Need Lucky::SecureHeaders::ContentSecurityPolicy

[BrucePerens]

Lucky needs to deal with Content Security Policy rather than some of the X-... headers currently in Lucky::SecureHeaders. I wrote a not-sufficiently-generalized version for my own application, here it is for your inspiration.

Some of the CSP headers are still in flux, I think the report-to format has changed in a recent RFC.

Context: the application has a separate static and dynamic site, the static site is presently on Wasabi, which won't let me set its CSP headers so they end up in <meta ...> tags.

config/content_security_policy.cr

ContentSecurityPolicy.configure do |s|
  # Don't use double-quotes, they are used to surround this in the meta tag.
  # FIX: Remove the development report path.
  s.report_to = <<-END
    {
      'group': 'csp-report',
      'max_age': 10886400,
      'endpoints': [
        { 'url': '/api/csp/report' }, 
        { 'url': 'https://dynamic.MY.SITE/api/csp/report' }
      ]
    }
  END

  # NONCE will be replaced the the current nonce.
  # Don't use double-quotes, they are used to surround this in the
  # meta tag.
  s.policy_static = <<-END
    default-src https://MY.SITE/ https://MY-SITE.cdn.ampproject.org/;
    style-src 'unsafe-inline';
    img-src *;
    media-src *;
    frame-src *;
    frame-ancestors 'none';
    object-src 'none';
    connect-src https://www.google-analytics.com/ https://cdn.ampproject.org/;
    report-to csp-report;
    script-src https://cdn.ampproject.org/v0.js https://cdn.ampproject.org/v0/
  END

  s.policy_dynamic = <<-END
    default-src https://dynamic.MY.SITE/;
    style-src https://MY.SITE/ 'unsafe-inline';
    img-src *;
    media-src *;
    frame-src *;
    frame-ancestors 'none';
    object-src 'none';
    connect-src https://dynamic.MY.SITE/ https://us-west-1.wasabisys.com/MY.SITE/;
    report-to csp-report;
    script-src https://dynamic.MY.SITE/ https://cdn.ampproject.org/v0.js https://cdn.ampproject.org/v0/ NONCE;
  END

  s.policy_development = <<-END
    default-src 'self';
    style-src 'self' 'unsafe-inline';
    img-src *;
    media-src *;
    frame-src *;
    object-src 'none';
    connect-src 'self' https://us-west-1.wasabisys.com/MY.SITE/;
    report-to csp-report;
    script-src 'self' https://cdn.ampproject.org/v0.js https://cdn.ampproject.org/v0/ NONCE;
  END
end

src/models/content_security_policy.cr

class ContentSecurityPolicy
  @@nonce : String  = "InvalidNonceValue"
  @@policy_static : String? = nil
  @@policy_dynamic : String? = nil
  @@policy_development : String? = nil
  @@report_to : String? = nil

  Habitat.create do
    setting policy_static : String
    setting policy_dynamic : String
    setting policy_development : String
    setting report_to : String
  end

  private def self.translate(s)
    s.gsub(/[\n\r\t ]+/, " ").gsub(/NONCE/, "'nonce-#{nonce}'");
  end

  def self.policy(static : Bool = false)
    if static
      pol = @@policy_static || (@@policy_static = translate(settings.policy_static))
    elsif (e = ENV["LUCKY_ENV"]?).nil? || e == "development"
      pol = @@policy_development || (@@policy_development = translate(settings.policy_development))
    else
      pol = @@policy_dynamic || (@@policy_dynamic = translate(settings.policy_dynamic))
    end
    
    pol;
  end

  def self.nonce
    @@nonce
  end

  def self.report_to
    @@report_to || (@@report_to = translate(settings.report_to))
  end

  def self.new_nonce
    @@nonce = Random::Secure.base64
    @@policy_static = @@policy_dynamic = @@policy_development = nil
  end
end

fragments from main layout:
Definition of the <script> wrapper:

 def script(s)
    raw "<script nonce='#{ContentSecurityPolicy.nonce}'>#{s}</script>"
  end

Use of the <script> wrapper:

script <<-END
   arbitrary javascript here...
END

CSP headers in the <head> block. static? tells me if the site being rendered gets the static site policy, or the dynamic site policy.

raw %Q[<meta http-equiv="Report-To", content="#{ContentSecurityPolicy.report_to}">]
raw %Q[<meta http-equiv="Content-Security-Policy", content="#{ContentSecurityPolicy.policy(static?)}">]

[jwoertink]

I like this idea. Thanks for putting all this together! Maybe this could be a shard to start out?

One suggestion for the tags:

def csp_meta_tags(static : Bool = false)
  meta "http-equiv": "Report-To", content: ContentSecurityPolicy.report_to
  meta "http-equiv": "Content-Security-Policy", content: ContentSecurityPolicy.policy(static)
end

def csp_script(js : String)
  script nonce: ContentSecurityPolicy.nonce do
    raw js
  end
end

I've never used CSP before, so I'm not sure if there's ever cases of additional configuration needed, or like in the case of the script tag if you'd also use nonce with a src. My thought is that if this works out great as a shard, then we could eventually make a lucky shard for security type stuff. Then you just include and configure when you need it.