secure_headers 1.0.0 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (129) hide show
  1. data/.gitignore +4 -8
  2. data/.ruby-gemset +1 -0
  3. data/.ruby-version +1 -0
  4. data/.travis.yml +8 -3
  5. data/Gemfile +6 -8
  6. data/README.md +208 -134
  7. data/Rakefile +11 -116
  8. data/fixtures/rails_3_2_12/Gemfile +0 -8
  9. data/fixtures/rails_3_2_12/app/controllers/things_controller.rb +0 -1
  10. data/fixtures/rails_3_2_12/app/views/layouts/application.html.erb +1 -4
  11. data/fixtures/rails_3_2_12/app/views/other_things/index.html.erb +2 -1
  12. data/fixtures/rails_3_2_12/app/views/things/index.html.erb +1 -21
  13. data/fixtures/rails_3_2_12/config/application.rb +0 -54
  14. data/fixtures/rails_3_2_12/config/environments/test.rb +2 -2
  15. data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +3 -1
  16. data/fixtures/rails_3_2_12/config/routes.rb +0 -57
  17. data/fixtures/rails_3_2_12/config/script_hashes.yml +5 -0
  18. data/fixtures/rails_3_2_12/config.ru +3 -0
  19. data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +57 -19
  20. data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +18 -16
  21. data/fixtures/rails_3_2_12/spec/spec_helper.rb +1 -5
  22. data/fixtures/rails_3_2_12_no_init/Gemfile +0 -9
  23. data/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb +1 -2
  24. data/fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb +1 -1
  25. data/fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb +0 -2
  26. data/fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb +0 -21
  27. data/fixtures/rails_3_2_12_no_init/config/application.rb +0 -51
  28. data/fixtures/rails_3_2_12_no_init/config/environments/test.rb +2 -2
  29. data/fixtures/rails_3_2_12_no_init/config/routes.rb +0 -57
  30. data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +17 -12
  31. data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +17 -12
  32. data/fixtures/rails_3_2_12_no_init/spec/spec_helper.rb +3 -18
  33. data/fixtures/rails_4_1_8/Gemfile +5 -0
  34. data/fixtures/rails_4_1_8/README.rdoc +28 -0
  35. data/fixtures/rails_4_1_8/Rakefile +6 -0
  36. data/fixtures/rails_4_1_8/app/controllers/application_controller.rb +4 -0
  37. data/fixtures/rails_4_1_8/app/controllers/concerns/.keep +0 -0
  38. data/fixtures/rails_4_1_8/app/controllers/other_things_controller.rb +5 -0
  39. data/fixtures/rails_4_1_8/app/controllers/things_controller.rb +5 -0
  40. data/fixtures/rails_4_1_8/app/models/.keep +0 -0
  41. data/fixtures/rails_4_1_8/app/models/concerns/.keep +0 -0
  42. data/fixtures/rails_4_1_8/app/views/layouts/application.html.erb +11 -0
  43. data/fixtures/rails_4_1_8/app/views/other_things/index.html.erb +2 -0
  44. data/fixtures/rails_4_1_8/app/views/things/index.html.erb +1 -0
  45. data/fixtures/rails_4_1_8/config/application.rb +15 -0
  46. data/fixtures/rails_4_1_8/config/boot.rb +4 -0
  47. data/fixtures/rails_4_1_8/config/environment.rb +5 -0
  48. data/fixtures/rails_4_1_8/config/environments/test.rb +10 -0
  49. data/fixtures/rails_4_1_8/config/initializers/secure_headers.rb +17 -0
  50. data/fixtures/rails_4_1_8/config/routes.rb +4 -0
  51. data/fixtures/rails_4_1_8/config/script_hashes.yml +5 -0
  52. data/fixtures/rails_4_1_8/config/secrets.yml +22 -0
  53. data/fixtures/rails_4_1_8/config.ru +4 -0
  54. data/fixtures/rails_4_1_8/lib/assets/.keep +0 -0
  55. data/fixtures/rails_4_1_8/lib/tasks/.keep +0 -0
  56. data/fixtures/rails_4_1_8/log/.keep +0 -0
  57. data/fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb +83 -0
  58. data/fixtures/rails_4_1_8/spec/controllers/things_controller_spec.rb +59 -0
  59. data/fixtures/rails_4_1_8/spec/spec_helper.rb +15 -0
  60. data/fixtures/rails_4_1_8/vendor/assets/javascripts/.keep +0 -0
  61. data/fixtures/rails_4_1_8/vendor/assets/stylesheets/.keep +0 -0
  62. data/lib/secure_headers/hash_helper.rb +7 -0
  63. data/lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb +22 -0
  64. data/lib/secure_headers/headers/content_security_policy.rb +160 -161
  65. data/lib/secure_headers/headers/strict_transport_security.rb +2 -1
  66. data/lib/secure_headers/headers/x_download_options.rb +39 -0
  67. data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +40 -0
  68. data/lib/secure_headers/headers/x_xss_protection.rb +2 -1
  69. data/lib/secure_headers/padrino.rb +14 -0
  70. data/lib/secure_headers/railtie.rb +19 -24
  71. data/lib/secure_headers/version.rb +1 -1
  72. data/lib/secure_headers/view_helper.rb +68 -0
  73. data/lib/secure_headers.rb +70 -29
  74. data/lib/tasks/tasks.rake +48 -0
  75. data/secure_headers.gemspec +4 -5
  76. data/spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb +47 -0
  77. data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +127 -299
  78. data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +21 -20
  79. data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +12 -12
  80. data/spec/lib/secure_headers/headers/x_download_options_spec.rb +32 -0
  81. data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +12 -13
  82. data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb +64 -0
  83. data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +20 -19
  84. data/spec/lib/secure_headers_spec.rb +68 -83
  85. data/spec/spec_helper.rb +29 -18
  86. metadata +51 -66
  87. data/.rvmrc +0 -1
  88. data/Guardfile +0 -10
  89. data/HISTORY.md +0 -100
  90. data/app/controllers/content_security_policy_controller.rb +0 -53
  91. data/config/curl-ca-bundle.crt +0 -5420
  92. data/config/routes.rb +0 -3
  93. data/fixtures/rails_3_2_12/Guardfile +0 -14
  94. data/fixtures/rails_3_2_12/app/models/thing.rb +0 -3
  95. data/fixtures/rails_3_2_12/config/database.yml +0 -25
  96. data/fixtures/rails_3_2_12/config/environments/development.rb +0 -37
  97. data/fixtures/rails_3_2_12/config/environments/production.rb +0 -67
  98. data/fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb +0 -7
  99. data/fixtures/rails_3_2_12/config/initializers/inflections.rb +0 -15
  100. data/fixtures/rails_3_2_12/config/initializers/mime_types.rb +0 -5
  101. data/fixtures/rails_3_2_12/config/initializers/secret_token.rb +0 -7
  102. data/fixtures/rails_3_2_12/config/initializers/session_store.rb +0 -8
  103. data/fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb +0 -14
  104. data/fixtures/rails_3_2_12/config/locales/en.yml +0 -5
  105. data/fixtures/rails_3_2_12/db/schema.rb +0 -16
  106. data/fixtures/rails_3_2_12/db/seeds.rb +0 -7
  107. data/fixtures/rails_3_2_12_no_init/Guardfile +0 -14
  108. data/fixtures/rails_3_2_12_no_init/app/models/thing.rb +0 -3
  109. data/fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb +0 -17
  110. data/fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb +0 -6
  111. data/fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb +0 -5
  112. data/fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb +0 -5
  113. data/fixtures/rails_3_2_12_no_init/config/database.yml +0 -25
  114. data/fixtures/rails_3_2_12_no_init/config/environments/development.rb +0 -37
  115. data/fixtures/rails_3_2_12_no_init/config/environments/production.rb +0 -67
  116. data/fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb +0 -7
  117. data/fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb +0 -15
  118. data/fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb +0 -5
  119. data/fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb +0 -7
  120. data/fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb +0 -8
  121. data/fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb +0 -14
  122. data/fixtures/rails_3_2_12_no_init/config/locales/en.yml +0 -5
  123. data/fixtures/rails_3_2_12_no_init/db/schema.rb +0 -16
  124. data/fixtures/rails_3_2_12_no_init/db/seeds.rb +0 -7
  125. data/lib/secure_headers/headers/content_security_policy/browser_strategy.rb +0 -78
  126. data/lib/secure_headers/headers/content_security_policy/firefox_browser_strategy.rb +0 -72
  127. data/lib/secure_headers/headers/content_security_policy/ie_browser_strategy.rb +0 -6
  128. data/lib/secure_headers/headers/content_security_policy/standard_browser_strategy.rb +0 -22
  129. data/spec/controllers/content_security_policy_controller_spec.rb +0 -74
data/Rakefile CHANGED
@@ -33,6 +33,17 @@ task :all_spec => :spec do
33
33
  fail "Header tests with app not using initializer failed"
34
34
  Dir.chdir pwd
35
35
  end
36
+
37
+ Dir.chdir pwd
38
+ Dir.chdir 'fixtures/rails_4_1_8'
39
+ puts Dir.pwd
40
+ puts `bundle install >> /dev/null; bundle exec rspec spec`
41
+
42
+ unless $? == 0
43
+ fail "Header tests with Rails 4 failed"
44
+ Dir.chdir pwd
45
+ end
46
+
36
47
  end
37
48
 
38
49
  begin
@@ -49,119 +60,3 @@ RDoc::Task.new(:rdoc) do |rdoc|
49
60
  rdoc.options << '--line-numbers'
50
61
  rdoc.rdoc_files.include('lib/**/*.rb')
51
62
  end
52
-
53
- UPDATE_URI = 'https://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1'
54
- CA_FILE = File.expand_path(File.join('..', 'config', 'curl-ca-bundle.crt'), __FILE__)
55
- task :fetch_ca_bundle do
56
- begin
57
- FileUtils.cp CA_FILE, CA_FILE + ".bak"
58
- uri = URI.parse(UPDATE_URI)
59
- http = Net::HTTP.new(uri.host, uri.port)
60
- http.use_ssl = true
61
- http.ca_file = CA_FILE
62
- http.verify_mode = OpenSSL::SSL::VERIFY_PEER
63
- request = Net::HTTP::Get.new(uri.request_uri)
64
-
65
- ca_file = StringIO.new(http.request(request).body)
66
- File.open(CA_FILE, 'w') do |f|
67
- f.puts mozilla_license
68
- end
69
-
70
- while line = ca_file.gets
71
- next if line =~ /^#/
72
- next if line =~ /^\s*$/
73
- line.chomp!
74
-
75
- if line =~ /CKA_LABEL/
76
- label,type,cert_name = line.split(' ',3)
77
- cert_name.sub!(/^"/, "")
78
- cert_name.sub!(/"$/, "")
79
- next
80
- end
81
- if line =~ /CKA_VALUE MULTILINE_OCTAL/
82
- puts "reading cert for #{cert_name}"
83
- data=''
84
- while line = ca_file.gets
85
- break if line =~ /^END/
86
- line.chomp!
87
- line.gsub(/\\([0-3][0-7][0-7])/) { data += $1.oct.chr }
88
- end
89
-
90
- open(CA_FILE, "a") do |fp|
91
- puts "Appending"
92
- fp.puts cert_name
93
- fp.puts "================"
94
- fp.puts "-----BEGIN CERTIFICATE-----"
95
- fp.puts [data].pack("m*")
96
- fp.puts "-----END CERTIFICATE-----"
97
- fp.puts
98
- end
99
- puts "Parsing: " + cert_name
100
- end
101
- end
102
-
103
- FileUtils.rm CA_FILE + ".bak"
104
- rescue => e
105
- puts "ERRROR #{e}"
106
- puts e.backtrace
107
- FileUtils.mv CA_FILE + '.bak', CA_FILE
108
- end
109
- end
110
-
111
-
112
- def mozilla_license
113
- <<-EOM
114
- ## generated using a modified version of http://curl.haxx.se/mail/lib-2004-07/att-0134/parse-certs.sh
115
- ##
116
- ## lib/ca-bundle.crt -- Bundle of CA Root Certificates
117
- ##
118
- ## Certificate data from Mozilla as of: Tue Mar 27 20:21:58 2012
119
- ##
120
- ## This is a bundle of X.509 certificates of public Certificate Authorities
121
- ## (CA). These were automatically extracted from Mozilla's root certificates
122
- ## file (certdata.txt). This file can be found in the mozilla source tree:
123
- ## http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1
124
- ##
125
- ## It contains the certificates in PEM format and therefore
126
- ## can be directly used with curl / libcurl / php_curl, or with
127
- ## an Apache+mod_ssl webserver for SSL client authentication.
128
- ## Just configure this file as the SSLCACertificateFile.
129
- ##
130
-
131
- # ***** BEGIN LICENSE BLOCK *****
132
- # Version: MPL 1.1/GPL 2.0/LGPL 2.1
133
- #
134
- # The contents of this file are subject to the Mozilla Public License Version
135
- # 1.1 (the "License"); you may not use this file except in compliance with
136
- # the License. You may obtain a copy of the License at
137
- # http://www.mozilla.org/MPL/
138
- #
139
- # Software distributed under the License is distributed on an "AS IS" basis,
140
- # WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
141
- # for the specific language governing rights and limitations under the
142
- # License.
143
- #
144
- # The Original Code is the Netscape security libraries.
145
- #
146
- # The Initial Developer of the Original Code is
147
- # Netscape Communications Corporation.
148
- # Portions created by the Initial Developer are Copyright (C) 1994-2000
149
- # the Initial Developer. All Rights Reserved.
150
- #
151
- # Contributor(s):
152
- #
153
- # Alternatively, the contents of this file may be used under the terms of
154
- # either the GNU General Public License Version 2 or later (the "GPL"), or
155
- # the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
156
- # in which case the provisions of the GPL or the LGPL are applicable instead
157
- # of those above. If you wish to allow use of your version of this file only
158
- # under the terms of either the GPL or the LGPL, and not to allow others to
159
- # use your version of this file under the terms of the MPL, indicate your
160
- # decision by deleting the provisions above and replace them with the notice
161
- # and other provisions required by the GPL or the LGPL. If you do not delete
162
- # the provisions above, a recipient may use your version of this file under
163
- # the terms of any one of the MPL, the GPL or the LGPL.
164
- #
165
- # ***** END LICENSE BLOCK *****
166
- EOM
167
- end
@@ -1,14 +1,6 @@
1
1
  source 'https://rubygems.org'
2
2
 
3
3
  gem 'rails', '3.2.12'
4
- gem 'sqlite3'
5
4
  gem 'rspec-rails', '>= 2.0.0'
6
5
  gem 'secure_headers', :path => '../..'
7
- gem 'spork'
8
- gem 'debugger', :platform => :ruby_19
9
- gem 'ruby-debug', :platform => :ruby_18
10
- gem 'guard-rspec'
11
- gem 'guard-spork'
12
- gem 'rb-fsevent'
13
- gem 'growl'
14
6
 
@@ -1,6 +1,5 @@
1
1
  class ThingsController < ApplicationController
2
2
  ensure_security_headers :csp => false
3
3
  def index
4
- ######## : ) <- Marge Simpson?
5
4
  end
6
5
  end
@@ -2,13 +2,10 @@
2
2
  <html>
3
3
  <head>
4
4
  <title>Rails3212</title>
5
- <%= stylesheet_link_tag "application", :media => "all" %>
6
- <%= javascript_include_tag "application" %>
7
- <%= csrf_meta_tags %>
8
5
  </head>
9
6
  <body>
10
7
 
11
8
  <%= yield %>
12
-
9
+ <script>console.log("oh hell nah")</script>
13
10
  </body>
14
11
  </html>
@@ -1 +1,2 @@
1
- index
1
+ index
2
+ <script>console.log("oh what")</script>
@@ -1,21 +1 @@
1
- <h1>Listing things</h1>
2
-
3
- <table>
4
- <tr>
5
- <th></th>
6
- <th></th>
7
- <th></th>
8
- </tr>
9
-
10
- <% @things.each do |thing| %>
11
- <tr>
12
- <td><%= link_to 'Show', thing %></td>
13
- <td><%= link_to 'Edit', edit_thing_path(thing) %></td>
14
- <td><%= link_to 'Destroy', thing, method: :delete, data: { confirm: 'Are you sure?' } %></td>
15
- </tr>
16
- <% end %>
17
- </table>
18
-
19
- <br />
20
-
21
- <%= link_to 'New Thing', new_thing_path %>
1
+ things
@@ -1,68 +1,14 @@
1
1
  require File.expand_path('../boot', __FILE__)
2
2
 
3
- # Pick the frameworks you want:
4
- require "active_record/railtie"
5
3
  require "action_controller/railtie"
6
- require "action_mailer/railtie"
7
- require "active_resource/railtie"
8
4
  require "sprockets/railtie"
9
- # require "rails/test_unit/railtie"
10
5
 
11
6
  if defined?(Bundler)
12
- # If you precompile assets before deploying to production, use this line
13
7
  Bundler.require(*Rails.groups(:assets => %w(development test)))
14
- # If you want your assets lazily compiled in production, use this line
15
- # Bundler.require(:default, :assets, Rails.env)
16
8
  end
17
9
 
18
10
  module Rails3212
19
11
  class Application < Rails::Application
20
- # Settings in config/environments/* take precedence over those specified here.
21
- # Application configuration should go into files in config/initializers
22
- # -- all .rb files in that directory are automatically loaded.
23
12
 
24
- # Custom directories with classes and modules you want to be autoloadable.
25
- # config.autoload_paths += %W(#{config.root}/extras)
26
-
27
- # Only load the plugins named here, in the order given (default is alphabetical).
28
- # :all can be used as a placeholder for all plugins not explicitly named.
29
- # config.plugins = [ :exception_notification, :ssl_requirement, :all ]
30
-
31
- # Activate observers that should always be running.
32
- # config.active_record.observers = :cacher, :garbage_collector, :forum_observer
33
-
34
- # Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
35
- # Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
36
- # config.time_zone = 'Central Time (US & Canada)'
37
-
38
- # The default locale is :en and all translations from config/locales/*.rb,yml are auto loaded.
39
- # config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s]
40
- # config.i18n.default_locale = :de
41
-
42
- # Configure the default encoding used in templates for Ruby 1.9.
43
- config.encoding = "utf-8"
44
-
45
- # Configure sensitive parameters which will be filtered from the log file.
46
- config.filter_parameters += [:password]
47
-
48
- # Enable escaping HTML in JSON.
49
- config.active_support.escape_html_entities_in_json = true
50
-
51
- # Use SQL instead of Active Record's schema dumper when creating the database.
52
- # This is necessary if your schema can't be completely dumped by the schema dumper,
53
- # like if you have constraints or database-specific column types
54
- # config.active_record.schema_format = :sql
55
-
56
- # Enforce whitelist mode for mass assignment.
57
- # This will create an empty whitelist of attributes available for mass-assignment for all models
58
- # in your app. As such, your models will need to explicitly whitelist or blacklist accessible
59
- # parameters by using an attr_accessible or attr_protected declaration.
60
- config.active_record.whitelist_attributes = true
61
-
62
- # Enable the asset pipeline
63
- config.assets.enabled = true
64
-
65
- # Version of your assets, change this if you want to expire all your assets
66
- config.assets.version = '1.0'
67
13
  end
68
14
  end
@@ -27,10 +27,10 @@ Rails3212::Application.configure do
27
27
  # Tell Action Mailer not to deliver emails to the real world.
28
28
  # The :test delivery method accumulates sent emails in the
29
29
  # ActionMailer::Base.deliveries array.
30
- config.action_mailer.delivery_method = :test
30
+ # config.action_mailer.delivery_method = :test
31
31
 
32
32
  # Raise exception on mass assignment protection for Active Record models
33
- config.active_record.mass_assignment_sanitizer = :strict
33
+ # config.active_record.mass_assignment_sanitizer = :strict
34
34
 
35
35
  # Print deprecation notices to the stderr
36
36
  config.active_support.deprecation = :stderr
@@ -3,11 +3,13 @@
3
3
  config.x_frame_options = 'SAMEORIGIN'
4
4
  config.x_content_type_options = "nosniff"
5
5
  config.x_xss_protection = {:value => 1, :mode => 'block'}
6
+ config.x_permitted_cross_domain_policies = 'none'
6
7
  csp = {
7
8
  :default_src => "self",
8
- :disable_chrome_extension => true,
9
+ :script_src => "self nonce",
9
10
  :disable_fill_missing => true,
10
11
  :report_uri => 'somewhere',
12
+ :script_hash_middleware => true,
11
13
  :enforce => false # false means warnings only
12
14
  }
13
15
 
@@ -1,61 +1,4 @@
1
1
  Rails3212::Application.routes.draw do
2
2
  resources :things
3
-
4
-
5
- # The priority is based upon order of creation:
6
- # first created -> highest priority.
7
-
8
- # Sample of regular route:
9
- # match 'products/:id' => 'catalog#view'
10
- # Keep in mind you can assign values other than :controller and :action
11
-
12
- # Sample of named route:
13
- # match 'products/:id/purchase' => 'catalog#purchase', :as => :purchase
14
- # This route can be invoked with purchase_url(:id => product.id)
15
-
16
- # Sample resource route (maps HTTP verbs to controller actions automatically):
17
- # resources :products
18
-
19
- # Sample resource route with options:
20
- # resources :products do
21
- # member do
22
- # get 'short'
23
- # post 'toggle'
24
- # end
25
- #
26
- # collection do
27
- # get 'sold'
28
- # end
29
- # end
30
-
31
- # Sample resource route with sub-resources:
32
- # resources :products do
33
- # resources :comments, :sales
34
- # resource :seller
35
- # end
36
-
37
- # Sample resource route with more complex sub-resources
38
- # resources :products do
39
- # resources :comments
40
- # resources :sales do
41
- # get 'recent', :on => :collection
42
- # end
43
- # end
44
-
45
- # Sample resource route within a namespace:
46
- # namespace :admin do
47
- # # Directs /admin/products/* to Admin::ProductsController
48
- # # (app/controllers/admin/products_controller.rb)
49
- # resources :products
50
- # end
51
-
52
- # You can have the root of your site routed with "root"
53
- # just remember to delete public/index.html.
54
- # root :to => 'welcome#index'
55
-
56
- # See how all your routes lay out with "rake routes"
57
-
58
- # This is a legacy wild controller route that's not recommended for RESTful applications.
59
- # Note: This route will make all actions in every controller accessible via GET requests.
60
3
  match ':controller(/:action(/:id))(.:format)'
61
4
  end
@@ -0,0 +1,5 @@
1
+ ---
2
+ app/views/layouts/application.html.erb:
3
+ - sha256-VjDxT7saxd2FgaUQQTWw/jsTnvonaoCP/ACWDBTpyhU=
4
+ app/views/other_things/index.html.erb:
5
+ - sha256-ZXAcP8a0y1pPMTJW8pUr43c+XBkgYQBwHOPvXk9mq5A=
@@ -2,3 +2,6 @@
2
2
 
3
3
  require ::File.expand_path('../config/environment', __FILE__)
4
4
  run Rails3212::Application
5
+
6
+ require 'secure_headers/headers/content_security_policy/script_hash_middleware'
7
+ use ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware
@@ -1,44 +1,82 @@
1
1
  require 'spec_helper'
2
2
 
3
- describe OtherThingsController do
3
+ require 'secure_headers/headers/content_security_policy/script_hash_middleware'
4
+
5
+ describe OtherThingsController, :type => :controller do
6
+ include Rack::Test::Methods
7
+
8
+ def app
9
+ OtherThingsController.action(:index)
10
+ end
11
+
12
+ def request(opts = {})
13
+ options = opts.merge(
14
+ {
15
+ 'HTTPS' => 'on',
16
+ 'HTTP_USER_AGENT' => "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
17
+ }
18
+ )
19
+
20
+
21
+ Rack::MockRequest.env_for('/', options)
22
+ end
23
+
24
+
4
25
  describe "headers" do
5
26
  before(:each) do
6
- # Chrome
7
- request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
27
+ _, @env = app.call(request)
8
28
  end
9
29
 
10
30
  it "sets the X-XSS-Protection header" do
11
- get :index
12
- response.headers['X-XSS-Protection'].should == '1; mode=block'
31
+ get '/'
32
+ expect(@env['X-XSS-Protection']).to eq('1; mode=block')
13
33
  end
14
34
 
15
35
  it "sets the X-Frame-Options header" do
16
- get :index
17
- response.headers['X-Frame-Options'].should == 'SAMEORIGIN'
36
+ get '/'
37
+ expect(@env['X-Frame-Options']).to eq('SAMEORIGIN')
38
+ end
39
+
40
+ it "sets the CSP header with a local reference to a nonce" do
41
+ middleware = ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware.new(app)
42
+ _, env = middleware.call(request(@env))
43
+ expect(env['Content-Security-Policy-Report-Only']).to match(/script-src[^;]*'nonce-[a-zA-Z0-9\+\/=]{44}'/)
18
44
  end
19
45
 
20
- it "sets the X-WebKit-CSP header" do
21
- get :index
22
- response.headers['X-WebKit-CSP-Report-Only'].should == "default-src 'self'; img-src data:; report-uri somewhere;"
46
+ it "sets the required hashes to whitelist inline script" do
47
+ middleware = ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware.new(app)
48
+ _, env = middleware.call(request(@env))
49
+ hashes = ['sha256-VjDxT7saxd2FgaUQQTWw/jsTnvonaoCP/ACWDBTpyhU=', 'sha256-ZXAcP8a0y1pPMTJW8pUr43c+XBkgYQBwHOPvXk9mq5A=']
50
+ hashes.each do |hash|
51
+ expect(env['Content-Security-Policy-Report-Only']).to include(hash)
52
+ end
23
53
  end
24
54
 
25
- #mock ssl
26
55
  it "sets the Strict-Transport-Security header" do
27
- request.env['HTTPS'] = 'on'
28
- get :index
29
- response.headers['Strict-Transport-Security'].should == "max-age=315576000"
56
+ get '/'
57
+ expect(@env['Strict-Transport-Security']).to eq("max-age=315576000")
58
+ end
59
+
60
+ it "sets the X-Download-Options header" do
61
+ get '/'
62
+ expect(@env['X-Download-Options']).to eq('noopen')
30
63
  end
31
64
 
32
65
  it "sets the X-Content-Type-Options header" do
33
- get :index
34
- response.headers['X-Content-Type-Options'].should == "nosniff"
66
+ get '/'
67
+ expect(@env['X-Content-Type-Options']).to eq("nosniff")
68
+ end
69
+
70
+ it "sets the X-Permitted-Cross-Domain-Policies" do
71
+ get '/'
72
+ expect(@env['X-Permitted-Cross-Domain-Policies']).to eq("none")
35
73
  end
36
74
 
37
75
  context "using IE" do
38
76
  it "sets the X-Content-Type-Options header" do
39
- request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
40
- get :index
41
- response.headers['X-Content-Type-Options'].should == "nosniff"
77
+ @env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
78
+ get '/'
79
+ expect(@env['X-Content-Type-Options']).to eq("nosniff")
42
80
  end
43
81
  end
44
82
  end
@@ -4,49 +4,51 @@ require 'spec_helper'
4
4
  # all values are defaulted because no initializer is configured, and the values in app controller
5
5
  # only provide csp => false
6
6
 
7
- describe ThingsController do
7
+ describe ThingsController, :type => :controller do
8
8
  describe "headers" do
9
- before(:each) do
10
- # Chrome
11
- request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
12
- end
13
-
14
9
  it "sets the X-XSS-Protection header" do
15
10
  get :index
16
- response.headers['X-XSS-Protection'].should == '1; mode=block'
11
+ expect(response.headers['X-XSS-Protection']).to eq('1; mode=block')
17
12
  end
18
13
 
19
14
  it "sets the X-Frame-Options header" do
20
15
  get :index
21
- response.headers['X-Frame-Options'].should == 'SAMEORIGIN'
16
+ expect(response.headers['X-Frame-Options']).to eq('SAMEORIGIN')
22
17
  end
23
18
 
24
- it "sets the X-WebKit-CSP header" do
19
+ it "does not set CSP header" do
25
20
  get :index
26
- response.headers['X-WebKit-CSP-Report-Only'].should == nil
21
+ expect(response.headers['Content-Security-Policy-Report-Only']).to eq(nil)
27
22
  end
28
23
 
29
24
  #mock ssl
30
25
  it "sets the Strict-Transport-Security header" do
31
26
  request.env['HTTPS'] = 'on'
32
27
  get :index
33
- response.headers['Strict-Transport-Security'].should == "max-age=315576000"
28
+ expect(response.headers['Strict-Transport-Security']).to eq("max-age=315576000")
29
+ end
30
+
31
+ it "sets the X-Download-Options header" do
32
+ get :index
33
+ expect(response.headers['X-Download-Options']).to eq('noopen')
34
34
  end
35
35
 
36
36
  it "sets the X-Content-Type-Options header" do
37
37
  get :index
38
- response.headers['X-Content-Type-Options'].should == "nosniff"
38
+ expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
39
+ end
40
+
41
+ it "sets the X-Permitted-Cross-Domain-Policies" do
42
+ get :index
43
+ expect(response.headers['X-Permitted-Cross-Domain-Policies']).to eq("none")
39
44
  end
40
45
 
41
46
  context "using IE" do
42
47
  it "sets the X-Content-Type-Options header" do
43
48
  request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
44
49
  get :index
45
- response.headers['X-Content-Type-Options'].should == "nosniff"
50
+ expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
46
51
  end
47
52
  end
48
53
  end
49
54
  end
50
-
51
-
52
- # response.headers['X-WebKit-CSP-Report-Only'].should == "default-src 'self'; report-uri somewhere"
@@ -1,5 +1,5 @@
1
1
  require 'rubygems'
2
- require 'spork'
2
+
3
3
  #uncomment the following line to use spork with the debugger
4
4
  #require 'spork/ext/ruby-debug'
5
5
 
@@ -11,9 +11,5 @@ require 'spork'
11
11
  ENV["RAILS_ENV"] ||= 'test'
12
12
  require File.expand_path("../../config/environment", __FILE__)
13
13
  require 'rspec/rails'
14
- require 'rspec/autorun'
15
14
  # end
16
15
 
17
- Spork.each_run do
18
-
19
- end
@@ -1,14 +1,5 @@
1
1
  source 'https://rubygems.org'
2
2
 
3
3
  gem 'rails', '3.2.12'
4
- gem 'sqlite3'
5
4
  gem 'rspec-rails', '>= 2.0.0'
6
5
  gem 'secure_headers', :path => '../..'
7
- gem 'spork'
8
- gem 'debugger', :platform => :ruby_19
9
- gem 'ruby-debug', :platform => :ruby_18
10
- gem 'guard-rspec'
11
- gem 'guard-spork'
12
- gem 'rb-fsevent'
13
- gem 'growl'
14
-
@@ -1,6 +1,5 @@
1
1
  class OtherThingsController < ApplicationController
2
- ensure_security_headers :csp => {:default_src => 'self', :disable_chrome_extension => true,
3
- :disable_fill_missing => true}
2
+ ensure_security_headers :csp => {:default_src => 'self', :disable_fill_missing => true}
4
3
  def index
5
4
 
6
5
  end
@@ -1,5 +1,5 @@
1
1
  class ThingsController < ApplicationController
2
2
  def index
3
- ######## : ) <- Marge Simpson?
3
+
4
4
  end
5
5
  end
@@ -3,8 +3,6 @@
3
3
  <head>
4
4
  <title>Rails3212</title>
5
5
  <%= stylesheet_link_tag "application", :media => "all" %>
6
- <%= javascript_include_tag "application" %>
7
- <%= csrf_meta_tags %>
8
6
  </head>
9
7
  <body>
10
8
 
@@ -1,21 +0,0 @@
1
- <h1>Listing things</h1>
2
-
3
- <table>
4
- <tr>
5
- <th></th>
6
- <th></th>
7
- <th></th>
8
- </tr>
9
-
10
- <% @things.each do |thing| %>
11
- <tr>
12
- <td><%= link_to 'Show', thing %></td>
13
- <td><%= link_to 'Edit', edit_thing_path(thing) %></td>
14
- <td><%= link_to 'Destroy', thing, method: :delete, data: { confirm: 'Are you sure?' } %></td>
15
- </tr>
16
- <% end %>
17
- </table>
18
-
19
- <br />
20
-
21
- <%= link_to 'New Thing', new_thing_path %>