Allow using nonce with report-only policy (#54)

dzbarsky · unrolled · commit 716474489ad3 · 2019-06-24T11:35:13.000-06:00
* Allow using nonce with report-only policy

* Add tests
diff --git a/.gitignore b/.gitignore
@@ -24,3 +24,4 @@ _testmain.go
 
 *.pem
 .DS_Store
+*.swp
diff --git a/csp_test.go b/csp_test.go
@@ -15,29 +15,42 @@ var cspHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 })
 
 func TestCSPNonce(t *testing.T) {
-	s := New(Options{
-		ContentSecurityPolicy: "default-src 'self' $NONCE; script-src 'strict-dynamic' $NONCE",
-	})
-
-	res := httptest.NewRecorder()
-	req, _ := http.NewRequest("GET", "/foo", nil)
-
-	s.Handler(cspHandler).ServeHTTP(res, req)
-
-	expect(t, res.Code, http.StatusOK)
-
-	csp := res.Header().Get("Content-Security-Policy")
-	expect(t, strings.Count(csp, "'nonce-"), 2)
-
-	nonce := strings.Split(strings.Split(csp, "'")[3], "-")[1]
-	// Test that the context has the CSP nonce, but only during the request.
-	expect(t, res.Body.String(), nonce)
-	expect(t, CSPNonce(req.Context()), "")
-
-	_, err := base64.RawStdEncoding.DecodeString(nonce)
-	expect(t, err, nil)
-
-	expect(t, csp, fmt.Sprintf("default-src 'self' 'nonce-%[1]s'; script-src 'strict-dynamic' 'nonce-%[1]s'", nonce))
+	csp := "default-src 'self' $NONCE; script-src 'strict-dynamic' $NONCE"
+	cases := []struct {
+		options Options
+		headers []string
+	}{
+		{Options{ContentSecurityPolicy: csp}, []string{"Content-Security-Policy"}},
+		{Options{ContentSecurityPolicyReportOnly: csp}, []string{"Content-Security-Policy-Report-Only"}},
+		{Options{ContentSecurityPolicy: csp, ContentSecurityPolicyReportOnly: csp},
+			[]string{"Content-Security-Policy", "Content-Security-Policy-Report-Only"}},
+	}
+
+	for _, c := range cases {
+		s := New(c.options)
+
+		res := httptest.NewRecorder()
+		req, _ := http.NewRequest("GET", "/foo", nil)
+
+		s.Handler(cspHandler).ServeHTTP(res, req)
+
+		expect(t, res.Code, http.StatusOK)
+
+		for _, header := range c.headers {
+			csp := res.Header().Get(header)
+			expect(t, strings.Count(csp, "'nonce-"), 2)
+
+			nonce := strings.Split(strings.Split(csp, "'")[3], "-")[1]
+			// Test that the context has the CSP nonce, but only during the request.
+			expect(t, res.Body.String(), nonce)
+			expect(t, CSPNonce(req.Context()), "")
+
+			_, err := base64.RawStdEncoding.DecodeString(nonce)
+			expect(t, err, nil)
+
+			expect(t, csp, fmt.Sprintf("default-src 'self' 'nonce-%[1]s'; script-src 'strict-dynamic' 'nonce-%[1]s'", nonce))
+		}
+	}
 }
 
 func TestWithCSPNonce(t *testing.T) {
diff --git a/secure.go b/secure.go
@@ -123,8 +123,9 @@ func New(options ...Options) *Secure {
 	}
 
 	o.ContentSecurityPolicy = strings.Replace(o.ContentSecurityPolicy, "$NONCE", "'nonce-%[1]s'", -1)
+	o.ContentSecurityPolicyReportOnly = strings.Replace(o.ContentSecurityPolicyReportOnly, "$NONCE", "'nonce-%[1]s'", -1)
 
-	o.nonceEnabled = strings.Contains(o.ContentSecurityPolicy, "%[1]s")
+	o.nonceEnabled = strings.Contains(o.ContentSecurityPolicy, "%[1]s") || strings.Contains(o.ContentSecurityPolicyReportOnly, "%[1]s")
 
 	s := &Secure{
 		opt:            o,

Original file line number	Diff line number	Diff line change
`@@ -24,3 +24,4 @@ _testmain.go`
`24`	`24`
`25`	`25`	`*.pem`
`26`	`26`	`.DS_Store`
	`27`	`+*.swp`
Original file line number	Diff line number	Diff line change
`@@ -123,8 +123,9 @@ func New(options ...Options) *Secure {`
`123`	`123`	`}`
`124`	`124`
`125`	`125`	`o.ContentSecurityPolicy = strings.Replace(o.ContentSecurityPolicy, "$NONCE", "'nonce-%[1]s'", -1)`
	`126`	`+ o.ContentSecurityPolicyReportOnly = strings.Replace(o.ContentSecurityPolicyReportOnly, "$NONCE", "'nonce-%[1]s'", -1)`
`126`	`127`
`127`		`- o.nonceEnabled = strings.Contains(o.ContentSecurityPolicy, "%[1]s")`
	`128`	`+ o.nonceEnabled = strings.Contains(o.ContentSecurityPolicy, "%[1]s") \|\| strings.Contains(o.ContentSecurityPolicyReportOnly, "%[1]s")`
`128`	`129`
`129`	`130`	`s := &Secure{`
`130`	`131`	`opt: o,`