rollbar / rollbar-gem

Exception tracking and logging from Ruby to Rollbar
https://docs.rollbar.com/docs/ruby
MIT License

Rollbar.js doesn't work with SecureHeaders #712

Closed koss-lebedev closed 6 years ago

koss-lebedev commented 6 years ago

Hello guys,

I found that Rollbar.js seems to have issues loading when SecureHeaders gem adds CSP policies. I see this error in logs:

[Rollbar] Rollbar.js could not be added because undefined method 'current_csp' for #<SecureHeaders::Configuration:0x00000006bccfe0> exception

Is there a CSP rule that has to be added, or is this a known bug? Thank you

Full details:

/home/deployer/.rvm/rubies/ruby-2.2.2/lib/ruby/2.2.0/logger.rb:452:in `error'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/rollbar-2.13.3/lib/rollbar/logger_proxy.rb:28:in `log'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/rollbar-2.13.3/lib/rollbar/logger_proxy.rb:22:in `error'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/rollbar-2.13.3/lib/rollbar/notifier.rb:289:in `block (2 levels) in <class:Notifier>'
/home/deployer/.rvm/rubies/ruby-2.2.2/lib/ruby/2.2.0/forwardable.rb:183:in `log_error'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/rollbar-2.13.3/lib/rollbar/middleware/js.rb:68:in `rescue in add_js'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/rollbar-2.13.3/lib/rollbar/middleware/js.rb:58:in `add_js'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/rollbar-2.13.3/lib/rollbar/middleware/js.rb:25:in `call'
/home/deployer/servable/shared/bundle/ruby/2.2.0/bundler/gems/griddler-ses-888cee904cc6/lib/griddler/ses/middleware.rb:16:in `call'
/home/deployer/servable/shared/bundle/ruby/2.2.0/bundler/gems/griddler-ses-888cee904cc6/lib/griddler/ses/middleware.rb:16:in `call'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/twilio-ruby-4.11.1/lib/rack/twilio_webhook_authentication.rb:28:in `call'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/warden-1.2.6/lib/warden/manager.rb:35:in `block in call'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/warden-1.2.6/lib/warden/manager.rb:34:in `catch'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/warden-1.2.6/lib/warden/manager.rb:34:in `call'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/rack-2.0.1/lib/rack/etag.rb:25:in `call'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/rack-2.0.1/lib/rack/conditional_get.rb:25:in `call'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/rack-2.0.1/lib/rack/head.rb:12:in `call'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/rack-2.0.1/lib/rack/session/abstract/id.rb:222:in `context'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/rack-2.0.1/lib/rack/session/abstract/id.rb:216:in `call'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/actionpack-5.0.0.1/lib/action_dispatch/middleware/cookies.rb:613:in `call'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/actionpack-5.0.0.1/lib/action_dispatch/middleware/callbacks.rb:38:in `block in call'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/activesupport-5.0.0.1/lib/active_support/callbacks.rb:97:in `__run_callbacks__'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/activesupport-5.0.0.1/lib/active_support/callbacks.rb:750:in `_run_call_callbacks'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/activesupport-5.0.0.1/lib/active_support/callbacks.rb:90:in `run_callbacks'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/actionpack-5.0.0.1/lib/action_dispatch/middleware/callbacks.rb:36:in `call'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/actionpack-5.0.0.1/lib/action_dispatch/middleware/remote_ip.rb:79:in `call'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/rollbar-2.13.3/lib/rollbar/middleware/rails/rollbar.rb:24:in `block in call'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/rollbar-2.13.3/lib/rollbar.rb:145:in `scoped'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/rollbar-2.13.3/lib/rollbar/middleware/rails/rollbar.rb:22:in `call'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/actionpack-5.0.0.1/lib/action_dispatch/middleware/debug_exceptions.rb:49:in `call'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/rollbar-2.13.3/lib/rollbar/middleware/rails/show_exceptions.rb:22:in `call_with_rollbar'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/actionpack-5.0.0.1/lib/action_dispatch/middleware/show_exceptions.rb:31:in `call'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/logster-1.2.9/lib/logster/middleware/reporter.rb:31:in `call'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/lograge-0.9.0/lib/lograge/rails_ext/rack/logger.rb:15:in `call_app'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/railties-5.0.0.1/lib/rails/rack/logger.rb:26:in `call'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/request_store-1.3.1/lib/request_store/middleware.rb:9:in `call'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/actionpack-5.0.0.1/lib/action_dispatch/middleware/request_id.rb:24:in `call'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/rack-2.0.1/lib/rack/method_override.rb:22:in `call'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/rack-2.0.1/lib/rack/runtime.rb:22:in `call'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/activesupport-5.0.0.1/lib/active_support/cache/strategy/local_cache_middleware.rb:28:in `call'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/actionpack-5.0.0.1/lib/action_dispatch/middleware/executor.rb:12:in `call'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/rack-2.0.1/lib/rack/sendfile.rb:111:in `call'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/secure_headers-3.6.2/lib/secure_headers/middleware.rb:12:in `call'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/railties-5.0.0.1/lib/rails/engine.rb:522:in `call'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/unicorn-5.1.0/lib/unicorn/http_server.rb:562:in `process_client'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/unicorn-5.1.0/lib/unicorn/http_server.rb:658:in `worker_loop'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/unicorn-5.1.0/lib/unicorn/http_server.rb:508:in `spawn_missing_workers'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/unicorn-5.1.0/lib/unicorn/http_server.rb:132:in `start'
/home/deployer/servable/shared/bundle/ruby/2.2.0/gems/unicorn-5.1.0/bin/unicorn:126:in `<top (required)>'
/home/deployer/servable/shared/bundle/ruby/2.2.0/bin/unicorn:23:in `load'
/home/deployer/servable/shared/bundle/ruby/2.2.0/bin/unicorn:23:in `<top (required)>'
/home/deployer/.rvm/gems/ruby-2.2.2/gems/bundler-1.13.2/lib/bundler/cli/exec.rb:74:in `load'
/home/deployer/.rvm/gems/ruby-2.2.2/gems/bundler-1.13.2/lib/bundler/cli/exec.rb:74:in `kernel_load'
/home/deployer/.rvm/gems/ruby-2.2.2/gems/bundler-1.13.2/lib/bundler/cli/exec.rb:27:in `run'
/home/deployer/.rvm/gems/ruby-2.2.2/gems/bundler-1.13.2/lib/bundler/cli.rb:332:in `exec'
/home/deployer/.rvm/gems/ruby-2.2.2/gems/bundler-1.13.2/lib/bundler/vendor/thor/lib/thor/command.rb:27:in `run'
/home/deployer/.rvm/gems/ruby-2.2.2/gems/bundler-1.13.2/lib/bundler/vendor/thor/lib/thor/invocation.rb:126:in `invoke_command'
/home/deployer/.rvm/gems/ruby-2.2.2/gems/bundler-1.13.2/lib/bundler/vendor/thor/lib/thor.rb:359:in `dispatch'
/home/deployer/.rvm/gems/ruby-2.2.2/gems/bundler-1.13.2/lib/bundler/cli.rb:20:in `dispatch'
/home/deployer/.rvm/gems/ruby-2.2.2/gems/bundler-1.13.2/lib/bundler/vendor/thor/lib/thor/base.rb:440:in `start'
/home/deployer/.rvm/gems/ruby-2.2.2/gems/bundler-1.13.2/lib/bundler/cli.rb:11:in `start'
/home/deployer/.rvm/gems/ruby-2.2.2/gems/bundler-1.13.2/exe/bundle:34:in `block in <top (required)>'
/home/deployer/.rvm/gems/ruby-2.2.2/gems/bundler-1.13.2/lib/bundler/friendly_errors.rb:100:in `with_friendly_errors'
/home/deployer/.rvm/gems/ruby-2.2.2/gems/bundler-1.13.2/exe/bundle:26:in `<top (required)>'
/home/deployer/.rvm/gems/ruby-2.2.2/bin/bundle:23:in `load'
/home/deployer/.rvm/gems/ruby-2.2.2/bin/bundle:23:in `<main>'
/home/deployer/.rvm/gems/ruby-2.2.2/bin/ruby_executable_hooks:15:in `eval'
/home/deployer/.rvm/gems/ruby-2.2.2/bin/ruby_executable_hooks:15:in `<main>'

rivkahstandig3636 commented 6 years ago

We will take a look into this, sorry for the delay!

marunbai commented 6 years ago

I tried a change to update

::SecureHeaders::Configuration.get.current_csp[:script_src].to_a.include?("'unsafe-inline'")

to

::SecureHeaders::Configuration.get.csp.script_src.to_a.include?("'unsafe-inline'")

but I am not sure what the original intention was in using current_csp instead of csp. I tested it in secure_headers version 5.0.5, and it no longer has a current_csp method in ::SecureHeaders::Configuration.

koss-lebedev commented 6 years ago

current_csp was replaced by csp about 2 years ago in version 3.4, here's the commit in which they got rid of it:

https://github.com/twitter/secure_headers/commit/893d6e9aa9a4177c24c36b87dcfac2d7c4ad8ef7

ArturMoczulski commented 6 years ago

The code changes to use csp instead of current_csp need to be implemented here. I'm adding this to milestone v2.17.0.

brian-kephart commented 6 years ago

rollbar 2.16.2, secure_headers 6.0.0

Maybe or maybe not related: I'm getting the following error: [Rollbar] Rollbar.js could not be added because undefined method 'get' for SecureHeaders::Configuration:Class

I don't call get directly in my configuration file:

SecureHeaders::Configuration.default do |config|
  config.cookies = {
    secure: true,
    httponly: true,
    samesite: { lax: true } # mark all cookies as SameSite=lax
  }
  config.hsts = "max-age=#{365.days}"
  config.x_frame_options = "DENY"
  config.x_content_type_options = "nosniff"
  config.x_download_options = "noopen"
  config.x_permitted_cross_domain_policies = "none"
  config.x_xss_protection = "1; mode=block"
  config.referrer_policy = 'no-referrer-when-downgrade'
  config.csp = SecureHeaders::OPT_OUT # Use config/initializers/content_security_policy.rb instead
  CT_ENFORCE = true
  config.expect_certificate_transparency = {
    enforce:    CT_ENFORCE,
    max_age:    5.minutes,
    report_uri: CT_ENFORCE ? 'https://app_name.report-uri.com/r/d/ct/enforce' : 'https://app_name.report-uri.com/r/d/ct/reportOnly'
  }
end

This seems like a different issue than the ones in the later comments, but I'm posting it here because it directly relates to the issue title. Feel free to move it to a separate issue, or to ask me to open one myself.

brian-kephart commented 6 years ago

Confirmed that the get method was removed in secure_headers 6.0.0. Rollbar calls that method here.
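The three API shapes reported in this thread (Configuration.get.current_csp before 3.4, Configuration.get.csp up to 5.x, and no Configuration.get at all from 6.0.0) can be probed defensively so the middleware never hits a NoMethodError. The following is an added example, not rollbar-gem's or secure_headers' own code; OPT_OUT, the Struct stand-ins and config_class_with are constructed for the demo and are assumptions, not the real gem's objects.

```ruby
# Added example, not rollbar-gem's own code. A version-tolerant probe that
# answers "does SecureHeaders' script-src permit inline scripts?" without
# raising NoMethodError when the gem's API shape changes. The shapes handled
# are the ones reported in this thread; OPT_OUT, the Struct stand-ins and
# config_class_with are constructed for the demo and are not the real gem.
module CspProbe
  OPT_OUT = :opt_out # stand-in for SecureHeaders::OPT_OUT (assumption)

  # Returns :inline_allowed, :inline_blocked or :unknown. Unknown is the
  # fail-safe answer: the caller can skip injection or fall back to a nonce
  # rather than crash the middleware as in the log above.
  def self.script_src_policy(config_class)
    # secure_headers 6.0.0 removed Configuration.get entirely.
    return :unknown unless config_class.respond_to?(:get)

    config = config_class.get
    csp =
      if config.respond_to?(:current_csp) # < 3.4
        config.current_csp
      elsif config.respond_to?(:csp)      # 3.4 - 5.x
        config.csp
      end

    # CSP opted out here means another layer (e.g. Rails' own CSP) may apply.
    return :unknown if csp.nil? || csp == OPT_OUT

    script_src =
      if csp.respond_to?(:script_src) then csp.script_src   # 5.x config object
      elsif csp.is_a?(Hash)            then csp[:script_src] # older Hash form
      end
    return :unknown if script_src.nil?

    Array(script_src).include?("'unsafe-inline'") ? :inline_allowed : :inline_blocked
  end

  # Constructed stand-ins mimicking each API shape (not the real gem).
  Legacy = Struct.new(:current_csp)   # Configuration.get.current_csp (Hash)
  Modern = Struct.new(:csp)           # Configuration.get.csp
  CspObj = Struct.new(:script_src)    # object exposing #script_src
  NoGet  = Class.new                  # 6.0.0+: no Configuration.get

  # Builds a fake Configuration class whose .get returns the given instance.
  def self.config_class_with(instance)
    Class.new { define_singleton_method(:get) { instance } }
  end
end
```

With the real gem loaded, pass ::SecureHeaders::Configuration as config_class; each branch degrades to :unknown instead of raising when a method is missing.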