Problem with CSP reverting to report-only mode

[spdawson]

Strange problem, which I probably don't understand well enough to explain...

CSP configured with enforce: true; works well until I pull in a third-party JavaScript that injects an iframe into the page. With the JavaScript in place, the first request after an app restart correctly enforces CSP; all subsequent requests however, return a Content-Security-Policy-Report-Only: header.

I'm struggling to understand how injecting an iframe into the page can be causing secure_headers apparently to ignore my configured enforce: true for the CSP.

Any help greatly appreciated.

[oreoshake]

That's very strange and I can't say I have a clue as to what is going on. Are you overriding the global settings at all? Overrides are stored as class instance variables so I could see a path where one request can affect others, but you'd have to be using secure_headers in an unsupported fashion which isn't exactly easy to stumble upon.

[spdawson]

Thanks for your reply. I don't think I'm doing anything particularly exotic. I can reproduce this in a newly-created Rails application, as follows.

• Create a new Rails app
• Add a welcome controller, with an index action; set the default route to welcome#index
• Add gem 'secure_headers' to Gemfile; run bundle
• Call ensure_security_headers in ApplicationController
• Add initializer for secure_headers, as follows

::SecureHeaders::Configuration.configure do |config|
  config.csp = {
    enforce: true,
    default_src: [
      "*",
      "'unsafe-inline'",
      "'unsafe-eval'",
    ]
  }
end

So far, so good. This next part is what causes the problem.

• In the application layout, add the following to the <head>

  <%= javascript_include_tag "//#{my_domain_name_here}.groovehq.com/widgets/#{my_groove_app_id_here}/ticket.js", async: true %>

• Start the rails server with bundle exec rails s
• Load app in browser; fine
• Refresh page: JavaScript console contains warning about CSP in report-only mode but with no report URI configured

[oreoshake]

Thanks, I can reproduce this. Ugh, this is a nasty regression. I'll have a fix shortly and release a new gem when I figure out how far back this goes.

[oreoshake]

OK this is only an issue with 2.4.1

[oreoshake]

I just pushed 2.4.2. Thanks for reporting this!

[spdawson]

Wow, that's great. Thanks very much. Tested with version 2.4.2, and the problem is indeed resolved.