content-security-policy 0.1.2 → 0.1.3

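--- a/data/README.md
+++ b/data/README.md
@@ -59,7 +59,7 @@ run MyApplication
 
 ## Status
 
-Content Security Policy is now implemented with `X-Content-Security-Policy` and `X-WebKit-CSP` headers.
+Content Security Policy is now implemented with `Content-Security-Policy` (official name), `X-Content-Security-Policy` (Firefox and IE) and `X-WebKit-CSP` (Chrome and Safari) headers.
 
 ## Copyright
 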
@@ -20,16 +20,13 @@ class ContentSecurityPolicy
20
20
  def initialize(app, options = {})
21
21
  @app = app
22
22
  @report_only = options[:report_only] || ContentSecurityPolicy.report_only
23
- @directives = options[:directives] || ContentSecurityPolicy.directives
23
+ @directives = options[:directives] || ContentSecurityPolicy.directives
24
24
 
25
25
  @directives or raise NoDirectivesError, 'No directives were passed.'
26
26
 
27
27
  # make sure directives with policy-uri don't contain any other directives
28
28
  if @directives['policy-uri'] && @directives.keys.length > 1
29
29
  raise IncorrectDirectivesError, 'You passed both policy-uri and other directives.'
30
- # make sure default-src is present
31
- elsif !@directives['policy-uri'] && !@directives['default-src']
32
- raise IncorrectDirectivesError, 'You have to set default-src directive.'
33
30
  end
34
31
  end
35
32
 
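Review bot: Dropping the default-src check (the removed `elsif` in `initialize`) means a policy such as `{ 'script-src' => "'self'" }` is now accepted without complaint, yet under CSP every fetch directive that is neither listed nor covered by a default-src fallback is unrestricted, so the header looks protective while leaving images, styles, frames and the rest wide open. If the intent is to permit deliberately partial policies, keep the guard rail as a warning instead of losing it entirely: `elsif !@directives['policy-uri'] && !@directives['default-src']` followed by `warn 'ContentSecurityPolicy: no default-src set; resource types not listed are unrestricted'`. On the unchanged line above, `options[:report_only] || ContentSecurityPolicy.report_only` treats an explicit `:report_only => false` the same as an omission and falls through to the global, so a caller cannot opt a single middleware instance out of report-only mode; `options.fetch(:report_only) { ContentSecurityPolicy.report_only }` keeps the per-instance override. `initialize` ends inside this hunk, but the class continues past it.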
@@ -51,9 +48,17 @@ class ContentSecurityPolicy
51
48
 
52
49
  # prepare response headers names
53
50
  if @report_only
54
- resp_headers = %w(X-Content-Security-Policy-Report-Only X-WebKit-CSP-Report-Only)
51
+ resp_headers = %w(
52
+ Content-Security-Policy-Report-Only
53
+ X-Content-Security-Policy-Report-Only
54
+ X-WebKit-CSP-Report-Only
55
+ )
55
56
  else
56
- resp_headers = %w(X-Content-Security-Policy X-WebKit-CSP)
57
+ resp_headers = %w(
58
+ Content-Security-Policy
59
+ X-Content-Security-Policy
60
+ X-WebKit-CSP
61
+ )
57
62
  end
58
63
 
59
64
  # append response header
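Review bot: The enforcing and report-only header lists are now maintained by hand in parallel, and the only difference between them is the `-Report-Only` suffix, so a header added to one branch and forgotten in the other would silently ship enforcement without its report-only twin (or the reverse). Deriving one list from the other removes that drift: `resp_headers = %w(Content-Security-Policy X-Content-Security-Policy X-WebKit-CSP)` then `resp_headers = resp_headers.map { |h| "#{h}-Report-Only" } if @report_only`. The list also deserves a comment stating the assumption it makes, since the prefixed names were pre-standard dialects and browsers that honoured them did not necessarily parse every directive the same way as the standard header: `# the same policy string is sent under all three names; the prefixed variants predate the standard and may not accept every directive identically`. The method containing this code begins before the hunk and its header-appending tail runs past it.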
@@ -1,5 +1,5 @@
1
1
  class ContentSecurityPolicy
2
2
 
3
- VERSION = '0.1.2'
3
+ VERSION = '0.1.3'
4
4
 
5
5
  end # ContentSecurityPolicy
@@ -1,7 +1,6 @@
1
1
  require 'spec_helper'
2
2
 
3
3
  describe ContentSecurityPolicy do
4
-
5
4
  context 'configuration' do
6
5
  let(:app) do
7
6
  [200, { 'Content-Type' => 'text/plain' }, %w(ok)]
@@ -9,46 +8,39 @@ describe ContentSecurityPolicy do
9
8
 
10
9
  describe '#initialize' do
11
10
  it 'should raise error if directives hash is not present' do
12
- lambda do
11
+ lambda {
13
12
  ContentSecurityPolicy.new(app)
14
- end.should raise_error(ContentSecurityPolicy::NoDirectivesError, 'No directives were passed.')
15
- end
16
-
17
- it 'should raise error if default-src was not set' do
18
- lambda do
19
- options = { :directives => { 'script-src' => "'self'" }}
20
- ContentSecurityPolicy.new(app, options)
21
- end.should raise_error(ContentSecurityPolicy::IncorrectDirectivesError, 'You have to set default-src directive.')
13
+ }.should raise_error(ContentSecurityPolicy::NoDirectivesError, 'No directives were passed.')
22
14
  end
23
15
 
24
16
  it 'should raise error if both policy-uri and other directive was set' do
25
- lambda do
17
+ lambda {
26
18
  options = { :directives => { 'policy-uri' => 'policy.xml', 'script-src' => "'self'" }}
27
19
  ContentSecurityPolicy.new(app, options)
28
- end.should raise_error(ContentSecurityPolicy::IncorrectDirectivesError, "You passed both policy-uri and other directives.")
20
+ }.should raise_error(ContentSecurityPolicy::IncorrectDirectivesError, "You passed both policy-uri and other directives.")
29
21
  end
30
22
 
31
23
  it 'should allow setting directives with ContentSecurityPolicy.configure' do
32
24
  ContentSecurityPolicy.configure { |csp| csp['default-src'] = "'self'" }
33
25
  ContentSecurityPolicy.should_receive(:directives).and_return('default-src' => '*')
34
26
 
35
- lambda do
27
+ lambda {
36
28
  ContentSecurityPolicy.new(app)
37
- end.should_not raise_error(ContentSecurityPolicy::NoDirectivesError, 'No directives were passed.')
29
+ }.should_not raise_error(ContentSecurityPolicy::NoDirectivesError, 'No directives were passed.')
38
30
  end
39
31
 
40
32
  it 'should allow passing hash of directives' do
41
- lambda do
33
+ lambda {
42
34
  options = { :directives => { 'default-src' => "'self'" }}
43
35
  ContentSecurityPolicy.new(app, options)
44
- end.should_not raise_error
36
+ }.should_not raise_error
45
37
  end
46
38
 
47
39
  it 'should allow passing report_only attribute' do
48
- lambda do
40
+ lambda {
49
41
  options = { :directives => { 'default-src' => "'self'" }, :report_only => true }
50
42
  ContentSecurityPolicy.new(app, options)
51
- end.should_not raise_error
43
+ }.should_not raise_error
52
44
  end
53
45
  end
54
46
 
@@ -66,8 +58,7 @@ describe ContentSecurityPolicy do
66
58
  it 'should append directives' do
67
59
  ContentSecurityPolicy.configure { |csp| csp['default-src'] = '*' }
68
60
  ContentSecurityPolicy.configure { |csp| csp['script-src'] = '*' }
69
- ContentSecurityPolicy.directives.should == { 'default-src' => '*',
70
- 'script-src' => '*' }
61
+ ContentSecurityPolicy.directives.should == { 'default-src' => '*', 'script-src' => '*' }
71
62
  end
72
63
 
73
64
  it 'should save report_only attribute' do
@@ -95,42 +86,17 @@ describe ContentSecurityPolicy do
95
86
  end
96
87
 
97
88
  describe '#call' do
98
- it 'should respond with X-Content-Security-Policy HTTP response header' do
99
- directives = "default-src *; img-src *.google.com; script-src 'self'"
100
-
101
- header = get('/').headers['X-Content-Security-Policy']
102
- header.should_not be_nil
103
- header.should_not be_empty
104
- header.should == directives
105
- end
106
-
107
- it 'should respond with X-WebKit-CSP HTTP response header' do
108
- directives = "default-src *; img-src *.google.com; script-src 'self'"
109
-
110
- header = get('/').headers['X-WebKit-CSP']
111
- header.should_not be_nil
112
- header.should_not be_empty
113
- header.should == directives
89
+ %w(Content-Security-Policy X-Content-Security-Policy X-WebKit-CSP).each do |header|
90
+ it "should respond with #{header} HTTP response header" do
91
+ get('/').headers[header].should == "default-src *; img-src *.google.com; script-src 'self'"
92
+ end
114
93
  end
115
94
 
116
- it 'should respond with X-Content-Security-Policy-Report-Only HTTP response header' do
117
- ContentSecurityPolicy.configure { |csp| csp.report_only = true }
118
- directives = "default-src *; img-src *.google.com; script-src 'self'"
119
-
120
- header = get('/').headers['X-Content-Security-Policy-Report-Only']
121
- header.should_not be_nil
122
- header.should_not be_empty
123
- header.should == directives
124
- end
125
-
126
- it 'should respond with X-WebKit-CSP HTTP response header' do
127
- ContentSecurityPolicy.configure { |csp| csp.report_only = true }
128
- directives = "default-src *; img-src *.google.com; script-src 'self'"
129
-
130
- header = get('/').headers['X-WebKit-CSP-Report-Only']
131
- header.should_not be_nil
132
- header.should_not be_empty
133
- header.should == directives
95
+ %w(Content-Security-Policy-Report-Only X-Content-Security-Policy-Report-Only X-WebKit-CSP-Report-Only).each do |header|
96
+ it "should respond with #{header} HTTP response header" do
97
+ ContentSecurityPolicy.report_only = true
98
+ get('/').headers[header].should == "default-src *; img-src *.google.com; script-src 'self'"
99
+ end
134
100
  end
135
101
  end
136
102
  end
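Review bot: The report-only examples in the last hunk assert only that each `*-Report-Only` header carries the policy; nothing checks that the enforcing `Content-Security-Policy` headers are absent in that mode, even though sending both would turn a report-only rollout into enforcement, which is precisely what the `if @report_only` / `else` split in the middleware is meant to prevent. Add the negative assertion beside each loop, e.g. in the report-only block `get('/').headers['Content-Security-Policy'].should be_nil` and in the enforcing block `get('/').headers['Content-Security-Policy-Report-Only'].should be_nil`. The added `ContentSecurityPolicy.report_only = true` line mutates class-level state; unless spec_helper resets it between examples (not visible here) it leaks into later examples, so an `after` hook that restores the previous value would make the ordering of examples irrelevant. The `describe ContentSecurityPolicy` block opens in an earlier hunk of this file; the `#call` block is fully inside this one.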
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: content-security-policy
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.2
4
+ version: 0.1.3
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
@@ -9,11 +9,11 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2012-02-22 00:00:00.000000000Z
12
+ date: 2012-09-13 00:00:00.000000000Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: rack
16
- requirement: &16425620 !ruby/object:Gem::Requirement
16
+ requirement: &15825420 !ruby/object:Gem::Requirement
17
17
  none: false
18
18
  requirements:
19
19
  - - ~>
@@ -21,10 +21,10 @@ dependencies:
21
21
  version: '1.4'
22
22
  type: :runtime
23
23
  prerelease: false
24
- version_requirements: *16425620
24
+ version_requirements: *15825420
25
25
  - !ruby/object:Gem::Dependency
26
26
  name: rack-test
27
- requirement: &16425120 !ruby/object:Gem::Requirement
27
+ requirement: &15856880 !ruby/object:Gem::Requirement
28
28
  none: false
29
29
  requirements:
30
30
  - - ~>
@@ -32,10 +32,10 @@ dependencies:
32
32
  version: '0.6'
33
33
  type: :development
34
34
  prerelease: false
35
- version_requirements: *16425120
35
+ version_requirements: *15856880
36
36
  - !ruby/object:Gem::Dependency
37
37
  name: rspec
38
- requirement: &16424660 !ruby/object:Gem::Requirement
38
+ requirement: &16810180 !ruby/object:Gem::Requirement
39
39
  none: false
40
40
  requirements:
41
41
  - - ~>
@@ -43,10 +43,10 @@ dependencies:
43
43
  version: '2.8'
44
44
  type: :development
45
45
  prerelease: false
46
- version_requirements: *16424660
46
+ version_requirements: *16810180
47
47
  - !ruby/object:Gem::Dependency
48
48
  name: rake
49
- requirement: &16424200 !ruby/object:Gem::Requirement
49
+ requirement: &17568560 !ruby/object:Gem::Requirement
50
50
  none: false
51
51
  requirements:
52
52
  - - ~>
@@ -54,7 +54,7 @@ dependencies:
54
54
  version: '0.9'
55
55
  type: :development
56
56
  prerelease: false
57
- version_requirements: *16424200
57
+ version_requirements: *17568560
58
58
  description: Full-featured Content Security Policy as Rack middleware
59
59
  email: p0deje@gmail.com
60
60
  executables: []
@@ -85,12 +85,18 @@ required_ruby_version: !ruby/object:Gem::Requirement
85
85
  - - ! '>='
86
86
  - !ruby/object:Gem::Version
87
87
  version: '0'
88
+ segments:
89
+ - 0
90
+ hash: -3566934327810610234
88
91
  required_rubygems_version: !ruby/object:Gem::Requirement
89
92
  none: false
90
93
  requirements:
91
94
  - - ! '>='
92
95
  - !ruby/object:Gem::Version
93
96
  version: '0'
97
+ segments:
98
+ - 0
99
+ hash: -3566934327810610234
94
100
  requirements: []
95
101
  rubyforge_project:
96
102
  rubygems_version: 1.8.16
@@ -100,4 +106,3 @@ summary: Full-featured Content Security Policy as Rack middleware
100
106
  test_files:
101
107
  - spec/content-security-policy_spec.rb
102
108
  - spec/spec_helper.rb
103
- has_rdoc: