jacobbednarz
commented
6 years ago I think there are a couple more ways we might want to further break this down for discussion. I would propose looking at policy shrinking vs. policy compatibility. For instance, we could probably just output an info log entry for things like wildcard overriding matching hosts (which while annoying to duplicate might not actually break things) whereas things like removing protocols could be treated as a compatibility issue, primarily Safari, since they have the power to cause a massive influx of traffic for your reporting endpoint.
If evaluating how to shrink the policy is something this library would like to assist with, perhaps a separate rake task or gem could help? I did start something like this a while back (jacobbednarz/csp-validator) which didn't get too far since at that job the focus switched from CSP to other internal initiatives but I'm sure we could achieve something far more in depth with the help of yourself and other users.
oreoshake
One of the features of secure_headers is that it will do a lot to shrink the size of a complicated policy:
But most of all, it leads to confusing output that sometimes actually prevents you from using CSP correctly.
What are the motivations for policy minifying?
I know Scott Helme recently published a blog post about twitter's monstrous CSP and how it could be minified. I think it's the place of this library to suggest improvements but not magically manipulate them with a few hundred lines of ruby code (no matter how well commented :smile).
So, how about modifying policies we can turn on some sort of dynamic linting, maybe that logs or raises exceptions in dev/test but is turned off in prod?