A toolkit for Rack applications that checks that ALL content on a page is loaded over HTTPS, using a Content Security Policy to catch anything that isn't. The browser padlock is pretty important for commercial web applications. Modern sites rely on so many third-party services: analytics, video players, social media widgets. With all these moving parts it's easy to end up with a broken padlock. Rack-Padlock will increase the visibility of padlock problems to your development team, and it's dead easy to use.
All you need is a Rack-based application (Rails, Sinatra, Camping, etc.).
Add the rack-padlock gem to the test group of your Gemfile
group :test do
gem 'rack-padlock'
end
Add the rack-padlock rake tasks to your Rakefile
require 'rack/padlock'
load 'tasks/rack-padlock.rake'
Specify which URLs you want to test somewhere in your Rakefile
Rack::Padlock.padlock_uris = ["/secure", "/insecure"]
Rails already defines an environment task. If your application isn't a Rails app, you need to add an environment rake task to your Rakefile that loads your app and tells Rack-Padlock about it, like this
desc "setup application environment"
task :environment do
require 'your rack application'
Rack::Padlock.application = YourRackApplication
Rack::Padlock.padlock_uris = ["/secure", "/insecure"]
end
Once you've set things up, simply run
rake padlock
This runs the padlock tests. If any of the pages you listed mixes secure and insecure content, the padlock test will fail.
Have a look at a simple Sinatra application that demonstrates rack-padlock at https://github.com/joshuacronemeyer/rack-padlock-example-app
Rack-Padlock starts your Rack app under an SSL-enabled WEBrick server. It puts a custom middleware in front of your application that sets a Content Security Policy; that policy makes the browser report any resource fetched over plain HTTP. The same middleware intercepts those violation reports and logs them. At the end of the run the rack-padlock test succeeds or fails based on whether any policy violations were reported. Because the reports come from the browser, the check depends on a CSP-aware browser actually loading each page.
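To make the mechanism concrete, here is a minimal Rack-compatible middleware written for this README as an added example. It is not the rack-padlock gem's own code; the header value, the report path /__padlock/report, the sample app and the sample violation report are all assumptions constructed for the example. It sets a report-only CSP that allows only https: sources and records every violation report the browser posts back, so a test can fail on any mixed content:

```ruby
require 'json'
require 'stringio'

# Added example, not the rack-padlock gem's code. A Rack middleware that:
#   1. adds a report-only CSP header so the browser reports any resource
#      fetched over plain http:, and
#   2. intercepts the browser's JSON violation reports posted to REPORT_PATH
#      and records them, so a test can fail if any were received.
# The policy string and REPORT_PATH are assumptions for this example.
class PadlockMiddleware
  REPORT_PATH = '/__padlock/report'.freeze
  # Report-only keeps pages rendering normally while still producing reports.
  # 'unsafe-inline'/'unsafe-eval' are allowed so ordinary inline scripts do
  # not produce reports unrelated to mixed content.
  POLICY = "default-src https: 'unsafe-inline' 'unsafe-eval'; " \
           "report-uri #{REPORT_PATH}".freeze

  attr_reader :violations

  def initialize(app)
    @app = app
    @violations = []
  end

  def call(env)
    if env['REQUEST_METHOD'] == 'POST' && env['PATH_INFO'] == REPORT_PATH
      return record_report(env)
    end

    status, headers, body = @app.call(env)
    headers = headers.dup
    headers['Content-Security-Policy-Report-Only'] = POLICY
    [status, headers, body]
  end

  # Browsers post violation reports as JSON of the form {"csp-report": {...}}.
  def record_report(env)
    report = JSON.parse(env['rack.input'].read).fetch('csp-report', {})
    @violations << {
      'document-uri' => report['document-uri'],
      'blocked-uri' => report['blocked-uri'],
      'violated-directive' => report['violated-directive']
    }
    [204, { 'Content-Type' => 'text/plain' }, []]
  rescue JSON::ParserError
    [400, { 'Content-Type' => 'text/plain' }, ['bad report']]
  end

  # What a padlock rake task would assert at the end of the run.
  def padlock_intact?
    @violations.empty?
  end
end

# Minimal Rack env hash, so the example runs without the rack gem installed.
def build_env(method, path, body = '')
  {
    'REQUEST_METHOD' => method,
    'PATH_INFO' => path,
    'rack.input' => StringIO.new(body)
  }
end

# Constructed sample app serving a page with one http: image (mixed content).
SAMPLE_APP = lambda do |_env|
  [200, { 'Content-Type' => 'text/html' },
   ['<html><img src="http://cdn.example.com/logo.png"></html>']]
end

# Constructed violation report, shaped like what a browser would POST.
SAMPLE_REPORT = JSON.generate(
  'csp-report' => {
    'document-uri' => 'https://localhost:9292/insecure',
    'blocked-uri' => 'http://cdn.example.com/logo.png',
    'violated-directive' => 'default-src https:'
  }
)

def demo
  padlock = PadlockMiddleware.new(SAMPLE_APP)
  _status, headers, _body = padlock.call(build_env('GET', '/insecure'))
  # A browser loading that page would then POST a report back:
  padlock.call(build_env('POST', PadlockMiddleware::REPORT_PATH, SAMPLE_REPORT))
  { header: headers['Content-Security-Policy-Report-Only'],
    intact: padlock.padlock_intact?,
    violations: padlock.violations }
end

if __FILE__ == $PROGRAM_NAME
  result = demo
  puts(result[:intact] ? 'padlock intact' : "padlock broken: #{result[:violations].inspect}")
end
```

Run it with plain ruby; a rake task built on this would drive a browser through each entry in padlock_uris and then assert padlock_intact?. The report-only header is used deliberately: an enforcing policy would block the insecure resource before it loads, which hides the very thing you want to see in the logs.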
I have noticed that CSP doesn't check resources requested by Flash. But Google Chrome will break the padlock when Flash requests non-secure resources.