coalescing_panda 4.6.1 → 4.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 8efea91014e88f07f7bd39860db6072161db84af
-  data.tar.gz: 88cad27a86b4a93c67fdb4ff7302214d0dde080c
+  metadata.gz: 943b18616d0a5e87a50358017ce3faf8e27fb7ff
+  data.tar.gz: 10539ffb27a3ae9709b58e9f08b3e1bd57e4f295
 SHA512:
-  metadata.gz: 5af45f9fb9b3b3fa3765dd3236ce47eacf5b1cba2e5b4e38d3b6a63dd8e35c3d30d98f117c4511ffd16b291943fbe598a69618a461eb04c3c7fbca6cd7cae1c7
-  data.tar.gz: 981e1e48035e68adb3680859f591f91e9ab759ff1c92198a370af467942e3a8f75d7ea57200e9f4cd42b9054aa9b14244e16438c054a080010b435a2af9f89e3
+  metadata.gz: 5a2df63567b03a1b07d05efa93676139f470b1cc625cdd2887ccd38df80f0f08f0b04eb0cf676ae7ad2cb7b515477f069c9bdb748810ebede82f6a14203227b6
+  data.tar.gz: 414e8d88d43b97ed4564d6ca67bc60e4c38b0638e01fc8f4a316a26b586009ce4f7136080a07319948f9835456c7642db675ee2c70e21f74fb96b909dcd1f990

data/lib/coalescing_panda/engine.rb

@@ -1,3 +1,5 @@
+require 'secure_headers'
+
 module CoalescingPanda
   class Engine < ::Rails::Engine
     config.autoload_once_paths += Dir["#{config.root}/lib/**/"]
@@ -35,5 +37,50 @@ module CoalescingPanda
       end
     end
 
+    initializer :secure_headers do |app|
+      connect_src = %w('self')
+      script_src = %w('self')
+
+      if Rails.env.development?
+        # Allow webpack-dev-server to work
+        connect_src << "http://localhost:3035"
+        connect_src << "ws://localhost:3035"
+
+        # Allow stuff like rack-mini-profiler to work in development:
+        # https://github.com/MiniProfiler/rack-mini-profiler/issues/327
+        # DON'T ENABLE THIS FOR PRODUCTION!
+        script_src << "'unsafe-eval'"
+      end
+
+      SecureHeaders::Configuration.default do |config|
+        # The default cookie headers aren't compatible with PandaPal cookies currently
+        config.cookies = { samesite: { none: true } }
+
+        if Rails.env.production?
+          config.cookies[:secure] = true
+        end
+
+        # Need to allow LTI iframes
+        config.x_frame_options = "ALLOWALL"
+
+        config.x_content_type_options = "nosniff"
+        config.x_xss_protection = "1; mode=block"
+        config.referrer_policy = %w(origin-when-cross-origin strict-origin-when-cross-origin)
+
+        config.csp = {
+            default_src: %w('self'),
+            script_src: script_src,
+            # Certain CSS-in-JS libraries inline the CSS, so we need to use unsafe-inline for them
+            style_src: %w('self' 'unsafe-inline' blob: https://fonts.googleapis.com),
+            font_src: %w('self' data: https://fonts.gstatic.com),
+            connect_src: connect_src,
+        }
+      end
+
+      SecureHeaders::Configuration.override(:safari_override) do |config|
+        config.cookies = SecureHeaders::OPT_OUT
+      end
+    end
+
   end
 end

data/lib/coalescing_panda/version.rb

@@ -1,3 +1,3 @@
 module CoalescingPanda
-  VERSION = '4.6.1'
+  VERSION = '4.7.0'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: coalescing_panda
 version: !ruby/object:Gem::Version
-  version: 4.6.1
+  version: 4.7.0
 platform: ruby
 authors:
 - Nathan Mills
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-02-19 00:00:00.000000000 Z
+date: 2020-03-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -208,6 +208,20 @@ dependencies:
     - - '>='
       - !ruby/object:Gem::Version
         version: 1.0.0
+- !ruby/object:Gem::Dependency
+  name: secure_headers
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '6.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '6.3'
 - !ruby/object:Gem::Dependency
   name: zip-zip
   requirement: !ruby/object:Gem::Requirement