csp_report 0.4.0 → 1.0.0
- checksums.yaml +4 -4
- data/README.md +18 -28
- data/lib/csp_report/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 71b96c2b38d600e6aaad2589bb2d1d16ebafc69a
|
4
|
+
data.tar.gz: b2f1a28385911667bc3826a7b204974b31fb499b
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: ce05a919ef86f2bfcfc2ce8c72013ebd3a3b80a30cfed67a823112168b31d2b54f497d565960e1e139bbf2559b81267fb213ef0c8890a11a578efb25964e569a
|
7
|
+
data.tar.gz: 4ab795bc4a6716d3286067ba3f54f7b2dc73aa75523ab0a5e5a63e8443f3e48916348c4d349cbfae7d3209bd45aa8a7028a1524ca53fd589ea1c7a9cdb1b6ae6
|
data/README.md
CHANGED
@@ -4,31 +4,19 @@ CspReport
|
|
4
4
|
This gem provides a Rails engine that manages the CSP violations reported by
|
5
5
|
the client browser (when supported).
|
6
6
|
|
7
|
-
|
8
|
-
of
|
9
|
-
|
10
|
-
the spec, I can't see anything that should not work if your browser ups to the
|
11
|
-
new version.
|
12
|
-
|
13
|
-
**Disclaimer**
|
14
|
-
|
15
|
-
This is a rough cut gem for the moment. It won't look like much in the report
|
16
|
-
page. However, elements have a class so you can add some CSS style before I
|
17
|
-
add some clean ones in the gem.
|
18
|
-
|
19
|
-
I promise something cleaner when I'll get to v1.
|
7
|
+
As of today (Sept 14th), a new editor's draft of CSP 1.1 is available and got
|
8
|
+
rid of the new proposed report elements. Therefore, as of today too, I'll
|
9
|
+
publish the current version of the gem as the csp_report 1.0 version.
|
20
10
|
|
21
11
|
[Installation](#install) | [Upgrade](#upgrade-notes) |
|
22
12
|
[Configuration](#trying-it-out) | [Description](#what-is-csp)
|
23
13
|
|
24
|
-
**Careful**: If migrating from
|
25
|
-
|
14
|
+
**Careful**: If migrating from an earlier version, please look up the upgrage
|
15
|
+
instructions.
|
26
16
|
|
27
|
-
|
28
|
-
[
|
29
|
-
|
30
|
-
**Careful**: If migrating from 0.3.x or below, you can follow
|
31
|
-
[these instructions](#upgrade-from-03x-or-below). This is mandatory.
|
17
|
+
Now that v1.0 is out, I would advise to redo an install from scratch or to
|
18
|
+
consult the new [INSTALL](./INSTALL.md) file for details of what should be
|
19
|
+
installed
|
32
20
|
|
33
21
|
What is CSP
|
34
22
|
===========
|
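Review bot: "upgrage" in the added **Careful** line should read "upgrade", and the added sentence ending "details of what should be installed" is missing its full stop. The new text also sends readers to `./INSTALL.md`, which is not among the four files in this change set, so confirm that file is actually shipped in the gem before publishing a README that depends on it. "I would advise to redo an install from scratch or to consult" reads better as "I would advise redoing the install from scratch or consulting". Finally, dropping the old "This is mandatory" warning for 0.3.x users removes the only explicit pointer to their upgrade steps; if that migration still requires specific steps, keep a link to the upgrade section rather than only to INSTALL.md.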
@@ -44,7 +32,7 @@ For more information, consult
|
|
44
32
|
|
45
33
|
[Browser supporting CSP](http://caniuse.com/#search=csp)
|
46
34
|
|
47
|
-
Tested in Chrome 27 and shown to work with the *'Content-Security-Policy'* new
|
35
|
+
Tested in Chrome (since version 27) and shown to work with the *'Content-Security-Policy'* new
|
48
36
|
directive.
|
49
37
|
Safari 6 already supports it but with the *'X-Webkit-CSP'* directive. However, it
|
50
38
|
seems the *report_uri* parameter is not yet supported there.
|
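Review bot: the reworded line "Tested in Chrome (since version 27) and shown to work with the *'Content-Security-Policy'* new" now runs past the 80-column wrap used everywhere else in this README; rewrap it. While here, `Content-Security-Policy` (and `X-Webkit-CSP` in the unchanged line below) is the name of the response header, not a directive, so "new header" would be more accurate than "new directive".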
@@ -53,9 +41,8 @@ Features
|
|
53
41
|
========
|
54
42
|
|
55
43
|
* Provides a *csp_report* resource that stores the reported violations.
|
56
|
-
* Displays the violation for analysis
|
44
|
+
* Displays the violation for analysis along with consolidated reports.
|
57
45
|
* Keeps up-to-date with the CSP W3C RFC
|
58
|
-
* Future: provide visualization aids on the report data
|
59
46
|
|
60
47
|
Why using this gem
|
61
48
|
==================
|
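Review bot: "Displays the violation for analysis along with consolidated reports." should be plural, "Displays the violations for analysis along with consolidated reports." In the unchanged bullet just below, CSP is a W3C specification rather than an RFC, so "Keeps up-to-date with the W3C CSP specification" would be the accurate wording.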
@@ -71,7 +58,7 @@ that you'll have a hard
|
|
71
58
|
time figuring out all the sources you are using. By recording all the breaches,
|
72
59
|
this gem allows you to setup a policy, run a crawler for example, and then
|
73
60
|
look at what is reported as breaches. It will help you getting rid of your
|
74
|
-
inline js and
|
61
|
+
inline js and tuning your policy.
|
75
62
|
* Second, in normal production mode, it'll help you monitor the situation and
|
76
63
|
see if your server has been victim of some injection (if some input is not
|
77
64
|
sanitize properly) or if your users are being attacked in some way (in which
|
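Review bot: the completed sentence "It will help you getting rid of your inline js and tuning your policy." is ungrammatical; suggest "It will help you get rid of your inline JS and tune your policy." The surrounding context lines have the same kind of slip ("allows you to setup a policy" should be "set up", and "if some input is not sanitize properly" should be "sanitized"), worth fixing in the same pass.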
@@ -80,6 +67,8 @@ case you might gather stats and maybe warn them in one way or another).
|
|
80
67
|
Install
|
81
68
|
=======
|
82
69
|
|
70
|
+
_(See the [INSTALL.md](./INSTALL.md) file for more details)_
|
71
|
+
|
83
72
|
1. In your *Gemfile*, add the following
|
84
73
|
```
|
85
74
|
gem csp_report
|
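Review bot: the Gemfile snippet in the unchanged context right below the added INSTALL.md pointer, `gem csp_report`, is not valid Ruby: Bundler evaluates the Gemfile, so a bare unquoted `csp_report` is an undefined local variable or method and raises NameError. It should be `gem 'csp_report'`, and since this hunk now directs readers to INSTALL.md for details, make sure that file shows the quoted form as well. Minor: tag the opening fence with a language (```ruby) as the shell block further down already does.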
@@ -95,8 +84,7 @@ too
|
|
95
84
|
```shell
|
96
85
|
rails generate csp_report:install [mount_point_name] [-a]
|
97
86
|
```
|
98
|
-
|
99
|
-
It mounts the engine in the application (see routes.rb)
|
87
|
+
Among other things, it retrieves the db migration files from the gem and copy them in the application
|
100
88
|
*Don't forget to run the `rake db:migrate` command*
|
101
89
|
|
102
90
|
1. **EASY INSTALL**: if you used the *-a* parameter above, you can skip this
|
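Review bot: "retrieves the db migration files from the gem and copy them in the application" has a subject/verb mismatch; "copies them into the application". The removed sentence "It mounts the engine in the application (see routes.rb)" was the only place the README said that the generator edits routes.rb and where the report pages end up being served; since the command above still takes a `[mount_point_name]` argument, keep that sentence alongside the new migration sentence rather than replacing it.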
@@ -162,7 +150,10 @@ have to redefine every single one of them.
|
|
162
150
|
|
163
151
|
#### Changing the CSP rule per controller/action
|
164
152
|
|
165
|
-
|
153
|
+
This is not tested, but by adding a before_filter to any of your controller,
|
154
|
+
you should be able to override the application level CSP directive.
|
155
|
+
|
156
|
+
TODO - gbataille - Test it
|
166
157
|
|
167
158
|
Utilities
|
168
159
|
=========
|
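Review bot: the added paragraph ships untested instructions ("This is not tested", "TODO - gbataille - Test it") in the README of a 1.0.0 release. Either verify the before_filter override before publishing or label the subsection clearly as experimental, and move the personal TODO out of user-facing docs into an issue. Minor: "any of your controller" should be "any of your controllers", and "application level" used as an adjective is "application-level".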
@@ -179,7 +170,6 @@ To come
|
|
179
170
|
|
180
171
|
* Customization instructions
|
181
172
|
* Support of CSP 1.1 draft spec
|
182
|
-
* Eased data mining
|
183
173
|
|
184
174
|
Upgrade notes
|
185
175
|
=============
|
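Review bot: "Support of CSP 1.1 draft spec" is still listed under "To come", while the new intro paragraph earlier in this diff says the current CSP 1.1 editor's draft dropped the proposed report elements and that this is why the gem is now cut as 1.0. State what 1.1 support still entails so the two statements do not read as contradictory. Removing "Eased data mining" is consistent with the new "consolidated reports" feature bullet above.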
data/lib/csp_report/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: csp_report
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 1.0.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Gregory Bataille
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2013-09-
|
11
|
+
date: 2013-09-14 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rails
|
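Review bot: `cert_chain: []` in the unchanged context means the 1.0.0 gem is published unsigned, so consumers cannot verify it with `gem install -P HighSecurity` (or `MediumSecurity`); for a first stable release, consider signing it (`gem cert` to create a certificate, then `signing_key` and `cert_chain` in the gemspec) so the checksums in the first hunk are backed by a key rather than only by the registry. The bump to `version: 1.0.0` and the `2013-09-14` date are consistent with the README's "As of today (Sept 14th)" wording.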