secure_headers 1.0.0 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (129) hide show
  1. data/.gitignore +4 -8
  2. data/.ruby-gemset +1 -0
  3. data/.ruby-version +1 -0
  4. data/.travis.yml +8 -3
  5. data/Gemfile +6 -8
  6. data/README.md +208 -134
  7. data/Rakefile +11 -116
  8. data/fixtures/rails_3_2_12/Gemfile +0 -8
  9. data/fixtures/rails_3_2_12/app/controllers/things_controller.rb +0 -1
  10. data/fixtures/rails_3_2_12/app/views/layouts/application.html.erb +1 -4
  11. data/fixtures/rails_3_2_12/app/views/other_things/index.html.erb +2 -1
  12. data/fixtures/rails_3_2_12/app/views/things/index.html.erb +1 -21
  13. data/fixtures/rails_3_2_12/config/application.rb +0 -54
  14. data/fixtures/rails_3_2_12/config/environments/test.rb +2 -2
  15. data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +3 -1
  16. data/fixtures/rails_3_2_12/config/routes.rb +0 -57
  17. data/fixtures/rails_3_2_12/config/script_hashes.yml +5 -0
  18. data/fixtures/rails_3_2_12/config.ru +3 -0
  19. data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +57 -19
  20. data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +18 -16
  21. data/fixtures/rails_3_2_12/spec/spec_helper.rb +1 -5
  22. data/fixtures/rails_3_2_12_no_init/Gemfile +0 -9
  23. data/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb +1 -2
  24. data/fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb +1 -1
  25. data/fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb +0 -2
  26. data/fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb +0 -21
  27. data/fixtures/rails_3_2_12_no_init/config/application.rb +0 -51
  28. data/fixtures/rails_3_2_12_no_init/config/environments/test.rb +2 -2
  29. data/fixtures/rails_3_2_12_no_init/config/routes.rb +0 -57
  30. data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +17 -12
  31. data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +17 -12
  32. data/fixtures/rails_3_2_12_no_init/spec/spec_helper.rb +3 -18
  33. data/fixtures/rails_4_1_8/Gemfile +5 -0
  34. data/fixtures/rails_4_1_8/README.rdoc +28 -0
  35. data/fixtures/rails_4_1_8/Rakefile +6 -0
  36. data/fixtures/rails_4_1_8/app/controllers/application_controller.rb +4 -0
  37. data/fixtures/rails_4_1_8/app/controllers/concerns/.keep +0 -0
  38. data/fixtures/rails_4_1_8/app/controllers/other_things_controller.rb +5 -0
  39. data/fixtures/rails_4_1_8/app/controllers/things_controller.rb +5 -0
  40. data/fixtures/rails_4_1_8/app/models/.keep +0 -0
  41. data/fixtures/rails_4_1_8/app/models/concerns/.keep +0 -0
  42. data/fixtures/rails_4_1_8/app/views/layouts/application.html.erb +11 -0
  43. data/fixtures/rails_4_1_8/app/views/other_things/index.html.erb +2 -0
  44. data/fixtures/rails_4_1_8/app/views/things/index.html.erb +1 -0
  45. data/fixtures/rails_4_1_8/config/application.rb +15 -0
  46. data/fixtures/rails_4_1_8/config/boot.rb +4 -0
  47. data/fixtures/rails_4_1_8/config/environment.rb +5 -0
  48. data/fixtures/rails_4_1_8/config/environments/test.rb +10 -0
  49. data/fixtures/rails_4_1_8/config/initializers/secure_headers.rb +17 -0
  50. data/fixtures/rails_4_1_8/config/routes.rb +4 -0
  51. data/fixtures/rails_4_1_8/config/script_hashes.yml +5 -0
  52. data/fixtures/rails_4_1_8/config/secrets.yml +22 -0
  53. data/fixtures/rails_4_1_8/config.ru +4 -0
  54. data/fixtures/rails_4_1_8/lib/assets/.keep +0 -0
  55. data/fixtures/rails_4_1_8/lib/tasks/.keep +0 -0
  56. data/fixtures/rails_4_1_8/log/.keep +0 -0
  57. data/fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb +83 -0
  58. data/fixtures/rails_4_1_8/spec/controllers/things_controller_spec.rb +59 -0
  59. data/fixtures/rails_4_1_8/spec/spec_helper.rb +15 -0
  60. data/fixtures/rails_4_1_8/vendor/assets/javascripts/.keep +0 -0
  61. data/fixtures/rails_4_1_8/vendor/assets/stylesheets/.keep +0 -0
  62. data/lib/secure_headers/hash_helper.rb +7 -0
  63. data/lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb +22 -0
  64. data/lib/secure_headers/headers/content_security_policy.rb +160 -161
  65. data/lib/secure_headers/headers/strict_transport_security.rb +2 -1
  66. data/lib/secure_headers/headers/x_download_options.rb +39 -0
  67. data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +40 -0
  68. data/lib/secure_headers/headers/x_xss_protection.rb +2 -1
  69. data/lib/secure_headers/padrino.rb +14 -0
  70. data/lib/secure_headers/railtie.rb +19 -24
  71. data/lib/secure_headers/version.rb +1 -1
  72. data/lib/secure_headers/view_helper.rb +68 -0
  73. data/lib/secure_headers.rb +70 -29
  74. data/lib/tasks/tasks.rake +48 -0
  75. data/secure_headers.gemspec +4 -5
  76. data/spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb +47 -0
  77. data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +127 -299
  78. data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +21 -20
  79. data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +12 -12
  80. data/spec/lib/secure_headers/headers/x_download_options_spec.rb +32 -0
  81. data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +12 -13
  82. data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb +64 -0
  83. data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +20 -19
  84. data/spec/lib/secure_headers_spec.rb +68 -83
  85. data/spec/spec_helper.rb +29 -18
  86. metadata +51 -66
  87. data/.rvmrc +0 -1
  88. data/Guardfile +0 -10
  89. data/HISTORY.md +0 -100
  90. data/app/controllers/content_security_policy_controller.rb +0 -53
  91. data/config/curl-ca-bundle.crt +0 -5420
  92. data/config/routes.rb +0 -3
  93. data/fixtures/rails_3_2_12/Guardfile +0 -14
  94. data/fixtures/rails_3_2_12/app/models/thing.rb +0 -3
  95. data/fixtures/rails_3_2_12/config/database.yml +0 -25
  96. data/fixtures/rails_3_2_12/config/environments/development.rb +0 -37
  97. data/fixtures/rails_3_2_12/config/environments/production.rb +0 -67
  98. data/fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb +0 -7
  99. data/fixtures/rails_3_2_12/config/initializers/inflections.rb +0 -15
  100. data/fixtures/rails_3_2_12/config/initializers/mime_types.rb +0 -5
  101. data/fixtures/rails_3_2_12/config/initializers/secret_token.rb +0 -7
  102. data/fixtures/rails_3_2_12/config/initializers/session_store.rb +0 -8
  103. data/fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb +0 -14
  104. data/fixtures/rails_3_2_12/config/locales/en.yml +0 -5
  105. data/fixtures/rails_3_2_12/db/schema.rb +0 -16
  106. data/fixtures/rails_3_2_12/db/seeds.rb +0 -7
  107. data/fixtures/rails_3_2_12_no_init/Guardfile +0 -14
  108. data/fixtures/rails_3_2_12_no_init/app/models/thing.rb +0 -3
  109. data/fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb +0 -17
  110. data/fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb +0 -6
  111. data/fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb +0 -5
  112. data/fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb +0 -5
  113. data/fixtures/rails_3_2_12_no_init/config/database.yml +0 -25
  114. data/fixtures/rails_3_2_12_no_init/config/environments/development.rb +0 -37
  115. data/fixtures/rails_3_2_12_no_init/config/environments/production.rb +0 -67
  116. data/fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb +0 -7
  117. data/fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb +0 -15
  118. data/fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb +0 -5
  119. data/fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb +0 -7
  120. data/fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb +0 -8
  121. data/fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb +0 -14
  122. data/fixtures/rails_3_2_12_no_init/config/locales/en.yml +0 -5
  123. data/fixtures/rails_3_2_12_no_init/db/schema.rb +0 -16
  124. data/fixtures/rails_3_2_12_no_init/db/seeds.rb +0 -7
  125. data/lib/secure_headers/headers/content_security_policy/browser_strategy.rb +0 -78
  126. data/lib/secure_headers/headers/content_security_policy/firefox_browser_strategy.rb +0 -72
  127. data/lib/secure_headers/headers/content_security_policy/ie_browser_strategy.rb +0 -6
  128. data/lib/secure_headers/headers/content_security_policy/standard_browser_strategy.rb +0 -22
  129. data/spec/controllers/content_security_policy_controller_spec.rb +0 -74
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.0
4
+ version: 2.0.0
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
@@ -9,24 +9,8 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2013-06-17 00:00:00.000000000 Z
12
+ date: 2015-01-23 00:00:00.000000000 Z
13
13
  dependencies:
14
- - !ruby/object:Gem::Dependency
15
- name: brwsr
16
- requirement: !ruby/object:Gem::Requirement
17
- none: false
18
- requirements:
19
- - - ! '>='
20
- - !ruby/object:Gem::Version
21
- version: 1.1.1
22
- type: :runtime
23
- prerelease: false
24
- version_requirements: !ruby/object:Gem::Requirement
25
- none: false
26
- requirements:
27
- - - ! '>='
28
- - !ruby/object:Gem::Version
29
- version: 1.1.1
30
14
  - !ruby/object:Gem::Dependency
31
15
  name: rake
32
16
  requirement: !ruby/object:Gem::Requirement
@@ -43,7 +27,7 @@ dependencies:
43
27
  - - ! '>='
44
28
  - !ruby/object:Gem::Version
45
29
  version: '0'
46
- description: Add easily configured browser headers to responses.
30
+ description: Security related headers all in one gem.
47
31
  email:
48
32
  - neil.matatall@gmail.com
49
33
  executables: []
@@ -51,49 +35,32 @@ extensions: []
51
35
  extra_rdoc_files: []
52
36
  files:
53
37
  - .gitignore
54
- - .rvmrc
38
+ - .ruby-gemset
39
+ - .ruby-version
55
40
  - .travis.yml
56
41
  - Gemfile
57
- - Guardfile
58
- - HISTORY.md
59
42
  - LICENSE
60
43
  - README.md
61
44
  - Rakefile
62
- - app/controllers/content_security_policy_controller.rb
63
- - config/curl-ca-bundle.crt
64
- - config/routes.rb
65
45
  - fixtures/rails_3_2_12/.rspec
66
46
  - fixtures/rails_3_2_12/Gemfile
67
- - fixtures/rails_3_2_12/Guardfile
68
47
  - fixtures/rails_3_2_12/README.rdoc
69
48
  - fixtures/rails_3_2_12/Rakefile
70
49
  - fixtures/rails_3_2_12/app/controllers/application_controller.rb
71
50
  - fixtures/rails_3_2_12/app/controllers/other_things_controller.rb
72
51
  - fixtures/rails_3_2_12/app/controllers/things_controller.rb
73
52
  - fixtures/rails_3_2_12/app/models/.gitkeep
74
- - fixtures/rails_3_2_12/app/models/thing.rb
75
53
  - fixtures/rails_3_2_12/app/views/layouts/application.html.erb
76
54
  - fixtures/rails_3_2_12/app/views/other_things/index.html.erb
77
55
  - fixtures/rails_3_2_12/app/views/things/index.html.erb
78
56
  - fixtures/rails_3_2_12/config.ru
79
57
  - fixtures/rails_3_2_12/config/application.rb
80
58
  - fixtures/rails_3_2_12/config/boot.rb
81
- - fixtures/rails_3_2_12/config/database.yml
82
59
  - fixtures/rails_3_2_12/config/environment.rb
83
- - fixtures/rails_3_2_12/config/environments/development.rb
84
- - fixtures/rails_3_2_12/config/environments/production.rb
85
60
  - fixtures/rails_3_2_12/config/environments/test.rb
86
- - fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb
87
- - fixtures/rails_3_2_12/config/initializers/inflections.rb
88
- - fixtures/rails_3_2_12/config/initializers/mime_types.rb
89
- - fixtures/rails_3_2_12/config/initializers/secret_token.rb
90
61
  - fixtures/rails_3_2_12/config/initializers/secure_headers.rb
91
- - fixtures/rails_3_2_12/config/initializers/session_store.rb
92
- - fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb
93
- - fixtures/rails_3_2_12/config/locales/en.yml
94
62
  - fixtures/rails_3_2_12/config/routes.rb
95
- - fixtures/rails_3_2_12/db/schema.rb
96
- - fixtures/rails_3_2_12/db/seeds.rb
63
+ - fixtures/rails_3_2_12/config/script_hashes.yml
97
64
  - fixtures/rails_3_2_12/lib/assets/.gitkeep
98
65
  - fixtures/rails_3_2_12/lib/tasks/.gitkeep
99
66
  - fixtures/rails_3_2_12/log/.gitkeep
@@ -105,39 +72,21 @@ files:
105
72
  - fixtures/rails_3_2_12/vendor/plugins/.gitkeep
106
73
  - fixtures/rails_3_2_12_no_init/.rspec
107
74
  - fixtures/rails_3_2_12_no_init/Gemfile
108
- - fixtures/rails_3_2_12_no_init/Guardfile
109
75
  - fixtures/rails_3_2_12_no_init/README.rdoc
110
76
  - fixtures/rails_3_2_12_no_init/Rakefile
111
77
  - fixtures/rails_3_2_12_no_init/app/controllers/application_controller.rb
112
78
  - fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb
113
79
  - fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb
114
80
  - fixtures/rails_3_2_12_no_init/app/models/.gitkeep
115
- - fixtures/rails_3_2_12_no_init/app/models/thing.rb
116
81
  - fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb
117
82
  - fixtures/rails_3_2_12_no_init/app/views/other_things/index.html.erb
118
- - fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb
119
- - fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb
120
83
  - fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb
121
- - fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb
122
- - fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb
123
84
  - fixtures/rails_3_2_12_no_init/config.ru
124
85
  - fixtures/rails_3_2_12_no_init/config/application.rb
125
86
  - fixtures/rails_3_2_12_no_init/config/boot.rb
126
- - fixtures/rails_3_2_12_no_init/config/database.yml
127
87
  - fixtures/rails_3_2_12_no_init/config/environment.rb
128
- - fixtures/rails_3_2_12_no_init/config/environments/development.rb
129
- - fixtures/rails_3_2_12_no_init/config/environments/production.rb
130
88
  - fixtures/rails_3_2_12_no_init/config/environments/test.rb
131
- - fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb
132
- - fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb
133
- - fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb
134
- - fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb
135
- - fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb
136
- - fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb
137
- - fixtures/rails_3_2_12_no_init/config/locales/en.yml
138
89
  - fixtures/rails_3_2_12_no_init/config/routes.rb
139
- - fixtures/rails_3_2_12_no_init/db/schema.rb
140
- - fixtures/rails_3_2_12_no_init/db/seeds.rb
141
90
  - fixtures/rails_3_2_12_no_init/lib/assets/.gitkeep
142
91
  - fixtures/rails_3_2_12_no_init/lib/tasks/.gitkeep
143
92
  - fixtures/rails_3_2_12_no_init/log/.gitkeep
@@ -147,25 +96,59 @@ files:
147
96
  - fixtures/rails_3_2_12_no_init/vendor/assets/javascripts/.gitkeep
148
97
  - fixtures/rails_3_2_12_no_init/vendor/assets/stylesheets/.gitkeep
149
98
  - fixtures/rails_3_2_12_no_init/vendor/plugins/.gitkeep
99
+ - fixtures/rails_4_1_8/Gemfile
100
+ - fixtures/rails_4_1_8/README.rdoc
101
+ - fixtures/rails_4_1_8/Rakefile
102
+ - fixtures/rails_4_1_8/app/controllers/application_controller.rb
103
+ - fixtures/rails_4_1_8/app/controllers/concerns/.keep
104
+ - fixtures/rails_4_1_8/app/controllers/other_things_controller.rb
105
+ - fixtures/rails_4_1_8/app/controllers/things_controller.rb
106
+ - fixtures/rails_4_1_8/app/models/.keep
107
+ - fixtures/rails_4_1_8/app/models/concerns/.keep
108
+ - fixtures/rails_4_1_8/app/views/layouts/application.html.erb
109
+ - fixtures/rails_4_1_8/app/views/other_things/index.html.erb
110
+ - fixtures/rails_4_1_8/app/views/things/index.html.erb
111
+ - fixtures/rails_4_1_8/config.ru
112
+ - fixtures/rails_4_1_8/config/application.rb
113
+ - fixtures/rails_4_1_8/config/boot.rb
114
+ - fixtures/rails_4_1_8/config/environment.rb
115
+ - fixtures/rails_4_1_8/config/environments/test.rb
116
+ - fixtures/rails_4_1_8/config/initializers/secure_headers.rb
117
+ - fixtures/rails_4_1_8/config/routes.rb
118
+ - fixtures/rails_4_1_8/config/script_hashes.yml
119
+ - fixtures/rails_4_1_8/config/secrets.yml
120
+ - fixtures/rails_4_1_8/lib/assets/.keep
121
+ - fixtures/rails_4_1_8/lib/tasks/.keep
122
+ - fixtures/rails_4_1_8/log/.keep
123
+ - fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb
124
+ - fixtures/rails_4_1_8/spec/controllers/things_controller_spec.rb
125
+ - fixtures/rails_4_1_8/spec/spec_helper.rb
126
+ - fixtures/rails_4_1_8/vendor/assets/javascripts/.keep
127
+ - fixtures/rails_4_1_8/vendor/assets/stylesheets/.keep
150
128
  - lib/secure_headers.rb
129
+ - lib/secure_headers/hash_helper.rb
151
130
  - lib/secure_headers/header.rb
152
131
  - lib/secure_headers/headers/content_security_policy.rb
153
- - lib/secure_headers/headers/content_security_policy/browser_strategy.rb
154
- - lib/secure_headers/headers/content_security_policy/firefox_browser_strategy.rb
155
- - lib/secure_headers/headers/content_security_policy/ie_browser_strategy.rb
156
- - lib/secure_headers/headers/content_security_policy/standard_browser_strategy.rb
132
+ - lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb
157
133
  - lib/secure_headers/headers/strict_transport_security.rb
158
134
  - lib/secure_headers/headers/x_content_type_options.rb
135
+ - lib/secure_headers/headers/x_download_options.rb
159
136
  - lib/secure_headers/headers/x_frame_options.rb
137
+ - lib/secure_headers/headers/x_permitted_cross_domain_policies.rb
160
138
  - lib/secure_headers/headers/x_xss_protection.rb
139
+ - lib/secure_headers/padrino.rb
161
140
  - lib/secure_headers/railtie.rb
162
141
  - lib/secure_headers/version.rb
142
+ - lib/secure_headers/view_helper.rb
143
+ - lib/tasks/tasks.rake
163
144
  - secure_headers.gemspec
164
- - spec/controllers/content_security_policy_controller_spec.rb
145
+ - spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb
165
146
  - spec/lib/secure_headers/headers/content_security_policy_spec.rb
166
147
  - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
167
148
  - spec/lib/secure_headers/headers/x_content_type_options_spec.rb
149
+ - spec/lib/secure_headers/headers/x_download_options_spec.rb
168
150
  - spec/lib/secure_headers/headers/x_frame_options_spec.rb
151
+ - spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
169
152
  - spec/lib/secure_headers/headers/x_xss_protection_spec.rb
170
153
  - spec/lib/secure_headers_spec.rb
171
154
  - spec/spec_helper.rb
@@ -191,17 +174,19 @@ required_rubygems_version: !ruby/object:Gem::Requirement
191
174
  version: '0'
192
175
  requirements: []
193
176
  rubyforge_project:
194
- rubygems_version: 1.8.25
177
+ rubygems_version: 1.8.23
195
178
  signing_key:
196
179
  specification_version: 3
197
- summary: Add easily configured browser headers to responses including content security
198
- policy, x-frame-options, strict-transport-security and more.
180
+ summary: Add easily configured security headers to responses including content-security-policy,
181
+ x-frame-options, strict-transport-security, etc.
199
182
  test_files:
200
- - spec/controllers/content_security_policy_controller_spec.rb
183
+ - spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb
201
184
  - spec/lib/secure_headers/headers/content_security_policy_spec.rb
202
185
  - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
203
186
  - spec/lib/secure_headers/headers/x_content_type_options_spec.rb
187
+ - spec/lib/secure_headers/headers/x_download_options_spec.rb
204
188
  - spec/lib/secure_headers/headers/x_frame_options_spec.rb
189
+ - spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
205
190
  - spec/lib/secure_headers/headers/x_xss_protection_spec.rb
206
191
  - spec/lib/secure_headers_spec.rb
207
192
  - spec/spec_helper.rb
data/.rvmrc DELETED
@@ -1 +0,0 @@
1
- rvm use 1.9.3@secureheaders --create
data/Guardfile DELETED
@@ -1,10 +0,0 @@
1
- guard 'spork', :aggressive_kill => false do
2
- watch('spec/spec_helper.rb') { :rspec }
3
- end
4
-
5
- guard 'rspec', :cli => "--color --drb --debug", :keep_failed => true, :all_after_pass => true, :focus_on_failed => true do
6
- watch(%r{^spec/.+_spec\.rb$})
7
- watch(%r{^lib/(.+)\.rb$}) { |m| "spec/lib/#{m[1]}_spec.rb" }
8
- watch(%r{^app/controllers/(.+)\.rb$}) { |m| "spec/controllers/#{m[1]}_spec.rb" }
9
- watch('spec/spec_helper.rb') { "spec" }
10
- end
data/HISTORY.md DELETED
@@ -1,100 +0,0 @@
1
- 1.0.0
2
- ======
3
-
4
- Features:
5
-
6
- - Use non-prefixed header names for Firefox >= 23, Chrome >= 25
7
- - Use csp 1.0 compliant header for firefox >= 23
8
-
9
- Bug Fix:
10
-
11
- - Stop sending CSP on safari 5.1+
12
-
13
- 0.5.0
14
- ======
15
-
16
- - X-Content-Type-Options also applied to Chrome requests
17
-
18
- 0.4.3
19
- ======
20
-
21
- - Safari 5 is just completely broken when CSP is used, both mobile and desktop versions
22
-
23
- 0.4.2
24
- ======
25
-
26
- - Stupid bug where Fixnums couldn't be used for config values
27
- - Doc updates
28
-
29
- 0.4.1
30
- ======
31
-
32
- - Allow strings or ints in the HSTS max-age (@reedloden)
33
-
34
- 0.4.0
35
- =======
36
-
37
- - Treat each header as it's own before_filter. This allows you to `skip_before_filter :set_X_header, :only => :bad_idea
38
- - Should be backwards compatible, but it is a change to the API.
39
-
40
- 0.3.0
41
- =======
42
-
43
- - Greatly reduce the need to use the forward_endpoint attribute. If you are posting from your site to a host that matches TLD+1 (e.g. translate.twitter.com matches twitter.com), use a protocol relative value for report-uri. This will alleviate the need to use forwarding. If your host doesn't match, you still need to use forwarding due to host mismatches for Firefox.
44
-
45
- 0.2.3
46
- =======
47
-
48
- - Fix error in report-uri logic for Firefox forwarding.
49
-
50
- 0.2.2
51
- =======
52
-
53
- - Stop applying chrome-extension: to Firefox directives.
54
-
55
- 0.2.1
56
- =======
57
-
58
- - Firefox headers will now stop overriding report_uri when only a path is supplied
59
-
60
- 0.2.0
61
- =======
62
-
63
- - 0.1.0 introduced a serious regression in which child controllers overwrote parent controller config values
64
- - Decoupling of CSP headers and the request object. Allows you to generate static values to save cycles:
65
-
66
- ```ruby
67
- FIREFOX = SecureHeaders::ContentSecurityPolicy.new(config, :ua => "Firefox", :ssl => true).value
68
- CHROME = SecureHeaders::ContentSecurityPolicy.new(config, :ua => "Chrome", :ssl => true).value
69
- ```
70
- - :forward_endpoint now acts as the endpoint that reports are forwarded to (when using the internal forwarder feature for cross-host reporting)
71
- - Skeleton applications have been added to test isolated application configurations
72
- - Cleanup by @bemurphy
73
-
74
- 0.1.1
75
- =======
76
-
77
- Bug fix. Firefox doesn't seem to like the default-src directive, reverting back to 'allow'
78
-
79
- 0.1.0
80
- =======
81
-
82
- Notes:
83
- ------
84
-
85
- - Gem is renamed to secure_headers. This will make bundler happy. https://github.com/twitter/secureheaders/pull/26
86
-
87
- Features:
88
- ------
89
-
90
- - ability to apply two headers, one in enforce mode, one in "experimental" mode https://github.com/twitter/secureheaders/pull/11
91
- - Rails 3.0 support https://github.com/twitter/secureheaders/pull/28
92
-
93
- Bug fixes, misc:
94
- ------
95
-
96
- - Fix issue where settings in application_controller were ignored if no intializer was supplied https://github.com/twitter/secureheaders/pull/25
97
- - Better support for other frameworks, including docs from @achui, @bmaland
98
- - Rails 4 routes support from @jviney https://github.com/twitter/secureheaders/pull/13
99
- - data: automatically whitelisted for img-src
100
- - Doc updates from @ming13, @theverything, @dcollazo
@@ -1,53 +0,0 @@
1
- require 'net/https'
2
- require 'openssl'
3
-
4
- class ContentSecurityPolicyController < ActionController::Base
5
- CA_FILE = File.expand_path(File.join('..','..', '..', 'config', 'curl-ca-bundle.crt'), __FILE__)
6
-
7
- def scribe
8
- csp = ::SecureHeaders::Configuration.csp || {}
9
-
10
- forward_endpoint = csp[:forward_endpoint]
11
- if forward_endpoint
12
- forward_params_to(forward_endpoint)
13
- end
14
-
15
- head :ok
16
- rescue StandardError => e
17
- log_warning(forward_endpoint, e)
18
- head :bad_request
19
- end
20
-
21
- private
22
-
23
- def forward_params_to(forward_endpoint)
24
- uri = URI.parse(forward_endpoint)
25
- http = Net::HTTP.new(uri.host, uri.port)
26
- if uri.scheme == 'https'
27
- use_ssl(http)
28
- end
29
-
30
- request = Net::HTTP::Post.new(uri.to_s)
31
- request.body = params.to_json
32
-
33
- # fire and forget
34
- if defined?(Delayed::Job)
35
- http.delay.request(request)
36
- else
37
- http.request(request)
38
- end
39
- end
40
-
41
- def use_ssl request
42
- request.use_ssl = true
43
- request.ca_file = CA_FILE
44
- request.verify_mode = OpenSSL::SSL::VERIFY_PEER
45
- request.verify_depth = 9
46
- end
47
-
48
- def log_warning(forward_endpoint, e)
49
- if defined?(Rails.logger)
50
- Rails.logger.warn("Unable to POST CSP report to #{forward_endpoint} because #{e}")
51
- end
52
- end
53
- end