secure_headers 1.1.1 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (128) hide show
  1. checksums.yaml +7 -0
  2. data/.gitignore +4 -8
  3. data/.ruby-gemset +1 -0
  4. data/.ruby-version +1 -0
  5. data/.travis.yml +8 -3
  6. data/Gemfile +6 -11
  7. data/README.md +219 -104
  8. data/Rakefile +11 -116
  9. data/fixtures/rails_3_2_12/Gemfile +0 -8
  10. data/fixtures/rails_3_2_12/app/controllers/things_controller.rb +0 -1
  11. data/fixtures/rails_3_2_12/app/views/layouts/application.html.erb +1 -4
  12. data/fixtures/rails_3_2_12/app/views/other_things/index.html.erb +2 -1
  13. data/fixtures/rails_3_2_12/app/views/things/index.html.erb +1 -21
  14. data/fixtures/rails_3_2_12/config/application.rb +0 -54
  15. data/fixtures/rails_3_2_12/config/environments/test.rb +2 -2
  16. data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +3 -1
  17. data/fixtures/rails_3_2_12/config/routes.rb +0 -57
  18. data/fixtures/rails_3_2_12/config/script_hashes.yml +5 -0
  19. data/fixtures/rails_3_2_12/config.ru +3 -0
  20. data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +57 -19
  21. data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +18 -13
  22. data/fixtures/rails_3_2_12/spec/spec_helper.rb +1 -5
  23. data/fixtures/rails_3_2_12_no_init/Gemfile +0 -9
  24. data/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb +1 -2
  25. data/fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb +1 -1
  26. data/fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb +0 -2
  27. data/fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb +0 -21
  28. data/fixtures/rails_3_2_12_no_init/config/application.rb +0 -51
  29. data/fixtures/rails_3_2_12_no_init/config/environments/test.rb +2 -2
  30. data/fixtures/rails_3_2_12_no_init/config/routes.rb +0 -57
  31. data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +17 -12
  32. data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +17 -12
  33. data/fixtures/rails_3_2_12_no_init/spec/spec_helper.rb +3 -18
  34. data/fixtures/rails_4_1_8/Gemfile +5 -0
  35. data/fixtures/rails_4_1_8/README.rdoc +28 -0
  36. data/fixtures/rails_4_1_8/Rakefile +6 -0
  37. data/fixtures/rails_4_1_8/app/controllers/application_controller.rb +4 -0
  38. data/fixtures/rails_4_1_8/app/controllers/concerns/.keep +0 -0
  39. data/fixtures/rails_4_1_8/app/controllers/other_things_controller.rb +5 -0
  40. data/fixtures/rails_4_1_8/app/controllers/things_controller.rb +5 -0
  41. data/fixtures/rails_4_1_8/app/models/.keep +0 -0
  42. data/fixtures/rails_4_1_8/app/models/concerns/.keep +0 -0
  43. data/fixtures/rails_4_1_8/app/views/layouts/application.html.erb +11 -0
  44. data/fixtures/rails_4_1_8/app/views/other_things/index.html.erb +2 -0
  45. data/fixtures/rails_4_1_8/app/views/things/index.html.erb +1 -0
  46. data/fixtures/rails_4_1_8/config/application.rb +15 -0
  47. data/fixtures/rails_4_1_8/config/boot.rb +4 -0
  48. data/fixtures/rails_4_1_8/config/environment.rb +5 -0
  49. data/fixtures/rails_4_1_8/config/environments/test.rb +10 -0
  50. data/fixtures/rails_4_1_8/config/initializers/secure_headers.rb +17 -0
  51. data/fixtures/rails_4_1_8/config/routes.rb +4 -0
  52. data/fixtures/rails_4_1_8/config/script_hashes.yml +5 -0
  53. data/fixtures/rails_4_1_8/config/secrets.yml +22 -0
  54. data/fixtures/rails_4_1_8/config.ru +4 -0
  55. data/fixtures/rails_4_1_8/lib/assets/.keep +0 -0
  56. data/fixtures/rails_4_1_8/lib/tasks/.keep +0 -0
  57. data/fixtures/rails_4_1_8/log/.keep +0 -0
  58. data/fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb +83 -0
  59. data/fixtures/rails_4_1_8/spec/controllers/things_controller_spec.rb +59 -0
  60. data/fixtures/rails_4_1_8/spec/spec_helper.rb +15 -0
  61. data/fixtures/rails_4_1_8/vendor/assets/javascripts/.keep +0 -0
  62. data/fixtures/rails_4_1_8/vendor/assets/stylesheets/.keep +0 -0
  63. data/lib/secure_headers/hash_helper.rb +7 -0
  64. data/lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb +22 -0
  65. data/lib/secure_headers/headers/content_security_policy.rb +160 -129
  66. data/lib/secure_headers/headers/public_key_pins.rb +95 -0
  67. data/lib/secure_headers/headers/strict_transport_security.rb +2 -1
  68. data/lib/secure_headers/headers/x_download_options.rb +39 -0
  69. data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +40 -0
  70. data/lib/secure_headers/headers/x_xss_protection.rb +2 -1
  71. data/lib/secure_headers/padrino.rb +14 -0
  72. data/lib/secure_headers/railtie.rb +19 -24
  73. data/lib/secure_headers/version.rb +1 -1
  74. data/lib/secure_headers/view_helper.rb +68 -0
  75. data/lib/secure_headers.rb +78 -16
  76. data/lib/tasks/tasks.rake +48 -0
  77. data/secure_headers.gemspec +4 -4
  78. data/spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb +47 -0
  79. data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +127 -220
  80. data/spec/lib/secure_headers/headers/public_key_pins_spec.rb +37 -0
  81. data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +21 -20
  82. data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +12 -12
  83. data/spec/lib/secure_headers/headers/x_download_options_spec.rb +32 -0
  84. data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +12 -12
  85. data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb +64 -0
  86. data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +20 -19
  87. data/spec/lib/secure_headers_spec.rb +115 -73
  88. data/spec/spec_helper.rb +30 -18
  89. metadata +62 -58
  90. data/.rvmrc +0 -1
  91. data/Guardfile +0 -10
  92. data/HISTORY.md +0 -115
  93. data/app/controllers/content_security_policy_controller.rb +0 -75
  94. data/config/curl-ca-bundle.crt +0 -5420
  95. data/config/routes.rb +0 -3
  96. data/fixtures/rails_3_2_12/Guardfile +0 -14
  97. data/fixtures/rails_3_2_12/app/models/thing.rb +0 -3
  98. data/fixtures/rails_3_2_12/config/database.yml +0 -25
  99. data/fixtures/rails_3_2_12/config/environments/development.rb +0 -37
  100. data/fixtures/rails_3_2_12/config/environments/production.rb +0 -67
  101. data/fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb +0 -7
  102. data/fixtures/rails_3_2_12/config/initializers/inflections.rb +0 -15
  103. data/fixtures/rails_3_2_12/config/initializers/mime_types.rb +0 -5
  104. data/fixtures/rails_3_2_12/config/initializers/secret_token.rb +0 -7
  105. data/fixtures/rails_3_2_12/config/initializers/session_store.rb +0 -8
  106. data/fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb +0 -14
  107. data/fixtures/rails_3_2_12/config/locales/en.yml +0 -5
  108. data/fixtures/rails_3_2_12/db/schema.rb +0 -16
  109. data/fixtures/rails_3_2_12/db/seeds.rb +0 -7
  110. data/fixtures/rails_3_2_12_no_init/Guardfile +0 -14
  111. data/fixtures/rails_3_2_12_no_init/app/models/thing.rb +0 -3
  112. data/fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb +0 -17
  113. data/fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb +0 -6
  114. data/fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb +0 -5
  115. data/fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb +0 -5
  116. data/fixtures/rails_3_2_12_no_init/config/database.yml +0 -25
  117. data/fixtures/rails_3_2_12_no_init/config/environments/development.rb +0 -37
  118. data/fixtures/rails_3_2_12_no_init/config/environments/production.rb +0 -67
  119. data/fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb +0 -7
  120. data/fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb +0 -15
  121. data/fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb +0 -5
  122. data/fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb +0 -7
  123. data/fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb +0 -8
  124. data/fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb +0 -14
  125. data/fixtures/rails_3_2_12_no_init/config/locales/en.yml +0 -5
  126. data/fixtures/rails_3_2_12_no_init/db/schema.rb +0 -16
  127. data/fixtures/rails_3_2_12_no_init/db/seeds.rb +0 -7
  128. data/spec/controllers/content_security_policy_controller_spec.rb +0 -90
metadata CHANGED
@@ -1,83 +1,63 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.1.1
5
- prerelease:
4
+ version: 2.1.0
6
5
  platform: ruby
7
6
  authors:
8
7
  - Neil Matatall
9
8
  autorequire:
10
9
  bindir: bin
11
10
  cert_chain: []
12
- date: 2013-12-19 00:00:00.000000000 Z
11
+ date: 2015-05-07 00:00:00.000000000 Z
13
12
  dependencies:
14
13
  - !ruby/object:Gem::Dependency
15
14
  name: rake
16
15
  requirement: !ruby/object:Gem::Requirement
17
- none: false
18
16
  requirements:
19
- - - ! '>='
17
+ - - ">="
20
18
  - !ruby/object:Gem::Version
21
19
  version: '0'
22
20
  type: :development
23
21
  prerelease: false
24
22
  version_requirements: !ruby/object:Gem::Requirement
25
- none: false
26
23
  requirements:
27
- - - ! '>='
24
+ - - ">="
28
25
  - !ruby/object:Gem::Version
29
26
  version: '0'
30
- description: Add easily configured browser headers to responses.
27
+ description: Security related headers all in one gem.
31
28
  email:
32
29
  - neil.matatall@gmail.com
33
30
  executables: []
34
31
  extensions: []
35
32
  extra_rdoc_files: []
36
33
  files:
37
- - .gitignore
38
- - .rvmrc
39
- - .travis.yml
34
+ - ".gitignore"
35
+ - ".ruby-gemset"
36
+ - ".ruby-version"
37
+ - ".travis.yml"
40
38
  - Gemfile
41
- - Guardfile
42
- - HISTORY.md
43
39
  - LICENSE
44
40
  - README.md
45
41
  - Rakefile
46
- - app/controllers/content_security_policy_controller.rb
47
- - config/curl-ca-bundle.crt
48
- - config/routes.rb
49
42
  - fixtures/rails_3_2_12/.rspec
50
43
  - fixtures/rails_3_2_12/Gemfile
51
- - fixtures/rails_3_2_12/Guardfile
52
44
  - fixtures/rails_3_2_12/README.rdoc
53
45
  - fixtures/rails_3_2_12/Rakefile
54
46
  - fixtures/rails_3_2_12/app/controllers/application_controller.rb
55
47
  - fixtures/rails_3_2_12/app/controllers/other_things_controller.rb
56
48
  - fixtures/rails_3_2_12/app/controllers/things_controller.rb
57
49
  - fixtures/rails_3_2_12/app/models/.gitkeep
58
- - fixtures/rails_3_2_12/app/models/thing.rb
59
50
  - fixtures/rails_3_2_12/app/views/layouts/application.html.erb
60
51
  - fixtures/rails_3_2_12/app/views/other_things/index.html.erb
61
52
  - fixtures/rails_3_2_12/app/views/things/index.html.erb
62
53
  - fixtures/rails_3_2_12/config.ru
63
54
  - fixtures/rails_3_2_12/config/application.rb
64
55
  - fixtures/rails_3_2_12/config/boot.rb
65
- - fixtures/rails_3_2_12/config/database.yml
66
56
  - fixtures/rails_3_2_12/config/environment.rb
67
- - fixtures/rails_3_2_12/config/environments/development.rb
68
- - fixtures/rails_3_2_12/config/environments/production.rb
69
57
  - fixtures/rails_3_2_12/config/environments/test.rb
70
- - fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb
71
- - fixtures/rails_3_2_12/config/initializers/inflections.rb
72
- - fixtures/rails_3_2_12/config/initializers/mime_types.rb
73
- - fixtures/rails_3_2_12/config/initializers/secret_token.rb
74
58
  - fixtures/rails_3_2_12/config/initializers/secure_headers.rb
75
- - fixtures/rails_3_2_12/config/initializers/session_store.rb
76
- - fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb
77
- - fixtures/rails_3_2_12/config/locales/en.yml
78
59
  - fixtures/rails_3_2_12/config/routes.rb
79
- - fixtures/rails_3_2_12/db/schema.rb
80
- - fixtures/rails_3_2_12/db/seeds.rb
60
+ - fixtures/rails_3_2_12/config/script_hashes.yml
81
61
  - fixtures/rails_3_2_12/lib/assets/.gitkeep
82
62
  - fixtures/rails_3_2_12/lib/tasks/.gitkeep
83
63
  - fixtures/rails_3_2_12/log/.gitkeep
@@ -89,39 +69,21 @@ files:
89
69
  - fixtures/rails_3_2_12/vendor/plugins/.gitkeep
90
70
  - fixtures/rails_3_2_12_no_init/.rspec
91
71
  - fixtures/rails_3_2_12_no_init/Gemfile
92
- - fixtures/rails_3_2_12_no_init/Guardfile
93
72
  - fixtures/rails_3_2_12_no_init/README.rdoc
94
73
  - fixtures/rails_3_2_12_no_init/Rakefile
95
74
  - fixtures/rails_3_2_12_no_init/app/controllers/application_controller.rb
96
75
  - fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb
97
76
  - fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb
98
77
  - fixtures/rails_3_2_12_no_init/app/models/.gitkeep
99
- - fixtures/rails_3_2_12_no_init/app/models/thing.rb
100
78
  - fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb
101
79
  - fixtures/rails_3_2_12_no_init/app/views/other_things/index.html.erb
102
- - fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb
103
- - fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb
104
80
  - fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb
105
- - fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb
106
- - fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb
107
81
  - fixtures/rails_3_2_12_no_init/config.ru
108
82
  - fixtures/rails_3_2_12_no_init/config/application.rb
109
83
  - fixtures/rails_3_2_12_no_init/config/boot.rb
110
- - fixtures/rails_3_2_12_no_init/config/database.yml
111
84
  - fixtures/rails_3_2_12_no_init/config/environment.rb
112
- - fixtures/rails_3_2_12_no_init/config/environments/development.rb
113
- - fixtures/rails_3_2_12_no_init/config/environments/production.rb
114
85
  - fixtures/rails_3_2_12_no_init/config/environments/test.rb
115
- - fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb
116
- - fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb
117
- - fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb
118
- - fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb
119
- - fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb
120
- - fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb
121
- - fixtures/rails_3_2_12_no_init/config/locales/en.yml
122
86
  - fixtures/rails_3_2_12_no_init/config/routes.rb
123
- - fixtures/rails_3_2_12_no_init/db/schema.rb
124
- - fixtures/rails_3_2_12_no_init/db/seeds.rb
125
87
  - fixtures/rails_3_2_12_no_init/lib/assets/.gitkeep
126
88
  - fixtures/rails_3_2_12_no_init/lib/tasks/.gitkeep
127
89
  - fixtures/rails_3_2_12_no_init/log/.gitkeep
@@ -131,21 +93,61 @@ files:
131
93
  - fixtures/rails_3_2_12_no_init/vendor/assets/javascripts/.gitkeep
132
94
  - fixtures/rails_3_2_12_no_init/vendor/assets/stylesheets/.gitkeep
133
95
  - fixtures/rails_3_2_12_no_init/vendor/plugins/.gitkeep
96
+ - fixtures/rails_4_1_8/Gemfile
97
+ - fixtures/rails_4_1_8/README.rdoc
98
+ - fixtures/rails_4_1_8/Rakefile
99
+ - fixtures/rails_4_1_8/app/controllers/application_controller.rb
100
+ - fixtures/rails_4_1_8/app/controllers/concerns/.keep
101
+ - fixtures/rails_4_1_8/app/controllers/other_things_controller.rb
102
+ - fixtures/rails_4_1_8/app/controllers/things_controller.rb
103
+ - fixtures/rails_4_1_8/app/models/.keep
104
+ - fixtures/rails_4_1_8/app/models/concerns/.keep
105
+ - fixtures/rails_4_1_8/app/views/layouts/application.html.erb
106
+ - fixtures/rails_4_1_8/app/views/other_things/index.html.erb
107
+ - fixtures/rails_4_1_8/app/views/things/index.html.erb
108
+ - fixtures/rails_4_1_8/config.ru
109
+ - fixtures/rails_4_1_8/config/application.rb
110
+ - fixtures/rails_4_1_8/config/boot.rb
111
+ - fixtures/rails_4_1_8/config/environment.rb
112
+ - fixtures/rails_4_1_8/config/environments/test.rb
113
+ - fixtures/rails_4_1_8/config/initializers/secure_headers.rb
114
+ - fixtures/rails_4_1_8/config/routes.rb
115
+ - fixtures/rails_4_1_8/config/script_hashes.yml
116
+ - fixtures/rails_4_1_8/config/secrets.yml
117
+ - fixtures/rails_4_1_8/lib/assets/.keep
118
+ - fixtures/rails_4_1_8/lib/tasks/.keep
119
+ - fixtures/rails_4_1_8/log/.keep
120
+ - fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb
121
+ - fixtures/rails_4_1_8/spec/controllers/things_controller_spec.rb
122
+ - fixtures/rails_4_1_8/spec/spec_helper.rb
123
+ - fixtures/rails_4_1_8/vendor/assets/javascripts/.keep
124
+ - fixtures/rails_4_1_8/vendor/assets/stylesheets/.keep
134
125
  - lib/secure_headers.rb
126
+ - lib/secure_headers/hash_helper.rb
135
127
  - lib/secure_headers/header.rb
136
128
  - lib/secure_headers/headers/content_security_policy.rb
129
+ - lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb
130
+ - lib/secure_headers/headers/public_key_pins.rb
137
131
  - lib/secure_headers/headers/strict_transport_security.rb
138
132
  - lib/secure_headers/headers/x_content_type_options.rb
133
+ - lib/secure_headers/headers/x_download_options.rb
139
134
  - lib/secure_headers/headers/x_frame_options.rb
135
+ - lib/secure_headers/headers/x_permitted_cross_domain_policies.rb
140
136
  - lib/secure_headers/headers/x_xss_protection.rb
137
+ - lib/secure_headers/padrino.rb
141
138
  - lib/secure_headers/railtie.rb
142
139
  - lib/secure_headers/version.rb
140
+ - lib/secure_headers/view_helper.rb
141
+ - lib/tasks/tasks.rake
143
142
  - secure_headers.gemspec
144
- - spec/controllers/content_security_policy_controller_spec.rb
143
+ - spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb
145
144
  - spec/lib/secure_headers/headers/content_security_policy_spec.rb
145
+ - spec/lib/secure_headers/headers/public_key_pins_spec.rb
146
146
  - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
147
147
  - spec/lib/secure_headers/headers/x_content_type_options_spec.rb
148
+ - spec/lib/secure_headers/headers/x_download_options_spec.rb
148
149
  - spec/lib/secure_headers/headers/x_frame_options_spec.rb
150
+ - spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
149
151
  - spec/lib/secure_headers/headers/x_xss_protection_spec.rb
150
152
  - spec/lib/secure_headers_spec.rb
151
153
  - spec/spec_helper.rb
@@ -153,35 +155,37 @@ files:
153
155
  homepage: https://github.com/twitter/secureheaders
154
156
  licenses:
155
157
  - Apache Public License 2.0
158
+ metadata: {}
156
159
  post_install_message:
157
160
  rdoc_options: []
158
161
  require_paths:
159
162
  - lib
160
163
  required_ruby_version: !ruby/object:Gem::Requirement
161
- none: false
162
164
  requirements:
163
- - - ! '>='
165
+ - - ">="
164
166
  - !ruby/object:Gem::Version
165
167
  version: '0'
166
168
  required_rubygems_version: !ruby/object:Gem::Requirement
167
- none: false
168
169
  requirements:
169
- - - ! '>='
170
+ - - ">="
170
171
  - !ruby/object:Gem::Version
171
172
  version: '0'
172
173
  requirements: []
173
174
  rubyforge_project:
174
- rubygems_version: 1.8.25
175
+ rubygems_version: 2.2.3
175
176
  signing_key:
176
- specification_version: 3
177
- summary: Add easily configured browser headers to responses including content security
178
- policy, x-frame-options, strict-transport-security and more.
177
+ specification_version: 4
178
+ summary: Add easily configured security headers to responses including content-security-policy,
179
+ x-frame-options, strict-transport-security, etc.
179
180
  test_files:
180
- - spec/controllers/content_security_policy_controller_spec.rb
181
+ - spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb
181
182
  - spec/lib/secure_headers/headers/content_security_policy_spec.rb
183
+ - spec/lib/secure_headers/headers/public_key_pins_spec.rb
182
184
  - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
183
185
  - spec/lib/secure_headers/headers/x_content_type_options_spec.rb
186
+ - spec/lib/secure_headers/headers/x_download_options_spec.rb
184
187
  - spec/lib/secure_headers/headers/x_frame_options_spec.rb
188
+ - spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
185
189
  - spec/lib/secure_headers/headers/x_xss_protection_spec.rb
186
190
  - spec/lib/secure_headers_spec.rb
187
191
  - spec/spec_helper.rb
data/.rvmrc DELETED
@@ -1 +0,0 @@
1
- rvm use 1.9.3@secureheaders --create
data/Guardfile DELETED
@@ -1,10 +0,0 @@
1
- guard 'spork', :aggressive_kill => false do
2
- watch('spec/spec_helper.rb') { :rspec }
3
- end
4
-
5
- guard 'rspec', :cli => "--color --drb --debug", :keep_failed => true, :all_after_pass => true, :focus_on_failed => true do
6
- watch(%r{^spec/.+_spec\.rb$})
7
- watch(%r{^lib/(.+)\.rb$}) { |m| "spec/lib/#{m[1]}_spec.rb" }
8
- watch(%r{^app/controllers/(.+)\.rb$}) { |m| "spec/controllers/#{m[1]}_spec.rb" }
9
- watch('spec/spec_helper.rb') { "spec" }
10
- end
data/HISTORY.md DELETED
@@ -1,115 +0,0 @@
1
- 1.1.1
2
- ======
3
-
4
- Bug fix release.
5
- - Parsing of CSP reports was busted.
6
- - Forwarded reports did not include the original referer, ip, UA
7
-
8
- 1.1.0
9
- ======
10
-
11
- - Remove brwsr dependency (no more runtime dependencies)
12
- - Stop serving X- prefixed CSP headers
13
-
14
- This change means that all requests get all headers, even if the browser doesn't grok it.
15
-
16
- 1.0.0
17
- ======
18
-
19
- Features:
20
-
21
- - Use non-prefixed header names for Firefox >= 23, Chrome >= 25
22
- - Use csp 1.0 compliant header for firefox >= 23
23
-
24
- Bug Fix:
25
-
26
- - Stop sending CSP on safari 5.1+
27
-
28
- 0.5.0
29
- ======
30
-
31
- - X-Content-Type-Options also applied to Chrome requests
32
-
33
- 0.4.3
34
- ======
35
-
36
- - Safari 5 is just completely broken when CSP is used, both mobile and desktop versions
37
-
38
- 0.4.2
39
- ======
40
-
41
- - Stupid bug where Fixnums couldn't be used for config values
42
- - Doc updates
43
-
44
- 0.4.1
45
- ======
46
-
47
- - Allow strings or ints in the HSTS max-age (@reedloden)
48
-
49
- 0.4.0
50
- =======
51
-
52
- - Treat each header as it's own before_filter. This allows you to `skip_before_filter :set_X_header, :only => :bad_idea
53
- - Should be backwards compatible, but it is a change to the API.
54
-
55
- 0.3.0
56
- =======
57
-
58
- - Greatly reduce the need to use the forward_endpoint attribute. If you are posting from your site to a host that matches TLD+1 (e.g. translate.twitter.com matches twitter.com), use a protocol relative value for report-uri. This will alleviate the need to use forwarding. If your host doesn't match, you still need to use forwarding due to host mismatches for Firefox.
59
-
60
- 0.2.3
61
- =======
62
-
63
- - Fix error in report-uri logic for Firefox forwarding.
64
-
65
- 0.2.2
66
- =======
67
-
68
- - Stop applying chrome-extension: to Firefox directives.
69
-
70
- 0.2.1
71
- =======
72
-
73
- - Firefox headers will now stop overriding report_uri when only a path is supplied
74
-
75
- 0.2.0
76
- =======
77
-
78
- - 0.1.0 introduced a serious regression in which child controllers overwrote parent controller config values
79
- - Decoupling of CSP headers and the request object. Allows you to generate static values to save cycles:
80
-
81
- ```ruby
82
- FIREFOX = SecureHeaders::ContentSecurityPolicy.new(config, :ua => "Firefox", :ssl => true).value
83
- CHROME = SecureHeaders::ContentSecurityPolicy.new(config, :ua => "Chrome", :ssl => true).value
84
- ```
85
- - :forward_endpoint now acts as the endpoint that reports are forwarded to (when using the internal forwarder feature for cross-host reporting)
86
- - Skeleton applications have been added to test isolated application configurations
87
- - Cleanup by @bemurphy
88
-
89
- 0.1.1
90
- =======
91
-
92
- Bug fix. Firefox doesn't seem to like the default-src directive, reverting back to 'allow'
93
-
94
- 0.1.0
95
- =======
96
-
97
- Notes:
98
- ------
99
-
100
- - Gem is renamed to secure_headers. This will make bundler happy. https://github.com/twitter/secureheaders/pull/26
101
-
102
- Features:
103
- ------
104
-
105
- - ability to apply two headers, one in enforce mode, one in "experimental" mode https://github.com/twitter/secureheaders/pull/11
106
- - Rails 3.0 support https://github.com/twitter/secureheaders/pull/28
107
-
108
- Bug fixes, misc:
109
- ------
110
-
111
- - Fix issue where settings in application_controller were ignored if no intializer was supplied https://github.com/twitter/secureheaders/pull/25
112
- - Better support for other frameworks, including docs from @achui, @bmaland
113
- - Rails 4 routes support from @jviney https://github.com/twitter/secureheaders/pull/13
114
- - data: automatically whitelisted for img-src
115
- - Doc updates from @ming13, @theverything, @dcollazo
@@ -1,75 +0,0 @@
1
- require 'net/https'
2
- require 'openssl'
3
-
4
- class ContentSecurityPolicyController < ActionController::Base
5
- CA_FILE = File.expand_path(File.join('..','..', '..', 'config', 'curl-ca-bundle.crt'), __FILE__)
6
-
7
- def scribe
8
- csp = ::SecureHeaders::Configuration.csp || {}
9
-
10
- forward_endpoint = csp[:forward_endpoint]
11
- if forward_endpoint
12
- forward_params_to(forward_endpoint)
13
- end
14
-
15
- head :ok
16
- rescue StandardError => e
17
- log_warning(forward_endpoint, e)
18
- head :bad_request
19
- end
20
-
21
- private
22
-
23
- def forward_params_to(forward_endpoint)
24
- uri = URI.parse(forward_endpoint)
25
- http = Net::HTTP.new(uri.host, uri.port)
26
- if uri.scheme == 'https'
27
- use_ssl(http)
28
- end
29
-
30
- if request.content_type == "application/csp-report"
31
- request.body.rewind
32
- params.merge!(ActiveSupport::JSON.decode(request.body.read))
33
- end
34
-
35
- ua = request.user_agent
36
- xff = forwarded_for
37
-
38
- request = Net::HTTP::Post.new(uri.to_s)
39
- request.initialize_http_header({
40
- 'User-Agent' => ua,
41
- 'X-Forwarded-For' => xff,
42
- 'Content-Type' => 'application/json',
43
- })
44
- request.body = params.to_json
45
-
46
- # fire and forget
47
- if defined?(Delayed::Job)
48
- http.delay.request(request)
49
- else
50
- http.request(request)
51
- end
52
- end
53
-
54
- def forwarded_for
55
- req_xff = request.env["HTTP_X_FORWARDED_FOR"]
56
- if req_xff && req_xff != ""
57
- "#{req_xff}, #{request.remote_ip}"
58
- else
59
- request.remote_ip
60
- end
61
- end
62
-
63
- def use_ssl request
64
- request.use_ssl = true
65
- request.ca_file = CA_FILE
66
- request.verify_mode = OpenSSL::SSL::VERIFY_PEER
67
- request.verify_depth = 9
68
- end
69
-
70
- def log_warning(forward_endpoint, e)
71
- if defined?(Rails.logger)
72
- Rails.logger.warn("Unable to POST CSP report to #{forward_endpoint} because #{e}")
73
- end
74
- end
75
- end