panda_pal 4.0.6 → 4.0.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: da0905133cf5f9f6e481e3a70590d4f55e1641d496b3728c19493b374ba949db
-  data.tar.gz: d59f2ffff44b154d13ce2e0d6da0d0074b353c32b28bcf32cf51cabcea1888d2
+  metadata.gz: 191c2d9f7cf6b18d5ed8cbce6fe4e0df6500932aaf9d03be4acfc1988799849b
+  data.tar.gz: aa49c20146e96c20b7a4662840a1bc10e5e5582643316e0b4cfec504dbe78c5b
 SHA512:
-  metadata.gz: cf5b13fe0eb054b4c36425c762a9466d5146fe6ebfa1f3671e2fb6ca05a98d37f58711aba9d2856f58be4f719e931526a8ba90611eec9583ba4fae8bcf637841
-  data.tar.gz: 70d00cca3aaa7f224ce120a501bdc868d05b582056c29df8850454672f07a3488a837d4d2a701c4708414b2643a6af898bdb755695b2aeeb249e977f6f97ff76
+  metadata.gz: 60d1ce4ff05cec9b339f1ff9dfaa2c49e56381011a3fa51fb5fddde69c3e7717fe4d2d3ab5535f04940f0ba5fc116a8befa8235add607715acbda3ca659e192e
+  data.tar.gz: e0f27943ef2516c3fef1902428b2cb015050c8211316d13d568cbd8e65598c4f311ee916548bc44300417626fa09e7d1eb81ddda411eef4be87cd5a395116b49

data/lib/panda_pal/engine.rb

@@ -59,7 +59,7 @@ module PandaPal
 
       SecureHeaders::Configuration.default do |config|
         # The default cookie headers aren't compatable with PandaPal cookies currenntly
-        config.cookies = { samesite: { none: true } }
+        config.cookies = SecureHeaders::OPT_OUT
 
         # Need to allow LTI iframes
         config.x_frame_options = "ALLOWALL"
@@ -78,23 +78,8 @@ module PandaPal
         }
       end
 
-      SecureHeaders::Configuration.override(:safari_override) do |config|
-        config.cookies = SecureHeaders::OPT_OUT
-        # Need to allow LTI iframes
-        config.x_frame_options = "ALLOWALL"
-
-        config.x_content_type_options = "nosniff"
-        config.x_xss_protection = "1; mode=block"
-        config.referrer_policy = %w(origin-when-cross-origin strict-origin-when-cross-origin)
-
-        config.csp = {
-          default_src: %w('self'),
-          script_src: script_src,
-          # Certain CSS-in-JS libraries inline the CSS, so we need to use unsafe-inline for them
-          style_src: %w('self' 'unsafe-inline' blob: https://fonts.googleapis.com),
-          font_src: %w('self' data: https://fonts.gstatic.com),
-          connect_src: connect_src,
-        }
+      SecureHeaders::Configuration.override(:non_safari_override) do |config|
+        config.cookies = { samesite: { none: true } }
       end
     end
   end

data/lib/panda_pal/helpers/controller_helper.rb

@@ -26,7 +26,7 @@ module PandaPal::Helpers::ControllerHelper
 
   def validate_launch!
     authorized = false
-    use_secure_headers_override(:safari_override) if browser.safari?
+    use_secure_headers_override(:non_safari_override) if !browser.safari? && !session.loaded?
     if @organization = params['oauth_consumer_key'] && PandaPal::Organization.find_by_key(params['oauth_consumer_key'])
       sanitized_params = request.request_parameters
       # These params come over with a safari-workaround launch.  The authenticator doesn't like them, so clean them out.
@@ -74,7 +74,6 @@ module PandaPal::Helpers::ControllerHelper
       session[:safari_cookie_fixed] = true
       redirect_to params[:return_to]
     else
-      use_secure_headers_override(:safari_override)
       render 'panda_pal/lti/iframe_cookie_fix', layout: false
     end
   end

data/lib/panda_pal/version.rb

@@ -1,3 +1,3 @@
 module PandaPal
-  VERSION = "4.0.6"
+  VERSION = "4.0.7"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: panda_pal
 version: !ruby/object:Gem::Version
-  version: 4.0.6
+  version: 4.0.7
 platform: ruby
 authors:
 - Instructure ProServe
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-01-22 00:00:00.000000000 Z
+date: 2020-01-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails