rack-disable_css_animations 0.5.0 → 0.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +5 -0
  3. data/lib/rack/disable_css_animations/version.rb +1 -1
  4. data/lib/rack/disable_css_animations.rb +10 -2
  5. data/test/test_disable_css_animations.rb +26 -0
  6. metadata +1 -1
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: ea999d1e3559763383af7d5ee86a43a11d39db3b96a94f6ddd9b4e475948217c
4
- data.tar.gz: 93fe65b137aeab7996bf2251eea15533a96954654113c754c908ca3408d7f7c8
3
+ metadata.gz: bad6feef29bab1e1a2a8e97b26657b599173d23b85fbb484a9b4cfe3efb05030
4
+ data.tar.gz: 3bca0f36e15ed91ecd7bae9deecec5d344cb82ae7cc27aae1e9064dd596a45e8
5
5
  SHA512:
6
- metadata.gz: 33e7ed70f886c5b1ac11fcb98bc4783afdcd902dfae88f007180dcc773f9655115f02736decdb5fd530ad35a1a885c02f8fb53755c57ae2f9b7f412f18788cec
7
- data.tar.gz: 252f743b815f325d8173caf19338987efa87a0e027b9208521eac101c4dcc9c931dfc2f6cf912fac8161b94acaa842dc1665a8c3ebe1501a132ea3a6db749177
6
+ metadata.gz: d4344c6fe201e54525d0c939c67466fe876fb305d88ec2dddd0d4d433d30efa4f4b28367e83d4bcdee5c2b0aa922fb4260d981426c57ced8711989fa8ad8fc85
7
+ data.tar.gz: d9bdb2f55b3dbe8e4ac7f2c3d5b50e35cf53b6f0082302623f6b56786eef363d35660af0915018573d6b0504c507fb4693eda74529e4c3d41b247724005e35bb
data/CHANGELOG.md CHANGED
@@ -1,5 +1,10 @@
1
1
  # Changelog
2
2
 
3
+ ## 0.5.1
4
+
5
+ - Recognize the `Content-Security-Policy-Report-Only` header (in both canonical and lowercase form) when no enforcing `Content-Security-Policy` header is present, so the injected `<style>` tag's nonce matches in apps running CSP in report-only mode.
6
+ - Insert the middleware before `ActionDispatch::ContentSecurityPolicy::Middleware` so the CSP header has already been added to the response by the time we read it. Previously the middleware ran before CSP on the response, so the header was always absent.
7
+
3
8
  ## 0.5.0
4
9
 
5
10
  - Add CSP nonce support: when the response's `Content-Security-Policy` header sets a `style-src 'nonce-…'`, the injected `<style>` tag now carries a matching `nonce` attribute so it is not blocked by CSP.
data/lib/rack/disable_css_animations/version.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  module Rack
2
2
  class DisableCSSAnimations
3
- VERSION = "0.5.0"
3
+ VERSION = "0.5.1"
4
4
  end
5
5
  end
data/lib/rack/disable_css_animations.rb CHANGED
@@ -4,7 +4,11 @@ module Rack
4
4
  class DisableCSSAnimations
5
5
  if defined?(Rails)
6
6
  class Rails < Rails::Railtie
7
- config.app_middleware.use DisableCSSAnimations
7
+ initializer "rack-disable_css_animations.insert_middleware" do |app|
8
+ app.middleware.insert_before ActionDispatch::ContentSecurityPolicy::Middleware, DisableCSSAnimations
9
+ rescue RuntimeError
10
+ app.middleware.use DisableCSSAnimations
11
+ end
8
12
  end
9
13
  end
10
14
 
@@ -34,7 +38,11 @@ module Rack
34
38
  end
35
39
 
36
40
  def csp_header
37
- @headers["Content-Security-Policy"] || @headers["content-security-policy"] || ""
41
+ @headers["Content-Security-Policy"] ||
42
+ @headers["content-security-policy"] ||
43
+ @headers["Content-Security-Policy-Report-Only"] ||
44
+ @headers["content-security-policy-report-only"] ||
45
+ ""
38
46
  end
39
47
 
40
48
  def directive_nonces
data/test/test_disable_css_animations.rb CHANGED
@@ -81,4 +81,30 @@ class TestDisableCSSAnimations < Minitest::Test
81
81
 
82
82
  assert_includes last_response.body, %(<style nonce="lower1">)
83
83
  end
84
+
85
+ def test_report_only_csp_header_nonce_is_used_when_enforcing_header_absent
86
+ self.response_headers["Content-Security-Policy-Report-Only"] = "style-src 'nonce-reportonly1'"
87
+
88
+ get "/"
89
+
90
+ assert_includes last_response.body, %(<style nonce="reportonly1">)
91
+ end
92
+
93
+ def test_lowercase_report_only_csp_header_is_also_recognized
94
+ self.response_headers = { "Content-Type" => "text/html", "content-security-policy-report-only" => "style-src 'nonce-reportonly2'" }
95
+
96
+ get "/"
97
+
98
+ assert_includes last_response.body, %(<style nonce="reportonly2">)
99
+ end
100
+
101
+ def test_enforcing_header_takes_precedence_over_report_only
102
+ self.response_headers["Content-Security-Policy"] = "style-src 'nonce-enforced'"
103
+ self.response_headers["Content-Security-Policy-Report-Only"] = "style-src 'nonce-reportonly'"
104
+
105
+ get "/"
106
+
107
+ assert_includes last_response.body, %(<style nonce="enforced">)
108
+ refute_includes last_response.body, "reportonly"
109
+ end
84
110
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack-disable_css_animations
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.5.0
4
+ version: 0.5.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Micah Geisel