panda_pal 4.0.4 → 4.0.6
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/panda_pal/engine.rb +20 -1
- data/lib/panda_pal/helpers/controller_helper.rb +2 -0
- data/lib/panda_pal/version.rb +1 -1
- data/panda_pal.gemspec +1 -1
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: da0905133cf5f9f6e481e3a70590d4f55e1641d496b3728c19493b374ba949db
|
|
4
|
+
data.tar.gz: d59f2ffff44b154d13ce2e0d6da0d0074b353c32b28bcf32cf51cabcea1888d2
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: cf5b13fe0eb054b4c36425c762a9466d5146fe6ebfa1f3671e2fb6ca05a98d37f58711aba9d2856f58be4f719e931526a8ba90611eec9583ba4fae8bcf637841
|
|
7
|
+
data.tar.gz: 70d00cca3aaa7f224ce120a501bdc868d05b582056c29df8850454672f07a3488a837d4d2a701c4708414b2643a6af898bdb755695b2aeeb249e977f6f97ff76
|
data/lib/panda_pal/engine.rb
CHANGED
|
@@ -59,8 +59,27 @@ module PandaPal
|
|
|
59
59
|
|
|
60
60
|
SecureHeaders::Configuration.default do |config|
|
|
61
61
|
# The default cookie headers aren't compatable with PandaPal cookies currenntly
|
|
62
|
-
config.cookies =
|
|
62
|
+
config.cookies = { samesite: { none: true } }
|
|
63
|
+
|
|
64
|
+
# Need to allow LTI iframes
|
|
65
|
+
config.x_frame_options = "ALLOWALL"
|
|
66
|
+
|
|
67
|
+
config.x_content_type_options = "nosniff"
|
|
68
|
+
config.x_xss_protection = "1; mode=block"
|
|
69
|
+
config.referrer_policy = %w(origin-when-cross-origin strict-origin-when-cross-origin)
|
|
63
70
|
|
|
71
|
+
config.csp = {
|
|
72
|
+
default_src: %w('self'),
|
|
73
|
+
script_src: script_src,
|
|
74
|
+
# Certain CSS-in-JS libraries inline the CSS, so we need to use unsafe-inline for them
|
|
75
|
+
style_src: %w('self' 'unsafe-inline' blob: https://fonts.googleapis.com),
|
|
76
|
+
font_src: %w('self' data: https://fonts.gstatic.com),
|
|
77
|
+
connect_src: connect_src,
|
|
78
|
+
}
|
|
79
|
+
end
|
|
80
|
+
|
|
81
|
+
SecureHeaders::Configuration.override(:safari_override) do |config|
|
|
82
|
+
config.cookies = SecureHeaders::OPT_OUT
|
|
64
83
|
# Need to allow LTI iframes
|
|
65
84
|
config.x_frame_options = "ALLOWALL"
|
|
66
85
|
|
|
@@ -26,6 +26,7 @@ module PandaPal::Helpers::ControllerHelper
|
|
|
26
26
|
|
|
27
27
|
def validate_launch!
|
|
28
28
|
authorized = false
|
|
29
|
+
use_secure_headers_override(:safari_override) if browser.safari?
|
|
29
30
|
if @organization = params['oauth_consumer_key'] && PandaPal::Organization.find_by_key(params['oauth_consumer_key'])
|
|
30
31
|
sanitized_params = request.request_parameters
|
|
31
32
|
# These params come over with a safari-workaround launch. The authenticator doesn't like them, so clean them out.
|
|
@@ -73,6 +74,7 @@ module PandaPal::Helpers::ControllerHelper
|
|
|
73
74
|
session[:safari_cookie_fixed] = true
|
|
74
75
|
redirect_to params[:return_to]
|
|
75
76
|
else
|
|
77
|
+
use_secure_headers_override(:safari_override)
|
|
76
78
|
render 'panda_pal/lti/iframe_cookie_fix', layout: false
|
|
77
79
|
end
|
|
78
80
|
end
|
data/lib/panda_pal/version.rb
CHANGED
data/panda_pal.gemspec
CHANGED
|
@@ -21,7 +21,7 @@ Gem::Specification.new do |s|
|
|
|
21
21
|
s.add_dependency 'ims-lti', '~> 2.2.3'
|
|
22
22
|
s.add_dependency 'browser', '2.5.0'
|
|
23
23
|
s.add_dependency 'attr_encrypted', '~> 3.0.0'
|
|
24
|
-
s.add_dependency 'secure_headers', '~> 6.
|
|
24
|
+
s.add_dependency 'secure_headers', '~> 6.1.2'
|
|
25
25
|
s.add_development_dependency 'rspec-rails'
|
|
26
26
|
s.add_development_dependency 'factory_girl_rails'
|
|
27
27
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: panda_pal
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.0.
|
|
4
|
+
version: 4.0.6
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Instructure ProServe
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2020-01-22 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rails
|
|
@@ -106,14 +106,14 @@ dependencies:
|
|
|
106
106
|
requirements:
|
|
107
107
|
- - "~>"
|
|
108
108
|
- !ruby/object:Gem::Version
|
|
109
|
-
version: 6.
|
|
109
|
+
version: 6.1.2
|
|
110
110
|
type: :runtime
|
|
111
111
|
prerelease: false
|
|
112
112
|
version_requirements: !ruby/object:Gem::Requirement
|
|
113
113
|
requirements:
|
|
114
114
|
- - "~>"
|
|
115
115
|
- !ruby/object:Gem::Version
|
|
116
|
-
version: 6.
|
|
116
|
+
version: 6.1.2
|
|
117
117
|
- !ruby/object:Gem::Dependency
|
|
118
118
|
name: rspec-rails
|
|
119
119
|
requirement: !ruby/object:Gem::Requirement
|