From 91ded1afd0a50a1df526605417e3412c06472f8d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?= Date: Tue, 18 Aug 2020 22:14:35 -0400 Subject: [PATCH] Add test to exercise override opting out without default_src On secure_headers 5.x it was possible to override the CSP directives when optin out without having to define a default_src. Now on 6.x it is required to set the default_src when overriding other directives. It is not clear in the CHANGELOG/upgrade guide if this change is by design or if it is just a side effect of other changes. I could not find anyting in the spec that says that default_src is required or not, so I decided to open a PR with a test to get feedback on that. If this is undesirable behavior I'm willing to change this PR to fix the problem. Let me know what are the next steps. Thanks.
---
 spec/lib/secure_headers_spec.rb | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/spec/lib/secure_headers_spec.rb b/spec/lib/secure_headers_spec.rb
index be608c74..61be4265 100644
--- a/spec/lib/secure_headers_spec.rb
+++ b/spec/lib/secure_headers_spec.rb
@@ -117,6 +117,17 @@ module SecureHeaders
 expect(hash[XFrameOptions::HEADER_NAME]).to eq(XFrameOptions::SAMEORIGIN)
 end
+ it "allows you to override opting out without default_src" do
+ Configuration.default do |config|
+ config.csp = OPT_OUT
+ end
+
+ SecureHeaders.override_content_security_policy_directives(request, { frame_ancestors: %w('none') }, :enforced)
+
+ hash = SecureHeaders.header_hash_for(request)
+ expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src https:; script-src 'self'")
+ end
+
 it "produces a hash of headers with default config" do
 Configuration.default
 hash = SecureHeaders.header_hash_for(request)
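Review bot: The expectation in the new example, `eq("default-src https:; script-src 'self'")`, does not contain `frame-ancestors 'none'`, so the test never checks that the `frame_ancestors` override passed two lines earlier actually reached the header; it only pins what look like default directive values. If that string is what 6.x currently emits, the example is documenting the regression described in the commit message rather than the intended behaviour, and a green run would lock in a policy that silently drops the clickjacking protection the override asked for. If the override is meant to survive opting out, the assertion should include the overridden directive, e.g. `expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to include("frame-ancestors 'none'")`; if it is meant to record current behaviour for discussion, the `it` description should say so and the example should be marked `pending` so it cannot pass by accident. The enclosing `describe` block starts and ends outside the hunk.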