secure_headers 1.1.1 → 1.3.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (53) hide show
  1. checksums.yaml +15 -0
  2. data/.ruby-gemset +1 -0
  3. data/.ruby-version +1 -0
  4. data/.travis.yml +2 -0
  5. data/Gemfile +0 -4
  6. data/Guardfile +1 -5
  7. data/HISTORY.md +47 -0
  8. data/README.md +74 -27
  9. data/fixtures/rails_3_2_12/Gemfile +0 -3
  10. data/fixtures/rails_3_2_12/app/views/things/index.html.erb +1 -21
  11. data/fixtures/rails_3_2_12/config/application.rb +4 -4
  12. data/fixtures/rails_3_2_12/config/environments/development.rb +3 -3
  13. data/fixtures/rails_3_2_12/config/environments/test.rb +2 -2
  14. data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +1 -0
  15. data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +15 -14
  16. data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +12 -12
  17. data/fixtures/rails_3_2_12/spec/spec_helper.rb +1 -5
  18. data/fixtures/rails_3_2_12_no_init/Gemfile +0 -3
  19. data/fixtures/rails_3_2_12_no_init/config/application.rb +1 -4
  20. data/fixtures/rails_3_2_12_no_init/config/environments/development.rb +3 -3
  21. data/fixtures/rails_3_2_12_no_init/config/environments/test.rb +2 -2
  22. data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +12 -12
  23. data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +12 -12
  24. data/fixtures/rails_3_2_12_no_init/spec/spec_helper.rb +3 -18
  25. data/lib/secure_headers/headers/content_security_policy.rb +52 -35
  26. data/lib/secure_headers/headers/strict_transport_security.rb +2 -1
  27. data/lib/secure_headers/headers/x_download_options.rb +39 -0
  28. data/lib/secure_headers/headers/x_xss_protection.rb +2 -1
  29. data/lib/secure_headers/padrino.rb +14 -0
  30. data/lib/secure_headers/railtie.rb +6 -2
  31. data/lib/secure_headers/version.rb +1 -1
  32. data/lib/secure_headers.rb +8 -1
  33. data/spec/controllers/content_security_policy_controller_spec.rb +19 -19
  34. data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +117 -85
  35. data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +21 -20
  36. data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +12 -12
  37. data/spec/lib/secure_headers/headers/x_download_options_spec.rb +32 -0
  38. data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +12 -12
  39. data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +20 -19
  40. data/spec/lib/secure_headers_spec.rb +38 -12
  41. data/spec/spec_helper.rb +10 -24
  42. metadata +11 -20
  43. data/.rvmrc +0 -1
  44. data/fixtures/rails_3_2_12/Guardfile +0 -14
  45. data/fixtures/rails_3_2_12/app/models/thing.rb +0 -3
  46. data/fixtures/rails_3_2_12/config/database.yml +0 -25
  47. data/fixtures/rails_3_2_12/db/schema.rb +0 -16
  48. data/fixtures/rails_3_2_12/db/seeds.rb +0 -7
  49. data/fixtures/rails_3_2_12_no_init/Guardfile +0 -14
  50. data/fixtures/rails_3_2_12_no_init/app/models/thing.rb +0 -3
  51. data/fixtures/rails_3_2_12_no_init/config/database.yml +0 -25
  52. data/fixtures/rails_3_2_12_no_init/db/schema.rb +0 -16
  53. data/fixtures/rails_3_2_12_no_init/db/seeds.rb +0 -7
checksums.yaml ADDED
@@ -0,0 +1,15 @@
1
+ ---
2
+ !binary "U0hBMQ==":
3
+ metadata.gz: !binary |-
4
+ NzcxMzdhM2IwMTAxN2IyNTc5OTg5OGY1MmJlZGFlNWJmNjBjM2MzMw==
5
+ data.tar.gz: !binary |-
6
+ ODNmNjA1YmY1ODEzMWIxYTU2YWYzYmY3NGFjM2Y1ZDU4MDQ0ODkwMQ==
7
+ SHA512:
8
+ metadata.gz: !binary |-
9
+ NGEwNTVlZjBmMTcwN2QxYjI5YjVkZGJhZmJiYTJlY2M3YzEyM2JiN2Q3MzY0
10
+ NzdmNWNhMDIzMmVhNzNkZWRmZTZiYmQ1OWE5MjMwYTY2MDE1NGVhMWU3Mjg4
11
+ OTdmZTZiOGI0N2NhNGYzZThkMjc3ZWYxMjU5YzhiYTNjNmFmZjE=
12
+ data.tar.gz: !binary |-
13
+ MTI1NTNhYzExYjVmYjMwNjNjMGUzMDlmYmVmZTk1YjJiN2UwODM4MzYwNzhj
14
+ Y2ZhMzYxNTNkM2Y0MWY1YTQ1ZWMyYmQ4NDA3NjJhOGViNTU0MmEwYWY4MTNm
15
+ MTczMzNjOTliYWYzODFiY2RiNDZmOGQ2ZWU4ZjdiNWJhMTZlMzA=
data/.ruby-gemset ADDED
@@ -0,0 +1 @@
1
+ secureheaders
data/.ruby-version ADDED
@@ -0,0 +1 @@
1
+ ruby-1.9.3-p484
data/.travis.yml CHANGED
@@ -1,4 +1,6 @@
1
1
  rvm:
2
+ - "2.1.0"
3
+ - "2.0.0"
2
4
  - "1.9.3"
3
5
  - "1.8.7"
4
6
  # - jruby-19mode
data/Gemfile CHANGED
@@ -7,14 +7,10 @@ group :test do
7
7
  gem 'sqlite3', :platform => [:ruby, :mswin, :mingw]
8
8
  gem 'jdbc-sqlite3', :platform => :jruby
9
9
  gem 'rspec-rails'
10
- gem 'spork'
11
- gem 'pry'
12
10
  gem 'rspec'
13
- gem 'guard-spork', :platform => :ruby_19
14
11
  gem 'guard-rspec', :platform => :ruby_19
15
12
  gem 'growl'
16
13
  gem 'rb-fsevent'
17
- gem 'simplecov'
18
14
  gem 'debugger', :platform => :ruby_19
19
15
  gem 'ruby-debug', :platform => :ruby_18
20
16
  end
data/Guardfile CHANGED
@@ -1,8 +1,4 @@
1
- guard 'spork', :aggressive_kill => false do
2
- watch('spec/spec_helper.rb') { :rspec }
3
- end
4
-
5
- guard 'rspec', :cli => "--color --drb --debug", :keep_failed => true, :all_after_pass => true, :focus_on_failed => true do
1
+ guard 'rspec' do
6
2
  watch(%r{^spec/.+_spec\.rb$})
7
3
  watch(%r{^lib/(.+)\.rb$}) { |m| "spec/lib/#{m[1]}_spec.rb" }
8
4
  watch(%r{^app/controllers/(.+)\.rb$}) { |m| "spec/controllers/#{m[1]}_spec.rb" }
data/HISTORY.md CHANGED
@@ -1,3 +1,50 @@
1
+ 1.3.4
2
+ ======
3
+
4
+ * Adds X-Download-Options support
5
+ * Adds support for X-XSS-Protection reporting
6
+ * Defers loading of rails engine for faster boot times
7
+
8
+ 1.3.3
9
+ ======
10
+
11
+ @agl just made a new option for HSTS representing confirmation that a site wants to be included in a browser's preload list (https://hstspreload.appspot.com).
12
+
13
+ This just adds a new 'preload' option to the HSTS settings to specify that option.
14
+
15
+ 1.3.2
16
+ ======
17
+
18
+ Adds the ability to "tag" requests and a new config value: :app_name
19
+
20
+ {
21
+ :tag_report_uri => true,
22
+ :enforce => true,
23
+ :app_name => 'twitter',
24
+ :report_uri => 'csp_reports'
25
+ }
26
+
27
+ Results in
28
+ report-uri csp_reports?enforce=true&app_name=twitter
29
+
30
+
31
+ 1.3.1
32
+ ======
33
+
34
+ Bugfix release: same-origin detection would error out when the URL containined invalid values (like |)
35
+
36
+ 1.3.0
37
+ ======
38
+
39
+ - CSP nonce support was added back and is compliant.
40
+ - Bugs:
41
+ -- enforce, disable_fill_missing, and disable_chrome_extension did not accept lambdas for no good reason
42
+ -- IF a default-src was specified, and an img-src was not, and disable_fill_missing was true, the img-src value would be :data
43
+
44
+ 1.2.0
45
+ ======
46
+ - Allow procs to be used as config values.
47
+
1
48
  1.1.1
2
49
  ======
3
50
 
data/README.md CHANGED
@@ -85,9 +85,10 @@ Or simply add it to application controller
85
85
 
86
86
  ```ruby
87
87
  ensure_security_headers(
88
- :hsts => {:include_subdomains, :x_frame_options => false},
88
+ :hsts => {:include_subdomains => true, :max_age => 20.years.to_i},
89
89
  :x_frame_options => 'DENY',
90
- :csp => false)
90
+ :csp => false
91
+ )
91
92
  ```
92
93
 
93
94
  ## Options for ensure\_security\_headers
@@ -162,13 +163,6 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
162
163
  :img_src => 'http://mycdn.example.com'
163
164
  }
164
165
  }
165
-
166
- # script-nonce is an experimental feature of CSP 1.1 available in Chrome. It allows
167
- # you to whitelist inline script blocks. For more information, see
168
- # https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-nonce
169
- :script_nonce => lambda { @script_nonce = SecureRandom.hex }
170
- # which can be used to whitelist a script block:
171
- # script_tag :nonce = @script_nonce { inline_script_call() }
172
166
  }
173
167
  ```
174
168
 
@@ -203,9 +197,54 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
203
197
  "default-src 'self'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com;"
204
198
  ```
205
199
 
206
- ## Note on Firefox handling of CSP
200
+ ### Tagging Requests
201
+
202
+ It's often valuable to send extra information in the report uri that is not available in the reports themselves. Namely, "was the policy enforced" and "where did the report come from"
203
+
204
+ ```ruby
205
+ {
206
+ :tag_report_uri => true,
207
+ :enforce => true,
208
+ :app_name => 'twitter',
209
+ :report_uri => 'csp_reports'
210
+ }
211
+ ```
212
+
213
+ Results in
214
+ ```
215
+ report-uri csp_reports?enforce=true&app_name=twitter
216
+ ```
217
+
218
+ ### CSP Level 2 features
219
+
220
+ script/style-nonce can be used to whitelist inline content. To do this, add "nonce" to your script/style-src configuration, then set the nonce attributes on the various tags.
221
+
222
+ *setting a nonce will also set 'unsafe-inline' for browsers that don't support nonces for backwards compatibility. 'unsafe-inline' is ignored if a nonce is present in a directive in compliant browsers.
223
+
224
+ ```ruby
225
+ :csp => {
226
+ :default_src => 'self',
227
+ :script_src => 'self nonce'
228
+ }
229
+ ```
230
+
231
+ > content-security-policy: default-src 'self'; script-src 'self' 'nonce-abc123' 'unsafe-inline'
207
232
 
208
- Currently, Firefox does not support the w3c draft standard. So there are a few steps taken to make the two interchangeable.
233
+ ```erb
234
+ <script nonce="<%= @content_security_policy_nonce %>">
235
+ console.log("whitelisted, will execute")
236
+ </script>
237
+
238
+ <script nonce="lol">
239
+ console.log("won't execute, not whitelisted")
240
+ </script>
241
+
242
+ <script>
243
+ console.log("won't execute, not whitelisted")
244
+ </script>
245
+ ```
246
+
247
+ ## Note on Firefox handling of CSP
209
248
 
210
249
  * CSP reports will not POST cross\-origin. This sets up an internal endpoint in the application that will forward the request. Set the `forward_endpoint` value in the CSP section if you need to post cross origin for firefox. The internal endpoint that receives the initial request will forward the request to `forward_endpoint`
211
250
 
@@ -274,22 +313,11 @@ In your `Gemfile`:
274
313
  then in your `app.rb` file you can:
275
314
 
276
315
  ```ruby
316
+ require 'secure_headers/padrino'
317
+
277
318
  module Web
278
319
  class App < Padrino::Application
279
- include SecureHeaders
280
-
281
- ::SecureHeaders::Configuration.configure do |config|
282
- config.hsts = {:max_age => 99, :include_subdomains => true}
283
- config.x_frame_options = 'DENY'
284
- config.x_content_type_options = "nosniff"
285
- config.x_xss_protection = {:value => '1', :mode => false}
286
- config.csp = {
287
- :default_src => "https://* inline eval",
288
- :report_uri => '//example.com/uri-directive',
289
- :img_src => "https://* data:",
290
- :frame_src => "https://* http://*.twimg.com http://itunes.apple.com"
291
- }
292
- end
320
+ register SecureHeaders::Padrino
293
321
 
294
322
  get '/' do
295
323
  set_csp_header
@@ -299,12 +327,31 @@ module Web
299
327
  end
300
328
  ```
301
329
 
330
+ and in `config/boot.rb`:
331
+
332
+ ```ruby
333
+ def before_load
334
+ ::SecureHeaders::Configuration.configure do |config|
335
+ config.hsts = {:max_age => 99, :include_subdomains => true}
336
+ config.x_frame_options = 'DENY'
337
+ config.x_content_type_options = "nosniff"
338
+ config.x_xss_protection = {:value => '1', :mode => false}
339
+ config.csp = {
340
+ :default_src => "https://* inline eval",
341
+ :report_uri => '//example.com/uri-directive',
342
+ :img_src => "https://* data:",
343
+ :frame_src => "https://* http://*.twimg.com http://itunes.apple.com"
344
+ }
345
+ end
346
+ end
347
+ ```
348
+
302
349
  ## Similar libraries
303
350
 
304
351
  * Node.js (express) [helmet](https://github.com/evilpacket/helmet) and [hood](https://github.com/seanmonstar/hood)
305
352
  * J2EE Servlet >= 3.0 [highlines](https://github.com/sourceclear/headlines)
306
353
  * ASP.NET - [NWebsec](http://nwebsec.codeplex.com/)
307
- * Python - [django-csp](https://github.com/mozilla/django-csp/tree/master/csp) + [commonware](https://github.com/jsocol/commonware/tree/master/commonware/request)
354
+ * Python - [django-csp](https://github.com/mozilla/django-csp/) + [commonware](https://github.com/jsocol/commonware/)
308
355
  * Go - [secureheader](https://github.com/kr/secureheader)
309
356
 
310
357
  ## Authors
@@ -321,6 +368,6 @@ end
321
368
 
322
369
  ## License
323
370
 
324
- Copyright 2013 Twitter, Inc.
371
+ Copyright 2013-2014 Twitter, Inc and other contributors.
325
372
 
326
373
  Licensed under the Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
@@ -1,14 +1,11 @@
1
1
  source 'https://rubygems.org'
2
2
 
3
3
  gem 'rails', '3.2.12'
4
- gem 'sqlite3'
5
4
  gem 'rspec-rails', '>= 2.0.0'
6
5
  gem 'secure_headers', :path => '../..'
7
- gem 'spork'
8
6
  gem 'debugger', :platform => :ruby_19
9
7
  gem 'ruby-debug', :platform => :ruby_18
10
8
  gem 'guard-rspec'
11
- gem 'guard-spork'
12
9
  gem 'rb-fsevent'
13
10
  gem 'growl'
14
11
 
@@ -1,21 +1 @@
1
- <h1>Listing things</h1>
2
-
3
- <table>
4
- <tr>
5
- <th></th>
6
- <th></th>
7
- <th></th>
8
- </tr>
9
-
10
- <% @things.each do |thing| %>
11
- <tr>
12
- <td><%= link_to 'Show', thing %></td>
13
- <td><%= link_to 'Edit', edit_thing_path(thing) %></td>
14
- <td><%= link_to 'Destroy', thing, method: :delete, data: { confirm: 'Are you sure?' } %></td>
15
- </tr>
16
- <% end %>
17
- </table>
18
-
19
- <br />
20
-
21
- <%= link_to 'New Thing', new_thing_path %>
1
+ things
@@ -1,10 +1,10 @@
1
1
  require File.expand_path('../boot', __FILE__)
2
2
 
3
3
  # Pick the frameworks you want:
4
- require "active_record/railtie"
4
+ # require "active_record/railtie"
5
5
  require "action_controller/railtie"
6
- require "action_mailer/railtie"
7
- require "active_resource/railtie"
6
+ # require "action_mailer/railtie"
7
+ # require "active_resource/railtie"
8
8
  require "sprockets/railtie"
9
9
  # require "rails/test_unit/railtie"
10
10
 
@@ -57,7 +57,7 @@ module Rails3212
57
57
  # This will create an empty whitelist of attributes available for mass-assignment for all models
58
58
  # in your app. As such, your models will need to explicitly whitelist or blacklist accessible
59
59
  # parameters by using an attr_accessible or attr_protected declaration.
60
- config.active_record.whitelist_attributes = true
60
+ # config.active_record.whitelist_attributes = true
61
61
 
62
62
  # Enable the asset pipeline
63
63
  config.assets.enabled = true
@@ -14,7 +14,7 @@ Rails3212::Application.configure do
14
14
  config.action_controller.perform_caching = false
15
15
 
16
16
  # Don't care if the mailer can't send
17
- config.action_mailer.raise_delivery_errors = false
17
+ # config.action_mailer.raise_delivery_errors = false
18
18
 
19
19
  # Print deprecation notices to the Rails logger
20
20
  config.active_support.deprecation = :log
@@ -23,11 +23,11 @@ Rails3212::Application.configure do
23
23
  config.action_dispatch.best_standards_support = :builtin
24
24
 
25
25
  # Raise exception on mass assignment protection for Active Record models
26
- config.active_record.mass_assignment_sanitizer = :strict
26
+ # config.active_record.mass_assignment_sanitizer = :strict
27
27
 
28
28
  # Log the query plan for queries taking more than this (works
29
29
  # with SQLite, MySQL, and PostgreSQL)
30
- config.active_record.auto_explain_threshold_in_seconds = 0.5
30
+ # config.active_record.auto_explain_threshold_in_seconds = 0.5
31
31
 
32
32
  # Do not compress assets
33
33
  config.assets.compress = false
@@ -27,10 +27,10 @@ Rails3212::Application.configure do
27
27
  # Tell Action Mailer not to deliver emails to the real world.
28
28
  # The :test delivery method accumulates sent emails in the
29
29
  # ActionMailer::Base.deliveries array.
30
- config.action_mailer.delivery_method = :test
30
+ # config.action_mailer.delivery_method = :test
31
31
 
32
32
  # Raise exception on mass assignment protection for Active Record models
33
- config.active_record.mass_assignment_sanitizer = :strict
33
+ # config.active_record.mass_assignment_sanitizer = :strict
34
34
 
35
35
  # Print deprecation notices to the stderr
36
36
  config.active_support.deprecation = :stderr
@@ -5,6 +5,7 @@
5
5
  config.x_xss_protection = {:value => 1, :mode => 'block'}
6
6
  csp = {
7
7
  :default_src => "self",
8
+ :script_src => "self nonce",
8
9
  :disable_chrome_extension => true,
9
10
  :disable_fill_missing => true,
10
11
  :report_uri => 'somewhere',
@@ -1,44 +1,45 @@
1
1
  require 'spec_helper'
2
2
 
3
- describe OtherThingsController do
3
+ describe OtherThingsController, :type => :controller do
4
4
  describe "headers" do
5
- before(:each) do
6
- # Chrome
7
- request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
8
- end
9
-
10
5
  it "sets the X-XSS-Protection header" do
11
6
  get :index
12
- response.headers['X-XSS-Protection'].should == '1; mode=block'
7
+ expect(response.headers['X-XSS-Protection']).to eq('1; mode=block')
13
8
  end
14
9
 
15
10
  it "sets the X-Frame-Options header" do
16
11
  get :index
17
- response.headers['X-Frame-Options'].should == 'SAMEORIGIN'
12
+ expect(response.headers['X-Frame-Options']).to eq('SAMEORIGIN')
18
13
  end
19
14
 
20
- it "sets the X-WebKit-CSP header" do
15
+ it "sets the CSP header with a local reference to a nonce" do
21
16
  get :index
22
- response.headers['Content-Security-Policy-Report-Only'].should == "default-src 'self'; img-src data:; report-uri somewhere;"
17
+ nonce = controller.instance_exec { @content_security_policy_nonce }
18
+ expect(nonce).to match /[a-zA-Z0-9\+\/=]{44}/
19
+ expect(response.headers['Content-Security-Policy-Report-Only']).to match(/default-src 'self'; img-src 'self' data:; script-src 'self' 'nonce-[a-zA-Z0-9\+\/=]{44}' 'unsafe-inline'; report-uri somewhere;/)
23
20
  end
24
21
 
25
- #mock ssl
26
22
  it "sets the Strict-Transport-Security header" do
27
23
  request.env['HTTPS'] = 'on'
28
24
  get :index
29
- response.headers['Strict-Transport-Security'].should == "max-age=315576000"
25
+ expect(response.headers['Strict-Transport-Security']).to eq("max-age=315576000")
26
+ end
27
+
28
+ it "sets the X-Download-Options header" do
29
+ get :index
30
+ expect(response.headers['X-Download-Options']).to eq('noopen')
30
31
  end
31
32
 
32
33
  it "sets the X-Content-Type-Options header" do
33
34
  get :index
34
- response.headers['X-Content-Type-Options'].should == "nosniff"
35
+ expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
35
36
  end
36
37
 
37
38
  context "using IE" do
38
39
  it "sets the X-Content-Type-Options header" do
39
40
  request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
40
41
  get :index
41
- response.headers['X-Content-Type-Options'].should == "nosniff"
42
+ expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
42
43
  end
43
44
  end
44
45
  end
@@ -4,45 +4,45 @@ require 'spec_helper'
4
4
  # all values are defaulted because no initializer is configured, and the values in app controller
5
5
  # only provide csp => false
6
6
 
7
- describe ThingsController do
7
+ describe ThingsController, :type => :controller do
8
8
  describe "headers" do
9
- before(:each) do
10
- # Chrome
11
- request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
12
- end
13
-
14
9
  it "sets the X-XSS-Protection header" do
15
10
  get :index
16
- response.headers['X-XSS-Protection'].should == '1; mode=block'
11
+ expect(response.headers['X-XSS-Protection']).to eq('1; mode=block')
17
12
  end
18
13
 
19
14
  it "sets the X-Frame-Options header" do
20
15
  get :index
21
- response.headers['X-Frame-Options'].should == 'SAMEORIGIN'
16
+ expect(response.headers['X-Frame-Options']).to eq('SAMEORIGIN')
22
17
  end
23
18
 
24
19
  it "sets the X-WebKit-CSP header" do
25
20
  get :index
26
- response.headers['Content-Security-Policy-Report-Only'].should == nil
21
+ expect(response.headers['Content-Security-Policy-Report-Only']).to eq(nil)
27
22
  end
28
23
 
29
24
  #mock ssl
30
25
  it "sets the Strict-Transport-Security header" do
31
26
  request.env['HTTPS'] = 'on'
32
27
  get :index
33
- response.headers['Strict-Transport-Security'].should == "max-age=315576000"
28
+ expect(response.headers['Strict-Transport-Security']).to eq("max-age=315576000")
29
+ end
30
+
31
+ it "sets the X-Download-Options header" do
32
+ get :index
33
+ expect(response.headers['X-Download-Options']).to eq('noopen')
34
34
  end
35
35
 
36
36
  it "sets the X-Content-Type-Options header" do
37
37
  get :index
38
- response.headers['X-Content-Type-Options'].should == "nosniff"
38
+ expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
39
39
  end
40
40
 
41
41
  context "using IE" do
42
42
  it "sets the X-Content-Type-Options header" do
43
43
  request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
44
44
  get :index
45
- response.headers['X-Content-Type-Options'].should == "nosniff"
45
+ expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
46
46
  end
47
47
  end
48
48
  end
@@ -1,5 +1,5 @@
1
1
  require 'rubygems'
2
- require 'spork'
2
+
3
3
  #uncomment the following line to use spork with the debugger
4
4
  #require 'spork/ext/ruby-debug'
5
5
 
@@ -11,9 +11,5 @@ require 'spork'
11
11
  ENV["RAILS_ENV"] ||= 'test'
12
12
  require File.expand_path("../../config/environment", __FILE__)
13
13
  require 'rspec/rails'
14
- require 'rspec/autorun'
15
14
  # end
16
15
 
17
- Spork.each_run do
18
-
19
- end
@@ -1,14 +1,11 @@
1
1
  source 'https://rubygems.org'
2
2
 
3
3
  gem 'rails', '3.2.12'
4
- gem 'sqlite3'
5
4
  gem 'rspec-rails', '>= 2.0.0'
6
5
  gem 'secure_headers', :path => '../..'
7
- gem 'spork'
8
6
  gem 'debugger', :platform => :ruby_19
9
7
  gem 'ruby-debug', :platform => :ruby_18
10
8
  gem 'guard-rspec'
11
- gem 'guard-spork'
12
9
  gem 'rb-fsevent'
13
10
  gem 'growl'
14
11
 
@@ -1,10 +1,7 @@
1
1
  require File.expand_path('../boot', __FILE__)
2
2
 
3
3
  # Pick the frameworks you want:
4
- require "active_record/railtie"
5
4
  require "action_controller/railtie"
6
- require "action_mailer/railtie"
7
- require "active_resource/railtie"
8
5
  require "sprockets/railtie"
9
6
  # require "rails/test_unit/railtie"
10
7
 
@@ -57,7 +54,7 @@ module Rails3212
57
54
  # This will create an empty whitelist of attributes available for mass-assignment for all models
58
55
  # in your app. As such, your models will need to explicitly whitelist or blacklist accessible
59
56
  # parameters by using an attr_accessible or attr_protected declaration.
60
- config.active_record.whitelist_attributes = true
57
+ # config.active_record.whitelist_attributes = true
61
58
 
62
59
  # Enable the asset pipeline
63
60
  config.assets.enabled = true
@@ -14,7 +14,7 @@ Rails3212::Application.configure do
14
14
  config.action_controller.perform_caching = false
15
15
 
16
16
  # Don't care if the mailer can't send
17
- config.action_mailer.raise_delivery_errors = false
17
+ # config.action_mailer.raise_delivery_errors = false
18
18
 
19
19
  # Print deprecation notices to the Rails logger
20
20
  config.active_support.deprecation = :log
@@ -23,11 +23,11 @@ Rails3212::Application.configure do
23
23
  config.action_dispatch.best_standards_support = :builtin
24
24
 
25
25
  # Raise exception on mass assignment protection for Active Record models
26
- config.active_record.mass_assignment_sanitizer = :strict
26
+ # config.active_record.mass_assignment_sanitizer = :strict
27
27
 
28
28
  # Log the query plan for queries taking more than this (works
29
29
  # with SQLite, MySQL, and PostgreSQL)
30
- config.active_record.auto_explain_threshold_in_seconds = 0.5
30
+ # config.active_record.auto_explain_threshold_in_seconds = 0.5
31
31
 
32
32
  # Do not compress assets
33
33
  config.assets.compress = false
@@ -27,10 +27,10 @@ Rails3212::Application.configure do
27
27
  # Tell Action Mailer not to deliver emails to the real world.
28
28
  # The :test delivery method accumulates sent emails in the
29
29
  # ActionMailer::Base.deliveries array.
30
- config.action_mailer.delivery_method = :test
30
+ # config.action_mailer.delivery_method = :test
31
31
 
32
32
  # Raise exception on mass assignment protection for Active Record models
33
- config.active_record.mass_assignment_sanitizer = :strict
33
+ # config.active_record.mass_assignment_sanitizer = :strict
34
34
 
35
35
  # Print deprecation notices to the stderr
36
36
  config.active_support.deprecation = :stderr
@@ -1,44 +1,44 @@
1
1
  require 'spec_helper'
2
2
 
3
- describe OtherThingsController do
3
+ describe OtherThingsController, :type => :controller do
4
4
  describe "headers" do
5
- before(:each) do
6
- # Chrome
7
- request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
8
- end
9
-
10
5
  it "sets the X-XSS-Protection header" do
11
6
  get :index
12
- response.headers['X-XSS-Protection'].should == SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE
7
+ expect(response.headers['X-XSS-Protection']).to eq(SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE)
13
8
  end
14
9
 
15
10
  it "sets the X-Frame-Options header" do
16
11
  get :index
17
- response.headers['X-Frame-Options'].should == SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE
12
+ expect(response.headers['X-Frame-Options']).to eq(SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
18
13
  end
19
14
 
20
15
  it "sets the X-WebKit-CSP header" do
21
16
  get :index
22
- response.headers['Content-Security-Policy-Report-Only'].should == "default-src 'self'; img-src data:;"
17
+ expect(response.headers['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; img-src 'self' data:;")
23
18
  end
24
19
 
25
20
  #mock ssl
26
21
  it "sets the Strict-Transport-Security header" do
27
22
  request.env['HTTPS'] = 'on'
28
23
  get :index
29
- response.headers['Strict-Transport-Security'].should == SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE
24
+ expect(response.headers['Strict-Transport-Security']).to eq(SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
25
+ end
26
+
27
+ it "sets the X-Download-Options header" do
28
+ get :index
29
+ expect(response.headers['X-Download-Options']).to eq(SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
30
30
  end
31
31
 
32
32
  it "sets the X-Content-Type-Options header" do
33
33
  get :index
34
- response.headers['X-Content-Type-Options'].should == SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE
34
+ expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
35
35
  end
36
36
 
37
37
  context "using IE" do
38
38
  it "sets the X-Content-Type-Options header" do
39
39
  request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
40
40
  get :index
41
- response.headers['X-Content-Type-Options'].should == SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE
41
+ expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
42
42
  end
43
43
  end
44
44
  end