Merge pull request #148 from twitter/pass-reference-to-controller
Pass reference to controller to CSP callable config values
oreoshake committed Jun 18, 2015
2 parents df60b59 + abd16ca commit ccaa65c
Showing 3 changed files with 21 additions and 6 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -49,6 +49,7 @@ This gem makes a few assumptions about how you will use some features. For exam
config.x_permitted_cross_domain_policies = 'none'
config.csp = {
:default_src => "https: self",
:enforce => proc {|controller| contoller.current_user.enforce_csp? }
:frame_src => "https: http:.twimg.com http://itunes.apple.com",
:img_src => "https:",
:report_uri => '//example.com/uri-directive'
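--- a/lib/secure_headers/headers/content_security_policy.rb
+++ b/lib/secure_headers/headers/content_security_policy.rb
@@ -106,7 +106,7 @@ def initialize(config=nil, options={})
 
 # Config values can be string, array, or lamdba values
 @config = config.inject({}) do |hash, (key, value)|
-config_val = value.respond_to?(:call) ? value.call : value
+config_val = value.respond_to?(:call) ? value.call(@controller) : value
 
 if SOURCE_DIRECTIVES.include?(key) # directives need to be normalized to arrays of strings
 config_val = config_val.split if config_val.is_a? String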
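Review bot: The new `value.call(@controller)` on the added line passes an argument to every callable, so a zero-arity lambda — the form the previous spec used for `:app_name`, `:report_uri` and `:enforce` — now raises ArgumentError (lambdas check arity, procs do not), which is why the spec switches to `proc`; existing configs written with `lambda { ... }` will break at header-build time. Dispatching on arity keeps those configs working while still handing the controller to callables that ask for it. I also cannot see `@controller` being assigned anywhere in this hunk; if it is set from `options` after the `inject` runs (or not at all), every callable receives nil and `controller.current_user` raises NoMethodError on each request, so the assignment order should be confirmed and the method should fail loudly when a callable is given but no controller was provided. `initialize` starts before and continues past this hunk. The README example added in the same commit reads `contoller.current_user.enforce_csp?` and lacks a trailing comma, so it does not run as written.
```ruby
@config = config.inject({}) do |hash, (key, value)|
  config_val = if !value.respond_to?(:call)
                 value
               elsif value.respond_to?(:arity) && value.arity.zero?
                 value.call # keep zero-arity lambdas/procs from older configs working
               else
                 value.call(@controller)
               end
  # … unchanged: directive normalization …
```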
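--- a/spec/lib/secure_headers/headers/content_security_policy_spec.rb
+++ b/spec/lib/secure_headers/headers/content_security_policy_spec.rb
@@ -76,7 +76,7 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
 end
 
 it "adds a @enforce and @app_name variables to the report uri" do
-opts = @opts.merge(:tag_report_uri => true, :enforce => true, :app_name => lambda { 'twitter' })
+opts = @opts.merge(:tag_report_uri => true, :enforce => true, :app_name => proc { 'twitter' })
 csp = ContentSecurityPolicy.new(opts, :request => request_for(CHROME))
 expect(csp.value).to include("/csp_report?enforce=true&app_name=twitter")
 end
@@ -90,7 +90,7 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
 it "accepts procs for report-uris" do
 opts = {
 :default_src => 'self',
-:report_uri => lambda { "http://lambda/result" }
+:report_uri => proc { "http://lambda/result" }
 }
 
 csp = ContentSecurityPolicy.new(opts)
@@ -99,15 +99,29 @@ def request_for user_agent, request_uri=nil, options={:ssl => false}
 
 it "accepts procs for other fields" do
 opts = {
-:default_src => lambda { "http://lambda/result" },
-:enforce => lambda { true },
-:disable_fill_missing => lambda { true }
+:default_src => proc { "http://lambda/result" },
+:enforce => proc { true },
+:disable_fill_missing => proc { true }
 }
 
 csp = ContentSecurityPolicy.new(opts)
 expect(csp.value).to eq("default-src http://lambda/result; img-src http://lambda/result data:;")
 expect(csp.name).to match("Content-Security-Policy")
 end
+
+it "passes a reference to the controller to the proc" do
+controller = double
+user = double(:beta_testing? => true)
+
+allow(controller).to receive(:current_user).and_return(user)
+opts = {
+:disable_fill_missing => true,
+:default_src => "self",
+:enforce => lambda { |c| c.current_user.beta_testing? }
+}
+csp = ContentSecurityPolicy.new(opts, :controller => controller)
+expect(csp.name).to match("Content-Security-Policy")
+end
 end
 end
 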
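Review bot: The single assertion in the new "passes a reference to the controller to the proc" example does not prove the controller reached the lambda: `match("Content-Security-Policy")` is a substring/regex match and presumably also matches the report-only header name, so the example passes whether `c.current_user.beta_testing?` returned true, returned false, or was never called at all. Pin both the call and its effect by replacing the `allow` with `expect(controller).to receive(:current_user).and_return(user)` and the last line with `expect(csp.name).to eq("Content-Security-Policy")`. A companion example using `double(:beta_testing? => false)` and asserting the report-only name would show that the per-user switch really downgrades enforcement rather than silently doing nothing. The unchanged "accepts procs for other fields" example has the same `match` weakness, though that predates this commit.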
