Source Deduplication Doesn't Take Schemes into Account

[belenko]

SecureHeaders excessively deduplicates sources without taking schemes into account leading to removal of sources that shouldn't be removed.

I think the problem is with dedup_source_list() which relies on filesystem-like matching.

Expected Header

Content-Security-Policy: default-src 'self' wss://ws.contoso.com *.contoso.com

Actual Header

Content-Security-Policy: default-src 'self' *.contoso.com

Config

SecureHeaders::Configuration.default do |config|
  config.csp = {
    preserve_schemes: true, # this line doesn't matter, actually
    default_src: %w('self' wss://ws.contoso.com *.contoso.com)
  }
end

[oreoshake]

Welp. I'm assuming that policy mangling means your CSP is breaking functionality. The * should only apply to http/https schemes.

[belenko]

As a workaround we currently settled on %w('self' wss://*.contoso.com *.contoso.com) which works as expected, so not a deal breaker for us (though had to spend some time to figure out who eats that wss:// source :) )

[oreoshake]

I've never been a fan of the deduplication based on * anyways. Maybe we should just rip that out.

[oreoshake]

Like people trying to save a few bytes can optimize elsewhere.

[srt32]

This should be resolved by #478

[lgarron]

Source deduplication was removed in #499

Expected Header

Content-Security-Policy: default-src 'self' wss://ws.contoso.com *.contoso.com

I've confirmed that this is the case.

We also have a very similar test to prevent a regression:

secure_headers/spec/lib/secure_headers/headers/content_security_policy_spec.rb

Line 115 in 51b9845

csp = ContentSecurityPolicy.new(default_src: %w(*.example.org wss://example.example.org))