coalescing_panda 1.1.20 → 1.1.21
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/coalescing_panda/controller_helpers.rb +2 -0
- data/lib/coalescing_panda/engine.rb +48 -0
- data/lib/coalescing_panda/version.rb +1 -1
- metadata +16 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 944d92a3431e6323e9ba3b51aa7def85416dd322fbd51c26c70a1f07f5eced1a
|
|
4
|
+
data.tar.gz: f58244ff27af50fef210b7a88b306adda5ab421e3abf72ef9adfad2fdd198ffa
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f461fef8d038d1a6bb0c1bb6863231e556fe9bad0589d48b6e844dbc6e3f3eaf335f28706271a15eb54dfa5cb97c12cc34f044d243f594f82c64b4fe8244e723
|
|
7
|
+
data.tar.gz: 4962e1e2c3335c1e5986dca5ddd7132cb7b973156e76b34a738a6a9278f083106dd451165e7b88fde95d961a491301ba9bc98a61f0d3f226a4b41392c10120fb
|
|
@@ -60,6 +60,7 @@ module CoalescingPanda
|
|
|
60
60
|
|
|
61
61
|
def lti_authorize!(*roles)
|
|
62
62
|
authorized = false
|
|
63
|
+
use_secure_headers_override(:safari_override) if browser.safari?
|
|
63
64
|
if @lti_account = params['oauth_consumer_key'] && LtiAccount.find_by_key(params['oauth_consumer_key'])
|
|
64
65
|
sanitized_params = sanitize_params
|
|
65
66
|
authenticator = IMS::LTI::Services::MessageAuthenticator.new(request.original_url, sanitized_params, @lti_account.secret)
|
|
@@ -158,6 +159,7 @@ module CoalescingPanda
|
|
|
158
159
|
session[:safari_cookie_fixed] = true
|
|
159
160
|
redirect_to params[:return_to]
|
|
160
161
|
else
|
|
162
|
+
use_secure_headers_override(:safari_override)
|
|
161
163
|
render 'coalescing_panda/lti/iframe_cookie_fix', layout: false
|
|
162
164
|
end
|
|
163
165
|
end
|
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
require 'secure_headers'
|
|
2
|
+
|
|
1
3
|
module CoalescingPanda
|
|
2
4
|
class Engine < ::Rails::Engine
|
|
3
5
|
config.autoload_once_paths += Dir["#{config.root}/lib/**/"]
|
|
@@ -30,5 +32,51 @@ module CoalescingPanda
|
|
|
30
32
|
end
|
|
31
33
|
end
|
|
32
34
|
|
|
35
|
+
initializer :secure_headers do |app|
|
|
36
|
+
connect_src = %w('self')
|
|
37
|
+
script_src = %w('self')
|
|
38
|
+
if Rails.env.development?
|
|
39
|
+
# Allow webpack-dev-server to work
|
|
40
|
+
connect_src << "http://localhost:3035"
|
|
41
|
+
connect_src << "ws://localhost:3035"
|
|
42
|
+
# Allow stuff like rack-mini-profiler to work in development:
|
|
43
|
+
# https://github.com/MiniProfiler/rack-mini-profiler/issues/327
|
|
44
|
+
# DON'T ENABLE THIS FOR PRODUCTION!
|
|
45
|
+
script_src << "'unsafe-eval'"
|
|
46
|
+
end
|
|
47
|
+
SecureHeaders::Configuration.default do |config|
|
|
48
|
+
# The default cookie headers aren't compatable with PandaPal cookies currenntly
|
|
49
|
+
config.cookies = { samesite: { none: true } }
|
|
50
|
+
# Need to allow LTI iframes
|
|
51
|
+
config.x_frame_options = "ALLOWALL"
|
|
52
|
+
config.x_content_type_options = "nosniff"
|
|
53
|
+
config.x_xss_protection = "1; mode=block"
|
|
54
|
+
config.referrer_policy = %w(origin-when-cross-origin strict-origin-when-cross-origin)
|
|
55
|
+
config.csp = {
|
|
56
|
+
default_src: %w('self'),
|
|
57
|
+
script_src: script_src,
|
|
58
|
+
# Certain CSS-in-JS libraries inline the CSS, so we need to use unsafe-inline for them
|
|
59
|
+
style_src: %w('self' 'unsafe-inline' blob: https://fonts.googleapis.com),
|
|
60
|
+
font_src: %w('self' data: https://fonts.gstatic.com),
|
|
61
|
+
connect_src: connect_src,
|
|
62
|
+
}
|
|
63
|
+
end
|
|
64
|
+
SecureHeaders::Configuration.override(:safari_override) do |config|
|
|
65
|
+
config.cookies = SecureHeaders::OPT_OUT
|
|
66
|
+
# Need to allow LTI iframes
|
|
67
|
+
config.x_frame_options = "ALLOWALL"
|
|
68
|
+
config.x_content_type_options = "nosniff"
|
|
69
|
+
config.x_xss_protection = "1; mode=block"
|
|
70
|
+
config.referrer_policy = %w(origin-when-cross-origin strict-origin-when-cross-origin)
|
|
71
|
+
config.csp = {
|
|
72
|
+
default_src: %w('self'),
|
|
73
|
+
script_src: script_src,
|
|
74
|
+
# Certain CSS-in-JS libraries inline the CSS, so we need to use unsafe-inline for them
|
|
75
|
+
style_src: %w('self' 'unsafe-inline' blob: https://fonts.googleapis.com),
|
|
76
|
+
font_src: %w('self' data: https://fonts.gstatic.com),
|
|
77
|
+
connect_src: connect_src,
|
|
78
|
+
}
|
|
79
|
+
end
|
|
80
|
+
end
|
|
33
81
|
end
|
|
34
82
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: coalescing_panda
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.1.
|
|
4
|
+
version: 1.1.21
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Nathan Mills
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-04-
|
|
11
|
+
date: 2020-04-28 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rails
|
|
@@ -178,6 +178,20 @@ dependencies:
|
|
|
178
178
|
- - "<"
|
|
179
179
|
- !ruby/object:Gem::Version
|
|
180
180
|
version: 2.0.0
|
|
181
|
+
- !ruby/object:Gem::Dependency
|
|
182
|
+
name: secure_headers
|
|
183
|
+
requirement: !ruby/object:Gem::Requirement
|
|
184
|
+
requirements:
|
|
185
|
+
- - ">="
|
|
186
|
+
- !ruby/object:Gem::Version
|
|
187
|
+
version: '0'
|
|
188
|
+
type: :runtime
|
|
189
|
+
prerelease: false
|
|
190
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
191
|
+
requirements:
|
|
192
|
+
- - ">="
|
|
193
|
+
- !ruby/object:Gem::Version
|
|
194
|
+
version: '0'
|
|
181
195
|
- !ruby/object:Gem::Dependency
|
|
182
196
|
name: sqlite3
|
|
183
197
|
requirement: !ruby/object:Gem::Requirement
|