
   }
   config.hpkp = {
diff --git a/lib/secure_headers/headers/content_security_policy.rb b/lib/secure_headers/headers/content_security_policy.rb
@@ -77,8 +77,10 @@ class ContentSecurityPolicy
     # All the directives that are not currently in a formal spec, but have
     # been implemented somewhere.
     BLOCK_ALL_MIXED_CONTENT = :block_all_mixed_content
+    UPGRADE_INSECURE_REQUESTS = :upgrade_insecure_requests
     DIRECTIVES_DRAFT = [
-      BLOCK_ALL_MIXED_CONTENT
+      BLOCK_ALL_MIXED_CONTENT,
+      UPGRADE_INSECURE_REQUESTS
     ].freeze
 
     SAFARI_DIRECTIVES = DIRECTIVES_1_0
@@ -90,7 +92,7 @@ class ContentSecurityPolicy
     ].freeze
 
     FIREFOX_DIRECTIVES = (
-      DIRECTIVES_2_0 - FIREFOX_UNSUPPORTED_DIRECTIVES
+      DIRECTIVES_2_0 + DIRECTIVES_DRAFT - FIREFOX_UNSUPPORTED_DIRECTIVES
     ).freeze
 
     CHROME_DIRECTIVES = (
@@ -114,25 +116,26 @@ class ContentSecurityPolicy
     OTHER = "Other".freeze
 
     DIRECTIVE_VALUE_TYPES = {
-      BASE_URI                => :source_list,
-      BLOCK_ALL_MIXED_CONTENT => :boolean,
-      CHILD_SRC               => :source_list,
-      CONNECT_SRC             => :source_list,
-      DEFAULT_SRC             => :source_list,
-      FONT_SRC                => :source_list,
-      FORM_ACTION             => :source_list,
-      FRAME_ANCESTORS         => :source_list,
-      FRAME_SRC               => :source_list,
-      IMG_SRC                 => :source_list,
-      MANIFEST_SRC            => :source_list,
-      MEDIA_SRC               => :source_list,
-      OBJECT_SRC              => :source_list,
-      PLUGIN_TYPES            => :source_list,
-      REFLECTED_XSS           => :string,
-      REPORT_URI              => :source_list,
-      SANDBOX                 => :string,
-      SCRIPT_SRC              => :source_list,
-      STYLE_SRC               => :source_list
+      BASE_URI                  => :source_list,
+      BLOCK_ALL_MIXED_CONTENT   => :boolean,
+      CHILD_SRC                 => :source_list,
+      CONNECT_SRC               => :source_list,
+      DEFAULT_SRC               => :source_list,
+      FONT_SRC                  => :source_list,
+      FORM_ACTION               => :source_list,
+      FRAME_ANCESTORS           => :source_list,
+      FRAME_SRC                 => :source_list,
+      IMG_SRC                   => :source_list,
+      MANIFEST_SRC              => :source_list,
+      MEDIA_SRC                 => :source_list,
+      OBJECT_SRC                => :source_list,
+      PLUGIN_TYPES              => :source_list,
+      REFLECTED_XSS             => :string,
+      REPORT_URI                => :source_list,
+      SANDBOX                   => :string,
+      SCRIPT_SRC                => :source_list,
+      STYLE_SRC                 => :source_list,
+      UPGRADE_INSECURE_REQUESTS => :boolean
     }.freeze
 
     CONFIG_KEY = :csp
@@ -196,7 +199,7 @@ def idempotent_additions?(config, additions)
       #
       # raises an error if the original config is OPT_OUT
       #
-      # 1. for non-source-list values (report_only, block_all_mixed_content),
+      # 1. for non-source-list values (report_only, block_all_mixed_content, upgrade_insecure_requests),
       # additions will overwrite the original value.
       # 2. if a value in additions does not exist in the original config, the
       # default-src value is included to match original behavior.
diff --git a/spec/lib/secure_headers/headers/content_security_policy_spec.rb b/spec/lib/secure_headers/headers/content_security_policy_spec.rb
@@ -46,6 +46,7 @@ module SecureHeaders
           frame_ancestors: %w('none'),
           plugin_types: %w(application/x-shockwave-flash),
           block_all_mixed_content: true, # see [http://www.w3.org/TR/mixed-content/](http://www.w3.org/TR/mixed-content/)
+          upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
           report_uri: %w(https://example.com/uri-directive)
         }
 
@@ -76,6 +77,12 @@ module SecureHeaders
         end.to raise_error(ContentSecurityPolicyConfigError)
       end
 
+      it "requires :upgrade_insecure_requests to be a boolean value" do
+        expect do
+          CSP.validate_config!(default_opts.merge(upgrade_insecure_requests: "steve"))
+        end.to raise_error(ContentSecurityPolicyConfigError)
+      end
+
       it "requires all source lists to be an array of strings" do
         expect do
           CSP.validate_config!(default_src: "steve")
@@ -214,27 +221,33 @@ module SecureHeaders
 
       context "browser sniffing" do
         let (:complex_opts) do
-          ContentSecurityPolicy::ALL_DIRECTIVES.each_with_object({}) { |directive, hash| hash[directive] = %w('self') }
-            .merge(block_all_mixed_content: true, reflected_xss: "block")
-            .merge(script_src: %w('self'), script_nonce: 123456)
+          ContentSecurityPolicy::ALL_DIRECTIVES.each_with_object({}) do |directive, hash|
+            hash[directive] = %w('self')
+          end.merge({
+            block_all_mixed_content: true,
+            upgrade_insecure_requests: true,
+            reflected_xss: "block",
+            script_src: %w('self'),
+            script_nonce: 123456
+          })
         end
 
         it "does not filter any directives for Chrome" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:chrome])
-          expect(policy.value).to eq("default-src 'self'; base-uri 'self'; block-all-mixed-content; child-src 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; plugin-types 'self'; sandbox 'self'; script-src 'self' 'nonce-123456'; style-src 'self'; report-uri 'self'")
+          expect(policy.value).to eq("default-src 'self'; base-uri 'self'; block-all-mixed-content; child-src 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; plugin-types 'self'; sandbox 'self'; script-src 'self' 'nonce-123456'; style-src 'self'; upgrade-insecure-requests; report-uri 'self'")
         end
 
         it "does not filter any directives for Opera" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:opera])
-          expect(policy.value).to eq("default-src 'self'; base-uri 'self'; block-all-mixed-content; child-src 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; plugin-types 'self'; sandbox 'self'; script-src 'self' 'nonce-123456'; style-src 'self'; report-uri 'self'")
+          expect(policy.value).to eq("default-src 'self'; base-uri 'self'; block-all-mixed-content; child-src 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; plugin-types 'self'; sandbox 'self'; script-src 'self' 'nonce-123456'; style-src 'self'; upgrade-insecure-requests; report-uri 'self'")
         end
 
         it "filters blocked-all-mixed-content, child-src, and plugin-types for firefox" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:firefox])
-          expect(policy.value).to eq("default-src 'self'; base-uri 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; sandbox 'self'; script-src 'self' 'nonce-123456'; style-src 'self'; report-uri 'self'")
+          expect(policy.value).to eq("default-src 'self'; base-uri 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; sandbox 'self'; script-src 'self' 'nonce-123456'; style-src 'self'; upgrade-insecure-requests; report-uri 'self'")
         end
 
-        it "adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, child-src, form-action, frame-ancestors, nonce sources, hash sources, and plugin-types for safari" do
+        it "adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, upgrade-insecure-requests, child-src, form-action, frame-ancestors, nonce sources, hash sources, and plugin-types for safari" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:safari6])
           expect(policy.value).to eq("default-src 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; sandbox 'self'; script-src 'self' 'unsafe-inline'; style-src 'self'; report-uri 'self'")
         end

Original file line number	Diff line number	Diff line change
`@@ -56,6 +56,7 @@ SecureHeaders::Configuration.default do \|config\|`
`56`	`56`	`frame_ancestors: %w('none'),`
`57`	`57`	`plugin_types: %w(application/x-shockwave-flash),`
`58`	`58`	`block_all_mixed_content: true, # see [http://www.w3.org/TR/mixed-content/](http://www.w3.org/TR/mixed-content/)`
	`59`	`+ upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/`
`59`	`60`	`report_uri: %w(https://example.com/uri-directive)`
`60`	`61`	`}`
`61`	`62`	`config.hpkp = {`