secure_headers 1.0.0 → 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/.gitignore +4 -8
- data/.ruby-gemset +1 -0
- data/.ruby-version +1 -0
- data/.travis.yml +8 -3
- data/Gemfile +6 -8
- data/README.md +208 -134
- data/Rakefile +11 -116
- data/fixtures/rails_3_2_12/Gemfile +0 -8
- data/fixtures/rails_3_2_12/app/controllers/things_controller.rb +0 -1
- data/fixtures/rails_3_2_12/app/views/layouts/application.html.erb +1 -4
- data/fixtures/rails_3_2_12/app/views/other_things/index.html.erb +2 -1
- data/fixtures/rails_3_2_12/app/views/things/index.html.erb +1 -21
- data/fixtures/rails_3_2_12/config/application.rb +0 -54
- data/fixtures/rails_3_2_12/config/environments/test.rb +2 -2
- data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +3 -1
- data/fixtures/rails_3_2_12/config/routes.rb +0 -57
- data/fixtures/rails_3_2_12/config/script_hashes.yml +5 -0
- data/fixtures/rails_3_2_12/config.ru +3 -0
- data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +57 -19
- data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +18 -16
- data/fixtures/rails_3_2_12/spec/spec_helper.rb +1 -5
- data/fixtures/rails_3_2_12_no_init/Gemfile +0 -9
- data/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb +1 -2
- data/fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb +1 -1
- data/fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb +0 -2
- data/fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb +0 -21
- data/fixtures/rails_3_2_12_no_init/config/application.rb +0 -51
- data/fixtures/rails_3_2_12_no_init/config/environments/test.rb +2 -2
- data/fixtures/rails_3_2_12_no_init/config/routes.rb +0 -57
- data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +17 -12
- data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +17 -12
- data/fixtures/rails_3_2_12_no_init/spec/spec_helper.rb +3 -18
- data/fixtures/rails_4_1_8/Gemfile +5 -0
- data/fixtures/rails_4_1_8/README.rdoc +28 -0
- data/fixtures/rails_4_1_8/Rakefile +6 -0
- data/fixtures/rails_4_1_8/app/controllers/application_controller.rb +4 -0
- data/fixtures/rails_4_1_8/app/controllers/concerns/.keep +0 -0
- data/fixtures/rails_4_1_8/app/controllers/other_things_controller.rb +5 -0
- data/fixtures/rails_4_1_8/app/controllers/things_controller.rb +5 -0
- data/fixtures/rails_4_1_8/app/models/.keep +0 -0
- data/fixtures/rails_4_1_8/app/models/concerns/.keep +0 -0
- data/fixtures/rails_4_1_8/app/views/layouts/application.html.erb +11 -0
- data/fixtures/rails_4_1_8/app/views/other_things/index.html.erb +2 -0
- data/fixtures/rails_4_1_8/app/views/things/index.html.erb +1 -0
- data/fixtures/rails_4_1_8/config/application.rb +15 -0
- data/fixtures/rails_4_1_8/config/boot.rb +4 -0
- data/fixtures/rails_4_1_8/config/environment.rb +5 -0
- data/fixtures/rails_4_1_8/config/environments/test.rb +10 -0
- data/fixtures/rails_4_1_8/config/initializers/secure_headers.rb +17 -0
- data/fixtures/rails_4_1_8/config/routes.rb +4 -0
- data/fixtures/rails_4_1_8/config/script_hashes.yml +5 -0
- data/fixtures/rails_4_1_8/config/secrets.yml +22 -0
- data/fixtures/rails_4_1_8/config.ru +4 -0
- data/fixtures/rails_4_1_8/lib/assets/.keep +0 -0
- data/fixtures/rails_4_1_8/lib/tasks/.keep +0 -0
- data/fixtures/rails_4_1_8/log/.keep +0 -0
- data/fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb +83 -0
- data/fixtures/rails_4_1_8/spec/controllers/things_controller_spec.rb +59 -0
- data/fixtures/rails_4_1_8/spec/spec_helper.rb +15 -0
- data/fixtures/rails_4_1_8/vendor/assets/javascripts/.keep +0 -0
- data/fixtures/rails_4_1_8/vendor/assets/stylesheets/.keep +0 -0
- data/lib/secure_headers/hash_helper.rb +7 -0
- data/lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb +22 -0
- data/lib/secure_headers/headers/content_security_policy.rb +160 -161
- data/lib/secure_headers/headers/strict_transport_security.rb +2 -1
- data/lib/secure_headers/headers/x_download_options.rb +39 -0
- data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +40 -0
- data/lib/secure_headers/headers/x_xss_protection.rb +2 -1
- data/lib/secure_headers/padrino.rb +14 -0
- data/lib/secure_headers/railtie.rb +19 -24
- data/lib/secure_headers/version.rb +1 -1
- data/lib/secure_headers/view_helper.rb +68 -0
- data/lib/secure_headers.rb +70 -29
- data/lib/tasks/tasks.rake +48 -0
- data/secure_headers.gemspec +4 -5
- data/spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb +47 -0
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +127 -299
- data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +21 -20
- data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +12 -12
- data/spec/lib/secure_headers/headers/x_download_options_spec.rb +32 -0
- data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +12 -13
- data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb +64 -0
- data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +20 -19
- data/spec/lib/secure_headers_spec.rb +68 -83
- data/spec/spec_helper.rb +29 -18
- metadata +51 -66
- data/.rvmrc +0 -1
- data/Guardfile +0 -10
- data/HISTORY.md +0 -100
- data/app/controllers/content_security_policy_controller.rb +0 -53
- data/config/curl-ca-bundle.crt +0 -5420
- data/config/routes.rb +0 -3
- data/fixtures/rails_3_2_12/Guardfile +0 -14
- data/fixtures/rails_3_2_12/app/models/thing.rb +0 -3
- data/fixtures/rails_3_2_12/config/database.yml +0 -25
- data/fixtures/rails_3_2_12/config/environments/development.rb +0 -37
- data/fixtures/rails_3_2_12/config/environments/production.rb +0 -67
- data/fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb +0 -7
- data/fixtures/rails_3_2_12/config/initializers/inflections.rb +0 -15
- data/fixtures/rails_3_2_12/config/initializers/mime_types.rb +0 -5
- data/fixtures/rails_3_2_12/config/initializers/secret_token.rb +0 -7
- data/fixtures/rails_3_2_12/config/initializers/session_store.rb +0 -8
- data/fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb +0 -14
- data/fixtures/rails_3_2_12/config/locales/en.yml +0 -5
- data/fixtures/rails_3_2_12/db/schema.rb +0 -16
- data/fixtures/rails_3_2_12/db/seeds.rb +0 -7
- data/fixtures/rails_3_2_12_no_init/Guardfile +0 -14
- data/fixtures/rails_3_2_12_no_init/app/models/thing.rb +0 -3
- data/fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb +0 -17
- data/fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb +0 -6
- data/fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb +0 -5
- data/fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb +0 -5
- data/fixtures/rails_3_2_12_no_init/config/database.yml +0 -25
- data/fixtures/rails_3_2_12_no_init/config/environments/development.rb +0 -37
- data/fixtures/rails_3_2_12_no_init/config/environments/production.rb +0 -67
- data/fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb +0 -7
- data/fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb +0 -15
- data/fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb +0 -5
- data/fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb +0 -7
- data/fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb +0 -8
- data/fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb +0 -14
- data/fixtures/rails_3_2_12_no_init/config/locales/en.yml +0 -5
- data/fixtures/rails_3_2_12_no_init/db/schema.rb +0 -16
- data/fixtures/rails_3_2_12_no_init/db/seeds.rb +0 -7
- data/lib/secure_headers/headers/content_security_policy/browser_strategy.rb +0 -78
- data/lib/secure_headers/headers/content_security_policy/firefox_browser_strategy.rb +0 -72
- data/lib/secure_headers/headers/content_security_policy/ie_browser_strategy.rb +0 -6
- data/lib/secure_headers/headers/content_security_policy/standard_browser_strategy.rb +0 -22
- data/spec/controllers/content_security_policy_controller_spec.rb +0 -74
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version:
|
|
4
|
+
version: 2.0.0
|
|
5
5
|
prerelease:
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
@@ -9,24 +9,8 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date:
|
|
12
|
+
date: 2015-01-23 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
|
-
- !ruby/object:Gem::Dependency
|
|
15
|
-
name: brwsr
|
|
16
|
-
requirement: !ruby/object:Gem::Requirement
|
|
17
|
-
none: false
|
|
18
|
-
requirements:
|
|
19
|
-
- - ! '>='
|
|
20
|
-
- !ruby/object:Gem::Version
|
|
21
|
-
version: 1.1.1
|
|
22
|
-
type: :runtime
|
|
23
|
-
prerelease: false
|
|
24
|
-
version_requirements: !ruby/object:Gem::Requirement
|
|
25
|
-
none: false
|
|
26
|
-
requirements:
|
|
27
|
-
- - ! '>='
|
|
28
|
-
- !ruby/object:Gem::Version
|
|
29
|
-
version: 1.1.1
|
|
30
14
|
- !ruby/object:Gem::Dependency
|
|
31
15
|
name: rake
|
|
32
16
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -43,7 +27,7 @@ dependencies:
|
|
|
43
27
|
- - ! '>='
|
|
44
28
|
- !ruby/object:Gem::Version
|
|
45
29
|
version: '0'
|
|
46
|
-
description:
|
|
30
|
+
description: Security related headers all in one gem.
|
|
47
31
|
email:
|
|
48
32
|
- neil.matatall@gmail.com
|
|
49
33
|
executables: []
|
|
@@ -51,49 +35,32 @@ extensions: []
|
|
|
51
35
|
extra_rdoc_files: []
|
|
52
36
|
files:
|
|
53
37
|
- .gitignore
|
|
54
|
-
- .
|
|
38
|
+
- .ruby-gemset
|
|
39
|
+
- .ruby-version
|
|
55
40
|
- .travis.yml
|
|
56
41
|
- Gemfile
|
|
57
|
-
- Guardfile
|
|
58
|
-
- HISTORY.md
|
|
59
42
|
- LICENSE
|
|
60
43
|
- README.md
|
|
61
44
|
- Rakefile
|
|
62
|
-
- app/controllers/content_security_policy_controller.rb
|
|
63
|
-
- config/curl-ca-bundle.crt
|
|
64
|
-
- config/routes.rb
|
|
65
45
|
- fixtures/rails_3_2_12/.rspec
|
|
66
46
|
- fixtures/rails_3_2_12/Gemfile
|
|
67
|
-
- fixtures/rails_3_2_12/Guardfile
|
|
68
47
|
- fixtures/rails_3_2_12/README.rdoc
|
|
69
48
|
- fixtures/rails_3_2_12/Rakefile
|
|
70
49
|
- fixtures/rails_3_2_12/app/controllers/application_controller.rb
|
|
71
50
|
- fixtures/rails_3_2_12/app/controllers/other_things_controller.rb
|
|
72
51
|
- fixtures/rails_3_2_12/app/controllers/things_controller.rb
|
|
73
52
|
- fixtures/rails_3_2_12/app/models/.gitkeep
|
|
74
|
-
- fixtures/rails_3_2_12/app/models/thing.rb
|
|
75
53
|
- fixtures/rails_3_2_12/app/views/layouts/application.html.erb
|
|
76
54
|
- fixtures/rails_3_2_12/app/views/other_things/index.html.erb
|
|
77
55
|
- fixtures/rails_3_2_12/app/views/things/index.html.erb
|
|
78
56
|
- fixtures/rails_3_2_12/config.ru
|
|
79
57
|
- fixtures/rails_3_2_12/config/application.rb
|
|
80
58
|
- fixtures/rails_3_2_12/config/boot.rb
|
|
81
|
-
- fixtures/rails_3_2_12/config/database.yml
|
|
82
59
|
- fixtures/rails_3_2_12/config/environment.rb
|
|
83
|
-
- fixtures/rails_3_2_12/config/environments/development.rb
|
|
84
|
-
- fixtures/rails_3_2_12/config/environments/production.rb
|
|
85
60
|
- fixtures/rails_3_2_12/config/environments/test.rb
|
|
86
|
-
- fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb
|
|
87
|
-
- fixtures/rails_3_2_12/config/initializers/inflections.rb
|
|
88
|
-
- fixtures/rails_3_2_12/config/initializers/mime_types.rb
|
|
89
|
-
- fixtures/rails_3_2_12/config/initializers/secret_token.rb
|
|
90
61
|
- fixtures/rails_3_2_12/config/initializers/secure_headers.rb
|
|
91
|
-
- fixtures/rails_3_2_12/config/initializers/session_store.rb
|
|
92
|
-
- fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb
|
|
93
|
-
- fixtures/rails_3_2_12/config/locales/en.yml
|
|
94
62
|
- fixtures/rails_3_2_12/config/routes.rb
|
|
95
|
-
- fixtures/rails_3_2_12/
|
|
96
|
-
- fixtures/rails_3_2_12/db/seeds.rb
|
|
63
|
+
- fixtures/rails_3_2_12/config/script_hashes.yml
|
|
97
64
|
- fixtures/rails_3_2_12/lib/assets/.gitkeep
|
|
98
65
|
- fixtures/rails_3_2_12/lib/tasks/.gitkeep
|
|
99
66
|
- fixtures/rails_3_2_12/log/.gitkeep
|
|
@@ -105,39 +72,21 @@ files:
|
|
|
105
72
|
- fixtures/rails_3_2_12/vendor/plugins/.gitkeep
|
|
106
73
|
- fixtures/rails_3_2_12_no_init/.rspec
|
|
107
74
|
- fixtures/rails_3_2_12_no_init/Gemfile
|
|
108
|
-
- fixtures/rails_3_2_12_no_init/Guardfile
|
|
109
75
|
- fixtures/rails_3_2_12_no_init/README.rdoc
|
|
110
76
|
- fixtures/rails_3_2_12_no_init/Rakefile
|
|
111
77
|
- fixtures/rails_3_2_12_no_init/app/controllers/application_controller.rb
|
|
112
78
|
- fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb
|
|
113
79
|
- fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb
|
|
114
80
|
- fixtures/rails_3_2_12_no_init/app/models/.gitkeep
|
|
115
|
-
- fixtures/rails_3_2_12_no_init/app/models/thing.rb
|
|
116
81
|
- fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb
|
|
117
82
|
- fixtures/rails_3_2_12_no_init/app/views/other_things/index.html.erb
|
|
118
|
-
- fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb
|
|
119
|
-
- fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb
|
|
120
83
|
- fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb
|
|
121
|
-
- fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb
|
|
122
|
-
- fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb
|
|
123
84
|
- fixtures/rails_3_2_12_no_init/config.ru
|
|
124
85
|
- fixtures/rails_3_2_12_no_init/config/application.rb
|
|
125
86
|
- fixtures/rails_3_2_12_no_init/config/boot.rb
|
|
126
|
-
- fixtures/rails_3_2_12_no_init/config/database.yml
|
|
127
87
|
- fixtures/rails_3_2_12_no_init/config/environment.rb
|
|
128
|
-
- fixtures/rails_3_2_12_no_init/config/environments/development.rb
|
|
129
|
-
- fixtures/rails_3_2_12_no_init/config/environments/production.rb
|
|
130
88
|
- fixtures/rails_3_2_12_no_init/config/environments/test.rb
|
|
131
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb
|
|
132
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb
|
|
133
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb
|
|
134
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb
|
|
135
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb
|
|
136
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb
|
|
137
|
-
- fixtures/rails_3_2_12_no_init/config/locales/en.yml
|
|
138
89
|
- fixtures/rails_3_2_12_no_init/config/routes.rb
|
|
139
|
-
- fixtures/rails_3_2_12_no_init/db/schema.rb
|
|
140
|
-
- fixtures/rails_3_2_12_no_init/db/seeds.rb
|
|
141
90
|
- fixtures/rails_3_2_12_no_init/lib/assets/.gitkeep
|
|
142
91
|
- fixtures/rails_3_2_12_no_init/lib/tasks/.gitkeep
|
|
143
92
|
- fixtures/rails_3_2_12_no_init/log/.gitkeep
|
|
@@ -147,25 +96,59 @@ files:
|
|
|
147
96
|
- fixtures/rails_3_2_12_no_init/vendor/assets/javascripts/.gitkeep
|
|
148
97
|
- fixtures/rails_3_2_12_no_init/vendor/assets/stylesheets/.gitkeep
|
|
149
98
|
- fixtures/rails_3_2_12_no_init/vendor/plugins/.gitkeep
|
|
99
|
+
- fixtures/rails_4_1_8/Gemfile
|
|
100
|
+
- fixtures/rails_4_1_8/README.rdoc
|
|
101
|
+
- fixtures/rails_4_1_8/Rakefile
|
|
102
|
+
- fixtures/rails_4_1_8/app/controllers/application_controller.rb
|
|
103
|
+
- fixtures/rails_4_1_8/app/controllers/concerns/.keep
|
|
104
|
+
- fixtures/rails_4_1_8/app/controllers/other_things_controller.rb
|
|
105
|
+
- fixtures/rails_4_1_8/app/controllers/things_controller.rb
|
|
106
|
+
- fixtures/rails_4_1_8/app/models/.keep
|
|
107
|
+
- fixtures/rails_4_1_8/app/models/concerns/.keep
|
|
108
|
+
- fixtures/rails_4_1_8/app/views/layouts/application.html.erb
|
|
109
|
+
- fixtures/rails_4_1_8/app/views/other_things/index.html.erb
|
|
110
|
+
- fixtures/rails_4_1_8/app/views/things/index.html.erb
|
|
111
|
+
- fixtures/rails_4_1_8/config.ru
|
|
112
|
+
- fixtures/rails_4_1_8/config/application.rb
|
|
113
|
+
- fixtures/rails_4_1_8/config/boot.rb
|
|
114
|
+
- fixtures/rails_4_1_8/config/environment.rb
|
|
115
|
+
- fixtures/rails_4_1_8/config/environments/test.rb
|
|
116
|
+
- fixtures/rails_4_1_8/config/initializers/secure_headers.rb
|
|
117
|
+
- fixtures/rails_4_1_8/config/routes.rb
|
|
118
|
+
- fixtures/rails_4_1_8/config/script_hashes.yml
|
|
119
|
+
- fixtures/rails_4_1_8/config/secrets.yml
|
|
120
|
+
- fixtures/rails_4_1_8/lib/assets/.keep
|
|
121
|
+
- fixtures/rails_4_1_8/lib/tasks/.keep
|
|
122
|
+
- fixtures/rails_4_1_8/log/.keep
|
|
123
|
+
- fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb
|
|
124
|
+
- fixtures/rails_4_1_8/spec/controllers/things_controller_spec.rb
|
|
125
|
+
- fixtures/rails_4_1_8/spec/spec_helper.rb
|
|
126
|
+
- fixtures/rails_4_1_8/vendor/assets/javascripts/.keep
|
|
127
|
+
- fixtures/rails_4_1_8/vendor/assets/stylesheets/.keep
|
|
150
128
|
- lib/secure_headers.rb
|
|
129
|
+
- lib/secure_headers/hash_helper.rb
|
|
151
130
|
- lib/secure_headers/header.rb
|
|
152
131
|
- lib/secure_headers/headers/content_security_policy.rb
|
|
153
|
-
- lib/secure_headers/headers/content_security_policy/
|
|
154
|
-
- lib/secure_headers/headers/content_security_policy/firefox_browser_strategy.rb
|
|
155
|
-
- lib/secure_headers/headers/content_security_policy/ie_browser_strategy.rb
|
|
156
|
-
- lib/secure_headers/headers/content_security_policy/standard_browser_strategy.rb
|
|
132
|
+
- lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb
|
|
157
133
|
- lib/secure_headers/headers/strict_transport_security.rb
|
|
158
134
|
- lib/secure_headers/headers/x_content_type_options.rb
|
|
135
|
+
- lib/secure_headers/headers/x_download_options.rb
|
|
159
136
|
- lib/secure_headers/headers/x_frame_options.rb
|
|
137
|
+
- lib/secure_headers/headers/x_permitted_cross_domain_policies.rb
|
|
160
138
|
- lib/secure_headers/headers/x_xss_protection.rb
|
|
139
|
+
- lib/secure_headers/padrino.rb
|
|
161
140
|
- lib/secure_headers/railtie.rb
|
|
162
141
|
- lib/secure_headers/version.rb
|
|
142
|
+
- lib/secure_headers/view_helper.rb
|
|
143
|
+
- lib/tasks/tasks.rake
|
|
163
144
|
- secure_headers.gemspec
|
|
164
|
-
- spec/
|
|
145
|
+
- spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb
|
|
165
146
|
- spec/lib/secure_headers/headers/content_security_policy_spec.rb
|
|
166
147
|
- spec/lib/secure_headers/headers/strict_transport_security_spec.rb
|
|
167
148
|
- spec/lib/secure_headers/headers/x_content_type_options_spec.rb
|
|
149
|
+
- spec/lib/secure_headers/headers/x_download_options_spec.rb
|
|
168
150
|
- spec/lib/secure_headers/headers/x_frame_options_spec.rb
|
|
151
|
+
- spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
|
|
169
152
|
- spec/lib/secure_headers/headers/x_xss_protection_spec.rb
|
|
170
153
|
- spec/lib/secure_headers_spec.rb
|
|
171
154
|
- spec/spec_helper.rb
|
|
@@ -191,17 +174,19 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
191
174
|
version: '0'
|
|
192
175
|
requirements: []
|
|
193
176
|
rubyforge_project:
|
|
194
|
-
rubygems_version: 1.8.
|
|
177
|
+
rubygems_version: 1.8.23
|
|
195
178
|
signing_key:
|
|
196
179
|
specification_version: 3
|
|
197
|
-
summary: Add easily configured
|
|
198
|
-
|
|
180
|
+
summary: Add easily configured security headers to responses including content-security-policy,
|
|
181
|
+
x-frame-options, strict-transport-security, etc.
|
|
199
182
|
test_files:
|
|
200
|
-
- spec/
|
|
183
|
+
- spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb
|
|
201
184
|
- spec/lib/secure_headers/headers/content_security_policy_spec.rb
|
|
202
185
|
- spec/lib/secure_headers/headers/strict_transport_security_spec.rb
|
|
203
186
|
- spec/lib/secure_headers/headers/x_content_type_options_spec.rb
|
|
187
|
+
- spec/lib/secure_headers/headers/x_download_options_spec.rb
|
|
204
188
|
- spec/lib/secure_headers/headers/x_frame_options_spec.rb
|
|
189
|
+
- spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
|
|
205
190
|
- spec/lib/secure_headers/headers/x_xss_protection_spec.rb
|
|
206
191
|
- spec/lib/secure_headers_spec.rb
|
|
207
192
|
- spec/spec_helper.rb
|
data/.rvmrc
DELETED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
rvm use 1.9.3@secureheaders --create
|
data/Guardfile
DELETED
|
@@ -1,10 +0,0 @@
|
|
|
1
|
-
guard 'spork', :aggressive_kill => false do
|
|
2
|
-
watch('spec/spec_helper.rb') { :rspec }
|
|
3
|
-
end
|
|
4
|
-
|
|
5
|
-
guard 'rspec', :cli => "--color --drb --debug", :keep_failed => true, :all_after_pass => true, :focus_on_failed => true do
|
|
6
|
-
watch(%r{^spec/.+_spec\.rb$})
|
|
7
|
-
watch(%r{^lib/(.+)\.rb$}) { |m| "spec/lib/#{m[1]}_spec.rb" }
|
|
8
|
-
watch(%r{^app/controllers/(.+)\.rb$}) { |m| "spec/controllers/#{m[1]}_spec.rb" }
|
|
9
|
-
watch('spec/spec_helper.rb') { "spec" }
|
|
10
|
-
end
|
data/HISTORY.md
DELETED
|
@@ -1,100 +0,0 @@
|
|
|
1
|
-
1.0.0
|
|
2
|
-
======
|
|
3
|
-
|
|
4
|
-
Features:
|
|
5
|
-
|
|
6
|
-
- Use non-prefixed header names for Firefox >= 23, Chrome >= 25
|
|
7
|
-
- Use csp 1.0 compliant header for firefox >= 23
|
|
8
|
-
|
|
9
|
-
Bug Fix:
|
|
10
|
-
|
|
11
|
-
- Stop sending CSP on safari 5.1+
|
|
12
|
-
|
|
13
|
-
0.5.0
|
|
14
|
-
======
|
|
15
|
-
|
|
16
|
-
- X-Content-Type-Options also applied to Chrome requests
|
|
17
|
-
|
|
18
|
-
0.4.3
|
|
19
|
-
======
|
|
20
|
-
|
|
21
|
-
- Safari 5 is just completely broken when CSP is used, both mobile and desktop versions
|
|
22
|
-
|
|
23
|
-
0.4.2
|
|
24
|
-
======
|
|
25
|
-
|
|
26
|
-
- Stupid bug where Fixnums couldn't be used for config values
|
|
27
|
-
- Doc updates
|
|
28
|
-
|
|
29
|
-
0.4.1
|
|
30
|
-
======
|
|
31
|
-
|
|
32
|
-
- Allow strings or ints in the HSTS max-age (@reedloden)
|
|
33
|
-
|
|
34
|
-
0.4.0
|
|
35
|
-
=======
|
|
36
|
-
|
|
37
|
-
- Treat each header as it's own before_filter. This allows you to `skip_before_filter :set_X_header, :only => :bad_idea
|
|
38
|
-
- Should be backwards compatible, but it is a change to the API.
|
|
39
|
-
|
|
40
|
-
0.3.0
|
|
41
|
-
=======
|
|
42
|
-
|
|
43
|
-
- Greatly reduce the need to use the forward_endpoint attribute. If you are posting from your site to a host that matches TLD+1 (e.g. translate.twitter.com matches twitter.com), use a protocol relative value for report-uri. This will alleviate the need to use forwarding. If your host doesn't match, you still need to use forwarding due to host mismatches for Firefox.
|
|
44
|
-
|
|
45
|
-
0.2.3
|
|
46
|
-
=======
|
|
47
|
-
|
|
48
|
-
- Fix error in report-uri logic for Firefox forwarding.
|
|
49
|
-
|
|
50
|
-
0.2.2
|
|
51
|
-
=======
|
|
52
|
-
|
|
53
|
-
- Stop applying chrome-extension: to Firefox directives.
|
|
54
|
-
|
|
55
|
-
0.2.1
|
|
56
|
-
=======
|
|
57
|
-
|
|
58
|
-
- Firefox headers will now stop overriding report_uri when only a path is supplied
|
|
59
|
-
|
|
60
|
-
0.2.0
|
|
61
|
-
=======
|
|
62
|
-
|
|
63
|
-
- 0.1.0 introduced a serious regression in which child controllers overwrote parent controller config values
|
|
64
|
-
- Decoupling of CSP headers and the request object. Allows you to generate static values to save cycles:
|
|
65
|
-
|
|
66
|
-
```ruby
|
|
67
|
-
FIREFOX = SecureHeaders::ContentSecurityPolicy.new(config, :ua => "Firefox", :ssl => true).value
|
|
68
|
-
CHROME = SecureHeaders::ContentSecurityPolicy.new(config, :ua => "Chrome", :ssl => true).value
|
|
69
|
-
```
|
|
70
|
-
- :forward_endpoint now acts as the endpoint that reports are forwarded to (when using the internal forwarder feature for cross-host reporting)
|
|
71
|
-
- Skeleton applications have been added to test isolated application configurations
|
|
72
|
-
- Cleanup by @bemurphy
|
|
73
|
-
|
|
74
|
-
0.1.1
|
|
75
|
-
=======
|
|
76
|
-
|
|
77
|
-
Bug fix. Firefox doesn't seem to like the default-src directive, reverting back to 'allow'
|
|
78
|
-
|
|
79
|
-
0.1.0
|
|
80
|
-
=======
|
|
81
|
-
|
|
82
|
-
Notes:
|
|
83
|
-
------
|
|
84
|
-
|
|
85
|
-
- Gem is renamed to secure_headers. This will make bundler happy. https://github.com/twitter/secureheaders/pull/26
|
|
86
|
-
|
|
87
|
-
Features:
|
|
88
|
-
------
|
|
89
|
-
|
|
90
|
-
- ability to apply two headers, one in enforce mode, one in "experimental" mode https://github.com/twitter/secureheaders/pull/11
|
|
91
|
-
- Rails 3.0 support https://github.com/twitter/secureheaders/pull/28
|
|
92
|
-
|
|
93
|
-
Bug fixes, misc:
|
|
94
|
-
------
|
|
95
|
-
|
|
96
|
-
- Fix issue where settings in application_controller were ignored if no intializer was supplied https://github.com/twitter/secureheaders/pull/25
|
|
97
|
-
- Better support for other frameworks, including docs from @achui, @bmaland
|
|
98
|
-
- Rails 4 routes support from @jviney https://github.com/twitter/secureheaders/pull/13
|
|
99
|
-
- data: automatically whitelisted for img-src
|
|
100
|
-
- Doc updates from @ming13, @theverything, @dcollazo
|
|
@@ -1,53 +0,0 @@
|
|
|
1
|
-
require 'net/https'
|
|
2
|
-
require 'openssl'
|
|
3
|
-
|
|
4
|
-
class ContentSecurityPolicyController < ActionController::Base
|
|
5
|
-
CA_FILE = File.expand_path(File.join('..','..', '..', 'config', 'curl-ca-bundle.crt'), __FILE__)
|
|
6
|
-
|
|
7
|
-
def scribe
|
|
8
|
-
csp = ::SecureHeaders::Configuration.csp || {}
|
|
9
|
-
|
|
10
|
-
forward_endpoint = csp[:forward_endpoint]
|
|
11
|
-
if forward_endpoint
|
|
12
|
-
forward_params_to(forward_endpoint)
|
|
13
|
-
end
|
|
14
|
-
|
|
15
|
-
head :ok
|
|
16
|
-
rescue StandardError => e
|
|
17
|
-
log_warning(forward_endpoint, e)
|
|
18
|
-
head :bad_request
|
|
19
|
-
end
|
|
20
|
-
|
|
21
|
-
private
|
|
22
|
-
|
|
23
|
-
def forward_params_to(forward_endpoint)
|
|
24
|
-
uri = URI.parse(forward_endpoint)
|
|
25
|
-
http = Net::HTTP.new(uri.host, uri.port)
|
|
26
|
-
if uri.scheme == 'https'
|
|
27
|
-
use_ssl(http)
|
|
28
|
-
end
|
|
29
|
-
|
|
30
|
-
request = Net::HTTP::Post.new(uri.to_s)
|
|
31
|
-
request.body = params.to_json
|
|
32
|
-
|
|
33
|
-
# fire and forget
|
|
34
|
-
if defined?(Delayed::Job)
|
|
35
|
-
http.delay.request(request)
|
|
36
|
-
else
|
|
37
|
-
http.request(request)
|
|
38
|
-
end
|
|
39
|
-
end
|
|
40
|
-
|
|
41
|
-
def use_ssl request
|
|
42
|
-
request.use_ssl = true
|
|
43
|
-
request.ca_file = CA_FILE
|
|
44
|
-
request.verify_mode = OpenSSL::SSL::VERIFY_PEER
|
|
45
|
-
request.verify_depth = 9
|
|
46
|
-
end
|
|
47
|
-
|
|
48
|
-
def log_warning(forward_endpoint, e)
|
|
49
|
-
if defined?(Rails.logger)
|
|
50
|
-
Rails.logger.warn("Unable to POST CSP report to #{forward_endpoint} because #{e}")
|
|
51
|
-
end
|
|
52
|
-
end
|
|
53
|
-
end
|