better_content_security_policy 0.1.2 → 0.1.4
- checksums.yaml +4 -4
- data/Gemfile.lock +5 -4
- data/README.md +3 -1
- data/lib/better_content_security_policy/content_security_policy.rb +15 -4
- data/lib/better_content_security_policy/has_content_security_policy.rb +1 -1
- data/lib/better_content_security_policy/version.rb +1 -1
- metadata +3 -4
- data/better_content_security_policy.gemspec +0 -41
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 42a95999c8944222bf7dcc5d97ee24f7cbb1a665095086adbe873bc9b4699f14
|
4
|
+
data.tar.gz: 69bc62d14e29971d1f2a64f99bb5c295520a2669c3ed3b0688a345504376d3c1
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 89588b03485c2851f6e193b743e15c2b2a0c5971f47b765fd85ae2cb34442d9e4695e48b1f4b4371b58f58aea2e943f81103f75aab51199f35fdadf61082d692
|
7
|
+
data.tar.gz: a4ca3bdeed413a75d642f1d6acd59c9b93b06cf247c8e4ab6b54a4a07d528e38fc6054fd4af6bb88ad03d42c9c9caaf517943e226d8328dc60b546518f45add4
|
data/Gemfile.lock
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
PATH
|
2
2
|
remote: .
|
3
3
|
specs:
|
4
|
-
better_content_security_policy (0.1.
|
4
|
+
better_content_security_policy (0.1.3)
|
5
5
|
rails (>= 5.0.0)
|
6
6
|
|
7
7
|
GEM
|
@@ -84,11 +84,11 @@ GEM
|
|
84
84
|
marcel (1.0.2)
|
85
85
|
method_source (1.0.0)
|
86
86
|
mini_mime (1.1.2)
|
87
|
+
mini_portile2 (2.6.1)
|
87
88
|
minitest (5.15.0)
|
88
89
|
nio4r (2.5.8)
|
89
|
-
nokogiri (1.12.5
|
90
|
-
|
91
|
-
nokogiri (1.12.5-x86_64-linux)
|
90
|
+
nokogiri (1.12.5)
|
91
|
+
mini_portile2 (~> 2.6.1)
|
92
92
|
racc (~> 1.4)
|
93
93
|
parallel (1.22.1)
|
94
94
|
parser (3.1.2.1)
|
@@ -173,6 +173,7 @@ GEM
|
|
173
173
|
zeitwerk (2.6.1)
|
174
174
|
|
175
175
|
PLATFORMS
|
176
|
+
arm64-darwin-22
|
176
177
|
x86_64-darwin-21
|
177
178
|
x86_64-linux
|
178
179
|
|
data/README.md
CHANGED
@@ -25,11 +25,13 @@ If bundler is not being used to manage dependencies, install the gem by executin
|
|
25
25
|
|
26
26
|
## Usage
|
27
27
|
|
28
|
-
Include the `BetterContentSecurityPolicy::HasContentSecurityPolicy` concern in your `ApplicationController
|
28
|
+
Include the `BetterContentSecurityPolicy::HasContentSecurityPolicy` concern in your `ApplicationController`,
|
29
|
+
and the line `after_action :set_content_security_policy_header`.
|
29
30
|
|
30
31
|
```ruby
|
31
32
|
class ApplicationController < ActionController::Base
|
32
33
|
include BetterContentSecurityPolicy::HasContentSecurityPolicy
|
34
|
+
after_action :set_content_security_policy_header, if: -> { request.format.html? }
|
33
35
|
```
|
34
36
|
|
35
37
|
Define a `#configure_content_security_policy` method in `ApplicationController` to configure the default `Content-Security-Policy` rules:
|
@@ -12,15 +12,21 @@ module BetterContentSecurityPolicy
|
|
12
12
|
default-src
|
13
13
|
font-src
|
14
14
|
form-action
|
15
|
+
frame-ancestors
|
15
16
|
frame-src
|
16
17
|
img-src
|
17
18
|
manifest-src
|
18
19
|
media-src
|
19
|
-
navigate-to
|
20
20
|
object-src
|
21
21
|
prefetch-src
|
22
|
+
require-trusted-types-for
|
22
23
|
script-src
|
24
|
+
script-src-attr
|
25
|
+
script-src-elem
|
23
26
|
style-src
|
27
|
+
style-src-attr
|
28
|
+
style-src-elem
|
29
|
+
trusted-types
|
24
30
|
worker-src
|
25
31
|
].freeze
|
26
32
|
|
@@ -31,6 +37,8 @@ module BetterContentSecurityPolicy
|
|
31
37
|
http
|
32
38
|
https
|
33
39
|
mediastream
|
40
|
+
ws
|
41
|
+
wss
|
34
42
|
].freeze
|
35
43
|
|
36
44
|
QUOTED_SOURCES = %w[
|
@@ -39,7 +47,10 @@ module BetterContentSecurityPolicy
|
|
39
47
|
unsafe-eval
|
40
48
|
unsafe-hashes
|
41
49
|
unsafe-inline
|
42
|
-
|
50
|
+
allow-duplicates
|
51
|
+
report-sample
|
52
|
+
script
|
53
|
+
strict-dynamic
|
43
54
|
].freeze
|
44
55
|
|
45
56
|
attr_accessor :directives, :report_uri, :report_only
|
@@ -65,8 +76,8 @@ module BetterContentSecurityPolicy
|
|
65
76
|
@directives[directive]
|
66
77
|
end
|
67
78
|
|
68
|
-
def respond_to_missing?(directive)
|
69
|
-
valid_directive?(directive)
|
79
|
+
def respond_to_missing?(directive, include_all = false)
|
80
|
+
valid_directive?(directive) || super
|
70
81
|
end
|
71
82
|
|
72
83
|
# Converts sources from our Ruby DSL (camelcase) into proper Content-Security-Policy sources.
|
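Review bot: `frame-ancestors` (new line 15) is the one entry in this list whose delivery channel matters: CSP Level 2 specifies that it is ignored when the policy arrives via a `<meta>` element and, in that spec version, also when monitoring, i.e. under `Content-Security-Policy-Report-Only`, which the `report_only` accessor on line 56 suggests this class can emit (newer specs and browsers have relaxed the report-only part, as far as I know). A comment next to the entry would stop a reader from assuming a report-only rollout exercises the clickjacking protection, e.g. `# frame-ancestors: ignored via <meta> and, in CSP2, in report-only mode; verify with the enforcing header`. The new `trusted-types` and `require-trusted-types-for` entries take policy names and the quoted `'script'` keyword rather than host or scheme sources, so the camelcase-to-source conversion described on line 83 presumably has to pass their values through unchanged; a short note saying where that is handled would help. The DIRECTIVES constant opens outside this hunk.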
@@ -6,6 +6,7 @@ module BetterContentSecurityPolicy
|
|
6
6
|
# Include this module in your ApplicationController to configure a dynamic Content Security Policy.
|
7
7
|
# The header will be set in an after_action after the response has been rendered.
|
8
8
|
# This means that you can also modify the policy in your views.
|
9
|
+
# You must call 'after_action :set_content_security_policy_header' in your own controller.
|
9
10
|
module HasContentSecurityPolicy
|
10
11
|
extend ActiveSupport::Concern
|
11
12
|
|
@@ -14,7 +15,6 @@ module BetterContentSecurityPolicy
|
|
14
15
|
|
15
16
|
helper_method :content_security_policy
|
16
17
|
before_action :configure_content_security_policy
|
17
|
-
after_action :set_content_security_policy_header
|
18
18
|
end
|
19
19
|
|
20
20
|
def content_security_policy
|
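Review bot: Dropping `after_action :set_content_security_policy_header` from the `included` block (old line 17) makes the concern fail open: a controller that includes it but omits the new `after_action` call still runs `configure_content_security_policy` on line 17 yet sends no CSP header, and nothing flags the omission. The new comment on line 9 states the requirement but not the reason; the README change in this release (`if: -> { request.format.html? }`) suggests the motivation is letting callers scope the header to HTML responses, which is worth saying so a future maintainer does not "fix" it by re-adding the callback, e.g. `# The after_action is deliberately not registered here so callers can scope it (e.g. to HTML responses); without it no CSP header is sent.` The `included do` block opens outside this hunk.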
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: better_content_security_policy
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.1.
|
4
|
+
version: 0.1.4
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Nathan Broadbent
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2023-11-22 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rails
|
@@ -43,7 +43,6 @@ files:
|
|
43
43
|
- LICENSE.txt
|
44
44
|
- README.md
|
45
45
|
- Rakefile
|
46
|
-
- better_content_security_policy.gemspec
|
47
46
|
- lib/better_content_security_policy.rb
|
48
47
|
- lib/better_content_security_policy/content_security_policy.rb
|
49
48
|
- lib/better_content_security_policy/has_content_security_policy.rb
|
@@ -73,7 +72,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
73
72
|
- !ruby/object:Gem::Version
|
74
73
|
version: '0'
|
75
74
|
requirements: []
|
76
|
-
rubygems_version: 3.
|
75
|
+
rubygems_version: 3.4.19
|
77
76
|
signing_key:
|
78
77
|
specification_version: 4
|
79
78
|
summary: Configure a dynamic Content-Security-Policy header that you can customize
|
@@ -1,41 +0,0 @@
|
|
1
|
-
# frozen_string_literal: true
|
2
|
-
|
3
|
-
require_relative "lib/better_content_security_policy/version"
|
4
|
-
|
5
|
-
Gem::Specification.new do |spec|
|
6
|
-
spec.name = "better_content_security_policy"
|
7
|
-
spec.version = BetterContentSecurityPolicy::VERSION
|
8
|
-
spec.authors = ["Nathan Broadbent"]
|
9
|
-
spec.email = ["nathan@docspring.com"]
|
10
|
-
|
11
|
-
spec.summary = "Configure a dynamic Content-Security-Policy header that you can customize in your controllers."
|
12
|
-
spec.description = "This gem makes it easy to configure a dynamic Content-Security-Policy header " \
|
13
|
-
"for your Rails application. You can easily customize the rules in your controllers, " \
|
14
|
-
"and you can also update the rules in your views."
|
15
|
-
spec.homepage = "https://github.com/DocSpring/better_content_security_policy"
|
16
|
-
spec.license = "MIT"
|
17
|
-
spec.required_ruby_version = ">= 2.5.0"
|
18
|
-
|
19
|
-
# spec.metadata["allowed_push_host"] = "TODO: Set to your gem server 'https://example.com'"
|
20
|
-
|
21
|
-
spec.metadata["homepage_uri"] = spec.homepage
|
22
|
-
spec.metadata["source_code_uri"] = "https://github.com/DocSpring/better_content_security_policy"
|
23
|
-
spec.metadata["changelog_uri"] = "https://github.com/DocSpring/better_content_security_policy/blob/master/CHANGELOG.md"
|
24
|
-
|
25
|
-
# Specify which files should be added to the gem when it is released.
|
26
|
-
# The `git ls-files -z` loads the files in the RubyGem that have been added into git.
|
27
|
-
spec.files = Dir.chdir(__dir__) do
|
28
|
-
`git ls-files -z`.split("\x0").reject do |f|
|
29
|
-
(f == __FILE__) || f.match(%r{\A(?:(?:bin|test|spec|features)/|\.(?:git|travis|circleci)|appveyor)})
|
30
|
-
end
|
31
|
-
end
|
32
|
-
spec.bindir = "exe"
|
33
|
-
spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
|
34
|
-
spec.require_paths = ["lib"]
|
35
|
-
|
36
|
-
# For more information and examples about making a new gem, check out our
|
37
|
-
# guide at: https://bundler.io/guides/creating_gem.html
|
38
|
-
spec.metadata["rubygems_mfa_required"] = "true"
|
39
|
-
|
40
|
-
spec.add_dependency "rails", ">= 5.0.0"
|
41
|
-
end
|