Allow CSP to fallback to default-src (#1490)

* Allow content source to fallback to default-src Remove defaults for script-src, style-src, connect-src, and img-src so that they can fallback to default-src. The default for default-src has been changed from 'none' to 'self'. This seems to be a safe default especially as browsers implement prefetch-src. If stricter policies are needed they can be specified when loading this middleware. * Add support for webrtc-src, navigate-to, and prefetch-src directives
sinatra · Mar 13, 2020 · c2705ce · c2705ce
1 parent 574e5a9
commit c2705ce
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 8 deletions.
diff --git a/rack-protection/lib/rack/protection/content_security_policy.rb b/rack-protection/lib/rack/protection/content_security_policy.rb
@@ -36,16 +36,15 @@ module Protection
     #          to be used in a policy.
     #
     class ContentSecurityPolicy < Base
-      default_options default_src: :none, script_src: "'self'",
-                      img_src: "'self'", style_src: "'self'",
-                      connect_src: "'self'", report_only: false
+      default_options default_src: "'self'", report_only: false
 
       DIRECTIVES = %i(base_uri child_src connect_src default_src
                       font_src form_action frame_ancestors frame_src
                       img_src manifest_src media_src object_src
                       plugin_types referrer reflected_xss report_to
                       report_uri require_sri_for sandbox script_src
-                      style_src worker_src).freeze
+                      style_src worker_src webrtc_src navigate_to
+                      prefetch_src).freeze
 
       NO_ARG_DIRECTIVES = %i(block_all_mixed_content disown_opener
                              upgrade_insecure_requests).freeze

diff --git a/rack-protection/spec/lib/rack/protection/content_security_policy_spec.rb b/rack-protection/spec/lib/rack/protection/content_security_policy_spec.rb
@@ -4,7 +4,7 @@
   it 'should set the Content Security Policy' do
     expect(
       get('/', {}, 'wants' => 'text/html').headers["Content-Security-Policy"]
-    ).to eq("connect-src 'self'; default-src none; img-src 'self'; script-src 'self'; style-src 'self'")
+    ).to eq("default-src 'self'")
   end
 
   it 'should not set the Content Security Policy for other content types' do
@@ -33,7 +33,7 @@
     end
 
     headers = get('/', {}, 'wants' => 'text/html').headers
-    expect(headers["Content-Security-Policy"]).to eq("block-all-mixed-content; connect-src 'self'; default-src none; disown-opener; img-src 'self'; script-src 'self'; style-src 'self'; upgrade-insecure-requests")
+    expect(headers["Content-Security-Policy"]).to eq("block-all-mixed-content; default-src 'self'; disown-opener; upgrade-insecure-requests")
   end
 
   it 'should ignore CSP3 no arg directives unless they are set to true' do
@@ -44,7 +44,7 @@
     end
 
     headers = get('/', {}, 'wants' => 'text/html').headers
-    expect(headers["Content-Security-Policy"]).to eq("connect-src 'self'; default-src none; img-src 'self'; script-src 'self'; style-src 'self'")
+    expect(headers["Content-Security-Policy"]).to eq("default-src 'self'")
   end
 
   it 'should allow changing report only' do
@@ -56,7 +56,7 @@
 
     headers = get('/', {}, 'wants' => 'text/html').headers
     expect(headers["Content-Security-Policy"]).to be_nil
-    expect(headers["Content-Security-Policy-Report-Only"]).to eq("connect-src 'self'; default-src none; img-src 'self'; report-uri /my_amazing_csp_report_parser; script-src 'self'; style-src 'self'")
+    expect(headers["Content-Security-Policy-Report-Only"]).to eq("default-src 'self'; report-uri /my_amazing_csp_report_parser")
   end
 
   it 'should not override the header if already set' do