Skip to content

Add report-to CSP directive #529

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
loremotta33 wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Add report-to CSP directive #529

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
4b07344
Add report-to CSP directive
loremotta33 Oct 17, 2024
f2cd70b
Add Reporting-Endpoints header support
loremotta33 Nov 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
Add report-to CSP directive
  • Loading branch information
@loremotta33
loremotta33 committed Oct 18, 2024
commit 4b07344f929b2c8b22da039f16f3207f3345d5ba
6 changes: 4 additions & 2 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,12 +81,14 @@ SecureHeaders::Configuration.default do |config|
style_src_attr: %w('unsafe-inline'),
worker_src: %w('self'),
upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
report_uri: %w(https://report-uri.io/example-csp)
report_uri: %w(https://report-uri.io/example-csp),
report_to: %w(example-csp)
}
# This is available only from 3.5.0; use the `report_only: true` setting for 3.4.1 and below.
config.csp_report_only = config.csp.merge({
img_src: %w(somewhereelse.com),
report_uri: %w(https://report-uri.io/example-csp-report-only)
report_uri: %w(https://report-uri.io/example-csp-report-only),
report_to: %w(example-csp-report-only)
})
end
```
Expand Down
7 changes: 4 additions & 3 deletions lib/secure_headers/headers/content_security_policy.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,8 +46,8 @@ def value
private

# Private: converts the config object into a string representing a policy.
# Places default-src at the first directive and report-uri as the last. All
# others are presented in alphabetical order.
# Places default-src at the first directive, report-uri second to last and report-to as the
# last. All others are presented in alphabetical order.
#
# Returns a content security policy header value.
def build_value
Expand Down Expand Up @@ -130,7 +130,7 @@ def minify_source_list(directive, source_list)
source_list = populate_nonces(directive, source_list)
source_list = reject_all_values_if_none(source_list)

unless directive == REPORT_URI || @preserve_schemes
unless [REPORT_URI, REPORT_TO].include?(directive) || @preserve_schemes
source_list = strip_source_schemes(source_list)
end
source_list.uniq
Expand Down Expand Up @@ -185,6 +185,7 @@ def directives
DEFAULT_SRC,
BODY_DIRECTIVES,
REPORT_URI,
REPORT_TO
].flatten
end

Expand Down
9 changes: 6 additions & 3 deletions lib/secure_headers/headers/policy_management.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,7 @@ def self.included(base)
SCRIPT_SRC_ATTR = :script_src_attr
STYLE_SRC_ELEM = :style_src_elem
STYLE_SRC_ATTR = :style_src_attr
REPORT_TO = :report_to

DIRECTIVES_3_0 = [
DIRECTIVES_2_0,
Expand All @@ -93,7 +94,8 @@ def self.included(base)
SCRIPT_SRC_ELEM,
SCRIPT_SRC_ATTR,
STYLE_SRC_ELEM,
STYLE_SRC_ATTR
STYLE_SRC_ATTR,
REPORT_TO
].flatten.freeze

# Experimental directives - these vary greatly in support
Expand All @@ -110,9 +112,9 @@ def self.included(base)

ALL_DIRECTIVES = (DIRECTIVES_1_0 + DIRECTIVES_2_0 + DIRECTIVES_3_0 + DIRECTIVES_EXPERIMENTAL).uniq.sort

# Think of default-src and report-uri as the beginning and end respectively,
# Think of default-src as the beginning, report-uri and report-to as the end,
# everything else is in between.
BODY_DIRECTIVES = ALL_DIRECTIVES - [DEFAULT_SRC, REPORT_URI]
BODY_DIRECTIVES = ALL_DIRECTIVES - [DEFAULT_SRC, REPORT_URI, REPORT_TO]

DIRECTIVE_VALUE_TYPES = {
BASE_URI => :source_list,
Expand All @@ -131,6 +133,7 @@ def self.included(base)
PLUGIN_TYPES => :media_type_list,
REQUIRE_SRI_FOR => :require_sri_for_list,
REQUIRE_TRUSTED_TYPES_FOR => :require_trusted_types_for_list,
REPORT_TO => :source_list,
REPORT_URI => :source_list,
PREFETCH_SRC => :source_list,
SANDBOX => :sandbox_list,
Expand Down
5 changes: 5 additions & 0 deletions spec/lib/secure_headers/headers/content_security_policy_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,11 @@ module SecureHeaders
expect(csp.value).to eq("default-src https:; report-uri https://example.org")
end

it "does not remove schemes from report-to values" do
csp = ContentSecurityPolicy.new(default_src: %w(https:), report_to: %w(https://example.org))
expect(csp.value).to eq("default-src https:; report-to https://example.org")
end

it "does not remove schemes when :preserve_schemes is true" do
csp = ContentSecurityPolicy.new(default_src: %w(https://example.org), preserve_schemes: true)
expect(csp.value).to eq("default-src https://example.org")
Expand Down
1 change: 1 addition & 0 deletions spec/lib/secure_headers/headers/policy_management_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,7 @@ module SecureHeaders
style_src_attr: %w(example.com),
trusted_types: %w(abcpolicy),

report_to: %w(https://example.com/uri-directive),
report_uri: %w(https://example.com/uri-directive),
}

Expand Down