secure_headers Source Deduplication Doesn't Take Schemes into Account

SecureHeaders excessively deduplicates sources without taking schemes into account leading to removal of sources that shouldn't be removed.

I think the problem is with dedup_source_list() which relies on filesystem-like matching.

Expected Header

Content-Security-Policy: default-src 'self' wss://ws.contoso.com *.contoso.com

Actual Header

Content-Security-Policy: default-src 'self' *.contoso.com

Config

SecureHeaders::Configuration.default do |config|
  config.csp = {
    preserve_schemes: true, # this line doesn't matter, actually
    default_src: %w('self' wss://ws.contoso.com *.contoso.com)
  }
end

Mar 01 '17 15:03 belenko

Welp. I'm assuming that policy mangling means your CSP is breaking functionality. The * should only apply to http/https schemes.

Mar 01 '17 18:03 oreoshake

As a workaround we currently settled on %w('self' wss://*.contoso.com *.contoso.com) which works as expected, so not a deal breaker for us (though had to spend some time to figure out who eats that wss:// source :) )

Mar 01 '17 18:03 belenko

I've never been a fan of the deduplication based on * anyways. Maybe we should just rip that out.

Mar 01 '17 18:03 oreoshake

Like people trying to save a few bytes can optimize elsewhere.

Mar 01 '17 18:03 oreoshake

This should be resolved by https://github.com/github/secure_headers/pull/478

Jun 01 '22 21:06 srt32

Source deduplication was removed in https://github.com/github/secure_headers/pull/499

Expected Header

Content-Security-Policy: default-src 'self' wss://ws.contoso.com *.contoso.com

I've confirmed that this is the case.

We also have a very similar test to prevent a regression: https://github.com/github/secure_headers/blob/51b9845ad7cc45f44831d48b994a7e1cd6cfe900/spec/lib/secure_headers/headers/content_security_policy_spec.rb#L115

Jan 03 '23 22:01 lgarron