Merge pull request #478 from keithamus/do-not-dedupe-alternate-schema…
…-source-expresions

do not dedupe alternate schema source expresions
JackMc authored Jun 15, 2022
2 parents 034c8b6 + 78cb949 commit 0dc7fee
Showing 2 changed files with 7 additions and 1 deletion.
3 changes: 2 additions & 1 deletion lib/secure_headers/headers/content_security_policy.rb
Expand Up @@ -155,9 +155,10 @@ def dedup_source_list(sources)
wild_sources = sources.select { |source| source =~ STAR_REGEXP }

if wild_sources.any?
schemes = sources.map { |source| [source, URI(source).scheme] }.to_h
sources.reject do |source|
!wild_sources.include?(source) &&
wild_sources.any? { |pattern| File.fnmatch(pattern, source) }
wild_sources.any? { |pattern| schemes[pattern] == schemes[source] && File.fnmatch(pattern, source) }
end
else
sources
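Review bot: `URI(source)` on the new `schemes` line raises `URI::InvalidURIError` for any entry that is not a parseable URI reference, and because the hash is built eagerly over every source whenever at least one wildcard is present, a single unparseable source expression now aborts policy generation where the previous code would have emitted it untouched. A port-bearing wildcard such as `*.example.org:8080` appears to be one such case (no scheme, and `:` is not permitted in the first segment of a relative path), while a scheme-less `example.org:8080` looks like it parses with scheme `example.org`, which merely prevents deduplication against a scheme-less wildcard and is harmless. I would rescue the parse error and give the entry a value no wildcard's scheme can equal, so an unparseable source is kept rather than dropped: keeping a redundant source never widens the policy, whereas raising here turns a policy-building call into an error for input the gem accepted before. `dedup_source_list` continues past the end of this hunk.
```ruby
if wild_sources.any?
  schemes = sources.map do |source|
    scheme = begin
      URI(source).scheme
    rescue URI::InvalidURIError
      # Not a URI reference: use a value no wildcard's scheme can equal so the
      # entry is never treated as covered by a wildcard and is kept verbatim.
      source
    end
    [source, scheme]
  end.to_h
  # … unchanged: reject loop …
```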
Expand Up @@ -106,6 +106,11 @@ module SecureHeaders
expect(csp.value).to eq("default-src example.org")
end

it "does not deduplicate non-matching schema source expressions" do
csp = ContentSecurityPolicy.new(default_src: %w(*.example.org wss://example.example.org))
expect(csp.value).to eq("default-src *.example.org wss://example.example.org")
end

it "creates maximally strict sandbox policy when passed no sandbox token values" do
csp = ContentSecurityPolicy.new(default_src: %w(example.org), sandbox: [])
expect(csp.value).to eq("default-src example.org; sandbox")
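Review bot: The new example only covers the negative case (a scheme-bearing host is kept next to a scheme-less wildcard); nothing in this hunk checks that deduplication still fires when the schemes agree, which is the behaviour the scheme comparison is meant to preserve. I would add a sibling example such as `it "still deduplicates matching schema source expressions" do` / `csp = ContentSecurityPolicy.new(default_src: %w(https://*.example.org https://foo.example.org))` / `expect(csp.value).to eq("default-src https://*.example.org")`, where the expected value presumes `csp.value` serialises sources verbatim as the neighbouring examples suggest. A further example with a scheme-less wildcard against a scheme-less host (`%w(*.example.org foo.example.org)`) would pin the nil-equals-nil branch as well, if an earlier example in this file does not already cover it.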
