content-security-policy 0.1.2 → 0.1.3

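--- a/data/README.md
+++ b/data/README.md
@@ -59,7 +59,7 @@ run MyApplication
 
 ## Status
 
-Content Security Policy is now implemented with `X-Content-Security-Policy` and `X-WebKit-CSP` headers.
+Content Security Policy is now implemented with `Content-Security-Policy` (official name), `X-Content-Security-Policy` (Firefox and IE) and `X-WebKit-CSP` (Chrome and Safari) headers.
 
 ## Copyright
 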
@@ -20,16 +20,13 @@ class ContentSecurityPolicy
20
20
  def initialize(app, options = {})
21
21
  @app = app
22
22
  @report_only = options[:report_only] || ContentSecurityPolicy.report_only
23
- @directives = options[:directives] || ContentSecurityPolicy.directives
23
+ @directives = options[:directives] || ContentSecurityPolicy.directives
24
24
 
25
25
  @directives or raise NoDirectivesError, 'No directives were passed.'
26
26
 
27
27
  # make sure directives with policy-uri don't contain any other directives
28
28
  if @directives['policy-uri'] && @directives.keys.length > 1
29
29
  raise IncorrectDirectivesError, 'You passed both policy-uri and other directives.'
30
- # make sure default-src is present
31
- elsif !@directives['policy-uri'] && !@directives['default-src']
32
- raise IncorrectDirectivesError, 'You have to set default-src directive.'
33
30
  end
34
31
  end
35
32
 
@@ -51,9 +48,17 @@ class ContentSecurityPolicy
51
48
 
52
49
  # prepare response headers names
53
50
  if @report_only
54
- resp_headers = %w(X-Content-Security-Policy-Report-Only X-WebKit-CSP-Report-Only)
51
+ resp_headers = %w(
52
+ Content-Security-Policy-Report-Only
53
+ X-Content-Security-Policy-Report-Only
54
+ X-WebKit-CSP-Report-Only
55
+ )
55
56
  else
56
- resp_headers = %w(X-Content-Security-Policy X-WebKit-CSP)
57
+ resp_headers = %w(
58
+ Content-Security-Policy
59
+ X-Content-Security-Policy
60
+ X-WebKit-CSP
61
+ )
57
62
  end
58
63
 
59
64
  # append response header
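Review bot: Removing the `default-src` requirement from `initialize` (the deleted `elsif` in the first hunk) leaves no check that a policy restricts anything: a hash such as `{ 'script-src' => "'self'" }` is now accepted, and every fetch directive it does not name falls back to the browser's permissive default, so a typo or a forgotten directive silently weakens the policy instead of failing fast. If `default-src`-less policies are intended, I would at least emit a warning where the check used to be, e.g. `warn 'ContentSecurityPolicy: no default-src set; unlisted resource types are unrestricted' unless @directives['default-src'] || @directives['policy-uri']`, and state the fallback in the README. Separately, `policy-uri` is a pre-standard directive that, as far as I know, is not part of the `Content-Security-Policy` header added in the second hunk, so a `policy-uri`-only configuration presumably yields no protection in browsers reading the unprefixed header — worth a caveat next to the new header list. The reason for dropping the check is not visible in this diff; the `call` method in the second hunk starts and ends outside the hunk.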
@@ -1,5 +1,5 @@
1
1
  class ContentSecurityPolicy
2
2
 
3
- VERSION = '0.1.2'
3
+ VERSION = '0.1.3'
4
4
 
5
5
  end # ContentSecurityPolicy
@@ -1,7 +1,6 @@
1
1
  require 'spec_helper'
2
2
 
3
3
  describe ContentSecurityPolicy do
4
-
5
4
  context 'configuration' do
6
5
  let(:app) do
7
6
  [200, { 'Content-Type' => 'text/plain' }, %w(ok)]
@@ -9,46 +8,39 @@ describe ContentSecurityPolicy do
9
8
 
10
9
  describe '#initialize' do
11
10
  it 'should raise error if directives hash is not present' do
12
- lambda do
11
+ lambda {
13
12
  ContentSecurityPolicy.new(app)
14
- end.should raise_error(ContentSecurityPolicy::NoDirectivesError, 'No directives were passed.')
15
- end
16
-
17
- it 'should raise error if default-src was not set' do
18
- lambda do
19
- options = { :directives => { 'script-src' => "'self'" }}
20
- ContentSecurityPolicy.new(app, options)
21
- end.should raise_error(ContentSecurityPolicy::IncorrectDirectivesError, 'You have to set default-src directive.')
13
+ }.should raise_error(ContentSecurityPolicy::NoDirectivesError, 'No directives were passed.')
22
14
  end
23
15
 
24
16
  it 'should raise error if both policy-uri and other directive was set' do
25
- lambda do
17
+ lambda {
26
18
  options = { :directives => { 'policy-uri' => 'policy.xml', 'script-src' => "'self'" }}
27
19
  ContentSecurityPolicy.new(app, options)
28
- end.should raise_error(ContentSecurityPolicy::IncorrectDirectivesError, "You passed both policy-uri and other directives.")
20
+ }.should raise_error(ContentSecurityPolicy::IncorrectDirectivesError, "You passed both policy-uri and other directives.")
29
21
  end
30
22
 
31
23
  it 'should allow setting directives with ContentSecurityPolicy.configure' do
32
24
  ContentSecurityPolicy.configure { |csp| csp['default-src'] = "'self'" }
33
25
  ContentSecurityPolicy.should_receive(:directives).and_return('default-src' => '*')
34
26
 
35
- lambda do
27
+ lambda {
36
28
  ContentSecurityPolicy.new(app)
37
- end.should_not raise_error(ContentSecurityPolicy::NoDirectivesError, 'No directives were passed.')
29
+ }.should_not raise_error(ContentSecurityPolicy::NoDirectivesError, 'No directives were passed.')
38
30
  end
39
31
 
40
32
  it 'should allow passing hash of directives' do
41
- lambda do
33
+ lambda {
42
34
  options = { :directives => { 'default-src' => "'self'" }}
43
35
  ContentSecurityPolicy.new(app, options)
44
- end.should_not raise_error
36
+ }.should_not raise_error
45
37
  end
46
38
 
47
39
  it 'should allow passing report_only attribute' do
48
- lambda do
40
+ lambda {
49
41
  options = { :directives => { 'default-src' => "'self'" }, :report_only => true }
50
42
  ContentSecurityPolicy.new(app, options)
51
- end.should_not raise_error
43
+ }.should_not raise_error
52
44
  end
53
45
  end
54
46
 
@@ -66,8 +58,7 @@ describe ContentSecurityPolicy do
66
58
  it 'should append directives' do
67
59
  ContentSecurityPolicy.configure { |csp| csp['default-src'] = '*' }
68
60
  ContentSecurityPolicy.configure { |csp| csp['script-src'] = '*' }
69
- ContentSecurityPolicy.directives.should == { 'default-src' => '*',
70
- 'script-src' => '*' }
61
+ ContentSecurityPolicy.directives.should == { 'default-src' => '*', 'script-src' => '*' }
71
62
  end
72
63
 
73
64
  it 'should save report_only attribute' do
@@ -95,42 +86,17 @@ describe ContentSecurityPolicy do
95
86
  end
96
87
 
97
88
  describe '#call' do
98
- it 'should respond with X-Content-Security-Policy HTTP response header' do
99
- directives = "default-src *; img-src *.google.com; script-src 'self'"
100
-
101
- header = get('/').headers['X-Content-Security-Policy']
102
- header.should_not be_nil
103
- header.should_not be_empty
104
- header.should == directives
105
- end
106
-
107
- it 'should respond with X-WebKit-CSP HTTP response header' do
108
- directives = "default-src *; img-src *.google.com; script-src 'self'"
109
-
110
- header = get('/').headers['X-WebKit-CSP']
111
- header.should_not be_nil
112
- header.should_not be_empty
113
- header.should == directives
89
+ %w(Content-Security-Policy X-Content-Security-Policy X-WebKit-CSP).each do |header|
90
+ it "should respond with #{header} HTTP response header" do
91
+ get('/').headers[header].should == "default-src *; img-src *.google.com; script-src 'self'"
92
+ end
114
93
  end
115
94
 
116
- it 'should respond with X-Content-Security-Policy-Report-Only HTTP response header' do
117
- ContentSecurityPolicy.configure { |csp| csp.report_only = true }
118
- directives = "default-src *; img-src *.google.com; script-src 'self'"
119
-
120
- header = get('/').headers['X-Content-Security-Policy-Report-Only']
121
- header.should_not be_nil
122
- header.should_not be_empty
123
- header.should == directives
124
- end
125
-
126
- it 'should respond with X-WebKit-CSP HTTP response header' do
127
- ContentSecurityPolicy.configure { |csp| csp.report_only = true }
128
- directives = "default-src *; img-src *.google.com; script-src 'self'"
129
-
130
- header = get('/').headers['X-WebKit-CSP-Report-Only']
131
- header.should_not be_nil
132
- header.should_not be_empty
133
- header.should == directives
95
+ %w(Content-Security-Policy-Report-Only X-Content-Security-Policy-Report-Only X-WebKit-CSP-Report-Only).each do |header|
96
+ it "should respond with #{header} HTTP response header" do
97
+ ContentSecurityPolicy.report_only = true
98
+ get('/').headers[header].should == "default-src *; img-src *.google.com; script-src 'self'"
99
+ end
134
100
  end
135
101
  end
136
102
  end
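Review bot: The example asserting `IncorrectDirectivesError` for a policy without `default-src` is deleted but nothing replaces it, so the newly permitted behaviour is untested; add the positive case, e.g. `it 'should allow directives without default-src' do`, `ContentSecurityPolicy.new(app, :directives => { 'script-src' => "'self'" })`, `end` (wrapped in the same `lambda { ... }.should_not raise_error` form the neighbouring examples use). The report-only examples in the last hunk also flip class-level state with `ContentSecurityPolicy.report_only = true` and never reset it; unless spec_helper does so (not visible here), the enforcing-header examples above them pass only by run order. An `after { ContentSecurityPolicy.report_only = false }` inside the `#call` block would make that explicit.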
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: content-security-policy
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.2
4
+ version: 0.1.3
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
@@ -9,11 +9,11 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2012-02-22 00:00:00.000000000Z
12
+ date: 2012-09-13 00:00:00.000000000Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: rack
16
- requirement: &16425620 !ruby/object:Gem::Requirement
16
+ requirement: &15825420 !ruby/object:Gem::Requirement
17
17
  none: false
18
18
  requirements:
19
19
  - - ~>
@@ -21,10 +21,10 @@ dependencies:
21
21
  version: '1.4'
22
22
  type: :runtime
23
23
  prerelease: false
24
- version_requirements: *16425620
24
+ version_requirements: *15825420
25
25
  - !ruby/object:Gem::Dependency
26
26
  name: rack-test
27
- requirement: &16425120 !ruby/object:Gem::Requirement
27
+ requirement: &15856880 !ruby/object:Gem::Requirement
28
28
  none: false
29
29
  requirements:
30
30
  - - ~>
@@ -32,10 +32,10 @@ dependencies:
32
32
  version: '0.6'
33
33
  type: :development
34
34
  prerelease: false
35
- version_requirements: *16425120
35
+ version_requirements: *15856880
36
36
  - !ruby/object:Gem::Dependency
37
37
  name: rspec
38
- requirement: &16424660 !ruby/object:Gem::Requirement
38
+ requirement: &16810180 !ruby/object:Gem::Requirement
39
39
  none: false
40
40
  requirements:
41
41
  - - ~>
@@ -43,10 +43,10 @@ dependencies:
43
43
  version: '2.8'
44
44
  type: :development
45
45
  prerelease: false
46
- version_requirements: *16424660
46
+ version_requirements: *16810180
47
47
  - !ruby/object:Gem::Dependency
48
48
  name: rake
49
- requirement: &16424200 !ruby/object:Gem::Requirement
49
+ requirement: &17568560 !ruby/object:Gem::Requirement
50
50
  none: false
51
51
  requirements:
52
52
  - - ~>
@@ -54,7 +54,7 @@ dependencies:
54
54
  version: '0.9'
55
55
  type: :development
56
56
  prerelease: false
57
- version_requirements: *16424200
57
+ version_requirements: *17568560
58
58
  description: Full-featured Content Security Policy as Rack middleware
59
59
  email: p0deje@gmail.com
60
60
  executables: []
@@ -85,12 +85,18 @@ required_ruby_version: !ruby/object:Gem::Requirement
85
85
  - - ! '>='
86
86
  - !ruby/object:Gem::Version
87
87
  version: '0'
88
+ segments:
89
+ - 0
90
+ hash: -3566934327810610234
88
91
  required_rubygems_version: !ruby/object:Gem::Requirement
89
92
  none: false
90
93
  requirements:
91
94
  - - ! '>='
92
95
  - !ruby/object:Gem::Version
93
96
  version: '0'
97
+ segments:
98
+ - 0
99
+ hash: -3566934327810610234
94
100
  requirements: []
95
101
  rubyforge_project:
96
102
  rubygems_version: 1.8.16
@@ -100,4 +106,3 @@ summary: Full-featured Content Security Policy as Rack middleware
100
106
  test_files:
101
107
  - spec/content-security-policy_spec.rb
102
108
  - spec/spec_helper.rb
103
- has_rdoc: