panda_pal 4.0.4 → 4.0.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/panda_pal/engine.rb +20 -1
- data/lib/panda_pal/helpers/controller_helper.rb +2 -0
- data/lib/panda_pal/version.rb +1 -1
- data/panda_pal.gemspec +1 -1
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: da0905133cf5f9f6e481e3a70590d4f55e1641d496b3728c19493b374ba949db
|
|
4
|
+
data.tar.gz: d59f2ffff44b154d13ce2e0d6da0d0074b353c32b28bcf32cf51cabcea1888d2
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: cf5b13fe0eb054b4c36425c762a9466d5146fe6ebfa1f3671e2fb6ca05a98d37f58711aba9d2856f58be4f719e931526a8ba90611eec9583ba4fae8bcf637841
|
|
7
|
+
data.tar.gz: 70d00cca3aaa7f224ce120a501bdc868d05b582056c29df8850454672f07a3488a837d4d2a701c4708414b2643a6af898bdb755695b2aeeb249e977f6f97ff76
|
data/lib/panda_pal/engine.rb
CHANGED
|
@@ -59,8 +59,27 @@ module PandaPal
|
|
|
59
59
|
|
|
60
60
|
SecureHeaders::Configuration.default do |config|
|
|
61
61
|
# The default cookie headers aren't compatable with PandaPal cookies currenntly
|
|
62
|
-
config.cookies =
|
|
62
|
+
config.cookies = { samesite: { none: true } }
|
|
63
|
+
|
|
64
|
+
# Need to allow LTI iframes
|
|
65
|
+
config.x_frame_options = "ALLOWALL"
|
|
66
|
+
|
|
67
|
+
config.x_content_type_options = "nosniff"
|
|
68
|
+
config.x_xss_protection = "1; mode=block"
|
|
69
|
+
config.referrer_policy = %w(origin-when-cross-origin strict-origin-when-cross-origin)
|
|
63
70
|
|
|
71
|
+
config.csp = {
|
|
72
|
+
default_src: %w('self'),
|
|
73
|
+
script_src: script_src,
|
|
74
|
+
# Certain CSS-in-JS libraries inline the CSS, so we need to use unsafe-inline for them
|
|
75
|
+
style_src: %w('self' 'unsafe-inline' blob: https://fonts.googleapis.com),
|
|
76
|
+
font_src: %w('self' data: https://fonts.gstatic.com),
|
|
77
|
+
connect_src: connect_src,
|
|
78
|
+
}
|
|
79
|
+
end
|
|
80
|
+
|
|
81
|
+
SecureHeaders::Configuration.override(:safari_override) do |config|
|
|
82
|
+
config.cookies = SecureHeaders::OPT_OUT
|
|
64
83
|
# Need to allow LTI iframes
|
|
65
84
|
config.x_frame_options = "ALLOWALL"
|
|
66
85
|
|
|
@@ -26,6 +26,7 @@ module PandaPal::Helpers::ControllerHelper
|
|
|
26
26
|
|
|
27
27
|
def validate_launch!
|
|
28
28
|
authorized = false
|
|
29
|
+
use_secure_headers_override(:safari_override) if browser.safari?
|
|
29
30
|
if @organization = params['oauth_consumer_key'] && PandaPal::Organization.find_by_key(params['oauth_consumer_key'])
|
|
30
31
|
sanitized_params = request.request_parameters
|
|
31
32
|
# These params come over with a safari-workaround launch. The authenticator doesn't like them, so clean them out.
|
|
@@ -73,6 +74,7 @@ module PandaPal::Helpers::ControllerHelper
|
|
|
73
74
|
session[:safari_cookie_fixed] = true
|
|
74
75
|
redirect_to params[:return_to]
|
|
75
76
|
else
|
|
77
|
+
use_secure_headers_override(:safari_override)
|
|
76
78
|
render 'panda_pal/lti/iframe_cookie_fix', layout: false
|
|
77
79
|
end
|
|
78
80
|
end
|
data/lib/panda_pal/version.rb
CHANGED
data/panda_pal.gemspec
CHANGED
|
@@ -21,7 +21,7 @@ Gem::Specification.new do |s|
|
|
|
21
21
|
s.add_dependency 'ims-lti', '~> 2.2.3'
|
|
22
22
|
s.add_dependency 'browser', '2.5.0'
|
|
23
23
|
s.add_dependency 'attr_encrypted', '~> 3.0.0'
|
|
24
|
-
s.add_dependency 'secure_headers', '~> 6.
|
|
24
|
+
s.add_dependency 'secure_headers', '~> 6.1.2'
|
|
25
25
|
s.add_development_dependency 'rspec-rails'
|
|
26
26
|
s.add_development_dependency 'factory_girl_rails'
|
|
27
27
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: panda_pal
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.0.
|
|
4
|
+
version: 4.0.6
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Instructure ProServe
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2020-01-22 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rails
|
|
@@ -106,14 +106,14 @@ dependencies:
|
|
|
106
106
|
requirements:
|
|
107
107
|
- - "~>"
|
|
108
108
|
- !ruby/object:Gem::Version
|
|
109
|
-
version: 6.
|
|
109
|
+
version: 6.1.2
|
|
110
110
|
type: :runtime
|
|
111
111
|
prerelease: false
|
|
112
112
|
version_requirements: !ruby/object:Gem::Requirement
|
|
113
113
|
requirements:
|
|
114
114
|
- - "~>"
|
|
115
115
|
- !ruby/object:Gem::Version
|
|
116
|
-
version: 6.
|
|
116
|
+
version: 6.1.2
|
|
117
117
|
- !ruby/object:Gem::Dependency
|
|
118
118
|
name: rspec-rails
|
|
119
119
|
requirement: !ruby/object:Gem::Requirement
|