Add test to exercise override opting out without default_src #444
base: main
Conversation
On secure_headers 5.x it was possible to override the CSP directives when opting out without having to define a default_src. Now on 6.x it is required to set the default_src when overriding other directives. It is not clear in the CHANGELOG/upgrade guide if this change is by design or if it is just a side effect of other changes. I could not find anything in the spec that says that default_src is required or not, so I decided to open a PR with a test to get feedback on that. If this is undesirable behavior I'm willing to change this PR to fix the problem. Let me know what the next steps are. Thanks.
👋 hello, thanks for raising this.
It appears to have been fixed as a side effect of other changes, not exactly sure when.
That makes sense. So maybe
I think that behavior would be a little surprising. Declaring This feels a bit edge-casey so I'm trying to keep an open mind. It seems in the example provided, the "fix" to get the desired policy isn't too burdensome to add and would be obvious/self-documenting. I'd be curious to see what others think.
I think the problem with asking the override the define This requires your code to have to check if In other words, my method call in the app needs now to be something like:

```ruby
# Only override frame_ancestors when the app-level config already carries a default_src;
# otherwise the override has to spell out default_src (and the directives it governs) too.
if SecureHeaders.config_for(request).csp['default_src']
  SecureHeaders.override_content_security_policy_directives(request, { frame_ancestors: %w('none') }, :enforced)
else
  SecureHeaders.override_content_security_policy_directives(request, { frame_ancestors: %w('none'), default_src: %w('self' https:), script_src: %w(https:) }, :enforced)
end
```
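The PR description asks whether the CSP spec requires default_src, and the comment above shows an override that only wants to set frame_ancestors. The following is an added illustration, not code from secure_headers or from this PR: a small model of how a CSP receiver resolves a directive that is absent from the policy. Per CSP Level 3, only the fetch directives (script-src, img-src, connect-src, ...) fall back to default-src when they are missing, frame-ancestors never does, and with no default-src at all a missing fetch directive is simply unrestricted. The helper names `csp_header`, `effective_sources` and the `FETCH_DIRECTIVES` list are assumptions for this example; the `%w('none')`-style directive hashes mirror the ones used in the comment above.

```ruby
# Added example (not secure_headers code): model CSP fallback resolution so the
# effect of an override with and without default_src is visible.

# CSP Level 3 fetch directives: these, and only these, fall back to default-src
# when the policy does not list them. frame-ancestors is NOT on this list.
# (Names chosen for this example; the list itself follows the spec.)
FETCH_DIRECTIVES = %w[
  child-src connect-src font-src frame-src img-src manifest-src media-src
  object-src script-src style-src worker-src
].freeze

# Serialize a directive hash such as { frame_ancestors: %w('none') } into a
# Content-Security-Policy header value. Keys use underscores, as in the
# secure_headers override hashes quoted in the thread.
def csp_header(directives)
  directives.map do |name, sources|
    "#{name.to_s.tr('_', '-')} #{sources.join(' ')}"
  end.join("; ")
end

# Source list that actually governs `directive` under this policy:
#   - an explicit entry wins;
#   - a missing fetch directive inherits default-src if the policy has one;
#   - frame-ancestors (and any other non-fetch directive) never inherits;
#   - otherwise nil, meaning the directive is unrestricted.
def effective_sources(directives, directive)
  key = directive.tr("-", "_").to_sym
  return directives[key] if directives.key?(key)
  if FETCH_DIRECTIVES.include?(directive) && directives.key?(:default_src)
    return directives[:default_src]
  end
  nil
end

# Constructed policies matching the two branches of the comment above.
ONLY_FRAME_ANCESTORS = { frame_ancestors: %w('none') }.freeze
WITH_DEFAULT_SRC = {
  frame_ancestors: %w('none'),
  default_src: %w('self' https:),
  script_src: %w(https:)
}.freeze

if __FILE__ == $PROGRAM_NAME
  [ONLY_FRAME_ANCESTORS, WITH_DEFAULT_SRC].each do |policy|
    puts "Content-Security-Policy: #{csp_header(policy)}"
    %w[frame-ancestors script-src img-src].each do |d|
      puts "  #{d} -> #{effective_sources(policy, d).inspect}"
    end
  end
end
```

Running it shows why the override without default_src is a legitimate policy rather than an incomplete one: `frame-ancestors 'none'` on its own blocks framing and leaves every fetch directive unrestricted, which is exactly the "opt out of everything but framing" intent; adding `default-src 'self' https:` to the same override pulls img-src, connect-src and the other fetch directives under that source list as well, so the extra key is not a no-op and a silent gem-supplied default would change the effective policy.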
Interesting! I see your point. Can you describe your use a little more? Or does this about sum it up:
That's an interesting strategy, but I will not say it's wrong. That being said, I still don't think adding the surprise default CSP that can change over time is the right answer. I'll have to think on it some more but I'm not seeing an obvious path forward. Did you have anything in mind?
Adding this as a public commitment to resolve this issue in the near future. |