panda_pal 3.2.3 → 4.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/app/views/panda_pal/lti/iframe_cookie_fix.html.erb +1 -1
- data/lib/panda_pal/engine.rb +38 -0
- data/lib/panda_pal/version.rb +1 -1
- data/panda_pal.gemspec +1 -0
- metadata +16 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: d06b29a94018b002f596dd6182ae6e99b2095d77
|
|
4
|
+
data.tar.gz: 333749f144fa69a081204fc36664f1250d2667b0
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 31d73e9e8d25d4d5ba6930e7582ddb83a41c43c7c088c2bd283cfa26e9f87ae03f426e940e2502b38ba11debc06c8e99715c4229b8fd3b11861e7f10d332cd3d
|
|
7
|
+
data.tar.gz: 5ffd1dcf5a23a191b3d3ad8acfaf38d0bfbad58ca172c610559f49b8281ec047381eea8500d237d34695b098c6b15261a078b990111581dcba6595dd8d4b2029
|
data/lib/panda_pal/engine.rb
CHANGED
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
require 'apartment'
|
|
2
2
|
require 'ims/lti'
|
|
3
3
|
require 'attr_encrypted'
|
|
4
|
+
require 'secure_headers'
|
|
4
5
|
|
|
5
6
|
module PandaPal
|
|
6
7
|
class Engine < ::Rails::Engine
|
|
@@ -40,5 +41,42 @@ module PandaPal
|
|
|
40
41
|
PandaPal::propagate_lti_navigation
|
|
41
42
|
end
|
|
42
43
|
end
|
|
44
|
+
|
|
45
|
+
initializer :secure_headers do |app|
|
|
46
|
+
connect_src = %w('self')
|
|
47
|
+
script_src = %w('self')
|
|
48
|
+
|
|
49
|
+
if Rails.env.development?
|
|
50
|
+
# Allow webpack-dev-server to work
|
|
51
|
+
connect_src << "http://localhost:3035"
|
|
52
|
+
connect_src << "ws://localhost:3035"
|
|
53
|
+
|
|
54
|
+
# Allow stuff like rack-mini-profiler to work in development:
|
|
55
|
+
# https://github.com/MiniProfiler/rack-mini-profiler/issues/327
|
|
56
|
+
# DON'T ENABLE THIS FOR PRODUCTION!
|
|
57
|
+
script_src << "'unsafe-eval'"
|
|
58
|
+
end
|
|
59
|
+
|
|
60
|
+
SecureHeaders::Configuration.default do |config|
|
|
61
|
+
# The default cookie headers aren't compatable with PandaPal cookies currenntly
|
|
62
|
+
config.cookies = SecureHeaders::OPT_OUT
|
|
63
|
+
|
|
64
|
+
# Need to allow LTI iframes
|
|
65
|
+
config.x_frame_options = "ALLOWALL"
|
|
66
|
+
|
|
67
|
+
config.x_content_type_options = "nosniff"
|
|
68
|
+
config.x_xss_protection = "1; mode=block"
|
|
69
|
+
config.referrer_policy = %w(origin-when-cross-origin strict-origin-when-cross-origin)
|
|
70
|
+
|
|
71
|
+
config.csp = {
|
|
72
|
+
default_src: %w('self'),
|
|
73
|
+
script_src: script_src,
|
|
74
|
+
# Certain CSS-in-JS libraries inline the CSS, so we need to use unsafe-inline for them
|
|
75
|
+
style_src: %w('self' 'unsafe-inline' blob:),
|
|
76
|
+
font_src: %w('self' data:),
|
|
77
|
+
connect_src: connect_src,
|
|
78
|
+
}
|
|
79
|
+
end
|
|
80
|
+
end
|
|
43
81
|
end
|
|
44
82
|
end
|
data/lib/panda_pal/version.rb
CHANGED
data/panda_pal.gemspec
CHANGED
|
@@ -21,6 +21,7 @@ Gem::Specification.new do |s|
|
|
|
21
21
|
s.add_dependency 'ims-lti', '~> 2.2.3'
|
|
22
22
|
s.add_dependency 'browser', '2.5.0'
|
|
23
23
|
s.add_dependency 'attr_encrypted', '~> 3.0.0'
|
|
24
|
+
s.add_dependency 'secure_headers', '~> 6.0.0'
|
|
24
25
|
s.add_development_dependency 'rspec-rails'
|
|
25
26
|
s.add_development_dependency 'factory_girl_rails'
|
|
26
27
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: panda_pal
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version:
|
|
4
|
+
version: 4.0.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Instructure ProServe
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-10-
|
|
11
|
+
date: 2018-10-24 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rails
|
|
@@ -100,6 +100,20 @@ dependencies:
|
|
|
100
100
|
- - "~>"
|
|
101
101
|
- !ruby/object:Gem::Version
|
|
102
102
|
version: 3.0.0
|
|
103
|
+
- !ruby/object:Gem::Dependency
|
|
104
|
+
name: secure_headers
|
|
105
|
+
requirement: !ruby/object:Gem::Requirement
|
|
106
|
+
requirements:
|
|
107
|
+
- - "~>"
|
|
108
|
+
- !ruby/object:Gem::Version
|
|
109
|
+
version: 6.0.0
|
|
110
|
+
type: :runtime
|
|
111
|
+
prerelease: false
|
|
112
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
113
|
+
requirements:
|
|
114
|
+
- - "~>"
|
|
115
|
+
- !ruby/object:Gem::Version
|
|
116
|
+
version: 6.0.0
|
|
103
117
|
- !ruby/object:Gem::Dependency
|
|
104
118
|
name: rspec-rails
|
|
105
119
|
requirement: !ruby/object:Gem::Requirement
|