rack-padlock 0.0.2 → 0.0.3

data/README.md CHANGED
@@ -1,10 +1,10 @@
1
1
  # rack-padlock
2
2
 
3
- A toolkit for rack applications that ensures _ALL_ content on a page is secure. The browser padlock is pretty important for commercial web applications. Modern sites rely on so many third party services: analytics, video players, social media widgets. With all these moving parts it's easy to end up with a broken padlock. Rack-Padlock will increase the visibility of padlock problems to your development team, and it's dead easy to use.
3
+ A toolkit for rack applications that ensures _ALL_ content on a page adheres to your [Content Security Policy][W3C CSP spec]. The browser padlock is pretty important for commercial web applications. Modern sites rely on so many third party services: analytics, video players, social media widgets. With all these moving parts it's easy to end up with a broken padlock. Rack-Padlock will increase the visibility of padlock problems to your development team, and it's dead easy to use.
4
4
 
5
5
  ## Prerequisites
6
6
 
7
- All you need to have a rack based application! (Rails, Sinatra, Camping, etc...)
7
+ All you need to have is a rack based application! (Rails, Sinatra, Camping, etc...)
8
8
 
9
9
  ## Setup
10
10
 
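Review bot: the rewritten first sentence on line 3 now says the page "adheres to your [Content Security Policy]", but the rest of the README and the policy string in lib/rack/padlock.rb in this same release show rack-padlock injecting its own fixed report-only policy (`default-src https: ...`) rather than checking a policy the user wrote, so the new wording promises something the tool does not do. Suggest phrasing that matches the behaviour, for example "ensures _ALL_ content on a page is loaded over HTTPS, using a report-only [Content Security Policy][W3C CSP spec]". The grammar fix on line 7 ("All you need to have is") is fine.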
@@ -46,7 +46,7 @@ Once you've set things up simply run
46
46
  rake padlock
47
47
  ```
48
48
 
49
- This will run the padlock tests. If any of your integration tests mix secure and insecure content, the padlock test will fail.
49
+ This will run the padlock tests. If any of your integration tests mix secure and insecure content, the padlock test will fail. ![alt text](http://dl.dropbox.com/u/80061077/Screenshots/c.png "Example of failing tests")
50
50
 
51
51
  ## Example rack application
52
52
 
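Review bot: the screenshot added on line 49 is served from a personal Dropbox public link over plain `http://`, which is fragile (the URL can vanish or change at any time) and an odd choice for a README whose whole subject is keeping non-HTTPS content off the page; it is also glued onto the end of the sentence, so it renders inline with the text rather than as its own figure. Suggest committing the PNG to the repository and referencing it on its own line with a relative path, e.g. `![Example of failing tests](doc/failing-tests.png)` (the path is only a suggestion).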
@@ -56,6 +56,8 @@ Have a look at a simple sinatra application that demonstrates rack-padlock at ht
56
56
 
57
57
  Rack-Padlock starts your Rack app up with an SSL enabled webrick server. It puts a custom middleware in front of your application that implements a CSP policy. That policy requires the browser to notify us of any non SSL activity. The custom middleware intercepts these notifications and logs them. At the end of the run the rack-padlock test will either succeed or fail based on the presence of any policy violations.
58
58
 
59
- ## References
59
+ ## Not perfect
60
60
 
61
- 1. http://www.w3.org/TR/CSP/
61
+ I have noticed that CSP doesn't check resources requested by Flash. But google chrome will break the padlock when flash requests non-secure resources.
62
+
63
+ [W3C CSP spec]: http://www.w3.org/TR/CSP/
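Review bot: the new "Not perfect" section only records that CSP does not see requests made by Flash, while the companion change to lib/rack/padlock.rb adds `object-src 'none'` and `data:` to the policy and neither is mentioned here. With `object-src 'none'` in a `*-Report-Only` header the browser reports every `<object>`/`<embed>` on the page, secure or not, so a reader needs to know that any page with a Flash embed will now fail `rake padlock` regardless of what Flash itself fetches. The unchanged paragraph on line 57 ("That policy requires the browser to notify us of any non SSL activity") is no longer quite accurate for the same reason. Suggest stating both points in this section; keeping the `[W3C CSP spec]` reference definition at the bottom is correct now that line 3 links to it, so the old "References" heading can go.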
@@ -1,5 +1,5 @@
1
1
  module Rack
2
2
  class Padlock
3
- VERSION = "0.0.2"
3
+ VERSION = "0.0.3"
4
4
  end
5
5
  end
data/lib/rack/padlock.rb CHANGED
@@ -75,7 +75,7 @@ module Rack
75
75
  report_uri = "#{host}/padlock_middleware/report"
76
76
  csp_header_names = %w(Content-Security-Policy-Report-Only X-Content-Security-Policy-Report-Only X-WebKit-CSP-Report-Only)
77
77
  csp_headers = {}
78
- csp_header_names.each{|name| csp_headers[name] = "default-src https: 'unsafe-inline' 'unsafe-eval'; report-uri https://#{report_uri}"}
78
+ csp_header_names.each{|name| csp_headers[name] = "default-src https: data: 'unsafe-inline' 'unsafe-eval'; object-src 'none'; report-uri https://#{report_uri}"}
79
79
  csp_headers
80
80
  end
81
81
 
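Review bot: `object-src 'none'` on line 78 changes what the test measures, and that should be a documented, ideally configurable, decision. In a Report-Only policy it makes the browser report every plugin resource (`<object>`, `<embed>`, `<applet>`), including ones loaded over https, so a page with any Flash embed fails the padlock test even when Flash never requests insecure content; read together with the README note that CSP cannot see Flash's own requests, this is a deliberate "treat all plugins as a padlock risk" stance, but nothing in the code or README says so. Adding `data:` is fine: data: URIs are not network fetches and cannot break the padlock. Minor: the same policy string is now rebuilt inside the loop for all three header names; building it once into a local (e.g. `policy = "default-src https: data: 'unsafe-inline' 'unsafe-eval'; object-src 'none'; report-uri https://#{report_uri}"`) and assigning `csp_headers[name] = policy` avoids the three headers silently diverging on a future edit.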
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack-padlock
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.0.2
4
+ version: 0.0.3
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
@@ -9,11 +9,11 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2013-02-10 00:00:00.000000000 Z
12
+ date: 2013-02-12 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: rack
16
- requirement: &70095896651180 !ruby/object:Gem::Requirement
16
+ requirement: &70233880620940 !ruby/object:Gem::Requirement
17
17
  none: false
18
18
  requirements:
19
19
  - - ! '>='
@@ -21,10 +21,10 @@ dependencies:
21
21
  version: '0'
22
22
  type: :runtime
23
23
  prerelease: false
24
- version_requirements: *70095896651180
24
+ version_requirements: *70233880620940
25
25
  - !ruby/object:Gem::Dependency
26
26
  name: rainbow
27
- requirement: &70095900907220 !ruby/object:Gem::Requirement
27
+ requirement: &70233876684360 !ruby/object:Gem::Requirement
28
28
  none: false
29
29
  requirements:
30
30
  - - ! '>='
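Review bot: every dependency in this gemspec, runtime ones included (rack, rainbow, selenium-webdriver), is declared as `>= 0` (line 21 for rack, and the same pattern below for the others), so consumers get whatever latest version resolves at install time; for a gem that drives a real browser through selenium-webdriver and injects headers through Rack, an unexpected major bump of either can break `rake padlock` in ways this test suite will not catch. Suggest a pessimistic constraint (`~>`) on at least the major version of rack and selenium-webdriver. The `&70095896651180` to `&70233880620940` anchor renames across these hunks are Ruby object ids regenerated every time `gem build` serialises the spec and carry no information; they will churn on every release unless the generated metadata is excluded from review.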
@@ -32,10 +32,10 @@ dependencies:
32
32
  version: '0'
33
33
  type: :runtime
34
34
  prerelease: false
35
- version_requirements: *70095900907220
35
+ version_requirements: *70233876684360
36
36
  - !ruby/object:Gem::Dependency
37
37
  name: selenium-webdriver
38
- requirement: &70095900905920 !ruby/object:Gem::Requirement
38
+ requirement: &70233876683060 !ruby/object:Gem::Requirement
39
39
  none: false
40
40
  requirements:
41
41
  - - ! '>='
@@ -43,10 +43,10 @@ dependencies:
43
43
  version: '0'
44
44
  type: :runtime
45
45
  prerelease: false
46
- version_requirements: *70095900905920
46
+ version_requirements: *70233876683060
47
47
  - !ruby/object:Gem::Dependency
48
48
  name: bundler
49
- requirement: &70095900904820 !ruby/object:Gem::Requirement
49
+ requirement: &70233876682060 !ruby/object:Gem::Requirement
50
50
  none: false
51
51
  requirements:
52
52
  - - ! '>='
@@ -54,10 +54,10 @@ dependencies:
54
54
  version: '0'
55
55
  type: :development
56
56
  prerelease: false
57
- version_requirements: *70095900904820
57
+ version_requirements: *70233876682060
58
58
  - !ruby/object:Gem::Dependency
59
59
  name: rake
60
- requirement: &70095900903940 !ruby/object:Gem::Requirement
60
+ requirement: &70233876681100 !ruby/object:Gem::Requirement
61
61
  none: false
62
62
  requirements:
63
63
  - - ! '>='
@@ -65,10 +65,10 @@ dependencies:
65
65
  version: '0'
66
66
  type: :development
67
67
  prerelease: false
68
- version_requirements: *70095900903940
68
+ version_requirements: *70233876681100
69
69
  - !ruby/object:Gem::Dependency
70
70
  name: minitest
71
- requirement: &70095900903060 !ruby/object:Gem::Requirement
71
+ requirement: &70233876680220 !ruby/object:Gem::Requirement
72
72
  none: false
73
73
  requirements:
74
74
  - - ! '>='
@@ -76,10 +76,10 @@ dependencies:
76
76
  version: '0'
77
77
  type: :development
78
78
  prerelease: false
79
- version_requirements: *70095900903060
79
+ version_requirements: *70233876680220
80
80
  - !ruby/object:Gem::Dependency
81
81
  name: rack-test
82
- requirement: &70095900902260 !ruby/object:Gem::Requirement
82
+ requirement: &70233876679420 !ruby/object:Gem::Requirement
83
83
  none: false
84
84
  requirements:
85
85
  - - ! '>='
@@ -87,7 +87,7 @@ dependencies:
87
87
  version: '0'
88
88
  type: :development
89
89
  prerelease: false
90
- version_requirements: *70095900902260
90
+ version_requirements: *70233876679420
91
91
  description: A Gem for testing web applications don't generate mixed secure/insecure
92
92
  traffic. Keep that browser padlock locked!
93
93
  email: joshuacronemeyer@gmail.com