secure_headers
URI::InvalidURIError: Invalid data URI
Bugs
Getting URI::InvalidURIError: Invalid data URI with the latest 6.3.4 release, works in 6.3.3.
Expected outcome
Accept all URLs including data:.
Actual outcome
Fails in def dedup_source_list(sources) on the line schemes = sources.map { |source| [source, URI(source).scheme] }.to_h when the sources array variable contains a "data:" item.
URI("data:").scheme
URI::InvalidURIError: Invalid data URI
Config
img_src: %w(
'self'
https:
data:
www.googletagmanager.com
maps.gstatic.com *.googleapis.com *.ggpht.com
https://www.google-analytics.com
),
Generated headers
N/A
Puma caught this error: bad URI(is not URI?): "blob: rylan.test" (URI::InvalidURIError)
ruby-2.7.6/lib/ruby/2.7.0/uri/rfc3986_parser.rb:67:in `split'
ruby-2.7.6/lib/ruby/2.7.0/uri/rfc3986_parser.rb:73:in `parse'
ruby-2.7.6/lib/ruby/2.7.0/uri/common.rb:234:in `parse'
ruby-2.7.6/lib/ruby/2.7.0/uri/common.rb:737:in `URI'
ruby/2.7.6/gems/secure_headers-6.4.0/lib/secure_headers/headers/content_security_policy.rb:162:in `block in dedup_source_list'
ruby/2.7.6/gems/secure_headers-6.4.0/lib/secure_headers/headers/content_security_policy.rb:162:in `map'
ruby/2.7.6/gems/secure_headers-6.4.0/lib/secure_headers/headers/content_security_policy.rb:162:in `dedup_source_list'
ruby/2.7.6/gems/secure_headers-6.4.0/lib/secure_headers/headers/content_security_policy.rb:136:in `minify_source_list'
ruby/2.7.6/gems/secure_headers-6.4.0/lib/secure_headers/headers/content_security_policy.rb:111:in `build_source_list_directive'
ruby/2.7.6/gems/secure_headers-6.4.0/lib/secure_headers/headers/content_security_policy.rb:59:in `block in build_value'
ruby/2.7.6/gems/secure_headers-6.4.0/lib/secure_headers/headers/content_security_policy.rb:54:in `map'
ruby/2.7.6/gems/secure_headers-6.4.0/lib/secure_headers/headers/content_security_policy.rb:54:in `build_value'
ruby/2.7.6/gems/secure_headers-6.4.0/lib/secure_headers/headers/content_security_policy.rb:40:in `value'
ruby/2.7.6/gems/secure_headers-6.4.0/lib/secure_headers/headers/policy_management.rb:202:in `make_header'
ruby/2.7.6/gems/secure_headers-6.4.0/lib/secure_headers/configuration.rb:211:in `block in generate_headers'
ruby/2.7.6/gems/secure_headers-6.4.0/lib/secure_headers/configuration.rb:209:in `each'
ruby/2.7.6/gems/secure_headers-6.4.0/lib/secure_headers/configuration.rb:209:in `generate_headers'
ruby/2.7.6/gems/secure_headers-6.4.0/lib/secure_headers.rb:145:in `header_hash_for'
ruby/2.7.6/gems/secure_headers-6.4.0/lib/secure_headers/middleware.rb:15:in `call'
ruby/2.7.6/gems/rack-mini-profiler-3.0.0/lib/mini_profiler/profiler.rb:393:in `call'
ruby/2.7.6/gems/webpacker-5.4.3/lib/webpacker/dev_server_proxy.rb:25:in `perform_request'
ruby/2.7.6/gems/rack-proxy-0.7.0/lib/rack/proxy.rb:63:in `call'
ruby/2.7.6/gems/railties-6.0.5.1/lib/rails/engine.rb:527:in `call'
ruby/2.7.6/gems/puma-5.6.4/lib/puma/configuration.rb:252:in `call'
ruby/2.7.6/gems/puma-5.6.4/lib/puma/request.rb:77:in `block in handle_request'
ruby/2.7.6/gems/puma-5.6.4/lib/puma/thread_pool.rb:340:in `with_force_shutdown'
ruby/2.7.6/gems/puma-5.6.4/lib/puma/request.rb:76:in `handle_request'
ruby/2.7.6/gems/puma-5.6.4/lib/puma/server.rb:441:in `process_client'
ruby/2.7.6/gems/puma-5.6.4/lib/puma/thread_pool.rb:147:in `block in spawn_thread'
From a block for local development:
if Rails.env.development?
  config.csp[:connect_src] << 'http://localhost:3035'
  config.csp[:connect_src] << 'ws://localhost:3035'
  config.csp[:style_src] << 'blob: rylan.test'
  config.x_frame_options = 'SAMEORIGIN'
  config.csp[:frame_src] << 'localhost:5000'
  config.csp[:frame_src] << 'rylan.test:5000'
end
I added the blob: rylan.test a while back to fix local development issues, but I'm not sure why it broke on updating to secure_headers (6.4.0) yesterday.
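Both reports above boil down to the same thing: a CSP source expression is not a URI, so feeding it to URI() fails on the bare "data:" scheme-source (in the first report's environment) and on "blob: rylan.test", which is two whitespace-separated tokens fused into one string. The snippet below is an added illustration, not secure_headers' code; the function names (csp_source_scheme, invalid_csp_sources, dedup_csp_sources, uri_scheme_or_error) and the regular expressions are my own. It derives the scheme with a regexp that only treats "scheme:" or "scheme://..." as having a scheme (so host:port entries like localhost:5000 stay host-sources), flags fused entries at configuration time instead of per request, and dedups only sources with an explicit scheme that a bare scheme-source already covers.

```ruby
require "uri"

# Added example, not secure_headers' own code.  Classifies CSP source
# expressions and derives their scheme without round-tripping them
# through URI(), which is the call that blew up in both traces above.

# Keyword ('self', 'none', ...), nonce and hash sources are all quoted.
QUOTED_SOURCE_RE = /\A'.*'\z/
# A scheme is followed either by nothing ("https:", "data:") or by "//"
# ("https://host").  "localhost:5000" therefore has no scheme here: it is
# a host-source with a port, not a URL.
SCHEME_RE = /\A([A-Za-z][A-Za-z0-9+.-]*):(?:\z|\/\/)/
# A bare scheme-source is "<scheme>:" and nothing else.
BARE_SCHEME_RE = /\A[A-Za-z][A-Za-z0-9+.-]*:\z/

# Returns the lowercase scheme of a source expression, or nil for quoted,
# host-only and host:port sources.
def csp_source_scheme(source)
  return nil if source.match?(QUOTED_SOURCE_RE)
  m = SCHEME_RE.match(source)
  m && m[1].downcase
end

# CSP source lists are whitespace-separated, so one entry that contains
# whitespace (e.g. "blob: rylan.test") is really two tokens glued
# together.  Surface that as a configuration error.
def invalid_csp_sources(sources)
  sources.select { |s| s.empty? || s.match?(/\s/) }
end

# Drops entries made redundant by a bare scheme-source already present:
# "https:" permits every https URL, so "https://www.google-analytics.com"
# adds nothing.  Host-only sources are left alone because their scheme is
# inherited from the page, which is unknown here.  Exact duplicates go too.
def dedup_csp_sources(sources)
  bad = invalid_csp_sources(sources)
  raise ArgumentError, "malformed CSP source(s): #{bad.inspect}" unless bad.empty?

  bare = sources.select { |s| s.match?(BARE_SCHEME_RE) }
                .map { |s| s.chomp(":").downcase }
  sources.uniq.reject do |s|
    next false if s.match?(BARE_SCHEME_RE) # keep the scheme-source itself
    scheme = csp_source_scheme(s)
    scheme && bare.include?(scheme)
  end
end

# The original approach, kept only to show how it fails on fused tokens.
def uri_scheme_or_error(source)
  URI(source).scheme
rescue URI::InvalidURIError => e
  "URI::InvalidURIError: #{e.message}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed from the img_src list in the first report.
  img_src = %w('self' https: data: www.googletagmanager.com
               maps.gstatic.com *.googleapis.com *.ggpht.com
               https://www.google-analytics.com)
  p dedup_csp_sources(img_src)
  p invalid_csp_sources(["blob: rylan.test", "blob:", "rylan.test"])
  puts uri_scheme_or_error("blob: rylan.test")
end
```

Running it against the reported img_src list drops only https://www.google-analytics.com (covered by https:), keeps data: and the host-only entries, and reports "blob: rylan.test" as a malformed entry before any header is built, which is where a configuration mistake like that should be caught.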