panda_pal 3.2.3 → 4.0.0

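--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 2de62b8e33689a9b977186c7886fa941a74e01e8
-data.tar.gz: b40a4b7f488abbf8204b5024d033f3b7488ef811
+metadata.gz: d06b29a94018b002f596dd6182ae6e99b2095d77
+data.tar.gz: 333749f144fa69a081204fc36664f1250d2667b0
 SHA512:
-metadata.gz: 356f9ab2fcce637dd21186a006a9ce83820a72df5e2c6e5e6376ba8959188ed445d1ad03e50eedfa1d9cc63d62d7411713759e26d4c4e0ba6cf2b0dbdb3df4e1
-data.tar.gz: df4d02cc3ccfb78f6752fbc40b47a1bfbe9a5fbdb80d1882033e8997c66982984ebe79928f3227b099e9ddb4d11665e083e64cb88ebff4f7e680cb5eebb0281d
+metadata.gz: 31d73e9e8d25d4d5ba6930e7582ddb83a41c43c7c088c2bd283cfa26e9f87ae03f426e940e2502b38ba11debc06c8e99715c4229b8fd3b11861e7f10d332cd3d
+data.tar.gz: 5ffd1dcf5a23a191b3d3ad8acfaf38d0bfbad58ca172c610559f49b8281ec047381eea8500d237d34695b098c6b15261a078b990111581dcba6595dd8d4b2029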
@@ -1,4 +1,4 @@
1
- <script>
1
+ <script nonce=<%= content_security_policy_script_nonce %>>
2
2
  var referrer = document.referrer;
3
3
  top.window.location='?safari_cookie_fix=true&return_to='.concat(encodeURI(referrer));
4
4
  </script>
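Review bot: The `nonce` attribute on the new `<script>` tag at line 1 is unquoted, and a base64 nonce (what secure_headers' generator emits) can end in `=`, which is not permitted in an unquoted HTML attribute value; browsers recover, but the markup is invalid and the fix is simply `<script nonce="<%= content_security_policy_script_nonce %>">`. Note that `content_security_policy_script_nonce` comes from `SecureHeaders::ViewHelper` (I can't see from this hunk where that module is included in the engine's view helper chain); calling it is what appends the per-request `'nonce-…'` to the `script-src` the gem now enforces, so if the helper is not in scope the page will raise rather than silently fall back to an unnonced script. A short comment on the tag, `<%# nonce must come from SecureHeaders::ViewHelper so it is registered in the request's script-src %>`, would make that dependency explicit.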
@@ -1,6 +1,7 @@
1
1
  require 'apartment'
2
2
  require 'ims/lti'
3
3
  require 'attr_encrypted'
4
+ require 'secure_headers'
4
5
 
5
6
  module PandaPal
6
7
  class Engine < ::Rails::Engine
@@ -40,5 +41,42 @@ module PandaPal
40
41
  PandaPal::propagate_lti_navigation
41
42
  end
42
43
  end
44
+
45
+ initializer :secure_headers do |app|
46
+ connect_src = %w('self')
47
+ script_src = %w('self')
48
+
49
+ if Rails.env.development?
50
+ # Allow webpack-dev-server to work
51
+ connect_src << "http://localhost:3035"
52
+ connect_src << "ws://localhost:3035"
53
+
54
+ # Allow stuff like rack-mini-profiler to work in development:
55
+ # https://github.com/MiniProfiler/rack-mini-profiler/issues/327
56
+ # DON'T ENABLE THIS FOR PRODUCTION!
57
+ script_src << "'unsafe-eval'"
58
+ end
59
+
60
+ SecureHeaders::Configuration.default do |config|
61
+ # The default cookie headers aren't compatable with PandaPal cookies currenntly
62
+ config.cookies = SecureHeaders::OPT_OUT
63
+
64
+ # Need to allow LTI iframes
65
+ config.x_frame_options = "ALLOWALL"
66
+
67
+ config.x_content_type_options = "nosniff"
68
+ config.x_xss_protection = "1; mode=block"
69
+ config.referrer_policy = %w(origin-when-cross-origin strict-origin-when-cross-origin)
70
+
71
+ config.csp = {
72
+ default_src: %w('self'),
73
+ script_src: script_src,
74
+ # Certain CSS-in-JS libraries inline the CSS, so we need to use unsafe-inline for them
75
+ style_src: %w('self' 'unsafe-inline' blob:),
76
+ font_src: %w('self' data:),
77
+ connect_src: connect_src,
78
+ }
79
+ end
80
+ end
43
81
  end
44
82
  end
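Review bot: The `config.csp` hash added at lines 71-78 omits the directives that do not fall back to `default-src`, so `<base href>` injection and framing are left unrestricted — and `x_frame_options = "ALLOWALL"` is a non-standard value that browsers discard rather than enforce, which amounts to sending no header at all. Add `base_uri: %w('self'),` and, since LTI embedding is the stated reason for allowing frames, a `frame_ancestors:` list limited to the launching platform's origins (I can't tell from this hunk which hosts those are, so they belong in engine configuration rather than a literal); `form_action` is also worth a look, but only with the platform's return URLs included, because LTI content-item flows POST back to the platform. With `frame-ancestors` set, the XFO entry can become `SecureHeaders::OPT_OUT` rather than a header emitted only to be ignored. Also note that `SecureHeaders::Configuration.default` is a process-wide singleton (in the 6.x series it raises `AlreadyConfiguredError` on a second call, as far as I recall), so an engine claiming it will collide with a host application that also configures secure_headers; a comment such as `# Owns the global secure_headers default; host apps must use named overrides, not Configuration.default` would spare the next integrator a surprise. The initializer is entirely within the hunk, but the enclosing `Engine` class begins outside it.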
@@ -1,3 +1,3 @@
1
1
  module PandaPal
2
- VERSION = "3.2.3"
2
+ VERSION = "4.0.0"
3
3
  end
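--- a/data/panda_pal.gemspec
+++ b/data/panda_pal.gemspec
@@ -21,6 +21,7 @@ Gem::Specification.new do |s|
 s.add_dependency 'ims-lti', '~> 2.2.3'
 s.add_dependency 'browser', '2.5.0'
 s.add_dependency 'attr_encrypted', '~> 3.0.0'
+s.add_dependency 'secure_headers', '~> 6.0.0'
 s.add_development_dependency 'rspec-rails'
 s.add_development_dependency 'factory_girl_rails'
 end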
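--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: panda_pal
 version: !ruby/object:Gem::Version
-version: 3.2.3
+version: 4.0.0
 platform: ruby
 authors:
 - Instructure ProServe
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-10-17 00:00:00.000000000 Z
+date: 2018-10-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rails
@@ -100,6 +100,20 @@ dependencies:
 - - "~>"
 - !ruby/object:Gem::Version
 version: 3.0.0
+- !ruby/object:Gem::Dependency
+name: secure_headers
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 6.0.0
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 6.0.0
 - !ruby/object:Gem::Dependency
 name: rspec-rails
 requirement: !ruby/object:Gem::Requirement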