From 4893fe048c556a196c146b074fc2fb45b55734df Mon Sep 17 00:00:00 2001
From: Emily Stark <emily@meteor.com>
Date: Tue, 13 Aug 2013 21:50:45 -0700
Subject: [PATCH 1/4] Package for security-related http headers.

---
 docs/client/docs.js                           |   4 +-
 docs/client/packages.html                     |   2 +
 docs/client/packages/browser-policy.html      | 126 +++++++++++
 .../packages/starter-browser-policy.html      |  25 +++
 packages/browser-policy/.gitignore            |   1 +
 packages/browser-policy/browser-policy.js     | 200 ++++++++++++++++++
 packages/browser-policy/package.js            |   9 +
 packages/starter-browser-policy/.gitignore    |   1 +
 packages/starter-browser-policy/package.js    |   8 +
 .../starter-browser-policy.js                 |  13 ++
 packages/webapp/webapp_server.js              |  40 +++-
 tools/app.html.in                             |   4 +-
 12 files changed, 419 insertions(+), 14 deletions(-)
 create mode 100644 docs/client/packages/browser-policy.html
 create mode 100644 docs/client/packages/starter-browser-policy.html
 create mode 100644 packages/browser-policy/.gitignore
 create mode 100644 packages/browser-policy/browser-policy.js
 create mode 100644 packages/browser-policy/package.js
 create mode 100644 packages/starter-browser-policy/.gitignore
 create mode 100644 packages/starter-browser-policy/package.js
 create mode 100644 packages/starter-browser-policy/starter-browser-policy.js

diff --git a/docs/client/docs.js b/docs/client/docs.js
index c057ef71bd..036ed23c89 100644
--- a/docs/client/docs.js
+++ b/docs/client/docs.js
@@ -344,7 +344,9 @@ var toc = [
     "spiderable",
     "stylus",
     "showdown",
-    "underscore"
+    "underscore",
+    "browser-policy",
+    "starter-browser-policy"
   ] ],
 
   "Command line", [ [
diff --git a/docs/client/packages.html b/docs/client/packages.html
index 0ee701bbe8..ac344171cd 100644
--- a/docs/client/packages.html
+++ b/docs/client/packages.html
@@ -32,6 +32,8 @@ and removed with:
 {{> pkg_stylus}}
 {{> pkg_showdown}}
 {{> pkg_underscore}}
+{{> pkg_browser_policy}}
+{{> pkg_starter_browser_policy}}
 
 {{/better_markdown}}
 </template>
diff --git a/docs/client/packages/browser-policy.html b/docs/client/packages/browser-policy.html
new file mode 100644
index 0000000000..b2da7d5117
--- /dev/null
+++ b/docs/client/packages/browser-policy.html
@@ -0,0 +1,126 @@
+<template name="pkg_browser_policy">
+{{#better_markdown}}
+## `browser-policy`
+
+The `browser-policy` package lets you set security-related policies that will be
+enforced by newer browsers. These policies help you prevent and mitigate common
+attacks like cross-site scripting and clickjacking.
+
+`browser-policy` lets you configure the HTTP headers X-Frame-Options and
+Content-Security-Policy. X-Frame-Options tells the browser which websites are
+allowed to frame your app. You should only let trusted websites frame your app,
+because malicious sites could harm your users
+with <a href="https://www.owasp.org/index.php/Clickjacking">clickjacking
+attacks</a>.
+<a href="https://developer.mozilla.org/en-US/docs/Security/CSP/Introducing_Content_Security_Policy">Content-Security-Policy</a>
+tells the browser where your app can load content from, which encourages safe
+practices and mitigates the damage of a cross-site-scripting attack.
+
+For most apps, we recommend that you use the `starter-browser-policy` package to
+enable reasonable policies, and then use the functions below to tighten or relax
+the policies as necessary. For example, an app that only loads content from its
+own origin and that doesn't use inline Javascript should use
+`starter-browser-policy` and then call `BrowserPolicy.disallowInlineScripts()`
+to gain additional security against cross-site scripting attacks.
+
+You can use the following functions to specify which websites are allowed to
+frame your app:
+<dl class="callbacks">
+{{#dtdd "BrowserPolicy.disallowFraming()"}}
+Your app will never render inside a frame or iframe.
+{{/dtdd}}
+
+{{#dtdd "BrowserPolicy.allowFramingByOrigin(origin)"}}
+Your app will only render inside frames loaded by `origin` (such as
+http://meteor.com). You can only call this function once with a single origin,
+and cannot specify multiple origins that are allowed to frame your app. (This is
+a limitation of the X-Frame-Options header.)
+{{/dtdd}}
+
+{{#dtdd "BrowserPolicy.allowFramingBySameOrigin()"}}
+Your app will only render inside frames loaded by webpages on the same origin as
+your app.
+{{/dtdd}}
+
+{{#dtdd "BrowserPolicy.allowFramingByAnyOrigin()"}}
+Your app can be framed by any website.
+{{/dtdd}}
+</dl>
+
+You can use these functions to tighten or relax restrictions on where Javascript
+and CSS can be run:
+
+<dl class="callbacks">
+{{#dtdd "BrowserPolicy.allowInlineScripts()"}}
+Allows inline `<script>` tags, `javascript:` URLs, and inline event handlers.
+{{/dtdd}}
+
+{{#dtdd "BrowserPolicy.disallowInlineScripts()"}}
+Disallows inline Javascript. Calling this function results in an extra
+round-trip on page load to retrieve Meteor runtime configuration that is usually
+part of an inline script tag.
+{{/dtdd}}
+
+{{#dtdd "BrowserPolicy.allowEval()"}}
+Allows the creation of Javascript code from strings using function such as `eval()`.
+{{/dtdd}}
+
+{{#dtdd "BrowserPolicy.disallowEval()"}}
+Disallows eval and related functions.
+{{/dtdd}}
+
+{{#dtdd "BrowserPolicy.allowInlineStyles()"}}
+Allows inline style tags and style attributes.
+{{/dtdd}}
+
+{{#dtdd "BrowserPolicy.disallowInlineStyles()"}}
+Disallows inline CSS.
+{{/dtdd}}
+</dl>
+
+Finally, you can configure a whitelist of allowed requests that various types of
+content can make. Examples:
+
+* `BrowserPolicy.disallowObject()` causes the browser to disallow all
+`<object>` tags.
+* `BrowserPolicy.allowImageOrigin("https://example.com")`
+allows images to have their `src` attributes point to images served from
+`https://example.com`.
+* `BrowserPolicy.allowConnectOrigin("https://example.com")` allows XMLHttpRequest
+and WebSocket connections to `https://example.com`.
+
+The following functions are defined for the content types
+script, object, image, media, font, and connect.
+
+<dl class="callbacks">
+{{#dtdd "BrowserPolicy.allow&lt;ContentType&gt;Origin(origin)"}}
+Allows this type of content to be loaded from the given origin. `origin` is a
+string and can include an optional scheme (such as `http` or `https`), an
+optional wildcard at the beginning, and an optional port which can be a
+wildcard. Examples include `example.com`, `https://*.example.com`, and
+`example.com:*`. You can call these functions multiple times with different
+origins to specify a whitelist of allowed origins.
+{{/dtdd}}
+
+{{#dtdd "BrowserPolicy.allow&lt;ContentType&gt;DataUrl()"}}
+Allows this type of content to be loaded from a `data:` URL.
+{{/dtdd}}
+
+{{#dtdd "BrowserPolicy.allow&lt;ContentType&gt;SameOrigin()"}}
+Allows this type of content to be loaded from the same origin as your app.
+{{/dtdd}}
+
+{{#dtdd "BrowserPolicy.disallow&lt;ContentType&gt;()"}}
+Disallows this type of content on your app.
+{{/dtdd}}
+</dl>
+
+These functions are also defined for the content type `AllContent`, which sets
+defaults for content types that you haven't configured using one of the above
+functions. For example, if you want to allow all content to be loaded from your
+app's origin but you want to disable `<object>` tags, you can simply call
+`BrowserPolicy.allowAllContentSameOrigin()` followed by
+`BrowserPolicy.disallowObject()`.
+
+{{/better_markdown}}
+</template>
diff --git a/docs/client/packages/starter-browser-policy.html b/docs/client/packages/starter-browser-policy.html
new file mode 100644
index 0000000000..bb1118fc0d
--- /dev/null
+++ b/docs/client/packages/starter-browser-policy.html
@@ -0,0 +1,25 @@
+<template name="pkg_starter_browser_policy">
+{{#better_markdown}}
+## `starter-browser-policy`
+
+The `starter-browser-policy` package provides a recommended configuration for the
+`browser-policy` package. When you add `starter-browser-policy` to your app, the
+following policies will be enforced by browsers that support the X-Frame-Options
+and Content-Security-Policy headers:
+
+* Only webpages on the same origin as your app can frame your app.
+* Your app can only load content (images, scripts, fonts, etc.) from its own
+origin, except that XMLHttpRequests and WebSocket connections can go to any
+origin.
+* Your app's client code cannot use functions such as `eval()` that convert
+strings to Javascript code.
+
+If your app does not need any inline Javascript such as inline `<script>` tags,
+we recommend that you modify this policy by calling
+`BrowserPolicy.disallowInlineScripts()` on the server. This will result in one
+extra round trip when your app is loaded, but will help prevent cross-site
+scripting attacks by disabling all scripts except those loaded from a `script
+src` attribute.
+
+{{/better_markdown}}
+</template>
diff --git a/packages/browser-policy/.gitignore b/packages/browser-policy/.gitignore
new file mode 100644
index 0000000000..677a6fc263
--- /dev/null
+++ b/packages/browser-policy/.gitignore
@@ -0,0 +1 @@
+.build*
diff --git a/packages/browser-policy/browser-policy.js b/packages/browser-policy/browser-policy.js
new file mode 100644
index 0000000000..3d9d8e330c
--- /dev/null
+++ b/packages/browser-policy/browser-policy.js
@@ -0,0 +1,200 @@
+// We recommend that you use the starter-browser-policy package to enable the
+// following default policy:
+// 1.) Only the same origin can frame the app.
+// 2.) No eval or other string-to-code, and content can only be loaded from the
+// same origin as the app (except for XHRs and websocket connections, which can
+// go to any origin).
+//
+// Apps should call BrowserPolicy.disallowInlineScripts() if they are not using
+// any inline script tags and are willing to accept an extra round trip on page
+// load.
+//
+// BrowserPolicy functions for tweaking CSP:
+// allowInlineScripts()
+// disallowInlineScripts(): adds extra round-trip to page load time
+// allowInlineStyles()
+// disallowInlineStyles()
+// allowEval()
+// disallowEval()
+//
+// For each type of content (script, object, image, media, font, connect,
+// style), there are the following functions:
+// allow<content type>Origin(origin): allows the type of content to be loaded
+// from the given origin
+// allow<content type>DataUrl(): allows the content to be loaded from data: URLs
+// allow<content type>SameOrigin(): allows the content to be loaded from the
+// same origin
+// disallow<content type>(): disallows this type of content all together (can't
+// be called for script)
+//
+// The following functions allow you to set defaults for where content can be
+// loaded from when no other rules have been specified for that type of content:
+// allowAllContentOrigin(origin)
+// allowAllContentDataUrl()
+// allowAllContentSameOrigin()
+// disallowAllContent()
+//
+//
+// For controlling which origins can frame this app,
+// BrowserPolicy.disallowFraming()
+// BrowserPolicy.allowFramingByOrigin(origin)
+// BrowserPolicy.allowFramingBySameOrigin()
+// BrowserPolicy.allowFramingByAnyOrigin();
+
+var xFrameOptions;
+var cspSrcs;
+
+// CSP keywords have to be single-quoted.
+var unsafeInline = "'unsafe-inline'";
+var unsafeEval = "'unsafe-eval'";
+var selfKeyword = "'self'";
+var noneKeyword = "'none'";
+
+var constructCsp = function () {
+  _.each(_.keys(cspSrcs), function (directive) {
+    if (_.isEmpty(cspSrcs[directive]))
+      delete cspSrcs[directive];
+  });
+
+  var header = _.map(cspSrcs, function (srcs, directive) {
+    return directive + " " + srcs.join(" ") + ";";
+  }).join(" ");
+
+  return header;
+};
+
+var parseCsp = function (csp) {
+  var policies = csp.split("; ");
+  var result = {};
+  _.each(policies, function (policy) {
+    if (policy[policy.length-1] === ";")
+      policy = policy.substring(0, policy.length - 1);
+    var srcs = policy.split(" ");
+    var directive = srcs[0];
+    result[directive] = srcs.slice(1);
+  });
+  return result;
+};
+
+var removeCspSrc = function (directive, src) {
+  cspSrcs[directive] = _.without(cspSrcs[directive] || [], src);
+};
+
+var ensureDirective = function (directive) {
+  if (! _.has(cspSrcs, directive))
+    cspSrcs[directive] = [];
+};
+
+WebApp.connectHandlers.use(function (req, res, next) {
+  if (xFrameOptions)
+    res.setHeader("X-Frame-Options", xFrameOptions);
+  if (cspSrcs)
+    res.setHeader("Content-Security-Policy", constructCsp());
+  next();
+});
+
+BrowserPolicy = {
+  allowFramingBySameOrigin: function () {
+    xFrameOptions = "SAMEORIGIN";
+  },
+  disallowFraming: function () {
+    xFrameOptions = "DENY";
+  },
+  allowFramingByOrigin: function (origin) {
+    if (xFrameOptions.indexOf("ALLOW-FROM") === 0)
+      throw new Error("You can only specify one origin that is allowed to" +
+                      " frame this app.");
+    xFrameOptions = "ALLOW-FROM " + origin;
+  },
+  allowFramingByAnyOrigin: function () {
+    xFrameOptions = null;
+  },
+
+  setContentSecurityPolicy: function (csp) {
+    cspSrcs = parseCsp(csp);
+  },
+
+  // Helpers for creating content security policies
+
+  // Used by webapp to determine whether we need an extra round trip for
+  // __meteor_runtime_config__.
+  inlineScriptsAllowed: function () {
+    ensureDirective("script-src");
+    return (_.indexOf(cspSrcs["script-src"], unsafeInline) !== -1);
+  },
+
+  allowInlineScripts: function () {
+    ensureDirective("script-src");
+    cspSrcs["script-src"].push(unsafeInline);
+  },
+  disallowInlineScripts: function () {
+    ensureDirective("script-src");
+    removeCspSrc("script-src", unsafeInline);
+  },
+  allowEval: function () {
+    ensureDirective("script-src");
+    cspSrcs["script-src"].push(unsafeEval);
+  },
+  disallowEval: function () {
+    ensureDirective("script-src");
+    removeCspSrc("script-src", unsafeEval);
+  },
+  allowInlineStyles: function () {
+    ensureDirective("style-src");
+    cspSrcs["style-src"].push(unsafeInline);
+  },
+  disallowInlineStyles: function () {
+    ensureDirective("style-src");
+    removeCspSrc("style-src", unsafeInline);
+  },
+
+  // Functions for setting defaults
+  allowAllContentSameOrigin: function () {
+    ensureDirective("default-src");
+    cspSrcs["default-src"].push(selfKeyword);
+  },
+  allowAllContentDataUrl: function () {
+    ensureDirective("default-src");
+    cspSrcs["default-src"].push("data:");
+  },
+  allowAllContentOrigin: function (origin) {
+    ensureDirective("default-src");
+    cspSrcs["default-src"].push(origin);
+  },
+  disallowAllContent: function () {
+    cspSrcs["default-src"] = [noneKeyword];
+  }
+};
+
+// allow<Resource>Origin, allow<Resource>Data, allow<Resource>self, and
+// disallow<Resource> methods for each type of resource.
+_.each(["script", "object", "img", "media",
+        "font", "connect", "style"],
+       function (resource) {
+         var directive = resource + "-src";
+         var methodResource;
+         if (resource !== "img") {
+           methodResource = resource.charAt(0).toUpperCase() +
+             resource.slice(1);
+         } else {
+           methodResource = "Image";
+         }
+         var allowMethodName = "allow" + methodResource + "Origin";
+         var disallowMethodName = "disallow" + methodResource;
+         var allowDataMethodName = "allow" + methodResource + "DataUrl";
+         var allowSelfMethodName = "allow" + methodResource + "SameOrigin";
+
+         BrowserPolicy[allowMethodName] = function (src) {
+           ensureDirective(directive);
+           cspSrcs[directive].push(src);
+         };
+         if (resource !== "script") {
+           BrowserPolicy[disallowMethodName] = function () {
+             cspSrcs[directive] = [noneKeyword];
+           };
+         }
+         BrowserPolicy[allowDataMethodName] = function () {
+           ensureDirective(directive);
+           cspSrcs[directive].push("data:");
+         };
+       });
diff --git a/packages/browser-policy/package.js b/packages/browser-policy/package.js
new file mode 100644
index 0000000000..c90f070623
--- /dev/null
+++ b/packages/browser-policy/package.js
@@ -0,0 +1,9 @@
+Package.describe({
+  summary: "Configure security policies enforced by the browser"
+});
+
+Package.on_use(function (api) {
+  api.use(["underscore", "webapp"], "server");
+  api.add_files("browser-policy.js", "server");
+  api.export("BrowserPolicy", "server");
+});
diff --git a/packages/starter-browser-policy/.gitignore b/packages/starter-browser-policy/.gitignore
new file mode 100644
index 0000000000..677a6fc263
--- /dev/null
+++ b/packages/starter-browser-policy/.gitignore
@@ -0,0 +1 @@
+.build*
diff --git a/packages/starter-browser-policy/package.js b/packages/starter-browser-policy/package.js
new file mode 100644
index 0000000000..6a7bc6d95f
--- /dev/null
+++ b/packages/starter-browser-policy/package.js
@@ -0,0 +1,8 @@
+Package.describe({
+  summary: "Basic browser security policies"
+});
+
+Package.on_use(function (api) {
+  api.use("browser-policy", "server");
+  api.add_files("starter-browser-policy.js", "server");
+});
diff --git a/packages/starter-browser-policy/starter-browser-policy.js b/packages/starter-browser-policy/starter-browser-policy.js
new file mode 100644
index 0000000000..4d7650878d
--- /dev/null
+++ b/packages/starter-browser-policy/starter-browser-policy.js
@@ -0,0 +1,13 @@
+BrowserPolicy.allowFramingBySameOrigin();
+
+// By default, unsafe inline scripts and styles are allowed, since we expect
+// many apps will use them for analytics, etc. Unsafe eval is disallowed, and
+// the only allowable content source is the same origin or data, except for
+// connect which allows anything (since meteor.com apps make websocket
+// connections to a lot of different origins).
+
+BrowserPolicy.setContentSecurityPolicy("default-src 'self'; " +
+                                       "script-src 'self' 'unsafe-inline'; " +
+                                       "connect-src *; " +
+                                       "img-src data: 'self'; " +
+                                       "style-src 'self' 'unsafe-inline';");
diff --git a/packages/webapp/webapp_server.js b/packages/webapp/webapp_server.js
index af716d5d3a..3380ab81d2 100644
--- a/packages/webapp/webapp_server.js
+++ b/packages/webapp/webapp_server.js
@@ -147,7 +147,6 @@ var appUrl = function (url) {
   return true;
 };
 
-
 var runWebAppServer = function () {
   // read the control for the client we'll be serving up
   var clientJsonPath = path.join(__meteor_bootstrap__.serverDir,
@@ -231,6 +230,17 @@ var runWebAppServer = function () {
       next();
       return;
     }
+
+    if (Package["browser-policy"] &&
+        ! Package["browser-policy"].BrowserPolicy.inlineScriptsAllowed() &&
+        pathname === "/meteor_runtime_config.js") {
+      res.writeHead(200, { 'Content-type': 'application/javascript' });
+      res.write("__meteor_runtime_config__ = " +
+                JSON.stringify(__meteor_runtime_config__) + ";");
+      res.end();
+      return;
+    }
+
     if (!_.has(staticFiles, pathname)) {
       next();
       return;
@@ -387,15 +397,25 @@ var runWebAppServer = function () {
     argv = optimist(argv).boolean('keepalive').argv;
 
     var boilerplateHtmlPath = path.join(clientDir, clientJson.page);
-    boilerplateHtml =
-      fs.readFileSync(boilerplateHtmlPath, 'utf8')
-      .replace(
-        "// ##RUNTIME_CONFIG##",
-        "__meteor_runtime_config__ = " +
-          JSON.stringify(__meteor_runtime_config__) + ";")
-      .replace(
-          /##ROOT_URL_PATH_PREFIX##/g,
-        __meteor_runtime_config__.ROOT_URL_PATH_PREFIX || "");
+    boilerplateHtml = fs.readFileSync(boilerplateHtmlPath, 'utf8');
+
+    // Include __meteor_runtime_config__ in the app html, as an inline script if
+    // it's not forbidden by CSP.
+    if (! Package["browser-policy"] ||
+        Package["browser-policy"].BrowserPolicy.inlineScriptsAllowed()) {
+      boilerplateHtml = boilerplateHtml.replace(
+          /##RUNTIME_CONFIG##/,
+        "<script type='text/javascript'>__meteor_runtime_config__ = " +
+          JSON.stringify(__meteor_runtime_config__) + ";</script>");
+    } else {
+      boilerplateHtml = boilerplateHtml.replace(
+        /##RUNTIME_CONFIG##/,
+        "<script type='text/javascript' src='##ROOT_URL_PATH_PREFIX##/meteor_runtime_config.js'></script>"
+      );
+    }
+    boilerplateHtml = boilerplateHtml.replace(
+        /##ROOT_URL_PATH_PREFIX##/g,
+      __meteor_runtime_config__.ROOT_URL_PATH_PREFIX || "");
 
     // only start listening after all the startup code has run.
     var localPort = parseInt(process.env.PORT) || 0;
diff --git a/tools/app.html.in b/tools/app.html.in
index bf821f6054..e2bc250d0f 100644
--- a/tools/app.html.in
+++ b/tools/app.html.in
@@ -4,9 +4,7 @@
 {{#each stylesheets}}  <link rel="stylesheet" href="##ROOT_URL_PATH_PREFIX##{{this}}">
 {{/each}}
 
-<script type="text/javascript">
-// ##RUNTIME_CONFIG##
-</script>
+##RUNTIME_CONFIG##
 
 {{#each scripts}}  <script type="text/javascript" src="##ROOT_URL_PATH_PREFIX##{{this}}"></script>
 {{/each}}

From e6300461b1c0b1c53344882ef5d75c450a923f00 Mon Sep 17 00:00:00 2001
From: Emily Stark <emily@meteor.com>
Date: Fri, 30 Aug 2013 18:32:20 -0700
Subject: [PATCH 2/4] Reorganize browser-policy docs a bit.

Addressing Nick's suggestions. Haven't decided yet about combining
browser-policy and starter-browser-policy docs.
---
 docs/client/docs.js                           |  6 +--
 docs/client/packages.html                     |  4 +-
 docs/client/packages/browser-policy.html      | 45 ++++++++++---------
 .../packages/starter-browser-policy.html      |  8 ++--
 packages/browser-policy/browser-policy.js     |  1 +
 packages/webapp/package.js                    |  3 ++
 6 files changed, 37 insertions(+), 30 deletions(-)

diff --git a/docs/client/docs.js b/docs/client/docs.js
index 036ed23c89..dc489c7cb5 100644
--- a/docs/client/docs.js
+++ b/docs/client/docs.js
@@ -335,6 +335,7 @@ var toc = [
     "audit-argument-checks",
     "backbone",
     "bootstrap",
+    "browser-policy",
     "coffeescript",
     "d3",
     "force-ssl",
@@ -344,9 +345,8 @@ var toc = [
     "spiderable",
     "stylus",
     "showdown",
-    "underscore",
-    "browser-policy",
-    "starter-browser-policy"
+    "starter-browser-policy",
+    "underscore"
   ] ],
 
   "Command line", [ [
diff --git a/docs/client/packages.html b/docs/client/packages.html
index ac344171cd..c891bbc5cd 100644
--- a/docs/client/packages.html
+++ b/docs/client/packages.html
@@ -22,6 +22,7 @@ and removed with:
 {{> pkg_audit_argument_checks}}
 {{> pkg_backbone}}
 {{> pkg_bootstrap}}
+{{> pkg_browser_policy}}
 {{> pkg_coffeescript}}
 {{> pkg_d3}}
 {{> pkg_force_ssl}}
@@ -31,9 +32,8 @@ and removed with:
 {{> pkg_spiderable}}
 {{> pkg_stylus}}
 {{> pkg_showdown}}
-{{> pkg_underscore}}
-{{> pkg_browser_policy}}
 {{> pkg_starter_browser_policy}}
+{{> pkg_underscore}}
 
 {{/better_markdown}}
 </template>
diff --git a/docs/client/packages/browser-policy.html b/docs/client/packages/browser-policy.html
index b2da7d5117..efc4c2c275 100644
--- a/docs/client/packages/browser-policy.html
+++ b/docs/client/packages/browser-policy.html
@@ -16,12 +16,13 @@ attacks</a>.
 tells the browser where your app can load content from, which encourages safe
 practices and mitigates the damage of a cross-site-scripting attack.
 
-For most apps, we recommend that you use the `starter-browser-policy` package to
-enable reasonable policies, and then use the functions below to tighten or relax
-the policies as necessary. For example, an app that only loads content from its
-own origin and that doesn't use inline Javascript should use
-`starter-browser-policy` and then call `BrowserPolicy.disallowInlineScripts()`
-to gain additional security against cross-site scripting attacks.
+For most apps, we recommend that you use the
+[`starter-browser-policy`](#starterbrowserpolicy) package to enable reasonable
+policies, and then use the functions below to tighten or relax the policies as
+necessary. For example, an app that only loads content from its own origin and
+that doesn't use inline Javascript should use `starter-browser-policy` and then
+call `BrowserPolicy.disallowInlineScripts()` to gain additional security against
+cross-site scripting attacks.
 
 You can use the following functions to specify which websites are allowed to
 frame your app:
@@ -31,10 +32,11 @@ Your app will never render inside a frame or iframe.
 {{/dtdd}}
 
 {{#dtdd "BrowserPolicy.allowFramingByOrigin(origin)"}}
-Your app will only render inside frames loaded by `origin` (such as
-http://meteor.com). You can only call this function once with a single origin,
-and cannot specify multiple origins that are allowed to frame your app. (This is
-a limitation of the X-Frame-Options header.)
+Your app will only render inside frames loaded by `origin`. You can only call
+this function once with a single origin, and cannot use wildcards or specify
+multiple origins that are allowed to frame your app. (This is a limitation of
+the X-Frame-Options header.) Example values of `origin` include
+"http://example.com" and "https://foo.example.com".
 {{/dtdd}}
 
 {{#dtdd "BrowserPolicy.allowFramingBySameOrigin()"}}
@@ -79,17 +81,7 @@ Disallows inline CSS.
 </dl>
 
 Finally, you can configure a whitelist of allowed requests that various types of
-content can make. Examples:
-
-* `BrowserPolicy.disallowObject()` causes the browser to disallow all
-`<object>` tags.
-* `BrowserPolicy.allowImageOrigin("https://example.com")`
-allows images to have their `src` attributes point to images served from
-`https://example.com`.
-* `BrowserPolicy.allowConnectOrigin("https://example.com")` allows XMLHttpRequest
-and WebSocket connections to `https://example.com`.
-
-The following functions are defined for the content types
+content can make. The following functions are defined for the content types
 script, object, image, media, font, and connect.
 
 <dl class="callbacks">
@@ -122,5 +114,16 @@ app's origin but you want to disable `<object>` tags, you can simply call
 `BrowserPolicy.allowAllContentSameOrigin()` followed by
 `BrowserPolicy.disallowObject()`.
 
+Other examples of using the `BrowserPolicy` API:
+
+* `BrowserPolicy.disallowObject()` causes the browser to disallow all
+`<object>` tags.
+* `BrowserPolicy.allowImageOrigin("https://example.com")`
+allows images to have their `src` attributes point to images served from
+`https://example.com`.
+* `BrowserPolicy.allowConnectOrigin("https://example.com")` allows XMLHttpRequest
+and WebSocket connections to `https://example.com`.
+
+
 {{/better_markdown}}
 </template>
diff --git a/docs/client/packages/starter-browser-policy.html b/docs/client/packages/starter-browser-policy.html
index bb1118fc0d..71ff88911a 100644
--- a/docs/client/packages/starter-browser-policy.html
+++ b/docs/client/packages/starter-browser-policy.html
@@ -2,10 +2,10 @@
 {{#better_markdown}}
 ## `starter-browser-policy`
 
-The `starter-browser-policy` package provides a recommended configuration for the
-`browser-policy` package. When you add `starter-browser-policy` to your app, the
-following policies will be enforced by browsers that support the X-Frame-Options
-and Content-Security-Policy headers:
+The `starter-browser-policy` package provides a recommended configuration for
+the [`browser-policy`](#browserpolicy) package. When you add
+`starter-browser-policy` to your app, the following policies will be enforced by
+browsers that support the X-Frame-Options and Content-Security-Policy headers:
 
 * Only webpages on the same origin as your app can frame your app.
 * Your app can only load content (images, scripts, fonts, etc.) from its own
diff --git a/packages/browser-policy/browser-policy.js b/packages/browser-policy/browser-policy.js
index 3d9d8e330c..5f54c8d6d3 100644
--- a/packages/browser-policy/browser-policy.js
+++ b/packages/browser-policy/browser-policy.js
@@ -81,6 +81,7 @@ var removeCspSrc = function (directive, src) {
 };
 
 var ensureDirective = function (directive) {
+  cspSrcs = cspSrcs || {};
   if (! _.has(cspSrcs, directive))
     cspSrcs[directive] = [];
 };
diff --git a/packages/webapp/package.js b/packages/webapp/package.js
index 0f89553822..c451f2086a 100644
--- a/packages/webapp/package.js
+++ b/packages/webapp/package.js
@@ -12,6 +12,9 @@ Package.on_use(function (api) {
   api.use(['application-configuration'], {
     unordered: true
   });
+  api.use(['browser-policy'], {
+    unordered: true
+  });
   api.export(['WebApp', 'main', 'WebAppInternals'], 'server');
   api.add_files('webapp_server.js', 'server');
 });

From a102872a963e367962f91291a37b0fff7df1e38e Mon Sep 17 00:00:00 2001
From: Emily Stark <emily@meteor.com>
Date: Tue, 10 Sep 2013 17:08:42 -0700
Subject: [PATCH 3/4] Rework browser-policy to make API more intuitive.

- Remove starter-browser-policy and replace it with
  BrowserPolicy.enableContentSecurityPolicy(), which gives you the starter
  policy and allows you to use the other BrowserPolicy functions to configure
  it. This is motivated by the fact that the API isn't very intuitive without a
  well-defined starting policy. ex: if the package starts off without a policy,
  and then the user calls allowAllContentSameOrigin(), that will result in
  turning off inline scripts, which is probably not what they wanted.
- AllContent functions do more of what you'd expect now;
  i.e. BrowserPolicy.disallowAllContent() actually disallows all content,
  instead of setting default-src to 'none', which will allow other types of
  content that have previously had srcs set for them.
- Add some tests
---
 docs/client/docs.js                           |   1 -
 docs/client/packages.html                     |   1 -
 docs/client/packages/browser-policy.html      |  53 +++++--
 .../packages/starter-browser-policy.html      |  25 ---
 .../browser-policy/browser-policy-test.js     | 123 +++++++++++++++
 packages/browser-policy/browser-policy.js     | 148 +++++++++++++-----
 packages/browser-policy/package.js            |   5 +
 packages/starter-browser-policy/.gitignore    |   1 -
 packages/starter-browser-policy/package.js    |   8 -
 .../starter-browser-policy.js                 |  13 --
 10 files changed, 277 insertions(+), 101 deletions(-)
 delete mode 100644 docs/client/packages/starter-browser-policy.html
 create mode 100644 packages/browser-policy/browser-policy-test.js
 delete mode 100644 packages/starter-browser-policy/.gitignore
 delete mode 100644 packages/starter-browser-policy/package.js
 delete mode 100644 packages/starter-browser-policy/starter-browser-policy.js

diff --git a/docs/client/docs.js b/docs/client/docs.js
index dc489c7cb5..3ac001e554 100644
--- a/docs/client/docs.js
+++ b/docs/client/docs.js
@@ -345,7 +345,6 @@ var toc = [
     "spiderable",
     "stylus",
     "showdown",
-    "starter-browser-policy",
     "underscore"
   ] ],
 
diff --git a/docs/client/packages.html b/docs/client/packages.html
index c891bbc5cd..077e4f1cd1 100644
--- a/docs/client/packages.html
+++ b/docs/client/packages.html
@@ -32,7 +32,6 @@ and removed with:
 {{> pkg_spiderable}}
 {{> pkg_stylus}}
 {{> pkg_showdown}}
-{{> pkg_starter_browser_policy}}
 {{> pkg_underscore}}
 
 {{/better_markdown}}
diff --git a/docs/client/packages/browser-policy.html b/docs/client/packages/browser-policy.html
index efc4c2c275..5b8e31354e 100644
--- a/docs/client/packages/browser-policy.html
+++ b/docs/client/packages/browser-policy.html
@@ -16,13 +16,26 @@ attacks</a>.
 tells the browser where your app can load content from, which encourages safe
 practices and mitigates the damage of a cross-site-scripting attack.
 
-For most apps, we recommend that you use the
-[`starter-browser-policy`](#starterbrowserpolicy) package to enable reasonable
-policies, and then use the functions below to tighten or relax the policies as
-necessary. For example, an app that only loads content from its own origin and
-that doesn't use inline Javascript should use `starter-browser-policy` and then
-call `BrowserPolicy.disallowInlineScripts()` to gain additional security against
-cross-site scripting attacks.
+For most apps, we recommend that you take the following steps when using
+`browser-policy`:
+
+* Call `BrowserPolicy.enableContentSecurityPolicy()` to enable a starter policy
+for your app. With this starter policy, your app's client code will be able to
+load content (images, scripts, fonts, etc.) only from its own origin, except
+that XMLHttpRequests and WebSocket connections can go to any origin. Further,
+your app's client code will not be able to use functions such as `eval()` that
+convert strings to code.
+* You can use the functions described below to customize the content
+security policy. If your app does not need any inline Javascript such as inline
+`<script>` tags, we recommend that you modify the policy by calling
+`BrowserPolicy.disallowInlineScripts()` in server code. This will result in one
+extra round trip when your app is loaded, but will help prevent cross-site
+scripting attacks by disabling all scripts except those loaded from a `script
+src` attribute.
+* If your app does not need to be framed by other websites, call
+`BrowserPolicy.allowFramingBySameOrigin()` to help prevent clickjacking attacks.
+
+#### Frame options
 
 You can use the following functions to specify which websites are allowed to
 frame your app:
@@ -36,7 +49,9 @@ Your app will only render inside frames loaded by `origin`. You can only call
 this function once with a single origin, and cannot use wildcards or specify
 multiple origins that are allowed to frame your app. (This is a limitation of
 the X-Frame-Options header.) Example values of `origin` include
-"http://example.com" and "https://foo.example.com".
+"http://example.com" and "https://foo.example.com". Note that this value of the
+X-Frame-Options header is not yet supported in Chrome or Safari and will be
+ignored in those browsers.
 {{/dtdd}}
 
 {{#dtdd "BrowserPolicy.allowFramingBySameOrigin()"}}
@@ -49,8 +64,16 @@ Your app can be framed by any website.
 {{/dtdd}}
 </dl>
 
-You can use these functions to tighten or relax restrictions on where Javascript
-and CSS can be run:
+#### Content options
+
+You can use the functions in this section to control how different types of
+content can be loaded on your site. In order to use any of these functions, you
+must first call `BrowserPolicy.enableContentSecurityPolicy()`, which enables the
+starter policy described above. This section covers additional functions that
+you can use to tighten or relax what content your app can use.
+
+You can use the following functions to tighten or relax restrictions on where
+Javascript and CSS can be run:
 
 <dl class="callbacks">
 {{#dtdd "BrowserPolicy.allowInlineScripts()"}}
@@ -107,11 +130,11 @@ Disallows this type of content on your app.
 {{/dtdd}}
 </dl>
 
-These functions are also defined for the content type `AllContent`, which sets
-defaults for content types that you haven't configured using one of the above
-functions. For example, if you want to allow all content to be loaded from your
-app's origin but you want to disable `<object>` tags, you can simply call
-`BrowserPolicy.allowAllContentSameOrigin()` followed by
+These functions are also defined for the content type `AllContent`, which is a
+shorthand for calling one of the above functions once for each content type.
+For example, if you want to allow the origin `https://foo.com` for all types of
+content but you want to disable `<object>` tags, you can call
+`BrowserPolicy.allowAllContentOrigin("https://foo.com")` followed by
 `BrowserPolicy.disallowObject()`.
 
 Other examples of using the `BrowserPolicy` API:
diff --git a/docs/client/packages/starter-browser-policy.html b/docs/client/packages/starter-browser-policy.html
deleted file mode 100644
index 71ff88911a..0000000000
--- a/docs/client/packages/starter-browser-policy.html
+++ /dev/null
@@ -1,25 +0,0 @@
-<template name="pkg_starter_browser_policy">
-{{#better_markdown}}
-## `starter-browser-policy`
-
-The `starter-browser-policy` package provides a recommended configuration for
-the [`browser-policy`](#browserpolicy) package. When you add
-`starter-browser-policy` to your app, the following policies will be enforced by
-browsers that support the X-Frame-Options and Content-Security-Policy headers:
-
-* Only webpages on the same origin as your app can frame your app.
-* Your app can only load content (images, scripts, fonts, etc.) from its own
-origin, except that XMLHttpRequests and WebSocket connections can go to any
-origin.
-* Your app's client code cannot use functions such as `eval()` that convert
-strings to Javascript code.
-
-If your app does not need any inline Javascript such as inline `<script>` tags,
-we recommend that you modify this policy by calling
-`BrowserPolicy.disallowInlineScripts()` on the server. This will result in one
-extra round trip when your app is loaded, but will help prevent cross-site
-scripting attacks by disabling all scripts except those loaded from a `script
-src` attribute.
-
-{{/better_markdown}}
-</template>
diff --git a/packages/browser-policy/browser-policy-test.js b/packages/browser-policy/browser-policy-test.js
new file mode 100644
index 0000000000..875a6323eb
--- /dev/null
+++ b/packages/browser-policy/browser-policy-test.js
@@ -0,0 +1,123 @@
+var cspsEqual = function (csp1, csp2) {
+  var cspToObj = function (csp) {
+    csp = csp.substring(0, csp.length - 1);
+    var parts = _.map(csp.split("; "), function (part) {
+      return part.split(" ");
+    });
+    var keys = _.map(parts, _.first);
+    var values = _.map(parts, _.rest);
+    _.each(values, function (value) {
+      value.sort();
+    });
+    return _.object(keys, values);
+  };
+
+  return EJSON.equals(cspToObj(csp1), cspToObj(csp2));
+};
+
+Tinytest.add("browser-policy - csp", function (test) {
+  var defaultCsp = "default-src 'self'; script-src 'self' 'unsafe-inline'; " +
+        "connect-src * 'self'; img-src data: 'self'; style-src 'self' 'unsafe-inline';"
+  BrowserPolicy.enableContentSecurityPolicy();
+
+  // Default policy
+  test.isTrue(cspsEqual(BrowserPolicy._constructCsp(), defaultCsp));
+  test.isTrue(BrowserPolicy.inlineScriptsAllowed());
+
+  // Redundant whitelisting (inline scripts already allowed in default policy)
+  BrowserPolicy.allowInlineScripts();
+  test.isTrue(cspsEqual(BrowserPolicy._constructCsp(), defaultCsp));
+
+  // Disallow inline scripts
+  BrowserPolicy.disallowInlineScripts();
+  test.isTrue(cspsEqual(BrowserPolicy._constructCsp(),
+                        "default-src 'self'; script-src 'self'; " +
+                        "connect-src * 'self'; img-src data: 'self'; style-src 'self' 'unsafe-inline';"));
+  test.isFalse(BrowserPolicy.inlineScriptsAllowed());
+
+  // Allow eval
+  BrowserPolicy.allowEval();
+  test.isTrue(cspsEqual(BrowserPolicy._constructCsp(), "default-src 'self'; script-src 'self' 'unsafe-eval'; " +
+                        "connect-src * 'self'; img-src data: 'self'; style-src 'self' 'unsafe-inline';"));
+
+  // Disallow inline styles
+  BrowserPolicy.disallowInlineStyles();
+  test.isTrue(cspsEqual(BrowserPolicy._constructCsp(), "default-src 'self'; script-src 'self' 'unsafe-eval'; " +
+                        "connect-src * 'self'; img-src data: 'self'; style-src 'self';"));
+
+  // Allow data: urls everywhere
+  BrowserPolicy.allowAllContentDataUrl();
+  test.isTrue(cspsEqual(BrowserPolicy._constructCsp(),
+                        "default-src 'self' data:; script-src 'self' 'unsafe-eval' data:; " +
+                        "connect-src * data: 'self'; img-src data: 'self'; style-src 'self' data:;"));
+
+  // Disallow everything
+  BrowserPolicy.disallowAllContent();
+  test.isTrue(cspsEqual(BrowserPolicy._constructCsp(), "default-src 'none';"));
+  test.isFalse(BrowserPolicy.inlineScriptsAllowed());
+
+  // Put inline scripts back in
+  BrowserPolicy.allowInlineScripts();
+  test.isTrue(cspsEqual(BrowserPolicy._constructCsp(),
+                        "default-src 'none'; script-src 'unsafe-inline';"));
+  test.isTrue(BrowserPolicy.inlineScriptsAllowed());
+
+  // Add 'self' to all content types
+  BrowserPolicy.allowAllContentSameOrigin();
+  test.isTrue(cspsEqual(BrowserPolicy._constructCsp(),
+                        "default-src 'self'; script-src 'self' 'unsafe-inline';"));
+  test.isTrue(BrowserPolicy.inlineScriptsAllowed());
+
+  // Disallow all content except same-origin scripts
+  BrowserPolicy.disallowAllContent();
+  BrowserPolicy.allowScriptSameOrigin();
+  test.isTrue(cspsEqual(BrowserPolicy._constructCsp(),
+                        "default-src 'none'; script-src 'self';"));
+  test.isFalse(BrowserPolicy.inlineScriptsAllowed());
+
+  // Starting with all content same origin, disallowScript() and then allow
+  // inline scripts. Result should be that that only inline scripts can execute,
+  // not same-origin scripts.
+  BrowserPolicy.disallowAllContent();
+  BrowserPolicy.allowAllContentSameOrigin();
+  test.isTrue(cspsEqual(BrowserPolicy._constructCsp(), "default-src 'self';"));
+  BrowserPolicy.disallowScript();
+  test.isTrue(cspsEqual(BrowserPolicy._constructCsp(),
+                        "default-src 'self'; script-src 'none';"));
+  BrowserPolicy.allowInlineScripts();
+  test.isTrue(cspsEqual(BrowserPolicy._constructCsp(),
+                        "default-src 'self'; script-src 'unsafe-inline';"));
+
+  // Starting with all content same origin, allow inline scripts. (Should result
+  // in both same origin and inline scripts allowed.)
+  BrowserPolicy.disallowAllContent();
+  BrowserPolicy.allowAllContentSameOrigin();
+  BrowserPolicy.allowInlineScripts();
+  test.isTrue(cspsEqual(BrowserPolicy._constructCsp(),
+                        "default-src 'self'; script-src 'self' 'unsafe-inline';"));
+  BrowserPolicy.disallowInlineScripts();
+  test.isTrue(cspsEqual(BrowserPolicy._constructCsp(),
+                        "default-src 'self'; script-src 'self';"));
+
+  // Allow same origin for all content, then disallow object entirely.
+  BrowserPolicy.disallowAllContent();
+  BrowserPolicy.allowAllContentSameOrigin();
+  BrowserPolicy.disallowObject();
+  test.isTrue(cspsEqual(BrowserPolicy._constructCsp(),
+                        "default-src 'self'; object-src 'none';"));
+});
+
+Tinytest.add("browser-policy - x-frame-options", function (test) {
+  BrowserPolicy._reset();
+  BrowserPolicy.disallowFraming();
+  test.equal(BrowserPolicy._constructXFrameOptions(), "DENY");
+  BrowserPolicy.allowFramingBySameOrigin();
+  test.equal(BrowserPolicy._constructXFrameOptions(), "SAMEORIGIN");
+  BrowserPolicy.allowFramingByOrigin("foo.com");
+  test.equal(BrowserPolicy._constructXFrameOptions(), "ALLOW-FROM foo.com");
+  test.throws(function () {
+    BrowserPolicy.allowFramingByOrigin("bar.com");
+  });
+  BrowserPolicy.allowFramingByAnyOrigin();
+  test.isFalse(BrowserPolicy._constructXFrameOptions());
+});
diff --git a/packages/browser-policy/browser-policy.js b/packages/browser-policy/browser-policy.js
index 5f54c8d6d3..40588dc536 100644
--- a/packages/browser-policy/browser-policy.js
+++ b/packages/browser-policy/browser-policy.js
@@ -1,10 +1,13 @@
-// We recommend that you use the starter-browser-policy package to enable the
-// following default policy:
-// 1.) Only the same origin can frame the app.
-// 2.) No eval or other string-to-code, and content can only be loaded from the
+// To enable CSP, call BrowserPolicy.enableContentSecurityPolicy(). This enables
+// the following default policy:
+// No eval or other string-to-code, and content can only be loaded from the
 // same origin as the app (except for XHRs and websocket connections, which can
 // go to any origin).
 //
+// Apps should call BrowserPolicy.allowFramingBySameOrigin() to allow only
+// same-origin pages to frame their apps, if they don't explicitly want to be
+// framed by third-party sites.
+//
 // Apps should call BrowserPolicy.disallowInlineScripts() if they are not using
 // any inline script tags and are willing to accept an extra round trip on page
 // load.
@@ -27,8 +30,8 @@
 // disallow<content type>(): disallows this type of content all together (can't
 // be called for script)
 //
-// The following functions allow you to set defaults for where content can be
-// loaded from when no other rules have been specified for that type of content:
+// The following functions allow you to set rules for all types of content at
+// once:
 // allowAllContentOrigin(origin)
 // allowAllContentDataUrl()
 // allowAllContentSameOrigin()
@@ -43,6 +46,7 @@
 
 var xFrameOptions;
 var cspSrcs;
+//var cspUnsafeAllowed;
 
 // CSP keywords have to be single-quoted.
 var unsafeInline = "'unsafe-inline'";
@@ -50,30 +54,56 @@ var unsafeEval = "'unsafe-eval'";
 var selfKeyword = "'self'";
 var noneKeyword = "'none'";
 
-var constructCsp = function () {
-  _.each(_.keys(cspSrcs), function (directive) {
-    if (_.isEmpty(cspSrcs[directive]))
-      delete cspSrcs[directive];
-  });
+var cspEnabled = false;
+
+BrowserPolicy = {};
+
+// Exported for tests.
+var constructXFrameOptions = BrowserPolicy._constructXFrameOptions =
+      function () {
+        return xFrameOptions;
+      };
+
+var constructCsp = BrowserPolicy._constructCsp = function () {
+  if (! cspEnabled)
+    return null;
+
+  cspSrcs = cspSrcs || {};
 
   var header = _.map(cspSrcs, function (srcs, directive) {
-    return directive + " " + srcs.join(" ") + ";";
-  }).join(" ");
+    srcs = srcs || [];
+    if (_.isEmpty(srcs))
+      srcs = [noneKeyword];
+    var directiveCsp = _.uniq(srcs).join(" ");
+    return directive + " " + directiveCsp + ";";
+  });
 
+  header = header.join(" ");
   return header;
 };
 
 var parseCsp = function (csp) {
   var policies = csp.split("; ");
-  var result = {};
+  cspSrcs = {};
   _.each(policies, function (policy) {
-    if (policy[policy.length-1] === ";")
+    if (policy[policy.length - 1] === ";")
       policy = policy.substring(0, policy.length - 1);
     var srcs = policy.split(" ");
     var directive = srcs[0];
-    result[directive] = srcs.slice(1);
+    if (_.indexOf(srcs, noneKeyword) !== -1)
+      cspSrcs[directive] = null;
+    else
+      cspSrcs[directive] = srcs.slice(1);
+  });
+
+  if (cspSrcs["default-src"] === undefined)
+    throw new Error("Content Security Policies used with " +
+                    "browser-policy must specify a default-src.");
+
+  // Copy default-src sources to other directives.
+  _.each(cspSrcs, function (sources, directive) {
+    cspSrcs[directive] = _.union(sources || [], cspSrcs["default-src"] || []);
   });
-  return result;
 };
 
 var removeCspSrc = function (directive, src) {
@@ -81,28 +111,45 @@ var removeCspSrc = function (directive, src) {
 };
 
 var ensureDirective = function (directive) {
+  throwIfNotEnabled();
   cspSrcs = cspSrcs || {};
   if (! _.has(cspSrcs, directive))
-    cspSrcs[directive] = [];
+    cspSrcs[directive] = _.clone(cspSrcs["default-src"]);
+};
+
+var throwIfNotEnabled = function () {
+  if (! cspEnabled)
+    throw new Error("Enable this function by calling "+
+                    "BrowserPolicy.enableContentSecurityPolicy().");
 };
 
 WebApp.connectHandlers.use(function (req, res, next) {
   if (xFrameOptions)
-    res.setHeader("X-Frame-Options", xFrameOptions);
-  if (cspSrcs)
+    res.setHeader("X-Frame-Options", constructXFrameOptions());
+  if (cspEnabled)
     res.setHeader("Content-Security-Policy", constructCsp());
   next();
 });
 
-BrowserPolicy = {
+BrowserPolicy = _.extend(BrowserPolicy, {
+  _reset: function () {
+    xFrameOptions = null;
+    cspSrcs = null;
+    cspEnabled = false;
+  },
+
   allowFramingBySameOrigin: function () {
     xFrameOptions = "SAMEORIGIN";
   },
   disallowFraming: function () {
     xFrameOptions = "DENY";
   },
+  // ALLOW-FROM not supported in Chrome or Safari.
   allowFramingByOrigin: function (origin) {
-    if (xFrameOptions.indexOf("ALLOW-FROM") === 0)
+    // Trying to specify two allow-from throws to prevent users from
+    // accidentally overwriting an allow-from origin when they think they are
+    // adding multiple origins.
+    if (xFrameOptions && xFrameOptions.indexOf("ALLOW-FROM") === 0)
       throw new Error("You can only specify one origin that is allowed to" +
                       " frame this app.");
     xFrameOptions = "ALLOW-FROM " + origin;
@@ -111,17 +158,38 @@ BrowserPolicy = {
     xFrameOptions = null;
   },
 
+  enableContentSecurityPolicy: function () {
+    // By default, unsafe inline scripts and styles are allowed, since we expect
+    // many apps will use them for analytics, etc. Unsafe eval is disallowed, and
+    // the only allowable content source is the same origin or data, except for
+    // connect which allows anything (since meteor.com apps make websocket
+    // connections to a lot of different origins).
+    cspEnabled = true;
+    cspSrcs = {};
+    BrowserPolicy.setContentSecurityPolicy("default-src 'self'; " +
+                                           "script-src 'self' 'unsafe-inline'; " +
+                                           "connect-src *; " +
+                                           "img-src data: 'self'; " +
+                                           "style-src 'self' 'unsafe-inline';");
+  },
+
   setContentSecurityPolicy: function (csp) {
-    cspSrcs = parseCsp(csp);
+    throwIfNotEnabled();
+    parseCsp(csp);
   },
 
   // Helpers for creating content security policies
 
+  _keywordAllowed: function (directive, keyword) {
+    return ! cspEnabled ||
+      (cspSrcs[directive] &&
+       _.indexOf(cspSrcs[directive], keyword) !== -1);
+  },
+
   // Used by webapp to determine whether we need an extra round trip for
   // __meteor_runtime_config__.
   inlineScriptsAllowed: function () {
-    ensureDirective("script-src");
-    return (_.indexOf(cspSrcs["script-src"], unsafeInline) !== -1);
+    return BrowserPolicy._keywordAllowed("script-src", unsafeInline);
   },
 
   allowInlineScripts: function () {
@@ -151,21 +219,24 @@ BrowserPolicy = {
 
   // Functions for setting defaults
   allowAllContentSameOrigin: function () {
-    ensureDirective("default-src");
-    cspSrcs["default-src"].push(selfKeyword);
+    BrowserPolicy.allowAllContentOrigin(selfKeyword);
   },
   allowAllContentDataUrl: function () {
-    ensureDirective("default-src");
-    cspSrcs["default-src"].push("data:");
+    BrowserPolicy.allowAllContentOrigin("data:");
   },
   allowAllContentOrigin: function (origin) {
     ensureDirective("default-src");
-    cspSrcs["default-src"].push(origin);
+    _.each(_.keys(cspSrcs), function (directive) {
+      cspSrcs[directive].push(origin);
+    });
   },
   disallowAllContent: function () {
-    cspSrcs["default-src"] = [noneKeyword];
+    throwIfNotEnabled();
+    cspSrcs = {
+      "default-src": []
+    };
   }
-};
+});
 
 // allow<Resource>Origin, allow<Resource>Data, allow<Resource>self, and
 // disallow<Resource> methods for each type of resource.
@@ -189,13 +260,16 @@ _.each(["script", "object", "img", "media",
            ensureDirective(directive);
            cspSrcs[directive].push(src);
          };
-         if (resource !== "script") {
-           BrowserPolicy[disallowMethodName] = function () {
-             cspSrcs[directive] = [noneKeyword];
-           };
-         }
+         BrowserPolicy[disallowMethodName] = function () {
+           throwIfNotEnabled();
+           cspSrcs[directive] = [];
+         };
          BrowserPolicy[allowDataMethodName] = function () {
            ensureDirective(directive);
            cspSrcs[directive].push("data:");
          };
+         BrowserPolicy[allowSelfMethodName] = function () {
+           ensureDirective(directive);
+           cspSrcs[directive].push(selfKeyword);
+         };
        });
diff --git a/packages/browser-policy/package.js b/packages/browser-policy/package.js
index c90f070623..ca3d0eff2f 100644
--- a/packages/browser-policy/package.js
+++ b/packages/browser-policy/package.js
@@ -7,3 +7,8 @@ Package.on_use(function (api) {
   api.add_files("browser-policy.js", "server");
   api.export("BrowserPolicy", "server");
 });
+
+Package.on_test(function (api) {
+  api.use(["tinytest", "browser-policy", "ejson"]);
+  api.add_files("browser-policy-test.js", "server");
+});
diff --git a/packages/starter-browser-policy/.gitignore b/packages/starter-browser-policy/.gitignore
deleted file mode 100644
index 677a6fc263..0000000000
--- a/packages/starter-browser-policy/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-.build*
diff --git a/packages/starter-browser-policy/package.js b/packages/starter-browser-policy/package.js
deleted file mode 100644
index 6a7bc6d95f..0000000000
--- a/packages/starter-browser-policy/package.js
+++ /dev/null
@@ -1,8 +0,0 @@
-Package.describe({
-  summary: "Basic browser security policies"
-});
-
-Package.on_use(function (api) {
-  api.use("browser-policy", "server");
-  api.add_files("starter-browser-policy.js", "server");
-});
diff --git a/packages/starter-browser-policy/starter-browser-policy.js b/packages/starter-browser-policy/starter-browser-policy.js
deleted file mode 100644
index 4d7650878d..0000000000
--- a/packages/starter-browser-policy/starter-browser-policy.js
+++ /dev/null
@@ -1,13 +0,0 @@
-BrowserPolicy.allowFramingBySameOrigin();
-
-// By default, unsafe inline scripts and styles are allowed, since we expect
-// many apps will use them for analytics, etc. Unsafe eval is disallowed, and
-// the only allowable content source is the same origin or data, except for
-// connect which allows anything (since meteor.com apps make websocket
-// connections to a lot of different origins).
-
-BrowserPolicy.setContentSecurityPolicy("default-src 'self'; " +
-                                       "script-src 'self' 'unsafe-inline'; " +
-                                       "connect-src *; " +
-                                       "img-src data: 'self'; " +
-                                       "style-src 'self' 'unsafe-inline';");

From 9d1e3dbd562541164fc1f2d6b3e6fbe32b968223 Mon Sep 17 00:00:00 2001
From: Emily Stark <emily@meteor.com>
Date: Fri, 13 Sep 2013 11:19:44 -0700
Subject: [PATCH 4/4] Enable CSP differently for tests.

Avoids sending header and using meteor_runtime_config.js on tests. Also tweak
wording on browser-policy docs.
---
 docs/client/packages/browser-policy.html      | 10 ++++--
 .../browser-policy/browser-policy-test.js     | 14 ++++-----
 packages/browser-policy/browser-policy.js     | 31 ++++++++++++-------
 packages/webapp/package.js                    |  8 +++--
 4 files changed, 39 insertions(+), 24 deletions(-)

diff --git a/docs/client/packages/browser-policy.html b/docs/client/packages/browser-policy.html
index 5b8e31354e..f7676e7445 100644
--- a/docs/client/packages/browser-policy.html
+++ b/docs/client/packages/browser-policy.html
@@ -35,6 +35,10 @@ src` attribute.
 * If your app does not need to be framed by other websites, call
 `BrowserPolicy.allowFramingBySameOrigin()` to help prevent clickjacking attacks.
 
+Meteor determines the browser policy when the server starts up, so you should
+call `BrowserPolicy` functions in top-level application code or in
+`Meteor.startup`.
+
 #### Frame options
 
 You can use the following functions to specify which websites are allowed to
@@ -70,10 +74,10 @@ You can use the functions in this section to control how different types of
 content can be loaded on your site. In order to use any of these functions, you
 must first call `BrowserPolicy.enableContentSecurityPolicy()`, which enables the
 starter policy described above. This section covers additional functions that
-you can use to tighten or relax what content your app can use.
+you can use to tighten or relax restrictions on what content your app can use.
 
-You can use the following functions to tighten or relax restrictions on where
-Javascript and CSS can be run:
+You can use the following functions to adjust policies on where Javascript and
+CSS can be run:
 
 <dl class="callbacks">
 {{#dtdd "BrowserPolicy.allowInlineScripts()"}}
diff --git a/packages/browser-policy/browser-policy-test.js b/packages/browser-policy/browser-policy-test.js
index 875a6323eb..cf9ddd9e59 100644
--- a/packages/browser-policy/browser-policy-test.js
+++ b/packages/browser-policy/browser-policy-test.js
@@ -18,11 +18,11 @@ var cspsEqual = function (csp1, csp2) {
 Tinytest.add("browser-policy - csp", function (test) {
   var defaultCsp = "default-src 'self'; script-src 'self' 'unsafe-inline'; " +
         "connect-src * 'self'; img-src data: 'self'; style-src 'self' 'unsafe-inline';"
-  BrowserPolicy.enableContentSecurityPolicy();
+  BrowserPolicy.enableContentSecurityPolicy(true /* enable for tests */);
 
   // Default policy
   test.isTrue(cspsEqual(BrowserPolicy._constructCsp(), defaultCsp));
-  test.isTrue(BrowserPolicy.inlineScriptsAllowed());
+  test.isTrue(BrowserPolicy.inlineScriptsAllowed(true /* tests-only flag */));
 
   // Redundant whitelisting (inline scripts already allowed in default policy)
   BrowserPolicy.allowInlineScripts();
@@ -33,7 +33,7 @@ Tinytest.add("browser-policy - csp", function (test) {
   test.isTrue(cspsEqual(BrowserPolicy._constructCsp(),
                         "default-src 'self'; script-src 'self'; " +
                         "connect-src * 'self'; img-src data: 'self'; style-src 'self' 'unsafe-inline';"));
-  test.isFalse(BrowserPolicy.inlineScriptsAllowed());
+  test.isFalse(BrowserPolicy.inlineScriptsAllowed(true));
 
   // Allow eval
   BrowserPolicy.allowEval();
@@ -54,26 +54,26 @@ Tinytest.add("browser-policy - csp", function (test) {
   // Disallow everything
   BrowserPolicy.disallowAllContent();
   test.isTrue(cspsEqual(BrowserPolicy._constructCsp(), "default-src 'none';"));
-  test.isFalse(BrowserPolicy.inlineScriptsAllowed());
+  test.isFalse(BrowserPolicy.inlineScriptsAllowed(true));
 
   // Put inline scripts back in
   BrowserPolicy.allowInlineScripts();
   test.isTrue(cspsEqual(BrowserPolicy._constructCsp(),
                         "default-src 'none'; script-src 'unsafe-inline';"));
-  test.isTrue(BrowserPolicy.inlineScriptsAllowed());
+  test.isTrue(BrowserPolicy.inlineScriptsAllowed(true));
 
   // Add 'self' to all content types
   BrowserPolicy.allowAllContentSameOrigin();
   test.isTrue(cspsEqual(BrowserPolicy._constructCsp(),
                         "default-src 'self'; script-src 'self' 'unsafe-inline';"));
-  test.isTrue(BrowserPolicy.inlineScriptsAllowed());
+  test.isTrue(BrowserPolicy.inlineScriptsAllowed(true));
 
   // Disallow all content except same-origin scripts
   BrowserPolicy.disallowAllContent();
   BrowserPolicy.allowScriptSameOrigin();
   test.isTrue(cspsEqual(BrowserPolicy._constructCsp(),
                         "default-src 'none'; script-src 'self';"));
-  test.isFalse(BrowserPolicy.inlineScriptsAllowed());
+  test.isFalse(BrowserPolicy.inlineScriptsAllowed(true));
 
   // Starting with all content same origin, disallowScript() and then allow
   // inline scripts. Result should be that that only inline scripts can execute,
diff --git a/packages/browser-policy/browser-policy.js b/packages/browser-policy/browser-policy.js
index 40588dc536..a605d7f13e 100644
--- a/packages/browser-policy/browser-policy.js
+++ b/packages/browser-policy/browser-policy.js
@@ -46,7 +46,6 @@
 
 var xFrameOptions;
 var cspSrcs;
-//var cspUnsafeAllowed;
 
 // CSP keywords have to be single-quoted.
 var unsafeInline = "'unsafe-inline'";
@@ -55,6 +54,7 @@ var selfKeyword = "'self'";
 var noneKeyword = "'none'";
 
 var cspEnabled = false;
+var cspEnabledForTests = false;
 
 BrowserPolicy = {};
 
@@ -65,9 +65,6 @@ var constructXFrameOptions = BrowserPolicy._constructXFrameOptions =
       };
 
 var constructCsp = BrowserPolicy._constructCsp = function () {
-  if (! cspEnabled)
-    return null;
-
   cspSrcs = cspSrcs || {};
 
   var header = _.map(cspSrcs, function (srcs, directive) {
@@ -118,7 +115,7 @@ var ensureDirective = function (directive) {
 };
 
 var throwIfNotEnabled = function () {
-  if (! cspEnabled)
+  if (! cspEnabled && ! cspEnabledForTests)
     throw new Error("Enable this function by calling "+
                     "BrowserPolicy.enableContentSecurityPolicy().");
 };
@@ -158,13 +155,18 @@ BrowserPolicy = _.extend(BrowserPolicy, {
     xFrameOptions = null;
   },
 
-  enableContentSecurityPolicy: function () {
+  // _enableForTests means that you can call CSP functions, but the header won't
+  // actually be sent.
+  enableContentSecurityPolicy: function (_enableForTests) {
     // By default, unsafe inline scripts and styles are allowed, since we expect
     // many apps will use them for analytics, etc. Unsafe eval is disallowed, and
     // the only allowable content source is the same origin or data, except for
     // connect which allows anything (since meteor.com apps make websocket
     // connections to a lot of different origins).
-    cspEnabled = true;
+    if (! _enableForTests)
+      cspEnabled = true;
+    else
+      cspEnabledForTests = true;
     cspSrcs = {};
     BrowserPolicy.setContentSecurityPolicy("default-src 'self'; " +
                                            "script-src 'self' 'unsafe-inline'; " +
@@ -180,16 +182,23 @@ BrowserPolicy = _.extend(BrowserPolicy, {
 
   // Helpers for creating content security policies
 
-  _keywordAllowed: function (directive, keyword) {
-    return ! cspEnabled ||
+  _keywordAllowed: function (directive, keyword, _calledFromTests) {
+    // All keywords are allowed if csp is not enabled and we're not in a test
+    // run. If csp is enabled or we're in a test run, then look in cspSrcs to
+    // see if it's allowed.
+    return (! cspEnabled && ! _calledFromTests) ||
       (cspSrcs[directive] &&
        _.indexOf(cspSrcs[directive], keyword) !== -1);
   },
 
   // Used by webapp to determine whether we need an extra round trip for
   // __meteor_runtime_config__.
-  inlineScriptsAllowed: function () {
-    return BrowserPolicy._keywordAllowed("script-src", unsafeInline);
+  // _calledFromTests is used to indicate that we should ignore cspEnabled and
+  // instead look directly in cspSrcs to determine if the keyword is allowed.
+  // XXX maybe this test interface could be cleaned up
+  inlineScriptsAllowed: function (_calledFromTests) {
+    return BrowserPolicy._keywordAllowed("script-src",
+                                         unsafeInline, _calledFromTests);
   },
 
   allowInlineScripts: function () {
diff --git a/packages/webapp/package.js b/packages/webapp/package.js
index c451f2086a..ea662b2be8 100644
--- a/packages/webapp/package.js
+++ b/packages/webapp/package.js
@@ -12,9 +12,11 @@ Package.on_use(function (api) {
   api.use(['application-configuration'], {
     unordered: true
   });
-  api.use(['browser-policy'], {
-    unordered: true
-  });
+  // At response serving time, webapp uses browser-policy if it is loaded. If
+  // browser-policy is loaded, then it must be loaded after webapp
+  // (browser-policy depends on webapp). So we don't explicitly depend in any
+  // way on browser-policy here, but we use it when it is loaded, and it can be
+  // loaded after webapp.
   api.export(['WebApp', 'main', 'WebAppInternals'], 'server');
   api.add_files('webapp_server.js', 'server');
 });