rack-padlock 0.0.2 → 0.0.3
Sign up to get free protection for your applications and to get access to all the features.
- data/README.md +7 -5
- data/lib/rack/padlock/version.rb +1 -1
- data/lib/rack/padlock.rb +1 -1
- metadata +16 -16
data/README.md
CHANGED
|
@@ -1,10 +1,10 @@
|
|
|
1
1
|
# rack-padlock
|
|
2
2
|
|
|
3
|
-
A toolkit for rack applications that ensures _ALL_ content on a page
|
|
3
|
+
A toolkit for rack applications that ensures _ALL_ content on a page adheres to your [Content Security Policy][W3C CSP spec]. The browser padlock is pretty important for commercial web applications. Modern sites rely on so many third party services: analytics, video players, social media widgets. With all these moving parts it's easy to end up with a broken padlock. Rack-Padlock will increase the visibility of padlock problems to your development team, and it's dead easy to use.
|
|
4
4
|
|
|
5
5
|
## Prerequisites
|
|
6
6
|
|
|
7
|
-
All you need to have a rack based application! (Rails, Sinatra, Camping, etc...)
|
|
7
|
+
All you need to have is a rack based application! (Rails, Sinatra, Camping, etc...)
|
|
8
8
|
|
|
9
9
|
## Setup
|
|
10
10
|
|
|
@@ -46,7 +46,7 @@ Once you've set things up simply run
|
|
|
46
46
|
rake padlock
|
|
47
47
|
```
|
|
48
48
|
|
|
49
|
-
This will run the padlock tests. If any of your integration tests mix secure and insecure content, the padlock test will fail.
|
|
49
|
+
This will run the padlock tests. If any of your integration tests mix secure and insecure content, the padlock test will fail. 
|
|
50
50
|
|
|
51
51
|
## Example rack application
|
|
52
52
|
|
|
@@ -56,6 +56,8 @@ Have a look at a simple sinatra application that demonstrates rack-padlock at ht
|
|
|
56
56
|
|
|
57
57
|
Rack-Padlock starts your Rack app up with an SSL enabled webrick server. It puts a custom middleware in front of your application that implements a CSP policy. That policy requires the browser to notify us of any non SSL activity. The custom middleware intercepts these notifications and logs them. At the end of the run the rack-padlock test will either succeed or fail based on the presence of any policy violations.
|
|
58
58
|
|
|
59
|
-
##
|
|
59
|
+
## Not perfect
|
|
60
60
|
|
|
61
|
-
|
|
61
|
+
I have noticed that CSP doesn't check resources requested by Flash. But google chrome will break the padlock when flash requests non-secure resources.
|
|
62
|
+
|
|
63
|
+
[W3C CSP spec]: http://www.w3.org/TR/CSP/
|
data/lib/rack/padlock/version.rb
CHANGED
data/lib/rack/padlock.rb
CHANGED
|
@@ -75,7 +75,7 @@ module Rack
|
|
|
75
75
|
report_uri = "#{host}/padlock_middleware/report"
|
|
76
76
|
csp_header_names = %w(Content-Security-Policy-Report-Only X-Content-Security-Policy-Report-Only X-WebKit-CSP-Report-Only)
|
|
77
77
|
csp_headers = {}
|
|
78
|
-
csp_header_names.each{|name| csp_headers[name] = "default-src https: 'unsafe-inline' 'unsafe-eval'; report-uri https://#{report_uri}"}
|
|
78
|
+
csp_header_names.each{|name| csp_headers[name] = "default-src https: data: 'unsafe-inline' 'unsafe-eval'; object-src 'none'; report-uri https://#{report_uri}"}
|
|
79
79
|
csp_headers
|
|
80
80
|
end
|
|
81
81
|
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack-padlock
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.3
|
|
5
5
|
prerelease:
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
@@ -9,11 +9,11 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2013-02-
|
|
12
|
+
date: 2013-02-12 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: rack
|
|
16
|
-
requirement: &
|
|
16
|
+
requirement: &70233880620940 !ruby/object:Gem::Requirement
|
|
17
17
|
none: false
|
|
18
18
|
requirements:
|
|
19
19
|
- - ! '>='
|
|
@@ -21,10 +21,10 @@ dependencies:
|
|
|
21
21
|
version: '0'
|
|
22
22
|
type: :runtime
|
|
23
23
|
prerelease: false
|
|
24
|
-
version_requirements: *
|
|
24
|
+
version_requirements: *70233880620940
|
|
25
25
|
- !ruby/object:Gem::Dependency
|
|
26
26
|
name: rainbow
|
|
27
|
-
requirement: &
|
|
27
|
+
requirement: &70233876684360 !ruby/object:Gem::Requirement
|
|
28
28
|
none: false
|
|
29
29
|
requirements:
|
|
30
30
|
- - ! '>='
|
|
@@ -32,10 +32,10 @@ dependencies:
|
|
|
32
32
|
version: '0'
|
|
33
33
|
type: :runtime
|
|
34
34
|
prerelease: false
|
|
35
|
-
version_requirements: *
|
|
35
|
+
version_requirements: *70233876684360
|
|
36
36
|
- !ruby/object:Gem::Dependency
|
|
37
37
|
name: selenium-webdriver
|
|
38
|
-
requirement: &
|
|
38
|
+
requirement: &70233876683060 !ruby/object:Gem::Requirement
|
|
39
39
|
none: false
|
|
40
40
|
requirements:
|
|
41
41
|
- - ! '>='
|
|
@@ -43,10 +43,10 @@ dependencies:
|
|
|
43
43
|
version: '0'
|
|
44
44
|
type: :runtime
|
|
45
45
|
prerelease: false
|
|
46
|
-
version_requirements: *
|
|
46
|
+
version_requirements: *70233876683060
|
|
47
47
|
- !ruby/object:Gem::Dependency
|
|
48
48
|
name: bundler
|
|
49
|
-
requirement: &
|
|
49
|
+
requirement: &70233876682060 !ruby/object:Gem::Requirement
|
|
50
50
|
none: false
|
|
51
51
|
requirements:
|
|
52
52
|
- - ! '>='
|
|
@@ -54,10 +54,10 @@ dependencies:
|
|
|
54
54
|
version: '0'
|
|
55
55
|
type: :development
|
|
56
56
|
prerelease: false
|
|
57
|
-
version_requirements: *
|
|
57
|
+
version_requirements: *70233876682060
|
|
58
58
|
- !ruby/object:Gem::Dependency
|
|
59
59
|
name: rake
|
|
60
|
-
requirement: &
|
|
60
|
+
requirement: &70233876681100 !ruby/object:Gem::Requirement
|
|
61
61
|
none: false
|
|
62
62
|
requirements:
|
|
63
63
|
- - ! '>='
|
|
@@ -65,10 +65,10 @@ dependencies:
|
|
|
65
65
|
version: '0'
|
|
66
66
|
type: :development
|
|
67
67
|
prerelease: false
|
|
68
|
-
version_requirements: *
|
|
68
|
+
version_requirements: *70233876681100
|
|
69
69
|
- !ruby/object:Gem::Dependency
|
|
70
70
|
name: minitest
|
|
71
|
-
requirement: &
|
|
71
|
+
requirement: &70233876680220 !ruby/object:Gem::Requirement
|
|
72
72
|
none: false
|
|
73
73
|
requirements:
|
|
74
74
|
- - ! '>='
|
|
@@ -76,10 +76,10 @@ dependencies:
|
|
|
76
76
|
version: '0'
|
|
77
77
|
type: :development
|
|
78
78
|
prerelease: false
|
|
79
|
-
version_requirements: *
|
|
79
|
+
version_requirements: *70233876680220
|
|
80
80
|
- !ruby/object:Gem::Dependency
|
|
81
81
|
name: rack-test
|
|
82
|
-
requirement: &
|
|
82
|
+
requirement: &70233876679420 !ruby/object:Gem::Requirement
|
|
83
83
|
none: false
|
|
84
84
|
requirements:
|
|
85
85
|
- - ! '>='
|
|
@@ -87,7 +87,7 @@ dependencies:
|
|
|
87
87
|
version: '0'
|
|
88
88
|
type: :development
|
|
89
89
|
prerelease: false
|
|
90
|
-
version_requirements: *
|
|
90
|
+
version_requirements: *70233876679420
|
|
91
91
|
description: A Gem for testing web applications don't generate mixed secure/insecure
|
|
92
92
|
traffic. Keep that browser padlock locked!
|
|
93
93
|
email: joshuacronemeyer@gmail.com
|