secure_headers 1.2.0 → 1.3.0

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    ZDFmNDM2NjIwYzU4MjcyYWU0ODkwMjkxMjM0MDMwYTAyNjY3YWM2ZA==
+    NTdiMjdmYmVhNzk2MWQ3YmEwNDNjOWQ0YmZhZDZkNTAyNDlmYmQ1ZQ==
   data.tar.gz: !binary |-
-    N2VjN2M3MGMyY2Y5ODliOTVmZTIxZDgwOTdjYTM1NTg3MDZiMjdjNw==
+    ZTIyYjBjNmM5ZTU5YzRhZjU4MjdmNTcwNDAzMjMyZjJlOTFjOWYxMA==
 SHA512:
   metadata.gz: !binary |-
-    MTRiN2Y5NDFhYTE3ZmM2MjE4MThmMDQ3OTZmOWVhMWM5OTgxOThlNzFiOGNm
-    MzQ2ZmFiMjUyZjdmNWU4MWQwZTY3Yjc4YmM4NzVjMWNhZWE0YzI3YjlmMjcy
-    MDk3YmNiZmI3NGNmMzFmMDkxNjEyOTFkMmE5YjNlNjJlMDBkYWY=
+    NzRjM2QwM2IwZjIyZDMzYzY3OWE2MGVmZTEyNjU3MmQwMzhiODcxYjRlZDlh
+    ODFmMmExNzgxNDkzN2U5YWFiNGFjYWMwYjUxNGNiMmJiOWM4ZTA0ZmY3Y2Mz
+    MjFlMTRlNzdiMGQ0MDY5NTM1YTkyNGMxOGJjMDRmMjkyZTIyMjA=
   data.tar.gz: !binary |-
-    NzRhM2Y5NTk0OTZhMmRlYjk0ZThkYTM3ZTQxYzc3Mjk3ZTY2MjQ4MjUwN2Rm
-    YzUwMGY4ZTdlY2Q2M2M4NDgyODQ1MTc2ZWM3ZmEyOWU5NWIwNWExMjBlMDBi
-    YWNlYjllMmZmN2M4MTU0NWE3NjIwOGNjMmQ5ODBlYzE4NzM1Njk=
+    N2I3MzExNWM5MGFjZDI3YjBjMDlkNjgyNWUyODcyZGU3N2NmMjVjZTZkMWVi
+    Y2FiYmI4YjY3NzRkYzM3NWNkNjE0MGE4ZWMwMjhlMGJhYTI0NmIwYmY4MGFi
+    YjlhNjdkMTQ1YWQ0NTYwNGJiZmMxMzA3MjlkNmMyMDgyZjhlY2E=

data/Gemfile

@@ -7,12 +7,10 @@ group :test do
   gem 'sqlite3', :platform => [:ruby, :mswin, :mingw]
   gem 'jdbc-sqlite3', :platform => :jruby
   gem 'rspec-rails'
-  gem 'spork'
   gem 'rspec'
   gem 'guard-rspec', :platform => :ruby_19
   gem 'growl'
   gem 'rb-fsevent'
-  gem 'simplecov'
   gem 'debugger', :platform => :ruby_19
   gem 'ruby-debug', :platform => :ruby_18
 end

data/HISTORY.md

@@ -1,18 +1,14 @@
-1.2.0
+1.3.0
 ======
 
-Add support for procs (anything that respond_to?(:call)) as config values.
-
-csp = {
-  :default_src => 'self',
-  :report_uri => lambda {
-    if FeatureToggle.available?(:new_csp_endpoint)
-      '//example.com/new_csp'
-    else
-      '//example.com/old_csp'
-    end
-  }
-}
+- CSP nonce support was added back and is compliant.
+- Bugs:
+-- enforce, disable_fill_missing, and disable_chrome_extension did not accept lambdas for no good reason
+-- IF a default-src was specified, and an img-src was not, and disable_fill_missing was true, the img-src value would be :data
+
+1.2.0
+======
+- Allow procs to be used as config values.
 
 1.1.1
 ======

data/README.md

@@ -118,9 +118,6 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
 
 ```ruby
 :csp => {
-
-  # All values can be a String of space-delimited values, an Array of Strings, or procs.
-
   :enforce     => false,        # sets header to report-only, by default
   # default_src is required!
   :default_src     => nil,      # sets the default-src/allow+options directives
@@ -193,19 +190,40 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
 :csp => {
   :default_src => 'self',
   :img_src => '*',
-  :connect_src => 'none'
   :object_src => ['media1.com', 'media2.com', '*.cdn.com'],
-  # alternatively :object_src => 'media1.com media2.com *.cdn.com'
-  :script_src => 'trustedscripts.example.com',
-  :report_uri => lambda {
-    if FeatureToggle.available?(:new_csp_endpoint)
-      '//example.com/new_csp'
-    else
-      '//example.com/old_csp'
-    end
-  }
+  # alternatively (NOT csv) :object_src => 'media1.com media2.com *.cdn.com'
+  :script_src => 'trustedscripts.example.com'
+}
+"default-src  'self'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com;"
+```
+
+### CSP Level 2 features
+
+script/style-nonce can be used to whitelist inline content. To do this, add "nonce" to your script/style-src configuration, then set the nonce attributes on the various tags.
+
+*setting a nonce will also set 'unsafe-inline' for browsers that don't support nonces for backwards compatibility. 'unsafe-inline' is ignored if a nonce is present in a directive in compliant browsers.
+
+```ruby
+:csp => {
+  :default_src => 'self',
+  :script_src => 'self nonce'
 }
-"default-src  'self'; connect-src 'none'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com; report-uri [one of the two values in the example]"
+```
+
+> content-security-policy: default-src 'self'; script-src 'self' 'nonce-abc123' 'unsafe-inline'
+
+```erb
+<script nonce="<%= @content_security_policy_nonce %>">
+  console.log("whitelisted, will execute")
+</script>
+
+<script nonce="lol">
+  console.log("won't execute, not whitelisted")
+</script>
+
+<script>
+  console.log("won't execute, not whitelisted")
+</script>
 ```
 
 ## Note on Firefox handling of CSP
@@ -277,22 +295,11 @@ In your `Gemfile`:
 then in your `app.rb` file you can:
 
 ```ruby
+require 'secure_headers/padrino'
+
 module Web
   class App < Padrino::Application
-    include SecureHeaders
-
-    ::SecureHeaders::Configuration.configure do |config|
-      config.hsts                   = {:max_age => 99, :include_subdomains => true}
-      config.x_frame_options        = 'DENY'
-      config.x_content_type_options = "nosniff"
-      config.x_xss_protection       = {:value   => '1', :mode => false}
-      config.csp                    = {
-        :default_src => "https://* inline eval",
-        :report_uri => '//example.com/uri-directive',
-        :img_src => "https://* data:",
-        :frame_src => "https://* http://*.twimg.com http://itunes.apple.com"
-      }
-    end
+    register SecureHeaders::Padrino
 
     get '/' do
       set_csp_header
@@ -302,6 +309,25 @@ module Web
 end
 ```
 
+and in `config/boot.rb`:
+
+```ruby
+def before_load
+  ::SecureHeaders::Configuration.configure do |config|
+    config.hsts                   = {:max_age => 99, :include_subdomains => true}
+    config.x_frame_options        = 'DENY'
+    config.x_content_type_options = "nosniff"
+    config.x_xss_protection       = {:value   => '1', :mode => false}
+    config.csp                    = {
+      :default_src => "https://* inline eval",
+      :report_uri => '//example.com/uri-directive',
+      :img_src => "https://* data:",
+      :frame_src => "https://* http://*.twimg.com http://itunes.apple.com"
+    }
+  end
+end
+```
+
 ## Similar libraries
 
 * Node.js (express) [helmet](https://github.com/evilpacket/helmet) and [hood](https://github.com/seanmonstar/hood)

data/fixtures/rails_3_2_12/Gemfile

@@ -4,11 +4,9 @@ gem 'rails', '3.2.12'
 gem 'sqlite3'
 gem 'rspec-rails', '>= 2.0.0'
 gem 'secure_headers', :path => '../..'
-gem 'spork'
 gem 'debugger', :platform => :ruby_19
 gem 'ruby-debug', :platform => :ruby_18
 gem 'guard-rspec'
-gem 'guard-spork'
 gem 'rb-fsevent'
 gem 'growl'
 

data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb

@@ -5,6 +5,7 @@
   config.x_xss_protection = {:value => 1, :mode => 'block'}
   csp = {
     :default_src => "self",
+    :script_src => "self nonce",
     :disable_chrome_extension => true,
     :disable_fill_missing => true,
     :report_uri => 'somewhere',

data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb

@@ -12,12 +12,13 @@ describe OtherThingsController, :type => :controller do
       expect(response.headers['X-Frame-Options']).to eq('SAMEORIGIN')
     end
 
-    it "sets the X-WebKit-CSP header" do
+    it "sets the CSP header with a local reference to a nonce" do
       get :index
-      expect(response.headers['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; img-src data:; report-uri somewhere;")
+      nonce = controller.instance_exec { @content_security_policy_nonce }
+      expect(nonce).to match /[a-zA-Z0-9\+\/=]{44}/
+      expect(response.headers['Content-Security-Policy-Report-Only']).to match(/default-src 'self'; img-src 'self' data:; script-src 'self' 'nonce-[a-zA-Z0-9\+\/=]{44}' 'unsafe-inline'; report-uri somewhere;/)
     end
 
-    #mock ssl
     it "sets the Strict-Transport-Security header" do
       request.env['HTTPS'] = 'on'
       get :index

data/fixtures/rails_3_2_12/spec/spec_helper.rb

@@ -1,5 +1,5 @@
 require 'rubygems'
-require 'spork'
+
 #uncomment the following line to use spork with the debugger
 #require 'spork/ext/ruby-debug'
 
@@ -13,6 +13,3 @@ require 'spork'
   require 'rspec/rails'
 # end
 
-Spork.each_run do
-
-end

data/fixtures/rails_3_2_12_no_init/Gemfile

@@ -4,11 +4,9 @@ gem 'rails', '3.2.12'
 gem 'sqlite3'
 gem 'rspec-rails', '>= 2.0.0'
 gem 'secure_headers', :path => '../..'
-gem 'spork'
 gem 'debugger', :platform => :ruby_19
 gem 'ruby-debug', :platform => :ruby_18
 gem 'guard-rspec'
-gem 'guard-spork'
 gem 'rb-fsevent'
 gem 'growl'
 

data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb

@@ -14,7 +14,7 @@ describe OtherThingsController, :type => :controller do
 
     it "sets the X-WebKit-CSP header" do
       get :index
-      expect(response.headers['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; img-src data:;")
+      expect(response.headers['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; img-src 'self' data:;")
     end
 
     #mock ssl

data/fixtures/rails_3_2_12_no_init/spec/spec_helper.rb

@@ -1,19 +1,5 @@
 require 'rubygems'
-require 'spork'
-#uncomment the following line to use spork with the debugger
-#require 'spork/ext/ruby-debug'
 
-Spork.prefork do
-  # Loading more in this block will cause your tests to run faster. However,
-  # if you change any configuration or code from libraries loaded here, you'll
-  # need to restart spork for it take effect.
-# This file is copied to spec/ when you run 'rails generate rspec:install'
-  ENV["RAILS_ENV"] ||= 'test'
-  require File.expand_path("../../config/environment", __FILE__)
-  require 'rspec/rails'
-  # require 'ruby-debug'
-end
-
-Spork.each_run do
-
-end
+ENV["RAILS_ENV"] ||= 'test'
+require File.expand_path("../../config/environment", __FILE__)
+require 'rspec/rails'

data/lib/secure_headers/headers/content_security_policy.rb

@@ -1,4 +1,5 @@
 require 'uri'
+require 'base64'
 
 module SecureHeaders
   class ContentSecurityPolicyBuildError < StandardError; end
@@ -8,7 +9,7 @@ module SecureHeaders
       STANDARD_HEADER_NAME = "Content-Security-Policy"
       FF_CSP_ENDPOINT = "/content_security_policy/forward_report"
       DIRECTIVES = [:default_src, :script_src, :frame_src, :style_src, :img_src, :media_src, :font_src, :object_src, :connect_src]
-      META = [:enforce, :http_additions, :disable_chrome_extension, :disable_fill_missing, :forward_endpoint]
+      META = [:disable_chrome_extension, :disable_fill_missing, :forward_endpoint]
     end
     include Constants
 
@@ -30,6 +31,7 @@ module SecureHeaders
     def initialize(config=nil, options={})
       @experimental = !!options.delete(:experimental)
       @controller = options.delete(:controller)
+
       if options[:request]
         parse_request(options[:request])
       else
@@ -45,6 +47,10 @@ module SecureHeaders
       configure(config) if config
     end
 
+    def nonce
+      @nonce ||= SecureRandom.base64(32).chomp
+    end
+
     def configure(config)
       @config = config.dup
 
@@ -54,18 +60,24 @@ module SecureHeaders
         @config.merge!(experimental_config)
       end
 
+      # http_additions will be the only field that still doesn't support
+      # lambdas because it's an ugly api that's showing it's age.
+      @http_additions = @config.delete(:http_additions)
+
+      normalize_csp_options
+
       META.each do |meta|
         self.send("#{meta}=", @config.delete(meta))
       end
 
-      normalize_csp_options
+      @enforce = @config.delete(:enforce)
       normalize_reporting_endpoint
       fill_directives unless disable_fill_missing?
     end
 
     def name
       base = STANDARD_HEADER_NAME
-      if !enforce || experimental
+      if !@enforce || experimental
         base += "-Report-Only"
       end
       base
@@ -86,15 +98,9 @@ module SecureHeaders
       raise "Expected to find default_src directive value" unless @config[:default_src]
       append_http_additions unless ssl_request?
       header_value = [
-        # ensure default-src is first
-        build_directive(:default_src),
         generic_directives(@config),
         report_uri_directive
-      ].join
-
-      #store the value for next time
-      @config = header_value
-      header_value.strip
+      ].join.strip
     rescue StandardError => e
       raise ContentSecurityPolicyBuildError.new("Couldn't build CSP header :( #{e}")
     end
@@ -111,27 +117,27 @@ module SecureHeaders
     end
 
     def append_http_additions
-      return unless http_additions
-      http_additions.each do |k, v|
+      return unless @http_additions
+      @http_additions.each do |k, v|
         @config[k] ||= []
         @config[k] << v
       end
     end
 
     def normalize_csp_options
-      @config = @config.inject({}) do |hash, (k, v)|
-        config_val = if v.respond_to?(:call)
-          v.call
-        else
-          v
-        end
-
+      @config = @config.inject({}) do |hash, (key, value)|
+        # lambdas
+        config_val = value.respond_to?(:call) ? value.call : value
+        # space-delimeted strings
         config_val = config_val.split if config_val.is_a? String
-        config_val = config_val.map do |val|
-          translate_dir_value(val)
+        # array of strings
+        if config_val.respond_to?(:map) #skip booleans
+          config_val = config_val.map do |val|
+            translate_dir_value(val)
+          end.flatten.uniq
         end
 
-        hash[k] = config_val
+        hash[key] = config_val
         hash
       end
 
@@ -145,6 +151,9 @@ module SecureHeaders
         # self/none are special sources/src-dir-values and need to be quoted in chrome
       elsif %{self none}.include?(val)
         "'#{val}'"
+      elsif val == 'nonce'
+        @controller.instance_variable_set(:@content_security_policy_nonce, nonce)
+        ["'nonce-#{nonce}'", "'unsafe-inline'"]
       else
         val
       end
@@ -192,9 +201,10 @@ module SecureHeaders
       if config[:img_src]
         config[:img_src] = config[:img_src] + ['data:'] unless config[:img_src].include?('data:')
       else
-        config[:img_src] = ['data:']
+        config[:img_src] = config[:default_src] + ['data:']
       end
 
+      header_value = build_directive(:default_src)
       config.keys.sort_by{|k| k.to_s}.each do |k| # ensure consistent ordering
         header_value += build_directive(k)
       end

data/lib/secure_headers/padrino.rb

@@ -0,0 +1,14 @@
+module SecureHeaders
+  module Padrino
+    class << self
+      ##
+      # Main class that register this extension.
+      #
+      def registered(app)
+        app.extend SecureHeaders::ClassMethods
+        app.helpers SecureHeaders::InstanceMethods
+      end
+      alias :included :registered
+    end
+  end
+end

data/lib/secure_headers/version.rb

@@ -1,3 +1,3 @@
 module SecureHeaders
-  VERSION = "1.2.0"
+  VERSION = "1.3.0"
 end

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -91,11 +91,14 @@ module SecureHeaders
 
         it "accepts procs for other fields" do
           opts = {
-            :default_src => lambda { "http://lambda/result" }
+            :default_src => lambda { "http://lambda/result" },
+            :enforce => lambda { true },
+            :disable_fill_missing => lambda { true }
           }
 
-          csp = ContentSecurityPolicy.new(opts).value
-          expect(csp).to match("default-src http://lambda/result")
+          csp = ContentSecurityPolicy.new(opts)
+          expect(csp.value).to eq("default-src http://lambda/result; img-src http://lambda/result data:;")
+          expect(csp.name).to match("Content-Security-Policy")
         end
       end
     end
@@ -219,7 +222,7 @@ module SecureHeaders
       context "auto-whitelists data: uris for img-src" do
         it "sets the value if no img-src specified" do
           csp = ContentSecurityPolicy.new({:default_src => 'self', :disable_fill_missing => true, :disable_chrome_extension => true}, :request => request_for(CHROME))
-          expect(csp.value).to eq("default-src 'self'; img-src data:;")
+          expect(csp.value).to eq("default-src 'self'; img-src 'self' data:;")
         end
 
         it "appends the value if img-src is specified" do
@@ -243,14 +246,14 @@ module SecureHeaders
       context "Firefox" do
         it "builds a csp header for firefox" do
           csp = ContentSecurityPolicy.new(default_opts, :request => request_for(FIREFOX))
-          expect(csp.value).to eq("default-src https://*; img-src data:; script-src 'unsafe-inline' 'unsafe-eval' https://* data:; style-src 'unsafe-inline' https://* about:; report-uri /csp_report;")
+          expect(csp.value).to eq("default-src https://*; img-src https://* data:; script-src 'unsafe-inline' 'unsafe-eval' https://* data:; style-src 'unsafe-inline' https://* about:; report-uri /csp_report;")
         end
       end
 
       context "Chrome" do
         it "builds a csp header for chrome" do
           csp = ContentSecurityPolicy.new(default_opts, :request => request_for(CHROME))
-          expect(csp.value).to eq("default-src https://*; img-src data:; script-src 'unsafe-inline' 'unsafe-eval' https://* data:; style-src 'unsafe-inline' https://* about:; report-uri /csp_report;")
+          expect(csp.value).to eq("default-src https://*; img-src https://* data:; script-src 'unsafe-inline' 'unsafe-eval' https://* data:; style-src 'unsafe-inline' https://* about:; report-uri /csp_report;")
         end
 
         it "ignores :forward_endpoint settings" do
@@ -259,6 +262,31 @@ module SecureHeaders
         end
       end
 
+      context "when using a nonce" do
+        it "adds a nonce and unsafe-inline to the script-src value" do
+          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "self nonce"), :request => request_for(CHROME))
+          expect(header.value).to include("script-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline'")
+        end
+
+        it "adds a nonce and unsafe-inline to the style-src value" do
+          header = ContentSecurityPolicy.new(default_opts.merge(:style_src => "self nonce"), :request => request_for(CHROME))
+          expect(header.value).to include("style-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline'")
+        end
+
+        it "adds an identical nonce to the style and script-src directives" do
+          header = ContentSecurityPolicy.new(default_opts.merge(:style_src => "self nonce", :script_src => "self nonce"), :request => request_for(CHROME))
+          nonce = header.nonce
+          value = header.value
+          expect(value).to include("style-src 'self' 'nonce-#{nonce}' 'unsafe-inline'")
+          expect(value).to include("script-src 'self' 'nonce-#{nonce}' 'unsafe-inline'")
+        end
+
+        it "does not add 'unsafe-inline' twice" do
+          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "self nonce inline"), :request => request_for(CHROME))
+          expect(header.value).to include("script-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline';")
+        end
+      end
+
       context "when supplying a experimental values" do
         let(:options) {{
           :disable_chrome_extension => true,
@@ -272,7 +300,7 @@ module SecureHeaders
 
         it "returns the original value" do
           header = ContentSecurityPolicy.new(options, :request => request_for(CHROME))
-          expect(header.value).to eq("default-src 'self'; img-src data:; script-src https://*;")
+          expect(header.value).to eq("default-src 'self'; img-src 'self' data:; script-src https://*;")
         end
 
         it "it returns the experimental value if requested" do
@@ -333,17 +361,17 @@ module SecureHeaders
 
           it "uses the value in the experimental block over SSL" do
             csp = ContentSecurityPolicy.new(options, :experimental => true, :request => request_for(FIREFOX, '/', :ssl => true))
-            expect(csp.value).to eq("default-src 'self'; img-src data:; script-src 'self';")
+            expect(csp.value).to eq("default-src 'self'; img-src 'self' data:; script-src 'self';")
           end
 
           it "detects the :ssl => true option" do
             csp = ContentSecurityPolicy.new(options, :experimental => true, :ua => FIREFOX, :ssl => true)
-            expect(csp.value).to eq("default-src 'self'; img-src data:; script-src 'self';")
+            expect(csp.value).to eq("default-src 'self'; img-src 'self' data:; script-src 'self';")
           end
 
           it "merges the values from experimental/http_additions when not over SSL" do
             csp = ContentSecurityPolicy.new(options, :experimental => true, :request => request_for(FIREFOX))
-            expect(csp.value).to eq("default-src 'self'; img-src data:; script-src 'self' https://mycdn.example.com;")
+            expect(csp.value).to eq("default-src 'self'; img-src 'self' data:; script-src 'self' https://mycdn.example.com;")
           end
         end
       end

data/spec/spec_helper.rb

@@ -1,24 +1,10 @@
 require 'rubygems'
-require 'spork'
-
-unless Spork.using_spork?
-  require 'simplecov'
-  SimpleCov.start do
-    add_filter "spec"
-  end
-end
-
-Spork.prefork do
-  require 'rspec'
-end
-
-Spork.each_run do
-  require File.join(File.dirname(__FILE__), '..', 'lib', 'secure_headers')
-  require File.join(File.dirname(__FILE__), '..', 'app', 'controllers', 'content_security_policy_controller')
-  include ::SecureHeaders::StrictTransportSecurity::Constants
-  include ::SecureHeaders::ContentSecurityPolicy::Constants
-  include ::SecureHeaders::XFrameOptions::Constants
-  include ::SecureHeaders::XXssProtection::Constants
-  include ::SecureHeaders::XContentTypeOptions::Constants
-end
-
+require 'rspec'
+
+require File.join(File.dirname(__FILE__), '..', 'lib', 'secure_headers')
+require File.join(File.dirname(__FILE__), '..', 'app', 'controllers', 'content_security_policy_controller')
+include ::SecureHeaders::StrictTransportSecurity::Constants
+include ::SecureHeaders::ContentSecurityPolicy::Constants
+include ::SecureHeaders::XFrameOptions::Constants
+include ::SecureHeaders::XXssProtection::Constants
+include ::SecureHeaders::XContentTypeOptions::Constants

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 1.3.0
 platform: ruby
 authors:
 - Neil Matatall
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-06-13 00:00:00.000000000 Z
+date: 2014-08-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -46,7 +46,6 @@ files:
 - config/routes.rb
 - fixtures/rails_3_2_12/.rspec
 - fixtures/rails_3_2_12/Gemfile
-- fixtures/rails_3_2_12/Guardfile
 - fixtures/rails_3_2_12/README.rdoc
 - fixtures/rails_3_2_12/Rakefile
 - fixtures/rails_3_2_12/app/controllers/application_controller.rb
@@ -87,7 +86,6 @@ files:
 - fixtures/rails_3_2_12/vendor/plugins/.gitkeep
 - fixtures/rails_3_2_12_no_init/.rspec
 - fixtures/rails_3_2_12_no_init/Gemfile
-- fixtures/rails_3_2_12_no_init/Guardfile
 - fixtures/rails_3_2_12_no_init/README.rdoc
 - fixtures/rails_3_2_12_no_init/Rakefile
 - fixtures/rails_3_2_12_no_init/app/controllers/application_controller.rb
@@ -136,6 +134,7 @@ files:
 - lib/secure_headers/headers/x_content_type_options.rb
 - lib/secure_headers/headers/x_frame_options.rb
 - lib/secure_headers/headers/x_xss_protection.rb
+- lib/secure_headers/padrino.rb
 - lib/secure_headers/railtie.rb
 - lib/secure_headers/version.rb
 - secure_headers.gemspec
@@ -168,7 +167,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 2.1.1
 signing_key: 
 specification_version: 4
 summary: Add easily configured browser headers to responses including content security

data/fixtures/rails_3_2_12/Guardfile

@@ -1,14 +0,0 @@
-guard 'spork', :rspec_port => 1234, :aggressive_kill => false do
-  watch('spec/spec_helper.rb') { :rspec }
-end
-
-guard 'rspec', :cli => "--color --drb --drb-port 1234", :keep_failed => true, :all_after_pass => true, :focus_on_failed => true do
-  watch(%r{^spec/.+_spec\.rb$})
-  watch('../../../lib')
-  watch(%r{^lib/(.+)\.rb$})     { |m| "spec/lib/#{m[1]}_spec.rb" }
-  watch('spec/spec_helper.rb')  { "spec" }
-  watch(%r{^app/controllers/(.+)_(controller)\.rb$})  { |m| ["spec/routing/#{m[1]}_routing_spec.rb", "spec/#{m[2]}s/#{m[1]}_#{m[2]}_spec.rb", "spec/acceptance/#{m[1]}_spec.rb"] }
-  watch(%r{^spec/support/(.+)\.rb$})                  { "spec" }
-  watch('app/controllers/application_controller.rb')  { "spec/controllers" }
-end
-

data/fixtures/rails_3_2_12_no_init/Guardfile

@@ -1,14 +0,0 @@
-guard 'spork', :rspec_port => 1235, :aggressive_kill => false do
-  watch('spec/spec_helper.rb') { :rspec }
-end
-
-guard 'rspec', :cli => "--color --drb --drb-port 1235", :keep_failed => true, :all_after_pass => true, :focus_on_failed => true do
-  watch(%r{^spec/.+_spec\.rb$})
-  watch('../../../lib')
-  watch(%r{^lib/(.+)\.rb$})     { |m| "spec/lib/#{m[1]}_spec.rb" }
-  watch('spec/spec_helper.rb')  { "spec" }
-  watch(%r{^app/controllers/(.+)_(controller)\.rb$})  { |m| ["spec/routing/#{m[1]}_routing_spec.rb", "spec/#{m[2]}s/#{m[1]}_#{m[2]}_spec.rb", "spec/acceptance/#{m[1]}_spec.rb"] }
-  watch(%r{^spec/support/(.+)\.rb$})                  { "spec" }
-  watch('app/controllers/application_controller.rb')  { "spec/controllers" }
-end
-