Skip to content

Commit

Permalink
Merge pull request #303 from twitter/strict-dynamic
Browse files Browse the repository at this point in the history
quick and dirty strict-dynamic support'
  • Loading branch information
oreoshake authored Nov 11, 2016
2 parents ec4a1c8 + e8bf322 commit 8007c4f
Show file tree
Hide file tree
Showing 2 changed files with 6 additions and 0 deletions.
1 change: 1 addition & 0 deletions lib/secure_headers/headers/policy_management.rb
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ def self.included(base)
STAR = "*".freeze
UNSAFE_INLINE = "'unsafe-inline'".freeze
UNSAFE_EVAL = "'unsafe-eval'".freeze
STRICT_DYNAMIC = "'strict-dynamic'".freeze

# leftover deprecated values that will be in common use upon upgrading.
DEPRECATED_SOURCE_VALUES = [SELF, NONE, UNSAFE_EVAL, UNSAFE_INLINE, "inline", "eval"].map { |value| value.delete("'") }.freeze
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,11 @@ module SecureHeaders
expect(firefox_transitional).not_to match(/frame-src/)
end

it "supports strict-dynamic" do
csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456}, USER_AGENTS[:chrome])
expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456'")
end

context "browser sniffing" do
let (:complex_opts) do
(ContentSecurityPolicy::ALL_DIRECTIVES - [:frame_src]).each_with_object({}) do |directive, hash|
Expand Down

0 comments on commit 8007c4f

Please sign in to comment.