secure_headers 1.2.0 → 2.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (121) hide show
  1. data/.gitignore +4 -8
  2. data/.travis.yml +7 -4
  3. data/Gemfile +6 -9
  4. data/README.md +185 -105
  5. data/Rakefile +11 -116
  6. data/fixtures/rails_3_2_12/Gemfile +0 -8
  7. data/fixtures/rails_3_2_12/app/controllers/things_controller.rb +0 -1
  8. data/fixtures/rails_3_2_12/app/views/layouts/application.html.erb +1 -4
  9. data/fixtures/rails_3_2_12/app/views/other_things/index.html.erb +2 -1
  10. data/fixtures/rails_3_2_12/app/views/things/index.html.erb +1 -21
  11. data/fixtures/rails_3_2_12/config/application.rb +0 -54
  12. data/fixtures/rails_3_2_12/config/environments/test.rb +2 -2
  13. data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +3 -1
  14. data/fixtures/rails_3_2_12/config/routes.rb +0 -57
  15. data/fixtures/rails_3_2_12/config/script_hashes.yml +5 -0
  16. data/fixtures/rails_3_2_12/config.ru +3 -0
  17. data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +59 -16
  18. data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +11 -1
  19. data/fixtures/rails_3_2_12/spec/spec_helper.rb +1 -4
  20. data/fixtures/rails_3_2_12_no_init/Gemfile +0 -9
  21. data/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb +1 -2
  22. data/fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb +1 -1
  23. data/fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb +0 -2
  24. data/fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb +0 -21
  25. data/fixtures/rails_3_2_12_no_init/config/application.rb +0 -51
  26. data/fixtures/rails_3_2_12_no_init/config/environments/test.rb +2 -2
  27. data/fixtures/rails_3_2_12_no_init/config/routes.rb +0 -57
  28. data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +11 -1
  29. data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +10 -0
  30. data/fixtures/rails_3_2_12_no_init/spec/spec_helper.rb +3 -17
  31. data/fixtures/rails_4_1_8/Gemfile +5 -0
  32. data/fixtures/rails_4_1_8/README.rdoc +28 -0
  33. data/fixtures/rails_4_1_8/Rakefile +6 -0
  34. data/fixtures/rails_4_1_8/app/controllers/application_controller.rb +4 -0
  35. data/fixtures/rails_4_1_8/app/controllers/concerns/.keep +0 -0
  36. data/fixtures/rails_4_1_8/app/controllers/other_things_controller.rb +5 -0
  37. data/fixtures/rails_4_1_8/app/controllers/things_controller.rb +5 -0
  38. data/fixtures/rails_4_1_8/app/models/.keep +0 -0
  39. data/fixtures/rails_4_1_8/app/models/concerns/.keep +0 -0
  40. data/fixtures/rails_4_1_8/app/views/layouts/application.html.erb +11 -0
  41. data/fixtures/rails_4_1_8/app/views/other_things/index.html.erb +2 -0
  42. data/fixtures/rails_4_1_8/app/views/things/index.html.erb +1 -0
  43. data/fixtures/rails_4_1_8/config/application.rb +15 -0
  44. data/fixtures/rails_4_1_8/config/boot.rb +4 -0
  45. data/fixtures/rails_4_1_8/config/environment.rb +5 -0
  46. data/fixtures/rails_4_1_8/config/environments/test.rb +10 -0
  47. data/fixtures/rails_4_1_8/config/initializers/secure_headers.rb +17 -0
  48. data/fixtures/rails_4_1_8/config/routes.rb +4 -0
  49. data/fixtures/rails_4_1_8/config/script_hashes.yml +5 -0
  50. data/fixtures/rails_4_1_8/config/secrets.yml +22 -0
  51. data/fixtures/rails_4_1_8/config.ru +4 -0
  52. data/fixtures/rails_4_1_8/lib/assets/.keep +0 -0
  53. data/fixtures/rails_4_1_8/lib/tasks/.keep +0 -0
  54. data/fixtures/rails_4_1_8/log/.keep +0 -0
  55. data/fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb +83 -0
  56. data/fixtures/rails_4_1_8/spec/controllers/things_controller_spec.rb +59 -0
  57. data/fixtures/rails_4_1_8/spec/spec_helper.rb +15 -0
  58. data/fixtures/rails_4_1_8/vendor/assets/javascripts/.keep +0 -0
  59. data/fixtures/rails_4_1_8/vendor/assets/stylesheets/.keep +0 -0
  60. data/lib/secure_headers/hash_helper.rb +7 -0
  61. data/lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb +22 -0
  62. data/lib/secure_headers/headers/content_security_policy.rb +160 -124
  63. data/lib/secure_headers/headers/strict_transport_security.rb +2 -1
  64. data/lib/secure_headers/headers/x_download_options.rb +39 -0
  65. data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +40 -0
  66. data/lib/secure_headers/headers/x_xss_protection.rb +2 -1
  67. data/lib/secure_headers/padrino.rb +14 -0
  68. data/lib/secure_headers/railtie.rb +19 -24
  69. data/lib/secure_headers/version.rb +1 -1
  70. data/lib/secure_headers/view_helper.rb +68 -0
  71. data/lib/secure_headers.rb +65 -16
  72. data/lib/tasks/tasks.rake +48 -0
  73. data/secure_headers.gemspec +4 -4
  74. data/spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb +47 -0
  75. data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +119 -204
  76. data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +1 -0
  77. data/spec/lib/secure_headers/headers/x_download_options_spec.rb +32 -0
  78. data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb +64 -0
  79. data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +2 -1
  80. data/spec/lib/secure_headers_spec.rb +61 -66
  81. data/spec/spec_helper.rb +29 -17
  82. metadata +55 -47
  83. checksums.yaml +0 -15
  84. data/Guardfile +0 -6
  85. data/HISTORY.md +0 -131
  86. data/app/controllers/content_security_policy_controller.rb +0 -75
  87. data/config/curl-ca-bundle.crt +0 -5420
  88. data/config/routes.rb +0 -3
  89. data/fixtures/rails_3_2_12/Guardfile +0 -14
  90. data/fixtures/rails_3_2_12/app/models/thing.rb +0 -3
  91. data/fixtures/rails_3_2_12/config/database.yml +0 -25
  92. data/fixtures/rails_3_2_12/config/environments/development.rb +0 -37
  93. data/fixtures/rails_3_2_12/config/environments/production.rb +0 -67
  94. data/fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb +0 -7
  95. data/fixtures/rails_3_2_12/config/initializers/inflections.rb +0 -15
  96. data/fixtures/rails_3_2_12/config/initializers/mime_types.rb +0 -5
  97. data/fixtures/rails_3_2_12/config/initializers/secret_token.rb +0 -7
  98. data/fixtures/rails_3_2_12/config/initializers/session_store.rb +0 -8
  99. data/fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb +0 -14
  100. data/fixtures/rails_3_2_12/config/locales/en.yml +0 -5
  101. data/fixtures/rails_3_2_12/db/schema.rb +0 -16
  102. data/fixtures/rails_3_2_12/db/seeds.rb +0 -7
  103. data/fixtures/rails_3_2_12_no_init/Guardfile +0 -14
  104. data/fixtures/rails_3_2_12_no_init/app/models/thing.rb +0 -3
  105. data/fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb +0 -17
  106. data/fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb +0 -6
  107. data/fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb +0 -5
  108. data/fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb +0 -5
  109. data/fixtures/rails_3_2_12_no_init/config/database.yml +0 -25
  110. data/fixtures/rails_3_2_12_no_init/config/environments/development.rb +0 -37
  111. data/fixtures/rails_3_2_12_no_init/config/environments/production.rb +0 -67
  112. data/fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb +0 -7
  113. data/fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb +0 -15
  114. data/fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb +0 -5
  115. data/fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb +0 -7
  116. data/fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb +0 -8
  117. data/fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb +0 -14
  118. data/fixtures/rails_3_2_12_no_init/config/locales/en.yml +0 -5
  119. data/fixtures/rails_3_2_12_no_init/db/schema.rb +0 -16
  120. data/fixtures/rails_3_2_12_no_init/db/seeds.rb +0 -7
  121. data/spec/controllers/content_security_policy_controller_spec.rb +0 -90
@@ -18,35 +18,10 @@ describe SecureHeaders do
18
18
  allow(subject).to receive(:request).and_return(request)
19
19
  end
20
20
 
21
- ALL_HEADERS = Hash[[:hsts, :csp, :x_frame_options, :x_content_type_options, :x_xss_protection].map{|header| [header, false]}]
22
- USER_AGENTS = {
23
- :firefox => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1',
24
- :chrome => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5',
25
- :ie => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)',
26
- :opera => 'Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00',
27
- :ios5 => "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3",
28
- :ios6 => "Mozilla/5.0 (iPhone; CPU iPhone OS 614 like Mac OS X) AppleWebKit/536.26 (KHTML like Gecko) Version/6.0 Mobile/10B350 Safari/8536.25",
29
- :safari5 => "Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3",
30
- :safari5_1 => "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10",
31
- :safari6 => "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/536.30.1 (KHTML like Gecko) Version/6.0.5 Safari/536.30.1"
32
- }
33
-
34
- def should_assign_header name, value
35
- expect(response.headers).to receive(:[]=).with(name, value)
36
- end
37
-
38
- def should_not_assign_header name
39
- expect(response.headers).not_to receive(:[]=).with(name, anything)
40
- end
41
-
42
21
  def stub_user_agent val
43
22
  allow(request).to receive_message_chain(:env, :[]).and_return(val)
44
23
  end
45
24
 
46
- def options_for header
47
- ALL_HEADERS.reject{|k,v| k == header}
48
- end
49
-
50
25
  def reset_config
51
26
  ::SecureHeaders::Configuration.configure do |config|
52
27
  config.hsts = nil
@@ -54,6 +29,8 @@ describe SecureHeaders do
54
29
  config.x_content_type_options = nil
55
30
  config.x_xss_protection = nil
56
31
  config.csp = nil
32
+ config.x_download_options = nil
33
+ config.x_permitted_cross_domain_policies = nil
57
34
  end
58
35
  end
59
36
 
@@ -63,14 +40,8 @@ describe SecureHeaders do
63
40
  subject.set_x_frame_options_header
64
41
  subject.set_x_content_type_options_header
65
42
  subject.set_x_xss_protection_header
66
- end
67
-
68
- describe "#ensure_security_headers" do
69
- it "sets a before filter" do
70
- options = {}
71
- expect(DummyClass).to receive(:before_filter).exactly(5).times
72
- DummyClass.ensure_security_headers(options)
73
- end
43
+ subject.set_x_download_options_header
44
+ subject.set_x_permitted_cross_domain_policies_header
74
45
  end
75
46
 
76
47
  describe "#set_header" do
@@ -86,19 +57,18 @@ describe SecureHeaders do
86
57
  end
87
58
 
88
59
  describe "#set_security_headers" do
89
- before(:each) do
90
- allow(SecureHeaders::ContentSecurityPolicy).to receive(:new).and_return(double.as_null_object)
91
- end
92
60
  USER_AGENTS.each do |name, useragent|
93
61
  it "sets all default headers for #{name} (smoke test)" do
94
62
  stub_user_agent(useragent)
95
- number_of_headers = 5
63
+ number_of_headers = 7
96
64
  expect(subject).to receive(:set_header).exactly(number_of_headers).times # a request for a given header
97
65
  subject.set_csp_header
98
66
  subject.set_x_frame_options_header
99
67
  subject.set_hsts_header
100
68
  subject.set_x_xss_protection_header
101
69
  subject.set_x_content_type_options_header
70
+ subject.set_x_download_options_header
71
+ subject.set_x_permitted_cross_domain_policies_header
102
72
  end
103
73
  end
104
74
 
@@ -113,11 +83,21 @@ describe SecureHeaders do
113
83
  subject.set_x_xss_protection_header(false)
114
84
  end
115
85
 
86
+ it "does not set the X-Download-Options header if disabled" do
87
+ should_not_assign_header(XDO_HEADER_NAME)
88
+ subject.set_x_download_options_header(false)
89
+ end
90
+
116
91
  it "does not set the X-Frame-Options header if disabled" do
117
92
  should_not_assign_header(XFO_HEADER_NAME)
118
93
  subject.set_x_frame_options_header(false)
119
94
  end
120
95
 
96
+ it "does not set the X-Permitted-Cross-Domain-Policies header if disabled" do
97
+ should_not_assign_header(XPCDP_HEADER_NAME)
98
+ subject.set_x_permitted_cross_domain_policies_header(false)
99
+ end
100
+
121
101
  it "does not set the HSTS header if disabled" do
122
102
  should_not_assign_header(HSTS_HEADER_NAME)
123
103
  subject.set_hsts_header(false)
@@ -131,8 +111,19 @@ describe SecureHeaders do
131
111
 
132
112
  it "does not set the CSP header if disabled" do
133
113
  stub_user_agent(USER_AGENTS[:chrome])
134
- should_not_assign_header(STANDARD_HEADER_NAME)
135
- subject.set_csp_header(options_for(:csp).merge(:csp => false))
114
+ should_not_assign_header(HEADER_NAME)
115
+ subject.set_csp_header(false)
116
+ end
117
+
118
+ it "saves the options to the env when using script hashes" do
119
+ opts = {
120
+ :default_src => 'self',
121
+ :script_hash_middleware => true
122
+ }
123
+ stub_user_agent(USER_AGENTS[:chrome])
124
+
125
+ expect(SecureHeaders::ContentSecurityPolicy).to receive(:add_to_env)
126
+ subject.set_csp_header(opts)
136
127
  end
137
128
 
138
129
  context "when disabled by configuration settings" do
@@ -143,6 +134,8 @@ describe SecureHeaders do
143
134
  config.x_content_type_options = false
144
135
  config.x_xss_protection = false
145
136
  config.csp = false
137
+ config.x_download_options = false
138
+ config.x_permitted_cross_domain_policies = false
146
139
  end
147
140
  expect(subject).not_to receive(:set_header)
148
141
  set_security_headers(subject)
@@ -163,6 +156,18 @@ describe SecureHeaders do
163
156
  end
164
157
  end
165
158
 
159
+ describe "#set_x_download_options_header" do
160
+ it "sets the X-Download-Options header" do
161
+ should_assign_header(XDO_HEADER_NAME, SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
162
+ subject.set_x_download_options_header
163
+ end
164
+
165
+ it "allows a custom X-Download-Options header" do
166
+ should_assign_header(XDO_HEADER_NAME, "noopen")
167
+ subject.set_x_download_options_header(:value => 'noopen')
168
+ end
169
+ end
170
+
166
171
  describe "#set_strict_transport_security" do
167
172
  it "sets the Strict-Transport-Security header" do
168
173
  should_assign_header(HSTS_HEADER_NAME, SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
@@ -178,6 +183,11 @@ describe SecureHeaders do
178
183
  should_assign_header(HSTS_HEADER_NAME, "max-age=#{HSTS_MAX_AGE}; includeSubdomains")
179
184
  subject.set_hsts_header(:max_age => HSTS_MAX_AGE, :include_subdomains => true)
180
185
  end
186
+
187
+ it "allows you to specify preload" do
188
+ should_assign_header(HSTS_HEADER_NAME, "max-age=#{HSTS_MAX_AGE}; includeSubdomains; preload")
189
+ subject.set_hsts_header(:max_age => HSTS_MAX_AGE, :include_subdomains => true, :preload => true)
190
+ end
181
191
  end
182
192
 
183
193
  describe "#set_x_xss_protection" do
@@ -221,7 +231,7 @@ describe SecureHeaders do
221
231
  context "when using Firefox" do
222
232
  it "sets CSP headers" do
223
233
  stub_user_agent(USER_AGENTS[:firefox])
224
- should_assign_header(STANDARD_HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
234
+ should_assign_header(HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
225
235
  subject.set_csp_header
226
236
  end
227
237
  end
@@ -229,7 +239,7 @@ describe SecureHeaders do
229
239
  context "when using Chrome" do
230
240
  it "sets default CSP header" do
231
241
  stub_user_agent(USER_AGENTS[:chrome])
232
- should_assign_header(STANDARD_HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
242
+ should_assign_header(HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
233
243
  subject.set_csp_header
234
244
  end
235
245
  end
@@ -237,36 +247,21 @@ describe SecureHeaders do
237
247
  context "when using a browser besides chrome/firefox" do
238
248
  it "sets the CSP header" do
239
249
  stub_user_agent(USER_AGENTS[:opera])
240
- should_assign_header(STANDARD_HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
250
+ should_assign_header(HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
241
251
  subject.set_csp_header
242
252
  end
243
253
  end
254
+ end
244
255
 
245
- context "when using the experimental key" do
246
- before(:each) do
247
- stub_user_agent(USER_AGENTS[:chrome])
248
- @opts = {
249
- :enforce => true,
250
- :default_src => 'self',
251
- :script_src => 'https://mycdn.example.com',
252
- :experimental => {
253
- :script_src => 'self',
254
- }
255
- }
256
- end
257
-
258
- it "does not set the header in enforce mode if experimental is supplied, but enforce is disabled" do
259
- opts = @opts.merge(:enforce => false)
260
- should_assign_header(STANDARD_HEADER_NAME + "-Report-Only", anything)
261
- should_not_assign_header(STANDARD_HEADER_NAME)
262
- subject.set_csp_header(opts)
263
- end
256
+ describe "#set_x_permitted_cross_domain_policies_header" do
257
+ it "sets the X-Permitted-Cross-Domain-Policies header" do
258
+ should_assign_header(XPCDP_HEADER_NAME, SecureHeaders::XPermittedCrossDomainPolicies::Constants::DEFAULT_VALUE)
259
+ subject.set_x_permitted_cross_domain_policies_header
260
+ end
264
261
 
265
- it "sets a header in enforce mode as well as report-only mode" do
266
- should_assign_header(STANDARD_HEADER_NAME, anything)
267
- should_assign_header(STANDARD_HEADER_NAME + "-Report-Only", anything)
268
- subject.set_csp_header(@opts)
269
- end
262
+ it "allows a custom X-Permitted-Cross-Domain-Policies header" do
263
+ should_assign_header(XPCDP_HEADER_NAME, "master-only")
264
+ subject.set_x_permitted_cross_domain_policies_header(:value => 'master-only')
270
265
  end
271
266
  end
272
267
  end
data/spec/spec_helper.rb CHANGED
@@ -1,24 +1,36 @@
1
1
  require 'rubygems'
2
- require 'spork'
2
+ require 'rspec'
3
3
 
4
- unless Spork.using_spork?
5
- require 'simplecov'
6
- SimpleCov.start do
7
- add_filter "spec"
8
- end
9
- end
4
+ require File.join(File.dirname(__FILE__), '..', 'lib', 'secure_headers')
10
5
 
11
- Spork.prefork do
12
- require 'rspec'
6
+ if defined?(Coveralls)
7
+ Coveralls.wear!
13
8
  end
14
9
 
15
- Spork.each_run do
16
- require File.join(File.dirname(__FILE__), '..', 'lib', 'secure_headers')
17
- require File.join(File.dirname(__FILE__), '..', 'app', 'controllers', 'content_security_policy_controller')
18
- include ::SecureHeaders::StrictTransportSecurity::Constants
19
- include ::SecureHeaders::ContentSecurityPolicy::Constants
20
- include ::SecureHeaders::XFrameOptions::Constants
21
- include ::SecureHeaders::XXssProtection::Constants
22
- include ::SecureHeaders::XContentTypeOptions::Constants
10
+ include ::SecureHeaders::StrictTransportSecurity::Constants
11
+ include ::SecureHeaders::ContentSecurityPolicy::Constants
12
+ include ::SecureHeaders::XFrameOptions::Constants
13
+ include ::SecureHeaders::XXssProtection::Constants
14
+ include ::SecureHeaders::XContentTypeOptions::Constants
15
+ include ::SecureHeaders::XDownloadOptions::Constants
16
+ include ::SecureHeaders::XPermittedCrossDomainPolicies::Constants
17
+
18
+ USER_AGENTS = {
19
+ :firefox => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1',
20
+ :chrome => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5',
21
+ :ie => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)',
22
+ :opera => 'Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00',
23
+ :ios5 => "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3",
24
+ :ios6 => "Mozilla/5.0 (iPhone; CPU iPhone OS 614 like Mac OS X) AppleWebKit/536.26 (KHTML like Gecko) Version/6.0 Mobile/10B350 Safari/8536.25",
25
+ :safari5 => "Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3",
26
+ :safari5_1 => "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10",
27
+ :safari6 => "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/536.30.1 (KHTML like Gecko) Version/6.0.5 Safari/536.30.1"
28
+ }
29
+
30
+ def should_assign_header name, value
31
+ expect(response.headers).to receive(:[]=).with(name, value)
23
32
  end
24
33
 
34
+ def should_not_assign_header name
35
+ expect(response.headers).not_to receive(:[]=).with(name, anything)
36
+ end
metadata CHANGED
@@ -1,18 +1,20 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.2.0
4
+ version: 2.0.2
5
+ prerelease:
5
6
  platform: ruby
6
7
  authors:
7
8
  - Neil Matatall
8
9
  autorequire:
9
10
  bindir: bin
10
11
  cert_chain: []
11
- date: 2014-06-13 00:00:00.000000000 Z
12
+ date: 2015-05-05 00:00:00.000000000 Z
12
13
  dependencies:
13
14
  - !ruby/object:Gem::Dependency
14
15
  name: rake
15
16
  requirement: !ruby/object:Gem::Requirement
17
+ none: false
16
18
  requirements:
17
19
  - - ! '>='
18
20
  - !ruby/object:Gem::Version
@@ -20,11 +22,12 @@ dependencies:
20
22
  type: :development
21
23
  prerelease: false
22
24
  version_requirements: !ruby/object:Gem::Requirement
25
+ none: false
23
26
  requirements:
24
27
  - - ! '>='
25
28
  - !ruby/object:Gem::Version
26
29
  version: '0'
27
- description: Add easily configured browser headers to responses.
30
+ description: Security related headers all in one gem.
28
31
  email:
29
32
  - neil.matatall@gmail.com
30
33
  executables: []
@@ -36,46 +39,28 @@ files:
36
39
  - .ruby-version
37
40
  - .travis.yml
38
41
  - Gemfile
39
- - Guardfile
40
- - HISTORY.md
41
42
  - LICENSE
42
43
  - README.md
43
44
  - Rakefile
44
- - app/controllers/content_security_policy_controller.rb
45
- - config/curl-ca-bundle.crt
46
- - config/routes.rb
47
45
  - fixtures/rails_3_2_12/.rspec
48
46
  - fixtures/rails_3_2_12/Gemfile
49
- - fixtures/rails_3_2_12/Guardfile
50
47
  - fixtures/rails_3_2_12/README.rdoc
51
48
  - fixtures/rails_3_2_12/Rakefile
52
49
  - fixtures/rails_3_2_12/app/controllers/application_controller.rb
53
50
  - fixtures/rails_3_2_12/app/controllers/other_things_controller.rb
54
51
  - fixtures/rails_3_2_12/app/controllers/things_controller.rb
55
52
  - fixtures/rails_3_2_12/app/models/.gitkeep
56
- - fixtures/rails_3_2_12/app/models/thing.rb
57
53
  - fixtures/rails_3_2_12/app/views/layouts/application.html.erb
58
54
  - fixtures/rails_3_2_12/app/views/other_things/index.html.erb
59
55
  - fixtures/rails_3_2_12/app/views/things/index.html.erb
60
56
  - fixtures/rails_3_2_12/config.ru
61
57
  - fixtures/rails_3_2_12/config/application.rb
62
58
  - fixtures/rails_3_2_12/config/boot.rb
63
- - fixtures/rails_3_2_12/config/database.yml
64
59
  - fixtures/rails_3_2_12/config/environment.rb
65
- - fixtures/rails_3_2_12/config/environments/development.rb
66
- - fixtures/rails_3_2_12/config/environments/production.rb
67
60
  - fixtures/rails_3_2_12/config/environments/test.rb
68
- - fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb
69
- - fixtures/rails_3_2_12/config/initializers/inflections.rb
70
- - fixtures/rails_3_2_12/config/initializers/mime_types.rb
71
- - fixtures/rails_3_2_12/config/initializers/secret_token.rb
72
61
  - fixtures/rails_3_2_12/config/initializers/secure_headers.rb
73
- - fixtures/rails_3_2_12/config/initializers/session_store.rb
74
- - fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb
75
- - fixtures/rails_3_2_12/config/locales/en.yml
76
62
  - fixtures/rails_3_2_12/config/routes.rb
77
- - fixtures/rails_3_2_12/db/schema.rb
78
- - fixtures/rails_3_2_12/db/seeds.rb
63
+ - fixtures/rails_3_2_12/config/script_hashes.yml
79
64
  - fixtures/rails_3_2_12/lib/assets/.gitkeep
80
65
  - fixtures/rails_3_2_12/lib/tasks/.gitkeep
81
66
  - fixtures/rails_3_2_12/log/.gitkeep
@@ -87,39 +72,21 @@ files:
87
72
  - fixtures/rails_3_2_12/vendor/plugins/.gitkeep
88
73
  - fixtures/rails_3_2_12_no_init/.rspec
89
74
  - fixtures/rails_3_2_12_no_init/Gemfile
90
- - fixtures/rails_3_2_12_no_init/Guardfile
91
75
  - fixtures/rails_3_2_12_no_init/README.rdoc
92
76
  - fixtures/rails_3_2_12_no_init/Rakefile
93
77
  - fixtures/rails_3_2_12_no_init/app/controllers/application_controller.rb
94
78
  - fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb
95
79
  - fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb
96
80
  - fixtures/rails_3_2_12_no_init/app/models/.gitkeep
97
- - fixtures/rails_3_2_12_no_init/app/models/thing.rb
98
81
  - fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb
99
82
  - fixtures/rails_3_2_12_no_init/app/views/other_things/index.html.erb
100
- - fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb
101
- - fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb
102
83
  - fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb
103
- - fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb
104
- - fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb
105
84
  - fixtures/rails_3_2_12_no_init/config.ru
106
85
  - fixtures/rails_3_2_12_no_init/config/application.rb
107
86
  - fixtures/rails_3_2_12_no_init/config/boot.rb
108
- - fixtures/rails_3_2_12_no_init/config/database.yml
109
87
  - fixtures/rails_3_2_12_no_init/config/environment.rb
110
- - fixtures/rails_3_2_12_no_init/config/environments/development.rb
111
- - fixtures/rails_3_2_12_no_init/config/environments/production.rb
112
88
  - fixtures/rails_3_2_12_no_init/config/environments/test.rb
113
- - fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb
114
- - fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb
115
- - fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb
116
- - fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb
117
- - fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb
118
- - fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb
119
- - fixtures/rails_3_2_12_no_init/config/locales/en.yml
120
89
  - fixtures/rails_3_2_12_no_init/config/routes.rb
121
- - fixtures/rails_3_2_12_no_init/db/schema.rb
122
- - fixtures/rails_3_2_12_no_init/db/seeds.rb
123
90
  - fixtures/rails_3_2_12_no_init/lib/assets/.gitkeep
124
91
  - fixtures/rails_3_2_12_no_init/lib/tasks/.gitkeep
125
92
  - fixtures/rails_3_2_12_no_init/log/.gitkeep
@@ -129,21 +96,59 @@ files:
129
96
  - fixtures/rails_3_2_12_no_init/vendor/assets/javascripts/.gitkeep
130
97
  - fixtures/rails_3_2_12_no_init/vendor/assets/stylesheets/.gitkeep
131
98
  - fixtures/rails_3_2_12_no_init/vendor/plugins/.gitkeep
99
+ - fixtures/rails_4_1_8/Gemfile
100
+ - fixtures/rails_4_1_8/README.rdoc
101
+ - fixtures/rails_4_1_8/Rakefile
102
+ - fixtures/rails_4_1_8/app/controllers/application_controller.rb
103
+ - fixtures/rails_4_1_8/app/controllers/concerns/.keep
104
+ - fixtures/rails_4_1_8/app/controllers/other_things_controller.rb
105
+ - fixtures/rails_4_1_8/app/controllers/things_controller.rb
106
+ - fixtures/rails_4_1_8/app/models/.keep
107
+ - fixtures/rails_4_1_8/app/models/concerns/.keep
108
+ - fixtures/rails_4_1_8/app/views/layouts/application.html.erb
109
+ - fixtures/rails_4_1_8/app/views/other_things/index.html.erb
110
+ - fixtures/rails_4_1_8/app/views/things/index.html.erb
111
+ - fixtures/rails_4_1_8/config.ru
112
+ - fixtures/rails_4_1_8/config/application.rb
113
+ - fixtures/rails_4_1_8/config/boot.rb
114
+ - fixtures/rails_4_1_8/config/environment.rb
115
+ - fixtures/rails_4_1_8/config/environments/test.rb
116
+ - fixtures/rails_4_1_8/config/initializers/secure_headers.rb
117
+ - fixtures/rails_4_1_8/config/routes.rb
118
+ - fixtures/rails_4_1_8/config/script_hashes.yml
119
+ - fixtures/rails_4_1_8/config/secrets.yml
120
+ - fixtures/rails_4_1_8/lib/assets/.keep
121
+ - fixtures/rails_4_1_8/lib/tasks/.keep
122
+ - fixtures/rails_4_1_8/log/.keep
123
+ - fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb
124
+ - fixtures/rails_4_1_8/spec/controllers/things_controller_spec.rb
125
+ - fixtures/rails_4_1_8/spec/spec_helper.rb
126
+ - fixtures/rails_4_1_8/vendor/assets/javascripts/.keep
127
+ - fixtures/rails_4_1_8/vendor/assets/stylesheets/.keep
132
128
  - lib/secure_headers.rb
129
+ - lib/secure_headers/hash_helper.rb
133
130
  - lib/secure_headers/header.rb
134
131
  - lib/secure_headers/headers/content_security_policy.rb
132
+ - lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb
135
133
  - lib/secure_headers/headers/strict_transport_security.rb
136
134
  - lib/secure_headers/headers/x_content_type_options.rb
135
+ - lib/secure_headers/headers/x_download_options.rb
137
136
  - lib/secure_headers/headers/x_frame_options.rb
137
+ - lib/secure_headers/headers/x_permitted_cross_domain_policies.rb
138
138
  - lib/secure_headers/headers/x_xss_protection.rb
139
+ - lib/secure_headers/padrino.rb
139
140
  - lib/secure_headers/railtie.rb
140
141
  - lib/secure_headers/version.rb
142
+ - lib/secure_headers/view_helper.rb
143
+ - lib/tasks/tasks.rake
141
144
  - secure_headers.gemspec
142
- - spec/controllers/content_security_policy_controller_spec.rb
145
+ - spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb
143
146
  - spec/lib/secure_headers/headers/content_security_policy_spec.rb
144
147
  - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
145
148
  - spec/lib/secure_headers/headers/x_content_type_options_spec.rb
149
+ - spec/lib/secure_headers/headers/x_download_options_spec.rb
146
150
  - spec/lib/secure_headers/headers/x_frame_options_spec.rb
151
+ - spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
147
152
  - spec/lib/secure_headers/headers/x_xss_protection_spec.rb
148
153
  - spec/lib/secure_headers_spec.rb
149
154
  - spec/spec_helper.rb
@@ -151,34 +156,37 @@ files:
151
156
  homepage: https://github.com/twitter/secureheaders
152
157
  licenses:
153
158
  - Apache Public License 2.0
154
- metadata: {}
155
159
  post_install_message:
156
160
  rdoc_options: []
157
161
  require_paths:
158
162
  - lib
159
163
  required_ruby_version: !ruby/object:Gem::Requirement
164
+ none: false
160
165
  requirements:
161
166
  - - ! '>='
162
167
  - !ruby/object:Gem::Version
163
168
  version: '0'
164
169
  required_rubygems_version: !ruby/object:Gem::Requirement
170
+ none: false
165
171
  requirements:
166
172
  - - ! '>='
167
173
  - !ruby/object:Gem::Version
168
174
  version: '0'
169
175
  requirements: []
170
176
  rubyforge_project:
171
- rubygems_version: 2.2.2
177
+ rubygems_version: 1.8.23
172
178
  signing_key:
173
- specification_version: 4
174
- summary: Add easily configured browser headers to responses including content security
175
- policy, x-frame-options, strict-transport-security and more.
179
+ specification_version: 3
180
+ summary: Add easily configured security headers to responses including content-security-policy,
181
+ x-frame-options, strict-transport-security, etc.
176
182
  test_files:
177
- - spec/controllers/content_security_policy_controller_spec.rb
183
+ - spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb
178
184
  - spec/lib/secure_headers/headers/content_security_policy_spec.rb
179
185
  - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
180
186
  - spec/lib/secure_headers/headers/x_content_type_options_spec.rb
187
+ - spec/lib/secure_headers/headers/x_download_options_spec.rb
181
188
  - spec/lib/secure_headers/headers/x_frame_options_spec.rb
189
+ - spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
182
190
  - spec/lib/secure_headers/headers/x_xss_protection_spec.rb
183
191
  - spec/lib/secure_headers_spec.rb
184
192
  - spec/spec_helper.rb
checksums.yaml DELETED
@@ -1,15 +0,0 @@
1
- ---
2
- !binary "U0hBMQ==":
3
- metadata.gz: !binary |-
4
- ZDFmNDM2NjIwYzU4MjcyYWU0ODkwMjkxMjM0MDMwYTAyNjY3YWM2ZA==
5
- data.tar.gz: !binary |-
6
- N2VjN2M3MGMyY2Y5ODliOTVmZTIxZDgwOTdjYTM1NTg3MDZiMjdjNw==
7
- SHA512:
8
- metadata.gz: !binary |-
9
- MTRiN2Y5NDFhYTE3ZmM2MjE4MThmMDQ3OTZmOWVhMWM5OTgxOThlNzFiOGNm
10
- MzQ2ZmFiMjUyZjdmNWU4MWQwZTY3Yjc4YmM4NzVjMWNhZWE0YzI3YjlmMjcy
11
- MDk3YmNiZmI3NGNmMzFmMDkxNjEyOTFkMmE5YjNlNjJlMDBkYWY=
12
- data.tar.gz: !binary |-
13
- NzRhM2Y5NTk0OTZhMmRlYjk0ZThkYTM3ZTQxYzc3Mjk3ZTY2MjQ4MjUwN2Rm
14
- YzUwMGY4ZTdlY2Q2M2M4NDgyODQ1MTc2ZWM3ZmEyOWU5NWIwNWExMjBlMDBi
15
- YWNlYjllMmZmN2M4MTU0NWE3NjIwOGNjMmQ5ODBlYzE4NzM1Njk=
data/Guardfile DELETED
@@ -1,6 +0,0 @@
1
- guard 'rspec' do
2
- watch(%r{^spec/.+_spec\.rb$})
3
- watch(%r{^lib/(.+)\.rb$}) { |m| "spec/lib/#{m[1]}_spec.rb" }
4
- watch(%r{^app/controllers/(.+)\.rb$}) { |m| "spec/controllers/#{m[1]}_spec.rb" }
5
- watch('spec/spec_helper.rb') { "spec" }
6
- end
data/HISTORY.md DELETED
@@ -1,131 +0,0 @@
1
- 1.2.0
2
- ======
3
-
4
- Add support for procs (anything that respond_to?(:call)) as config values.
5
-
6
- csp = {
7
- :default_src => 'self',
8
- :report_uri => lambda {
9
- if FeatureToggle.available?(:new_csp_endpoint)
10
- '//example.com/new_csp'
11
- else
12
- '//example.com/old_csp'
13
- end
14
- }
15
- }
16
-
17
- 1.1.1
18
- ======
19
-
20
- Bug fix release.
21
- - Parsing of CSP reports was busted.
22
- - Forwarded reports did not include the original referer, ip, UA
23
-
24
- 1.1.0
25
- ======
26
-
27
- - Remove brwsr dependency (no more runtime dependencies)
28
- - Stop serving X- prefixed CSP headers
29
-
30
- This change means that all requests get all headers, even if the browser doesn't grok it.
31
-
32
- 1.0.0
33
- ======
34
-
35
- Features:
36
-
37
- - Use non-prefixed header names for Firefox >= 23, Chrome >= 25
38
- - Use csp 1.0 compliant header for firefox >= 23
39
-
40
- Bug Fix:
41
-
42
- - Stop sending CSP on safari 5.1+
43
-
44
- 0.5.0
45
- ======
46
-
47
- - X-Content-Type-Options also applied to Chrome requests
48
-
49
- 0.4.3
50
- ======
51
-
52
- - Safari 5 is just completely broken when CSP is used, both mobile and desktop versions
53
-
54
- 0.4.2
55
- ======
56
-
57
- - Stupid bug where Fixnums couldn't be used for config values
58
- - Doc updates
59
-
60
- 0.4.1
61
- ======
62
-
63
- - Allow strings or ints in the HSTS max-age (@reedloden)
64
-
65
- 0.4.0
66
- =======
67
-
68
- - Treat each header as it's own before_filter. This allows you to `skip_before_filter :set_X_header, :only => :bad_idea
69
- - Should be backwards compatible, but it is a change to the API.
70
-
71
- 0.3.0
72
- =======
73
-
74
- - Greatly reduce the need to use the forward_endpoint attribute. If you are posting from your site to a host that matches TLD+1 (e.g. translate.twitter.com matches twitter.com), use a protocol relative value for report-uri. This will alleviate the need to use forwarding. If your host doesn't match, you still need to use forwarding due to host mismatches for Firefox.
75
-
76
- 0.2.3
77
- =======
78
-
79
- - Fix error in report-uri logic for Firefox forwarding.
80
-
81
- 0.2.2
82
- =======
83
-
84
- - Stop applying chrome-extension: to Firefox directives.
85
-
86
- 0.2.1
87
- =======
88
-
89
- - Firefox headers will now stop overriding report_uri when only a path is supplied
90
-
91
- 0.2.0
92
- =======
93
-
94
- - 0.1.0 introduced a serious regression in which child controllers overwrote parent controller config values
95
- - Decoupling of CSP headers and the request object. Allows you to generate static values to save cycles:
96
-
97
- ```ruby
98
- FIREFOX = SecureHeaders::ContentSecurityPolicy.new(config, :ua => "Firefox", :ssl => true).value
99
- CHROME = SecureHeaders::ContentSecurityPolicy.new(config, :ua => "Chrome", :ssl => true).value
100
- ```
101
- - :forward_endpoint now acts as the endpoint that reports are forwarded to (when using the internal forwarder feature for cross-host reporting)
102
- - Skeleton applications have been added to test isolated application configurations
103
- - Cleanup by @bemurphy
104
-
105
- 0.1.1
106
- =======
107
-
108
- Bug fix. Firefox doesn't seem to like the default-src directive, reverting back to 'allow'
109
-
110
- 0.1.0
111
- =======
112
-
113
- Notes:
114
- ------
115
-
116
- - Gem is renamed to secure_headers. This will make bundler happy. https://github.com/twitter/secureheaders/pull/26
117
-
118
- Features:
119
- ------
120
-
121
- - ability to apply two headers, one in enforce mode, one in "experimental" mode https://github.com/twitter/secureheaders/pull/11
122
- - Rails 3.0 support https://github.com/twitter/secureheaders/pull/28
123
-
124
- Bug fixes, misc:
125
- ------
126
-
127
- - Fix issue where settings in application_controller were ignored if no intializer was supplied https://github.com/twitter/secureheaders/pull/25
128
- - Better support for other frameworks, including docs from @achui, @bmaland
129
- - Rails 4 routes support from @jviney https://github.com/twitter/secureheaders/pull/13
130
- - data: automatically whitelisted for img-src
131
- - Doc updates from @ming13, @theverything, @dcollazo