fix source dedup breaking with port wildcards

Author: machisuji

lib/secure_headers/headers/content_security_policy.rb

@@ -154,10 +154,10 @@ def reject_all_values_if_none(source_list)
     # e.g. *.github.jpy.wang asdf.github.com becomes *.github.jpy.wang
     def dedup_source_list(sources)
       sources = sources.uniq
-      wild_sources = sources.select { |source| source =~ STAR_REGEXP }
+      wild_sources = sources.select { |source| source =~ DOMAIN_WILDCARD_REGEX }
 
       if wild_sources.any?
-        schemes = sources.map { |source| [source, URI(source).scheme] }.to_h
+        schemes = sources.map { |source| [source, source_scheme(source)] }.to_h
         sources.reject do |source|
           !wild_sources.include?(source) &&
             wild_sources.any? { |pattern| schemes[pattern] == schemes[source] && File.fnmatch(pattern, source) }
@@ -212,5 +212,9 @@ def strip_source_schemes(source_list)
     def symbol_to_hyphen_case(sym)
       sym.to_s.tr("_", "-")
     end
+
+    def source_scheme(source)
+      URI(source.sub(PORT_WILDCARD_REGEX, '')).scheme
+    end
   end
 end

lib/secure_headers/headers/policy_management.rb

@@ -152,7 +152,8 @@ def self.included(base)
 
     FETCH_SOURCES = ALL_DIRECTIVES - NON_FETCH_SOURCES - NON_SOURCE_LIST_SOURCES
 
-    STAR_REGEXP = Regexp.new(Regexp.escape(STAR))
+    DOMAIN_WILDCARD_REGEX = /(?<=\A|[^:])\*/
+    PORT_WILDCARD_REGEX = /:\*/
     HTTP_SCHEME_REGEX = %r{\Ahttps?://}
 
     WILDCARD_SOURCES = [

spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -56,6 +56,11 @@ module SecureHeaders
         expect(csp.value).to eq("default-src *.example.org")
       end
 
+      it "allows for port wildcards" do
+        csp = ContentSecurityPolicy.new(connect_src: %w(ws://localhost:*))
+        expect(csp.value).to eq("connect-src ws://localhost:*")
+      end
+
       it "removes http/s schemes from hosts" do
         csp = ContentSecurityPolicy.new(default_src: %w(https://example.org))
         expect(csp.value).to eq("default-src example.org")