remove hpkp

Fixes #368

Author: oreoshake

lib/secure_headers.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 require "secure_headers/hash_helper"
 require "secure_headers/headers/cookie"
-require "secure_headers/headers/public_key_pins"
 require "secure_headers/headers/content_security_policy"
 require "secure_headers/headers/x_frame_options"
 require "secure_headers/headers/strict_transport_security"
@@ -18,8 +17,7 @@
 require "singleton"
 require "secure_headers/configuration"
 
-# All headers (except for hpkp) have a default value. Provide SecureHeaders::OPT_OUT
-# or ":optout_of_protection" as a config value to disable a given header
+# Provide SecureHeaders::OPT_OUT as a config value to disable a given header
 module SecureHeaders
   class NoOpHeaderConfig
     include Singleton
@@ -51,10 +49,6 @@ def opt_out?
   HTTPS = "https".freeze
   CSP = ContentSecurityPolicy
 
-  # Headers set on http requests (excludes STS and HPKP)
-  HTTPS_HEADER_CLASSES =
-    [StrictTransportSecurity, PublicKeyPins].freeze
-
   class << self
     # Public: override a given set of directives for the current request. If a
     # value already exists for a given directive, it will be overridden.
@@ -138,7 +132,7 @@ def opt_out_of_all_protection(request)
     # Public: Builds the hash of headers that should be applied base on the
     # request.
     #
-    # StrictTransportSecurity and PublicKeyPins are not applied to http requests.
+    # StrictTransportSecurity is not applied to http requests.
     # See #config_for to determine which config is used for a given request.
     #
     # Returns a hash of header names => header values. The value
@@ -151,9 +145,7 @@ def header_hash_for(request)
       headers = config.generate_headers
 
       if request.scheme != HTTPS
-        HTTPS_HEADER_CLASSES.each do |klass|
-          headers.delete(klass::HEADER_NAME)
-        end
+        headers.delete(StrictTransportSecurity::HEADER_NAME)
       end
       headers
     end

lib/secure_headers/configuration.rb

@@ -115,7 +115,6 @@ def deep_copy_if_hash(value)
       expect_certificate_transparency: ExpectCertificateTransparency,
       csp: ContentSecurityPolicy,
       csp_report_only: ContentSecurityPolicy,
-      hpkp: PublicKeyPins,
       cookies: Cookie,
     }.freeze
 
@@ -144,7 +143,6 @@ def initialize(&block)
       @clear_site_data = nil
       @csp = nil
       @csp_report_only = nil
-      @hpkp = nil
       @hsts = nil
       @x_content_type_options = nil
       @x_download_options = nil
@@ -153,7 +151,6 @@ def initialize(&block)
       @x_xss_protection = nil
       @expect_certificate_transparency = nil
 
-      self.hpkp = OPT_OUT
       self.referrer_policy = OPT_OUT
       self.csp = ContentSecurityPolicyConfig.new(ContentSecurityPolicyConfig::DEFAULT)
       self.csp_report_only = OPT_OUT
@@ -178,7 +175,6 @@ def dup
       copy.clear_site_data = @clear_site_data
       copy.expect_certificate_transparency = @expect_certificate_transparency
       copy.referrer_policy = @referrer_policy
-      copy.hpkp = @hpkp
       copy
     end
 
@@ -263,10 +259,5 @@ def csp_report_only=(new_csp)
         raise ArgumentError, "Must provide either an existing CSP config or a CSP config hash"
       end
     end
-
-    def hpkp_report_host
-      return nil unless @hpkp && hpkp != OPT_OUT && @hpkp[:report_uri]
-      URI.parse(@hpkp[:report_uri]).host
-    end
   end
 end

lib/secure_headers/headers/public_key_pins.rb

@@ -1,8 +1,6 @@
 # frozen_string_literal: true
 module SecureHeaders
   class Middleware
-    HPKP_SAME_HOST_WARNING = "[WARNING] HPKP report host should not be the same as the request host. See https://github.com/twitter/secureheaders/issues/166"
-
     def initialize(app)
       @app = app
     end
@@ -13,10 +11,6 @@ def call(env)
       status, headers, response = @app.call(env)
 
       config = SecureHeaders.config_for(req)
-      if config.hpkp_report_host == req.host
-        Kernel.warn(HPKP_SAME_HOST_WARNING)
-      end
-
       flag_cookies!(headers, override_secure(env, config.cookies)) unless config.cookies == OPT_OUT
       headers.merge!(SecureHeaders.header_hash_for(req))
       [status, headers, response]

lib/secure_headers/middleware.rb

@@ -14,25 +14,6 @@ module SecureHeaders
       Configuration.default
     end
 
-    it "warns if the hpkp report-uri host is the same as the current host" do
-      report_host = "report-uri.io"
-      reset_config
-      Configuration.default do |config|
-        config.hpkp = {
-          max_age: 10000000,
-          pins: [
-            {sha256: "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c"},
-            {sha256: "73a2c64f9545172c1195efb6616ca5f7afd1df6f245407cafb90de3998a1c97f"}
-          ],
-          report_uri: "https://#{report_host}/example-hpkp"
-        }
-      end
-
-      expect(Kernel).to receive(:warn).with(Middleware::HPKP_SAME_HOST_WARNING)
-
-      middleware.call(Rack::MockRequest.env_for("https://#{report_host}", {}))
-    end
-
     it "sets the headers" do
       _, env = middleware.call(Rack::MockRequest.env_for("https://looocalhost", {}))
       expect_default_values(env)

spec/lib/secure_headers/headers/public_key_pins_spec.rb

@@ -90,16 +90,6 @@ module SecureHeaders
         Configuration.default do |config|
           config.csp = { default_src: ["example.com"], script_src: %w('self') }
           config.csp_report_only = config.csp
-          config.hpkp = {
-            report_only: false,
-            max_age: 10000000,
-            include_subdomains: true,
-            report_uri: "https://report-uri.io/example-hpkp",
-            pins: [
-              {sha256: "abc"},
-              {sha256: "123"}
-            ]
-          }
         end
         SecureHeaders.opt_out_of_all_protection(request)
         hash = SecureHeaders.header_hash_for(request)
@@ -141,23 +131,6 @@ module SecureHeaders
         expect(SecureHeaders.header_hash_for(plaintext_request)[StrictTransportSecurity::HEADER_NAME]).to be_nil
       end
 
-      it "does not set the HPKP header if request is over HTTP" do
-        plaintext_request = Rack::Request.new({})
-        Configuration.default do |config|
-          config.hpkp = {
-            max_age: 1_000_000,
-            include_subdomains: true,
-            report_uri: "//example.com/uri-directive",
-            pins: [
-              { sha256: "abc" },
-              { sha256: "123" }
-            ]
-          }
-        end
-
-        expect(SecureHeaders.header_hash_for(plaintext_request)[PublicKeyPins::HEADER_NAME]).to be_nil
-      end
-
       context "content security policy" do
         let(:chrome_request) {
           Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:chrome]))
@@ -531,14 +504,6 @@ module SecureHeaders
         end.to raise_error(ReferrerPolicyConfigError)
       end
 
-      it "validates your hpkp config upon configuration" do
-        expect do
-          Configuration.default do |config|
-            config.hpkp = "lol"
-          end
-        end.to raise_error(PublicKeyPinsConfigError)
-      end
-
       it "validates your cookies config upon configuration" do
         expect do
           Configuration.default do |config|

spec/lib/secure_headers/middleware_spec.rb

@@ -37,7 +37,6 @@ def expect_default_values(hash)
   expect(hash[SecureHeaders::ExpectCertificateTransparency::HEADER_NAME]).to be_nil
   expect(hash[SecureHeaders::ClearSiteData::HEADER_NAME]).to be_nil
   expect(hash[SecureHeaders::ExpectCertificateTransparency::HEADER_NAME]).to be_nil
-  expect(hash[SecureHeaders::PublicKeyPins::HEADER_NAME]).to be_nil
 end
 
 module SecureHeaders