better_content_security_policy 0.1.2 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bf8f11b55c77a23844ebd19428e56b42fa1ef3a4636137e7e61ab4bb6cfc5c24
-  data.tar.gz: dea5ebf55a0ec4985aacc0743dfda54fb81c5545cb4e7ae97df97d9d180d9feb
+  metadata.gz: 42a95999c8944222bf7dcc5d97ee24f7cbb1a665095086adbe873bc9b4699f14
+  data.tar.gz: 69bc62d14e29971d1f2a64f99bb5c295520a2669c3ed3b0688a345504376d3c1
 SHA512:
-  metadata.gz: ffcb4a396dbe92cc3ab86d1ee3a5903c9032cc2a54abdff127ac1590495519edaebc2f70938cb574b7149617cc473f52cc8693e6b3fbb0136856ac9c0fd7fd40
-  data.tar.gz: 1fe7607741267495f00c7f2077336241abe91ff5eedb740f409ffc8637ea9c324b85270de5e68a2eacaddb675c8e6de13cd4a3c638d64d6fb29c5fd6d1bc7ecf
+  metadata.gz: 89588b03485c2851f6e193b743e15c2b2a0c5971f47b765fd85ae2cb34442d9e4695e48b1f4b4371b58f58aea2e943f81103f75aab51199f35fdadf61082d692
+  data.tar.gz: a4ca3bdeed413a75d642f1d6acd59c9b93b06cf247c8e4ab6b54a4a07d528e38fc6054fd4af6bb88ad03d42c9c9caaf517943e226d8328dc60b546518f45add4

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    better_content_security_policy (0.1.2)
+    better_content_security_policy (0.1.3)
       rails (>= 5.0.0)
 
 GEM
@@ -84,11 +84,11 @@ GEM
     marcel (1.0.2)
     method_source (1.0.0)
     mini_mime (1.1.2)
+    mini_portile2 (2.6.1)
     minitest (5.15.0)
     nio4r (2.5.8)
-    nokogiri (1.12.5-x86_64-darwin)
-      racc (~> 1.4)
-    nokogiri (1.12.5-x86_64-linux)
+    nokogiri (1.12.5)
+      mini_portile2 (~> 2.6.1)
       racc (~> 1.4)
     parallel (1.22.1)
     parser (3.1.2.1)
@@ -173,6 +173,7 @@ GEM
     zeitwerk (2.6.1)
 
 PLATFORMS
+  arm64-darwin-22
   x86_64-darwin-21
   x86_64-linux
 

data/README.md

@@ -25,11 +25,13 @@ If bundler is not being used to manage dependencies, install the gem by executin
 
 ## Usage
 
-Include the `BetterContentSecurityPolicy::HasContentSecurityPolicy` concern in your `ApplicationController`:
+Include the `BetterContentSecurityPolicy::HasContentSecurityPolicy` concern in your `ApplicationController`,
+and the line `after_action :set_content_security_policy_header`.
 
 ```ruby
 class ApplicationController < ActionController::Base
   include BetterContentSecurityPolicy::HasContentSecurityPolicy
+  after_action :set_content_security_policy_header, if: -> { request.format.html? }
 ```
 
 Define a `#configure_content_security_policy` method in `ApplicationController` to configure the default `Content-Security-Policy` rules:

data/lib/better_content_security_policy/content_security_policy.rb

@@ -12,15 +12,21 @@ module BetterContentSecurityPolicy
       default-src
       font-src
       form-action
+      frame-ancestors
       frame-src
       img-src
       manifest-src
       media-src
-      navigate-to
       object-src
       prefetch-src
+      require-trusted-types-for
       script-src
+      script-src-attr
+      script-src-elem
       style-src
+      style-src-attr
+      style-src-elem
+      trusted-types
       worker-src
     ].freeze
 
@@ -31,6 +37,8 @@ module BetterContentSecurityPolicy
       http
       https
       mediastream
+      ws
+      wss
     ].freeze
 
     QUOTED_SOURCES = %w[
@@ -39,7 +47,10 @@ module BetterContentSecurityPolicy
       unsafe-eval
       unsafe-hashes
       unsafe-inline
-      wasm-unsafe-eval
+      allow-duplicates
+      report-sample
+      script
+      strict-dynamic
     ].freeze
 
     attr_accessor :directives, :report_uri, :report_only
@@ -65,8 +76,8 @@ module BetterContentSecurityPolicy
       @directives[directive]
     end
 
-    def respond_to_missing?(directive)
-      valid_directive?(directive)
+    def respond_to_missing?(directive, include_all = false)
+      valid_directive?(directive) || super
     end
 
     # Converts sources from our Ruby DSL (camelcase) into proper Content-Security-Policy sources.

data/lib/better_content_security_policy/has_content_security_policy.rb

@@ -6,6 +6,7 @@ module BetterContentSecurityPolicy
   # Include this module in your ApplicationController to configure a dynamic Content Security Policy.
   # The header will be set in an after_action after the response has been rendered.
   # This means that you can also modify the policy in your views.
+  # You must call 'after_action :set_content_security_policy_header' in your own controller.
   module HasContentSecurityPolicy
     extend ActiveSupport::Concern
 
@@ -14,7 +15,6 @@ module BetterContentSecurityPolicy
 
       helper_method :content_security_policy
       before_action :configure_content_security_policy
-      after_action :set_content_security_policy_header
     end
 
     def content_security_policy

data/lib/better_content_security_policy/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module BetterContentSecurityPolicy
-  VERSION = "0.1.2"
+  VERSION = "0.1.4"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: better_content_security_policy
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.1.4
 platform: ruby
 authors:
 - Nathan Broadbent
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-10-11 00:00:00.000000000 Z
+date: 2023-11-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -43,7 +43,6 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
-- better_content_security_policy.gemspec
 - lib/better_content_security_policy.rb
 - lib/better_content_security_policy/content_security_policy.rb
 - lib/better_content_security_policy/has_content_security_policy.rb
@@ -73,7 +72,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.22
+rubygems_version: 3.4.19
 signing_key:
 specification_version: 4
 summary: Configure a dynamic Content-Security-Policy header that you can customize

data/better_content_security_policy.gemspec

@@ -1,41 +0,0 @@
-# frozen_string_literal: true
-
-require_relative "lib/better_content_security_policy/version"
-
-Gem::Specification.new do |spec|
-  spec.name = "better_content_security_policy"
-  spec.version = BetterContentSecurityPolicy::VERSION
-  spec.authors = ["Nathan Broadbent"]
-  spec.email = ["nathan@docspring.com"]
-
-  spec.summary = "Configure a dynamic Content-Security-Policy header that you can customize in your controllers."
-  spec.description = "This gem makes it easy to configure a dynamic Content-Security-Policy header " \
-                     "for your Rails application. You can easily customize the rules in your controllers, " \
-                     "and you can also update the rules in your views."
-  spec.homepage = "https://github.com/DocSpring/better_content_security_policy"
-  spec.license = "MIT"
-  spec.required_ruby_version = ">= 2.5.0"
-
-  # spec.metadata["allowed_push_host"] = "TODO: Set to your gem server 'https://example.com'"
-
-  spec.metadata["homepage_uri"] = spec.homepage
-  spec.metadata["source_code_uri"] = "https://github.com/DocSpring/better_content_security_policy"
-  spec.metadata["changelog_uri"] = "https://github.com/DocSpring/better_content_security_policy/blob/master/CHANGELOG.md"
-
-  # Specify which files should be added to the gem when it is released.
-  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
-  spec.files = Dir.chdir(__dir__) do
-    `git ls-files -z`.split("\x0").reject do |f|
-      (f == __FILE__) || f.match(%r{\A(?:(?:bin|test|spec|features)/|\.(?:git|travis|circleci)|appveyor)})
-    end
-  end
-  spec.bindir = "exe"
-  spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
-  spec.require_paths = ["lib"]
-
-  # For more information and examples about making a new gem, check out our
-  # guide at: https://bundler.io/guides/creating_gem.html
-  spec.metadata["rubygems_mfa_required"] = "true"
-
-  spec.add_dependency "rails", ">= 5.0.0"
-end