alphabetize and rubocop lint

Author: KyFaSt

lib/secure_headers.rb

@@ -209,7 +209,7 @@ def raise_on_unknown_target(target)
 
     def config_and_target(request, target)
       config = config_for(request)
-      target = guess_target(config) unless target
+      target ||= guess_target(config)
       raise_on_unknown_target(target)
       [config, target]
     end

lib/secure_headers/headers/policy_management.rb

@@ -131,11 +131,11 @@ def self.included(base)
       NAVIGATE_TO               => :source_list,
       OBJECT_SRC                => :source_list,
       PLUGIN_TYPES              => :media_type_list,
+      PREFETCH_SRC              => :source_list,
+      REPORT_TO                 => :report_to_endpoint,
+      REPORT_URI                => :source_list,
       REQUIRE_SRI_FOR           => :require_sri_for_list,
       REQUIRE_TRUSTED_TYPES_FOR => :require_trusted_types_for_list,
-      REPORT_URI                => :source_list,
-      REPORT_TO                 => :report_to_endpoint,
-      PREFETCH_SRC              => :source_list,
       SANDBOX                   => :sandbox_list,
       SCRIPT_SRC                => :source_list,
       SCRIPT_SRC_ELEM           => :source_list,
@@ -161,8 +161,8 @@ def self.included(base)
       FORM_ACTION,
       FRAME_ANCESTORS,
       NAVIGATE_TO,
-      REPORT_URI,
       REPORT_TO,
+      REPORT_URI,
     ]
 
     FETCH_SOURCES = ALL_DIRECTIVES - NON_FETCH_SOURCES - NON_SOURCE_LIST_SOURCES

spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -3,7 +3,7 @@
 
 module SecureHeaders
   describe ContentSecurityPolicy do
-    let (:default_opts) do
+    let(:default_opts) do
       {
         default_src: %w(https:),
         img_src: %w(https: data:),
@@ -167,75 +167,74 @@ module SecureHeaders
       end
 
       it "supports strict-dynamic" do
-        csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456})
+        csp = ContentSecurityPolicy.new({ default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456 })
         expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456' 'unsafe-inline'")
       end
 
       it "supports strict-dynamic and opting out of the appended 'unsafe-inline'" do
-        csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456, disable_nonce_backwards_compatibility: true })
+        csp = ContentSecurityPolicy.new({ default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456, disable_nonce_backwards_compatibility: true })
         expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456'")
       end
 
       it "supports script-src-elem directive" do
-        csp = ContentSecurityPolicy.new({script_src: %w('self'), script_src_elem: %w('self')})
+        csp = ContentSecurityPolicy.new({ script_src: %w('self'), script_src_elem: %w('self') })
         expect(csp.value).to eq("script-src 'self'; script-src-elem 'self'")
       end
 
       it "supports script-src-attr directive" do
-        csp = ContentSecurityPolicy.new({script_src: %w('self'), script_src_attr: %w('self')})
+        csp = ContentSecurityPolicy.new({ script_src: %w('self'), script_src_attr: %w('self') })
         expect(csp.value).to eq("script-src 'self'; script-src-attr 'self'")
       end
 
       it "supports style-src-elem directive" do
-        csp = ContentSecurityPolicy.new({style_src: %w('self'), style_src_elem: %w('self')})
+        csp = ContentSecurityPolicy.new({ style_src: %w('self'), style_src_elem: %w('self') })
         expect(csp.value).to eq("style-src 'self'; style-src-elem 'self'")
       end
 
       it "supports style-src-attr directive" do
-        csp = ContentSecurityPolicy.new({style_src: %w('self'), style_src_attr: %w('self')})
+        csp = ContentSecurityPolicy.new({ style_src: %w('self'), style_src_attr: %w('self') })
         expect(csp.value).to eq("style-src 'self'; style-src-attr 'self'")
       end
 
       it "supports trusted-types directive" do
-        csp = ContentSecurityPolicy.new({trusted_types: %w(blahblahpolicy)})
+        csp = ContentSecurityPolicy.new({ trusted_types: %w(blahblahpolicy) })
         expect(csp.value).to eq("trusted-types blahblahpolicy")
       end
 
       it "supports trusted-types directive with 'none'" do
-        csp = ContentSecurityPolicy.new({trusted_types: %w('none')})
+        csp = ContentSecurityPolicy.new({ trusted_types: %w('none') })
         expect(csp.value).to eq("trusted-types 'none'")
       end
 
       it "allows duplicate policy names in trusted-types directive" do
-        csp = ContentSecurityPolicy.new({trusted_types: %w(blahblahpolicy 'allow-duplicates')})
+        csp = ContentSecurityPolicy.new({ trusted_types: %w(blahblahpolicy 'allow-duplicates') })
         expect(csp.value).to eq("trusted-types blahblahpolicy 'allow-duplicates'")
       end
 
       it "supports report-to directive with endpoint name" do
-        csp = ContentSecurityPolicy.new({default_src: %w('self'), report_to: "csp-endpoint"})
+        csp = ContentSecurityPolicy.new({ default_src: %w('self'), report_to: "csp-endpoint" })
         expect(csp.value).to eq("default-src 'self'; report-to csp-endpoint")
       end
 
       it "includes report-to before report-uri in alphabetical order" do
-        csp = ContentSecurityPolicy.new({default_src: %w('self'), report_uri: %w(/csp_report), report_to: "csp-endpoint"})
+        csp = ContentSecurityPolicy.new({ default_src: %w('self'), report_uri: %w(/csp_report), report_to: "csp-endpoint" })
         expect(csp.value).to eq("default-src 'self'; report-to csp-endpoint; report-uri /csp_report")
       end
 
       it "does not add report-to if the endpoint name is empty" do
-        csp = ContentSecurityPolicy.new({default_src: %w('self'), report_to: ""})
+        csp = ContentSecurityPolicy.new({ default_src: %w('self'), report_to: "" })
         expect(csp.value).to eq("default-src 'self'")
       end
 
       it "does not add report-to if not provided" do
-        csp = ContentSecurityPolicy.new({default_src: %w('self')})
+        csp = ContentSecurityPolicy.new({ default_src: %w('self') })
         expect(csp.value).not_to include("report-to")
       end
 
       it "supports report-to without report-uri" do
-        csp = ContentSecurityPolicy.new({default_src: %w('self'), report_to: "reporting-endpoint-name"})
+        csp = ContentSecurityPolicy.new({ default_src: %w('self'), report_to: "reporting-endpoint-name" })
         expect(csp.value).to eq("default-src 'self'; report-to reporting-endpoint-name")
       end
     end
   end
 end
-

spec/lib/secure_headers/headers/policy_management_spec.rb

@@ -8,7 +8,7 @@ module SecureHeaders
       Configuration.default
     end
 
-    let (:default_opts) do
+    let(:default_opts) do
       {
         default_src: %w(https:),
         img_src: %w(https: data:),

spec/lib/secure_headers_spec.rb

@@ -54,7 +54,7 @@ module SecureHeaders
     describe "#header_hash_for" do
       it "allows you to opt out of individual headers via API" do
         Configuration.default do |config|
-          config.csp = { default_src: %w('self'), script_src: %w('self')}
+          config.csp = { default_src: %w('self'), script_src: %w('self') }
           config.csp_report_only = config.csp
         end
         SecureHeaders.opt_out_of_header(request, :csp)
@@ -174,11 +174,11 @@ module SecureHeaders
           end
 
           Configuration.named_append(:moar_default_sources) do |request|
-            { default_src: %w(https:), style_src: %w('self')}
+            { default_src: %w(https:), style_src: %w('self') }
           end
 
           Configuration.named_append(:how_about_a_script_src_too) do |request|
-            { script_src: %w('unsafe-inline')}
+            { script_src: %w('unsafe-inline') }
           end
 
           SecureHeaders.use_content_security_policy_named_append(request, :moar_default_sources)
@@ -318,7 +318,7 @@ module SecureHeaders
                 default_src: %w('self'),
                 script_src: %w('self')
               }
-              config.csp_report_only = config.csp.merge({script_src: %w(foo.com)})
+              config.csp_report_only = config.csp.merge({ script_src: %w(foo.com) })
             end
 
             hash = SecureHeaders.header_hash_for(request)
@@ -342,42 +342,42 @@ module SecureHeaders
           end
 
           it "allows appending to the enforced policy" do
-            SecureHeaders.append_content_security_policy_directives(request, {script_src: %w(anothercdn.com)}, :enforced)
+            SecureHeaders.append_content_security_policy_directives(request, { script_src: %w(anothercdn.com) }, :enforced)
             hash = SecureHeaders.header_hash_for(request)
             expect(hash["content-security-policy"]).to eq("default-src 'self'; script-src 'self' anothercdn.com")
             expect(hash["content-security-policy-report-only"]).to eq("default-src 'self'; script-src 'self'")
           end
 
           it "allows appending to the report only policy" do
-            SecureHeaders.append_content_security_policy_directives(request, {script_src: %w(anothercdn.com)}, :report_only)
+            SecureHeaders.append_content_security_policy_directives(request, { script_src: %w(anothercdn.com) }, :report_only)
             hash = SecureHeaders.header_hash_for(request)
             expect(hash["content-security-policy"]).to eq("default-src 'self'; script-src 'self'")
             expect(hash["content-security-policy-report-only"]).to eq("default-src 'self'; script-src 'self' anothercdn.com")
           end
 
           it "allows appending to both policies" do
-            SecureHeaders.append_content_security_policy_directives(request, {script_src: %w(anothercdn.com)}, :both)
+            SecureHeaders.append_content_security_policy_directives(request, { script_src: %w(anothercdn.com) }, :both)
             hash = SecureHeaders.header_hash_for(request)
             expect(hash["content-security-policy"]).to eq("default-src 'self'; script-src 'self' anothercdn.com")
             expect(hash["content-security-policy-report-only"]).to eq("default-src 'self'; script-src 'self' anothercdn.com")
           end
 
           it "allows overriding the enforced policy" do
-            SecureHeaders.override_content_security_policy_directives(request, {script_src: %w(anothercdn.com)}, :enforced)
+            SecureHeaders.override_content_security_policy_directives(request, { script_src: %w(anothercdn.com) }, :enforced)
             hash = SecureHeaders.header_hash_for(request)
             expect(hash["content-security-policy"]).to eq("default-src 'self'; script-src anothercdn.com")
             expect(hash["content-security-policy-report-only"]).to eq("default-src 'self'; script-src 'self'")
           end
 
           it "allows overriding the report only policy" do
-            SecureHeaders.override_content_security_policy_directives(request, {script_src: %w(anothercdn.com)}, :report_only)
+            SecureHeaders.override_content_security_policy_directives(request, { script_src: %w(anothercdn.com) }, :report_only)
             hash = SecureHeaders.header_hash_for(request)
             expect(hash["content-security-policy"]).to eq("default-src 'self'; script-src 'self'")
             expect(hash["content-security-policy-report-only"]).to eq("default-src 'self'; script-src anothercdn.com")
           end
 
           it "allows overriding both policies" do
-            SecureHeaders.override_content_security_policy_directives(request, {script_src: %w(anothercdn.com)}, :both)
+            SecureHeaders.override_content_security_policy_directives(request, { script_src: %w(anothercdn.com) }, :both)
             hash = SecureHeaders.header_hash_for(request)
             expect(hash["content-security-policy"]).to eq("default-src 'self'; script-src anothercdn.com")
             expect(hash["content-security-policy-report-only"]).to eq("default-src 'self'; script-src anothercdn.com")
@@ -392,7 +392,7 @@ module SecureHeaders
                   script_src: %w('self')
                 }
               end
-              SecureHeaders.append_content_security_policy_directives(request, {script_src: %w(anothercdn.com)})
+              SecureHeaders.append_content_security_policy_directives(request, { script_src: %w(anothercdn.com) })
 
               hash = SecureHeaders.header_hash_for(request)
               expect(hash["content-security-policy"]).to eq("default-src 'self'; script-src 'self' anothercdn.com")
@@ -408,7 +408,7 @@ module SecureHeaders
                   script_src: %w('self')
                 }
               end
-              SecureHeaders.append_content_security_policy_directives(request, {script_src: %w(anothercdn.com)})
+              SecureHeaders.append_content_security_policy_directives(request, { script_src: %w(anothercdn.com) })
 
               hash = SecureHeaders.header_hash_for(request)
               expect(hash["content-security-policy-report-only"]).to eq("default-src 'self'; script-src 'self' anothercdn.com")
@@ -427,7 +427,7 @@ module SecureHeaders
                   script_src: %w('self')
                 }
               end
-              SecureHeaders.append_content_security_policy_directives(request, {script_src: %w(anothercdn.com)})
+              SecureHeaders.append_content_security_policy_directives(request, { script_src: %w(anothercdn.com) })
 
               hash = SecureHeaders.header_hash_for(request)
               expect(hash["content-security-policy"]).to eq("default-src enforced.com; script-src 'self' anothercdn.com")
@@ -670,4 +670,3 @@ module SecureHeaders
     end
   end
 end
-