remove nonces

2014-06-09 13:48:40 -07:00 · 2014-06-09 13:48:40 -07:00 · 0a18cc75ff
--- a/README.md
+++ b/README.md
@ -163,13 +163,6 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
      :img_src => 'http://mycdn.example.com'
    }
  }
-
-  # script-nonce is an experimental feature of CSP 1.1 available in Chrome. It allows
-  # you to whitelist inline script blocks. For more information, see
-  # https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-nonce
-  :script_nonce => lambda { @script_nonce = SecureRandom.hex }
-  # which can be used to whitelist a script block:
-  # script_tag :nonce = @script_nonce { inline_script_call() }
 }
 ```

--- a/lib/secure_headers/headers/content_security_policy.rb
+++ b/lib/secure_headers/headers/content_security_policy.rb
@ -59,7 +59,6 @@ module SecureHeaders
      end

      @report_uri = @config.delete(:report_uri)
-      @script_nonce = @config.delete(:script_nonce)

      normalize_csp_options
      normalize_reporting_endpoint
@ -92,8 +91,7 @@ module SecureHeaders
        # ensure default-src is first
        build_directive(:default_src),
        generic_directives(@config),
-        report_uri_directive,
-        script_nonce_directive,
+        report_uri_directive
      ].join

      #store the value for next time
@ -180,18 +178,6 @@ module SecureHeaders
      "report-uri #{@report_uri};"
    end

-    def script_nonce_directive
-      return '' if @script_nonce.nil?
-      nonce_value = if @script_nonce.is_a?(String)
-                      @script_nonce
-                    elsif @controller
-                      @controller.instance_exec(&@script_nonce)
-                    else
-                      @script_nonce.call
-                    end
-      "script-nonce #{nonce_value};"
-    end
-
    def generic_directives(config)
      header_value = ''
      if config[:img_src]
--- a/spec/lib/secure_headers/headers/content_security_policy_spec.rb
+++ b/spec/lib/secure_headers/headers/content_security_policy_spec.rb
@ -328,33 +328,6 @@ module SecureHeaders
          end
        end
      end
-
-      context "when supplying a script nonce callback" do
-        let(:options) {
-          default_opts.merge({
-            :script_nonce => "random",
-          })
-        }
-
-        it "uses the value in the X-Webkit-CSP" do
-          csp = ContentSecurityPolicy.new(options, :request => request_for(CHROME))
-          expect(csp.value).to match "script-nonce random;"
-        end
-
-        it "runs a dynamic nonce generator" do
-          options[:script_nonce] = lambda { 'something' }
-          csp = ContentSecurityPolicy.new(options, :request => request_for(CHROME))
-          expect(csp.value).to match "script-nonce something;"
-        end
-
-        it "runs against the given controller context" do
-          fake_params = {}
-          options[:script_nonce] = lambda { params[:script_nonce] = 'something' }
-          csp = ContentSecurityPolicy.new(options, :request => request_for(CHROME), :controller => double(:params => fake_params))
-          expect(csp.value).to match "script-nonce something;"
-          expect(fake_params).to eq({:script_nonce => 'something'})
-        end
-      end
    end
  end
 end