secure_headers 1.1.1 → 1.3.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (53) hide show
  1. checksums.yaml +15 -0
  2. data/.ruby-gemset +1 -0
  3. data/.ruby-version +1 -0
  4. data/.travis.yml +2 -0
  5. data/Gemfile +0 -4
  6. data/Guardfile +1 -5
  7. data/HISTORY.md +47 -0
  8. data/README.md +74 -27
  9. data/fixtures/rails_3_2_12/Gemfile +0 -3
  10. data/fixtures/rails_3_2_12/app/views/things/index.html.erb +1 -21
  11. data/fixtures/rails_3_2_12/config/application.rb +4 -4
  12. data/fixtures/rails_3_2_12/config/environments/development.rb +3 -3
  13. data/fixtures/rails_3_2_12/config/environments/test.rb +2 -2
  14. data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +1 -0
  15. data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +15 -14
  16. data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +12 -12
  17. data/fixtures/rails_3_2_12/spec/spec_helper.rb +1 -5
  18. data/fixtures/rails_3_2_12_no_init/Gemfile +0 -3
  19. data/fixtures/rails_3_2_12_no_init/config/application.rb +1 -4
  20. data/fixtures/rails_3_2_12_no_init/config/environments/development.rb +3 -3
  21. data/fixtures/rails_3_2_12_no_init/config/environments/test.rb +2 -2
  22. data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +12 -12
  23. data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +12 -12
  24. data/fixtures/rails_3_2_12_no_init/spec/spec_helper.rb +3 -18
  25. data/lib/secure_headers/headers/content_security_policy.rb +52 -35
  26. data/lib/secure_headers/headers/strict_transport_security.rb +2 -1
  27. data/lib/secure_headers/headers/x_download_options.rb +39 -0
  28. data/lib/secure_headers/headers/x_xss_protection.rb +2 -1
  29. data/lib/secure_headers/padrino.rb +14 -0
  30. data/lib/secure_headers/railtie.rb +6 -2
  31. data/lib/secure_headers/version.rb +1 -1
  32. data/lib/secure_headers.rb +8 -1
  33. data/spec/controllers/content_security_policy_controller_spec.rb +19 -19
  34. data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +117 -85
  35. data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +21 -20
  36. data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +12 -12
  37. data/spec/lib/secure_headers/headers/x_download_options_spec.rb +32 -0
  38. data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +12 -12
  39. data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +20 -19
  40. data/spec/lib/secure_headers_spec.rb +38 -12
  41. data/spec/spec_helper.rb +10 -24
  42. metadata +11 -20
  43. data/.rvmrc +0 -1
  44. data/fixtures/rails_3_2_12/Guardfile +0 -14
  45. data/fixtures/rails_3_2_12/app/models/thing.rb +0 -3
  46. data/fixtures/rails_3_2_12/config/database.yml +0 -25
  47. data/fixtures/rails_3_2_12/db/schema.rb +0 -16
  48. data/fixtures/rails_3_2_12/db/seeds.rb +0 -7
  49. data/fixtures/rails_3_2_12_no_init/Guardfile +0 -14
  50. data/fixtures/rails_3_2_12_no_init/app/models/thing.rb +0 -3
  51. data/fixtures/rails_3_2_12_no_init/config/database.yml +0 -25
  52. data/fixtures/rails_3_2_12_no_init/db/schema.rb +0 -16
  53. data/fixtures/rails_3_2_12_no_init/db/seeds.rb +0 -7
@@ -4,45 +4,45 @@ require 'spec_helper'
4
4
  # all values are defaulted because no initializer is configured, and the values in app controller
5
5
  # only provide csp => false
6
6
 
7
- describe ThingsController do
7
+ describe ThingsController, :type => :controller do
8
8
  describe "headers" do
9
- before(:each) do
10
- # Chrome
11
- request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
12
- end
13
-
14
9
  it "sets the X-XSS-Protection header" do
15
10
  get :index
16
- response.headers['X-XSS-Protection'].should == SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE
11
+ expect(response.headers['X-XSS-Protection']).to eq(SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE)
17
12
  end
18
13
 
19
14
  it "sets the X-Frame-Options header" do
20
15
  get :index
21
- response.headers['X-Frame-Options'].should == SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE
16
+ expect(response.headers['X-Frame-Options']).to eq(SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
22
17
  end
23
18
 
24
19
  it "sets the X-WebKit-CSP header" do
25
20
  get :index
26
- response.headers['Content-Security-Policy-Report-Only'].should == nil
21
+ expect(response.headers['Content-Security-Policy-Report-Only']).to eq(nil)
27
22
  end
28
23
 
29
24
  #mock ssl
30
25
  it "sets the Strict-Transport-Security header" do
31
26
  request.env['HTTPS'] = 'on'
32
27
  get :index
33
- response.headers['Strict-Transport-Security'].should == SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE
28
+ expect(response.headers['Strict-Transport-Security']).to eq(SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
29
+ end
30
+
31
+ it "sets the X-Download-Options header" do
32
+ get :index
33
+ expect(response.headers['X-Download-Options']).to eq(SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
34
34
  end
35
35
 
36
36
  it "sets the X-Content-Type-Options header" do
37
37
  get :index
38
- response.headers['X-Content-Type-Options'].should == SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE
38
+ expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
39
39
  end
40
40
 
41
41
  context "using IE" do
42
42
  it "sets the X-Content-Type-Options header" do
43
43
  request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
44
44
  get :index
45
- response.headers['X-Content-Type-Options'].should == SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE
45
+ expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
46
46
  end
47
47
  end
48
48
  end
@@ -1,20 +1,5 @@
1
1
  require 'rubygems'
2
- require 'spork'
3
- #uncomment the following line to use spork with the debugger
4
- #require 'spork/ext/ruby-debug'
5
2
 
6
- Spork.prefork do
7
- # Loading more in this block will cause your tests to run faster. However,
8
- # if you change any configuration or code from libraries loaded here, you'll
9
- # need to restart spork for it take effect.
10
- # This file is copied to spec/ when you run 'rails generate rspec:install'
11
- ENV["RAILS_ENV"] ||= 'test'
12
- require File.expand_path("../../config/environment", __FILE__)
13
- require 'rspec/rails'
14
- require 'rspec/autorun'
15
- # require 'ruby-debug'
16
- end
17
-
18
- Spork.each_run do
19
-
20
- end
3
+ ENV["RAILS_ENV"] ||= 'test'
4
+ require File.expand_path("../../config/environment", __FILE__)
5
+ require 'rspec/rails'
@@ -1,4 +1,5 @@
1
1
  require 'uri'
2
+ require 'base64'
2
3
 
3
4
  module SecureHeaders
4
5
  class ContentSecurityPolicyBuildError < StandardError; end
@@ -8,7 +9,7 @@ module SecureHeaders
8
9
  STANDARD_HEADER_NAME = "Content-Security-Policy"
9
10
  FF_CSP_ENDPOINT = "/content_security_policy/forward_report"
10
11
  DIRECTIVES = [:default_src, :script_src, :frame_src, :style_src, :img_src, :media_src, :font_src, :object_src, :connect_src]
11
- META = [:enforce, :http_additions, :disable_chrome_extension, :disable_fill_missing, :forward_endpoint]
12
+ META = [:disable_chrome_extension, :disable_fill_missing, :forward_endpoint]
12
13
  end
13
14
  include Constants
14
15
 
@@ -30,6 +31,7 @@ module SecureHeaders
30
31
  def initialize(config=nil, options={})
31
32
  @experimental = !!options.delete(:experimental)
32
33
  @controller = options.delete(:controller)
34
+
33
35
  if options[:request]
34
36
  parse_request(options[:request])
35
37
  else
@@ -45,6 +47,10 @@ module SecureHeaders
45
47
  configure(config) if config
46
48
  end
47
49
 
50
+ def nonce
51
+ @nonce ||= SecureRandom.base64(32).chomp
52
+ end
53
+
48
54
  def configure(config)
49
55
  @config = config.dup
50
56
 
@@ -54,21 +60,26 @@ module SecureHeaders
54
60
  @config.merge!(experimental_config)
55
61
  end
56
62
 
63
+ # these values don't support lambdas because this needs to be rewritten
64
+ @http_additions = @config.delete(:http_additions)
65
+ @app_name = @config.delete(:app_name)
66
+
67
+ normalize_csp_options
68
+
57
69
  META.each do |meta|
58
70
  self.send("#{meta}=", @config.delete(meta))
59
71
  end
60
72
 
61
- @report_uri = @config.delete(:report_uri)
62
- @script_nonce = @config.delete(:script_nonce)
73
+ @enforce = !!@config.delete(:enforce)
74
+ @tag_report_uri = @config.delete(:tag_report_uri)
63
75
 
64
- normalize_csp_options
65
76
  normalize_reporting_endpoint
66
77
  fill_directives unless disable_fill_missing?
67
78
  end
68
79
 
69
80
  def name
70
81
  base = STANDARD_HEADER_NAME
71
- if !enforce || experimental
82
+ if !@enforce || experimental
72
83
  base += "-Report-Only"
73
84
  end
74
85
  base
@@ -89,16 +100,9 @@ module SecureHeaders
89
100
  raise "Expected to find default_src directive value" unless @config[:default_src]
90
101
  append_http_additions unless ssl_request?
91
102
  header_value = [
92
- # ensure default-src is first
93
- build_directive(:default_src),
94
103
  generic_directives(@config),
95
- report_uri_directive,
96
- script_nonce_directive,
97
- ].join
98
-
99
- #store the value for next time
100
- @config = header_value
101
- header_value.strip
104
+ report_uri_directive
105
+ ].join.strip
102
106
  rescue StandardError => e
103
107
  raise ContentSecurityPolicyBuildError.new("Couldn't build CSP header :( #{e}")
104
108
  end
@@ -115,20 +119,31 @@ module SecureHeaders
115
119
  end
116
120
 
117
121
  def append_http_additions
118
- return unless http_additions
119
- http_additions.each do |k, v|
122
+ return unless @http_additions
123
+ @http_additions.each do |k, v|
120
124
  @config[k] ||= []
121
125
  @config[k] << v
122
126
  end
123
127
  end
124
128
 
125
129
  def normalize_csp_options
126
- @config.each do |k,v|
127
- @config[k] = v.split if v.is_a? String
128
- @config[k] = @config[k].map do |val|
129
- translate_dir_value(val)
130
+ @config = @config.inject({}) do |hash, (key, value)|
131
+ # lambdas
132
+ config_val = value.respond_to?(:call) ? value.call : value
133
+ # space-delimeted strings
134
+ config_val = config_val.split if config_val.is_a? String
135
+ # array of strings
136
+ if config_val.respond_to?(:map) #skip booleans
137
+ config_val = config_val.map do |val|
138
+ translate_dir_value(val)
139
+ end.flatten.uniq
130
140
  end
141
+
142
+ hash[key] = config_val
143
+ hash
131
144
  end
145
+
146
+ @report_uri = @config.delete(:report_uri).join(" ") if @config[:report_uri]
132
147
  end
133
148
 
134
149
  # translates 'inline','self', 'none' and 'eval' to their respective impl-specific values.
@@ -138,6 +153,9 @@ module SecureHeaders
138
153
  # self/none are special sources/src-dir-values and need to be quoted in chrome
139
154
  elsif %{self none}.include?(val)
140
155
  "'#{val}'"
156
+ elsif val == 'nonce'
157
+ @controller.instance_variable_set(:@content_security_policy_nonce, nonce)
158
+ ["'nonce-#{nonce}'", "'unsafe-inline'"]
141
159
  else
142
160
  val
143
161
  end
@@ -156,13 +174,23 @@ module SecureHeaders
156
174
  @report_uri = FF_CSP_ENDPOINT
157
175
  end
158
176
  end
177
+
178
+ if @tag_report_uri
179
+ @report_uri = "#{@report_uri}?enforce=#{@enforce}"
180
+ @report_uri += "&app_name=#{@app_name}" if @app_name
181
+ end
159
182
  end
160
183
 
161
184
  def same_origin?
162
185
  return unless report_uri && request_uri
163
186
 
164
- origin = URI.parse(request_uri)
165
- uri = URI.parse(report_uri)
187
+ begin
188
+ origin = URI.parse(request_uri)
189
+ uri = URI.parse(report_uri)
190
+ rescue URI::InvalidURIError
191
+ return false
192
+ end
193
+
166
194
  uri.host == origin.host && origin.port == uri.port && origin.scheme == uri.scheme
167
195
  end
168
196
 
@@ -180,26 +208,15 @@ module SecureHeaders
180
208
  "report-uri #{@report_uri};"
181
209
  end
182
210
 
183
- def script_nonce_directive
184
- return '' if @script_nonce.nil?
185
- nonce_value = if @script_nonce.is_a?(String)
186
- @script_nonce
187
- elsif @controller
188
- @controller.instance_exec(&@script_nonce)
189
- else
190
- @script_nonce.call
191
- end
192
- "script-nonce #{nonce_value};"
193
- end
194
-
195
211
  def generic_directives(config)
196
212
  header_value = ''
197
213
  if config[:img_src]
198
214
  config[:img_src] = config[:img_src] + ['data:'] unless config[:img_src].include?('data:')
199
215
  else
200
- config[:img_src] = ['data:']
216
+ config[:img_src] = config[:default_src] + ['data:']
201
217
  end
202
218
 
219
+ header_value = build_directive(:default_src)
203
220
  config.keys.sort_by{|k| k.to_s}.each do |k| # ensure consistent ordering
204
221
  header_value += build_directive(k)
205
222
  end
@@ -6,7 +6,7 @@ module SecureHeaders
6
6
  HSTS_HEADER_NAME = 'Strict-Transport-Security'
7
7
  HSTS_MAX_AGE = "631138519"
8
8
  DEFAULT_VALUE = "max-age=" + HSTS_MAX_AGE
9
- VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?\z/i
9
+ VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?(; preload)?\z/i
10
10
  MESSAGE = "The config value supplied for the HSTS header was invalid."
11
11
  end
12
12
  include Constants
@@ -31,6 +31,7 @@ module SecureHeaders
31
31
  max_age = @config.fetch(:max_age, HSTS_MAX_AGE)
32
32
  value = "max-age=" + max_age.to_s
33
33
  value += "; includeSubdomains" if @config[:include_subdomains]
34
+ value += "; preload" if @config[:preload]
34
35
 
35
36
  value
36
37
  end
@@ -0,0 +1,39 @@
1
+ module SecureHeaders
2
+ class XDOBuildError < StandardError; end
3
+ class XDownloadOptions < Header
4
+ module Constants
5
+ XDO_HEADER_NAME = "X-Download-Options"
6
+ DEFAULT_VALUE = 'noopen'
7
+ end
8
+ include Constants
9
+
10
+ def initialize(config = nil)
11
+ @config = config
12
+ validate_config unless @config.nil?
13
+ end
14
+
15
+ def name
16
+ XDO_HEADER_NAME
17
+ end
18
+
19
+ def value
20
+ case @config
21
+ when NilClass
22
+ DEFAULT_VALUE
23
+ when String
24
+ @config
25
+ else
26
+ @config[:value]
27
+ end
28
+ end
29
+
30
+ private
31
+
32
+ def validate_config
33
+ value = @config.is_a?(Hash) ? @config[:value] : @config
34
+ unless value.casecmp(DEFAULT_VALUE) == 0
35
+ raise XDOBuildError.new("Value can only be nil or 'noopen'")
36
+ end
37
+ end
38
+ end
39
+ end
@@ -4,7 +4,7 @@ module SecureHeaders
4
4
  module Constants
5
5
  X_XSS_PROTECTION_HEADER_NAME = 'X-XSS-Protection'
6
6
  DEFAULT_VALUE = "1"
7
- VALID_X_XSS_HEADER = /\A[01](; mode=block)?\z/i
7
+ VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/i
8
8
  end
9
9
  include Constants
10
10
 
@@ -26,6 +26,7 @@ module SecureHeaders
26
26
  else
27
27
  value = @config[:value].to_s
28
28
  value += "; mode=#{@config[:mode]}" if @config[:mode]
29
+ value += "; report=#{@config[:report_uri]}" if @config[:report_uri]
29
30
  value
30
31
  end
31
32
  end
@@ -0,0 +1,14 @@
1
+ module SecureHeaders
2
+ module Padrino
3
+ class << self
4
+ ##
5
+ # Main class that register this extension.
6
+ #
7
+ def registered(app)
8
+ app.extend SecureHeaders::ClassMethods
9
+ app.helpers SecureHeaders::InstanceMethods
10
+ end
11
+ alias :included :registered
12
+ end
13
+ end
14
+ end
@@ -3,7 +3,11 @@ if defined?(Rails::Railtie)
3
3
  module SecureHeaders
4
4
  class Railtie < Rails::Engine
5
5
  isolate_namespace ::SecureHeaders if defined? isolate_namespace # rails 3.0
6
- ActionController::Base.send :include, ::SecureHeaders
6
+ initializer "secure_headers.action_controller" do
7
+ ActiveSupport.on_load(:action_controller) do
8
+ include ::SecureHeaders
9
+ end
10
+ end
7
11
  end
8
12
  end
9
13
  else
@@ -34,4 +38,4 @@ else
34
38
  if defined? ActionController::Routing
35
39
  ActionController::Routing::RouteSet::Mapper.send :include, ::SecureHeaders::Routing::MapperExtensions
36
40
  end
37
- end
41
+ end
@@ -1,3 +1,3 @@
1
1
  module SecureHeaders
2
- VERSION = "1.1.1"
2
+ VERSION = "1.3.4"
3
3
  end
@@ -2,7 +2,7 @@ module SecureHeaders
2
2
  module Configuration
3
3
  class << self
4
4
  attr_accessor :hsts, :x_frame_options, :x_content_type_options,
5
- :x_xss_protection, :csp
5
+ :x_xss_protection, :csp, :x_download_options
6
6
 
7
7
  def configure &block
8
8
  instance_eval &block
@@ -38,6 +38,7 @@ module SecureHeaders
38
38
  before_filter :set_csp_header
39
39
  before_filter :set_x_xss_protection_header
40
40
  before_filter :set_x_content_type_options_header
41
+ before_filter :set_x_download_options_header
41
42
  end
42
43
 
43
44
  # we can't use ||= because I'm overloading false => disable, nil => default
@@ -55,6 +56,7 @@ module SecureHeaders
55
56
  set_x_frame_options_header(options[:x_frame_options])
56
57
  set_x_xss_protection_header(options[:x_xss_protection])
57
58
  set_x_content_type_options_header(options[:x_content_type_options])
59
+ set_x_download_options_header(options[:x_download_options])
58
60
  end
59
61
 
60
62
  # backwards compatibility jank, to be removed in 1.0. Old API required a request
@@ -99,6 +101,10 @@ module SecureHeaders
99
101
  set_a_header(:hsts, StrictTransportSecurity, options)
100
102
  end
101
103
 
104
+ def set_x_download_options_header(options=self.class.secure_headers_options[:x_download_options])
105
+ set_a_header(:x_download_options, XDownloadOptions, options)
106
+ end
107
+
102
108
  private
103
109
 
104
110
  def set_a_header(name, klass, options=nil)
@@ -128,4 +134,5 @@ require "secure_headers/headers/x_frame_options"
128
134
  require "secure_headers/headers/strict_transport_security"
129
135
  require "secure_headers/headers/x_xss_protection"
130
136
  require "secure_headers/headers/x_content_type_options"
137
+ require "secure_headers/headers/x_download_options"
131
138
  require "secure_headers/railtie"
@@ -32,58 +32,58 @@ describe ContentSecurityPolicyController do
32
32
  let(:secondary_endpoint) { "https://internal.example.com" }
33
33
 
34
34
  before(:each) do
35
- SecureHeaders::Configuration.stub(:csp).and_return({:report_uri => endpoint, :forward_endpoint => secondary_endpoint})
36
- subject.should_receive :head
37
- subject.stub(:params).and_return(params)
38
- subject.stub(:request).and_return(FakeRequest.new)
39
- Net::HTTP.any_instance.stub(:request)
35
+ allow(SecureHeaders::Configuration).to receive(:csp).and_return({:report_uri => endpoint, :forward_endpoint => secondary_endpoint})
36
+ expect(subject).to receive :head
37
+ allow(subject).to receive(:params).and_return(params)
38
+ allow(subject).to receive(:request).and_return(FakeRequest.new)
39
+ allow_any_instance_of(Net::HTTP).to receive(:request)
40
40
  end
41
41
 
42
42
  context "delivery endpoint" do
43
43
  it "posts over ssl" do
44
- subject.should_receive(:use_ssl)
44
+ expect(subject).to receive(:use_ssl)
45
45
  subject.scribe
46
46
  end
47
47
 
48
48
  it "posts over plain http" do
49
- SecureHeaders::Configuration.stub(:csp).and_return(:report_uri => 'http://example.com')
50
- subject.should_not_receive(:use_ssl)
49
+ allow(SecureHeaders::Configuration).to receive(:csp).and_return(:report_uri => 'http://example.com')
50
+ expect(subject).not_to receive(:use_ssl)
51
51
  subject.scribe
52
52
  end
53
53
  end
54
54
 
55
55
  it "makes a POST request" do
56
- Net::HTTP.stub(:new).and_return(request)
57
- request.should_receive(:request).with(instance_of(::Net::HTTP::Post))
58
- params.stub(:to_json)
56
+ allow(Net::HTTP).to receive(:new).and_return(request)
57
+ expect(request).to receive(:request).with(instance_of(::Net::HTTP::Post))
58
+ allow(params).to receive(:to_json)
59
59
  subject.scribe
60
60
  end
61
61
 
62
62
  it "POSTs to the configured forward_endpoint" do
63
- Net::HTTP::Post.should_receive(:new).with(secondary_endpoint).and_return(request)
63
+ expect(Net::HTTP::Post).to receive(:new).with(secondary_endpoint).and_return(request)
64
64
  subject.scribe
65
65
  end
66
66
 
67
67
  it "does not POST if there is no forwarder configured" do
68
- SecureHeaders::Configuration.stub(:csp).and_return({})
69
- Net::HTTP::Post.should_not_receive(:new)
68
+ allow(SecureHeaders::Configuration).to receive(:csp).and_return({})
69
+ expect(Net::HTTP::Post).not_to receive(:new)
70
70
  subject.scribe
71
71
  end
72
72
 
73
73
  it "eliminates known phony CSP reports" do
74
- SecureHeaders::Configuration.stub(:csp).and_return(:report_uri => nil)
75
- Net::HTTP::Post.should_not_receive :new
74
+ allow(SecureHeaders::Configuration).to receive(:csp).and_return(:report_uri => nil)
75
+ expect(Net::HTTP::Post).not_to receive :new
76
76
  subject.scribe
77
77
  end
78
78
 
79
79
  it "logs errors when it cannot forward the CSP report" do
80
80
  class Rails; def logger; end; end
81
81
  logger = double(:repond_to? => true)
82
- Rails.stub(:logger).and_return(logger)
82
+ allow(Rails).to receive(:logger).and_return(logger)
83
83
 
84
- SecureHeaders::Configuration.stub(:csp).and_raise(StandardError)
84
+ allow(SecureHeaders::Configuration).to receive(:csp).and_raise(StandardError)
85
85
 
86
- logger.should_receive(:warn)
86
+ expect(logger).to receive(:warn)
87
87
  subject.scribe
88
88
  end
89
89
  end