ezcsp 0.0.1 → 0.0.2

Files changed (4)
  1. checksums.yaml +4 -4
  2. data/README.md +50 -0
  3. data/lib/ezcsp.rb +0 -36
  4. metadata +3 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: a64098cd248945d8710812f3321c933b2369eeea
4
- data.tar.gz: 057154fe542773f16ef047ecce002dc0882a08b0
3
+ metadata.gz: e85c15f0666a4ccbdd890925384c38e92e642e30
4
+ data.tar.gz: 1d9057b469c1a375a81e1bf10f0378c79dece42a
5
5
  SHA512:
6
- metadata.gz: b8d006493d6446008a8beb09c8cd5c425365fb1583d07f8ecd152695524dbfc2859a7d6398ebd1f55107c056729a15f23ccf5701bc5faf30d377c01cedc3c739
7
- data.tar.gz: e453772110f23a06a30f94c91465433ac36e8e8b2a1f79c1fd0dc877f830e6f439b8b9c426be7bcef38a66a03a2526f98be08b8c1f713e022d7bc5230c5e2624
6
+ metadata.gz: ff4d1d6a894c50875bf30d2ce60ee6aa31049642b9ee32a24c24c37a9c80e98a0552590e6fd9aabc5dc543c42fd7af54e310e9c60bbdef137c54c526acc157a2
7
+ data.tar.gz: 64430bd7554d662d9629501bf667a656caabaa9c2f570736c089dc01f598dd217674ba2261eab0dc7597a614d69d6ffc50bb7dd49f5bd4e1e89893188fab841f
@@ -0,0 +1,50 @@
1
+ EzCSP provides a simple object-oriented way to generate `Content-Security-Policy`
2
+ HTTP headers. For documentation on CSP, see Mozilla's [Content-Security-Policy page](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy).
3
+
4
+ Basic usage:
5
+
6
+ require 'ezcsp'
7
+ csp = EzCSP.new()
8
+
9
+ Then, depending on how you output HTTP headers, you could output the CSP header
10
+ something like this:
11
+
12
+ headers['Content-Security-Policy'] = csp.to_s
13
+
14
+ `csp.to_s`, by default, returns this string:
15
+
16
+ default-src 'self'; frame-src 'self'; object-src 'none'; form-action 'self'; frame-ancestors 'self'; base-uri 'none'; block-all-mixed-content;
17
+
18
+ By default, the header value is very restrictive. It basically states that no
19
+ resources — scripts, styles, images, etc. — from outside the current web site
20
+ can be used. Expand that set of allowed resources by adding to the accessors
21
+ listed in the class documentation, usually by using the `cdn` method. So, for
22
+ example, to allow the browser to get scripts and styles from `code.jquery.com`,
23
+ you would do this:
24
+
25
+ csp.cdn 'code.jquery.com', 'script_src', 'style_src'
26
+
27
+ which would produce this header value:
28
+
29
+ default-src 'self'; script-src 'self' code.jquery.com; style-src 'self' code.jquery.com; frame-src 'self'; object-src 'none'; form-action 'self'; frame-ancestors 'self'; base-uri 'none'; block-all-mixed-content;
30
+
31
+ EzCSP isn't a substitute for understanding content security policies. Make
32
+ sure you [read up on CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) before using this class.
33
+
34
+ ## Install
35
+
36
+ ```
37
+ gem install ezcsp
38
+ ```
39
+
40
+ ## Author
41
+
42
+ Mike O'Sullivan
43
+ mike@idocs.com
44
+
45
+ ## History
46
+
47
+ | version | date | notes |
48
+ |----------|-------------|------|
49
+ | 0.0.2 | Nov 9, 2018 | Improved structure of gem. No changes to code. |
50
+ | 0.0.1 | Nov 5, 2018 | Initial upload. |
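Review bot: The Author section gives `mike@idocs.com`, but the gem metadata in this same release has `email: miko@idocs.com`; one of the two is a typo, so make them agree before publishing. Separately, the `cdn` example adds the whole host `code.jquery.com` to `script-src` and `style-src`; a sentence saying that this allows any script or stylesheet served from that host would fit next to the existing "EzCSP isn't a substitute for understanding content security policies" paragraph.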
@@ -5,42 +5,6 @@ require 'json'
5
5
  #
6
6
 
7
7
  ##
8
- # EzCSP provides a simple object-oriented way to generate
9
- # <tt>Content-Security-Policy</tt> HTTP headers. For documentation on CSP,
10
- # see {Mozilla's Content-Security-Policy page}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy].
11
- #
12
- # Basic usage:
13
- #
14
- # require 'ezcsp'
15
- # csp = EzCSP.new()
16
- #
17
- # Then, depending on how you output HTTP headers, you could output the CSP header
18
- # something like this:
19
- #
20
- # headers['Content-Security-Policy'] = csp.to_s
21
- #
22
- # <tt>csp.to_s</tt>, by default, returns this string:
23
- #
24
- # default-src 'self'; frame-src 'self'; object-src 'none'; form-action 'self'; frame-ancestors 'self'; base-uri 'none'; block-all-mixed-content;
25
- #
26
- # By default, the header value is very restrictive. It basically states that no
27
- # resources — scripts, styles, images, etc. — from outside the current web site
28
- # can be used. Expand that set of allowed resources by adding to the accessors
29
- # listed below, usually by using the #cdn method. So, for example, to
30
- # allow the browser to get scripts and styles from <tt>code.jquery.com</tt>,
31
- # you would do this:
32
- #
33
- # csp.cdn 'code.jquery.com', 'script_src', 'style_src'
34
- #
35
- # which would produce this header value:
36
- #
37
- # default-src 'self'; script-src 'self' code.jquery.com; style-src 'self' code.jquery.com; frame-src 'self'; object-src 'none'; form-action 'self'; frame-ancestors 'self'; base-uri 'none'; block-all-mixed-content;
38
- #
39
- # EzCSP isn't a substitute for understanding content security policies. Make
40
- # sure you
41
- # {read up on CSP}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy]
42
- # before using this class.
43
- #
44
8
  # In the array attributes listed below, if the value <tt>none</tt> is in the
45
9
  # array, then all other values are ignored.
46
10
 
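Review bot: After this removal the class comment opened by `##` starts directly with "In the array attributes listed below, if the value none is in the array", so the generated class documentation no longer says what EzCSP is or shows how to call it. The new README points readers to "the accessors listed in the class documentation", so keep a one- or two-line summary here with a pointer to README.md instead of deleting the whole block.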
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: ezcsp
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.0.1
4
+ version: 0.0.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Mike O'Sullivan
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2018-11-05 00:00:00.000000000 Z
11
+ date: 2018-11-10 00:00:00.000000000 Z
12
12
  dependencies: []
13
13
  description: Simplifies creating a content security policy for use as an HTTP header
14
14
  email: miko@idocs.com
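Review bot: `date: 2018-11-10` on the changed line does not match the README History row for 0.0.2, which says Nov 9, 2018. If this field is filled in when the gem is built, the README row is the one to adjust; either way the two should state the same release date.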
@@ -16,6 +16,7 @@ executables: []
16
16
  extensions: []
17
17
  extra_rdoc_files: []
18
18
  files:
19
+ - README.md
19
20
  - lib/ezcsp.rb
20
21
  homepage: https://rubygems.org/gems/ezcsp
21
22
  licenses:
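Review bot: `README.md` is added under `files:` while `extra_rdoc_files: []` in the context lines stays empty, so the usage text this release moves out of lib/ezcsp.rb ships in the gem but is not listed for RDoc. Listing README.md in `extra_rdoc_files` as well would keep that text in the generated documentation.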