secure_headers 1.2.0 → 2.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/.gitignore +4 -8
- data/.travis.yml +7 -4
- data/Gemfile +6 -9
- data/README.md +185 -105
- data/Rakefile +11 -116
- data/fixtures/rails_3_2_12/Gemfile +0 -8
- data/fixtures/rails_3_2_12/app/controllers/things_controller.rb +0 -1
- data/fixtures/rails_3_2_12/app/views/layouts/application.html.erb +1 -4
- data/fixtures/rails_3_2_12/app/views/other_things/index.html.erb +2 -1
- data/fixtures/rails_3_2_12/app/views/things/index.html.erb +1 -21
- data/fixtures/rails_3_2_12/config/application.rb +0 -54
- data/fixtures/rails_3_2_12/config/environments/test.rb +2 -2
- data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +3 -1
- data/fixtures/rails_3_2_12/config/routes.rb +0 -57
- data/fixtures/rails_3_2_12/config/script_hashes.yml +5 -0
- data/fixtures/rails_3_2_12/config.ru +3 -0
- data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +59 -16
- data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +11 -1
- data/fixtures/rails_3_2_12/spec/spec_helper.rb +1 -4
- data/fixtures/rails_3_2_12_no_init/Gemfile +0 -9
- data/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb +1 -2
- data/fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb +1 -1
- data/fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb +0 -2
- data/fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb +0 -21
- data/fixtures/rails_3_2_12_no_init/config/application.rb +0 -51
- data/fixtures/rails_3_2_12_no_init/config/environments/test.rb +2 -2
- data/fixtures/rails_3_2_12_no_init/config/routes.rb +0 -57
- data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +11 -1
- data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +10 -0
- data/fixtures/rails_3_2_12_no_init/spec/spec_helper.rb +3 -17
- data/fixtures/rails_4_1_8/Gemfile +5 -0
- data/fixtures/rails_4_1_8/README.rdoc +28 -0
- data/fixtures/rails_4_1_8/Rakefile +6 -0
- data/fixtures/rails_4_1_8/app/controllers/application_controller.rb +4 -0
- data/fixtures/rails_4_1_8/app/controllers/concerns/.keep +0 -0
- data/fixtures/rails_4_1_8/app/controllers/other_things_controller.rb +5 -0
- data/fixtures/rails_4_1_8/app/controllers/things_controller.rb +5 -0
- data/fixtures/rails_4_1_8/app/models/.keep +0 -0
- data/fixtures/rails_4_1_8/app/models/concerns/.keep +0 -0
- data/fixtures/rails_4_1_8/app/views/layouts/application.html.erb +11 -0
- data/fixtures/rails_4_1_8/app/views/other_things/index.html.erb +2 -0
- data/fixtures/rails_4_1_8/app/views/things/index.html.erb +1 -0
- data/fixtures/rails_4_1_8/config/application.rb +15 -0
- data/fixtures/rails_4_1_8/config/boot.rb +4 -0
- data/fixtures/rails_4_1_8/config/environment.rb +5 -0
- data/fixtures/rails_4_1_8/config/environments/test.rb +10 -0
- data/fixtures/rails_4_1_8/config/initializers/secure_headers.rb +17 -0
- data/fixtures/rails_4_1_8/config/routes.rb +4 -0
- data/fixtures/rails_4_1_8/config/script_hashes.yml +5 -0
- data/fixtures/rails_4_1_8/config/secrets.yml +22 -0
- data/fixtures/rails_4_1_8/config.ru +4 -0
- data/fixtures/rails_4_1_8/lib/assets/.keep +0 -0
- data/fixtures/rails_4_1_8/lib/tasks/.keep +0 -0
- data/fixtures/rails_4_1_8/log/.keep +0 -0
- data/fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb +83 -0
- data/fixtures/rails_4_1_8/spec/controllers/things_controller_spec.rb +59 -0
- data/fixtures/rails_4_1_8/spec/spec_helper.rb +15 -0
- data/fixtures/rails_4_1_8/vendor/assets/javascripts/.keep +0 -0
- data/fixtures/rails_4_1_8/vendor/assets/stylesheets/.keep +0 -0
- data/lib/secure_headers/hash_helper.rb +7 -0
- data/lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb +22 -0
- data/lib/secure_headers/headers/content_security_policy.rb +160 -124
- data/lib/secure_headers/headers/strict_transport_security.rb +2 -1
- data/lib/secure_headers/headers/x_download_options.rb +39 -0
- data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +40 -0
- data/lib/secure_headers/headers/x_xss_protection.rb +2 -1
- data/lib/secure_headers/padrino.rb +14 -0
- data/lib/secure_headers/railtie.rb +19 -24
- data/lib/secure_headers/version.rb +1 -1
- data/lib/secure_headers/view_helper.rb +68 -0
- data/lib/secure_headers.rb +65 -16
- data/lib/tasks/tasks.rake +48 -0
- data/secure_headers.gemspec +4 -4
- data/spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb +47 -0
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +119 -204
- data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +1 -0
- data/spec/lib/secure_headers/headers/x_download_options_spec.rb +32 -0
- data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb +64 -0
- data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +2 -1
- data/spec/lib/secure_headers_spec.rb +61 -66
- data/spec/spec_helper.rb +29 -17
- metadata +55 -47
- checksums.yaml +0 -15
- data/Guardfile +0 -6
- data/HISTORY.md +0 -131
- data/app/controllers/content_security_policy_controller.rb +0 -75
- data/config/curl-ca-bundle.crt +0 -5420
- data/config/routes.rb +0 -3
- data/fixtures/rails_3_2_12/Guardfile +0 -14
- data/fixtures/rails_3_2_12/app/models/thing.rb +0 -3
- data/fixtures/rails_3_2_12/config/database.yml +0 -25
- data/fixtures/rails_3_2_12/config/environments/development.rb +0 -37
- data/fixtures/rails_3_2_12/config/environments/production.rb +0 -67
- data/fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb +0 -7
- data/fixtures/rails_3_2_12/config/initializers/inflections.rb +0 -15
- data/fixtures/rails_3_2_12/config/initializers/mime_types.rb +0 -5
- data/fixtures/rails_3_2_12/config/initializers/secret_token.rb +0 -7
- data/fixtures/rails_3_2_12/config/initializers/session_store.rb +0 -8
- data/fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb +0 -14
- data/fixtures/rails_3_2_12/config/locales/en.yml +0 -5
- data/fixtures/rails_3_2_12/db/schema.rb +0 -16
- data/fixtures/rails_3_2_12/db/seeds.rb +0 -7
- data/fixtures/rails_3_2_12_no_init/Guardfile +0 -14
- data/fixtures/rails_3_2_12_no_init/app/models/thing.rb +0 -3
- data/fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb +0 -17
- data/fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb +0 -6
- data/fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb +0 -5
- data/fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb +0 -5
- data/fixtures/rails_3_2_12_no_init/config/database.yml +0 -25
- data/fixtures/rails_3_2_12_no_init/config/environments/development.rb +0 -37
- data/fixtures/rails_3_2_12_no_init/config/environments/production.rb +0 -67
- data/fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb +0 -7
- data/fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb +0 -15
- data/fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb +0 -5
- data/fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb +0 -7
- data/fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb +0 -8
- data/fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb +0 -14
- data/fixtures/rails_3_2_12_no_init/config/locales/en.yml +0 -5
- data/fixtures/rails_3_2_12_no_init/db/schema.rb +0 -16
- data/fixtures/rails_3_2_12_no_init/db/seeds.rb +0 -7
- data/spec/controllers/content_security_policy_controller_spec.rb +0 -90
|
@@ -18,35 +18,10 @@ describe SecureHeaders do
|
|
|
18
18
|
allow(subject).to receive(:request).and_return(request)
|
|
19
19
|
end
|
|
20
20
|
|
|
21
|
-
ALL_HEADERS = Hash[[:hsts, :csp, :x_frame_options, :x_content_type_options, :x_xss_protection].map{|header| [header, false]}]
|
|
22
|
-
USER_AGENTS = {
|
|
23
|
-
:firefox => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1',
|
|
24
|
-
:chrome => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5',
|
|
25
|
-
:ie => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)',
|
|
26
|
-
:opera => 'Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00',
|
|
27
|
-
:ios5 => "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3",
|
|
28
|
-
:ios6 => "Mozilla/5.0 (iPhone; CPU iPhone OS 614 like Mac OS X) AppleWebKit/536.26 (KHTML like Gecko) Version/6.0 Mobile/10B350 Safari/8536.25",
|
|
29
|
-
:safari5 => "Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3",
|
|
30
|
-
:safari5_1 => "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10",
|
|
31
|
-
:safari6 => "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/536.30.1 (KHTML like Gecko) Version/6.0.5 Safari/536.30.1"
|
|
32
|
-
}
|
|
33
|
-
|
|
34
|
-
def should_assign_header name, value
|
|
35
|
-
expect(response.headers).to receive(:[]=).with(name, value)
|
|
36
|
-
end
|
|
37
|
-
|
|
38
|
-
def should_not_assign_header name
|
|
39
|
-
expect(response.headers).not_to receive(:[]=).with(name, anything)
|
|
40
|
-
end
|
|
41
|
-
|
|
42
21
|
def stub_user_agent val
|
|
43
22
|
allow(request).to receive_message_chain(:env, :[]).and_return(val)
|
|
44
23
|
end
|
|
45
24
|
|
|
46
|
-
def options_for header
|
|
47
|
-
ALL_HEADERS.reject{|k,v| k == header}
|
|
48
|
-
end
|
|
49
|
-
|
|
50
25
|
def reset_config
|
|
51
26
|
::SecureHeaders::Configuration.configure do |config|
|
|
52
27
|
config.hsts = nil
|
|
@@ -54,6 +29,8 @@ describe SecureHeaders do
|
|
|
54
29
|
config.x_content_type_options = nil
|
|
55
30
|
config.x_xss_protection = nil
|
|
56
31
|
config.csp = nil
|
|
32
|
+
config.x_download_options = nil
|
|
33
|
+
config.x_permitted_cross_domain_policies = nil
|
|
57
34
|
end
|
|
58
35
|
end
|
|
59
36
|
|
|
@@ -63,14 +40,8 @@ describe SecureHeaders do
|
|
|
63
40
|
subject.set_x_frame_options_header
|
|
64
41
|
subject.set_x_content_type_options_header
|
|
65
42
|
subject.set_x_xss_protection_header
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
describe "#ensure_security_headers" do
|
|
69
|
-
it "sets a before filter" do
|
|
70
|
-
options = {}
|
|
71
|
-
expect(DummyClass).to receive(:before_filter).exactly(5).times
|
|
72
|
-
DummyClass.ensure_security_headers(options)
|
|
73
|
-
end
|
|
43
|
+
subject.set_x_download_options_header
|
|
44
|
+
subject.set_x_permitted_cross_domain_policies_header
|
|
74
45
|
end
|
|
75
46
|
|
|
76
47
|
describe "#set_header" do
|
|
@@ -86,19 +57,18 @@ describe SecureHeaders do
|
|
|
86
57
|
end
|
|
87
58
|
|
|
88
59
|
describe "#set_security_headers" do
|
|
89
|
-
before(:each) do
|
|
90
|
-
allow(SecureHeaders::ContentSecurityPolicy).to receive(:new).and_return(double.as_null_object)
|
|
91
|
-
end
|
|
92
60
|
USER_AGENTS.each do |name, useragent|
|
|
93
61
|
it "sets all default headers for #{name} (smoke test)" do
|
|
94
62
|
stub_user_agent(useragent)
|
|
95
|
-
number_of_headers =
|
|
63
|
+
number_of_headers = 7
|
|
96
64
|
expect(subject).to receive(:set_header).exactly(number_of_headers).times # a request for a given header
|
|
97
65
|
subject.set_csp_header
|
|
98
66
|
subject.set_x_frame_options_header
|
|
99
67
|
subject.set_hsts_header
|
|
100
68
|
subject.set_x_xss_protection_header
|
|
101
69
|
subject.set_x_content_type_options_header
|
|
70
|
+
subject.set_x_download_options_header
|
|
71
|
+
subject.set_x_permitted_cross_domain_policies_header
|
|
102
72
|
end
|
|
103
73
|
end
|
|
104
74
|
|
|
@@ -113,11 +83,21 @@ describe SecureHeaders do
|
|
|
113
83
|
subject.set_x_xss_protection_header(false)
|
|
114
84
|
end
|
|
115
85
|
|
|
86
|
+
it "does not set the X-Download-Options header if disabled" do
|
|
87
|
+
should_not_assign_header(XDO_HEADER_NAME)
|
|
88
|
+
subject.set_x_download_options_header(false)
|
|
89
|
+
end
|
|
90
|
+
|
|
116
91
|
it "does not set the X-Frame-Options header if disabled" do
|
|
117
92
|
should_not_assign_header(XFO_HEADER_NAME)
|
|
118
93
|
subject.set_x_frame_options_header(false)
|
|
119
94
|
end
|
|
120
95
|
|
|
96
|
+
it "does not set the X-Permitted-Cross-Domain-Policies header if disabled" do
|
|
97
|
+
should_not_assign_header(XPCDP_HEADER_NAME)
|
|
98
|
+
subject.set_x_permitted_cross_domain_policies_header(false)
|
|
99
|
+
end
|
|
100
|
+
|
|
121
101
|
it "does not set the HSTS header if disabled" do
|
|
122
102
|
should_not_assign_header(HSTS_HEADER_NAME)
|
|
123
103
|
subject.set_hsts_header(false)
|
|
@@ -131,8 +111,19 @@ describe SecureHeaders do
|
|
|
131
111
|
|
|
132
112
|
it "does not set the CSP header if disabled" do
|
|
133
113
|
stub_user_agent(USER_AGENTS[:chrome])
|
|
134
|
-
should_not_assign_header(
|
|
135
|
-
subject.set_csp_header(
|
|
114
|
+
should_not_assign_header(HEADER_NAME)
|
|
115
|
+
subject.set_csp_header(false)
|
|
116
|
+
end
|
|
117
|
+
|
|
118
|
+
it "saves the options to the env when using script hashes" do
|
|
119
|
+
opts = {
|
|
120
|
+
:default_src => 'self',
|
|
121
|
+
:script_hash_middleware => true
|
|
122
|
+
}
|
|
123
|
+
stub_user_agent(USER_AGENTS[:chrome])
|
|
124
|
+
|
|
125
|
+
expect(SecureHeaders::ContentSecurityPolicy).to receive(:add_to_env)
|
|
126
|
+
subject.set_csp_header(opts)
|
|
136
127
|
end
|
|
137
128
|
|
|
138
129
|
context "when disabled by configuration settings" do
|
|
@@ -143,6 +134,8 @@ describe SecureHeaders do
|
|
|
143
134
|
config.x_content_type_options = false
|
|
144
135
|
config.x_xss_protection = false
|
|
145
136
|
config.csp = false
|
|
137
|
+
config.x_download_options = false
|
|
138
|
+
config.x_permitted_cross_domain_policies = false
|
|
146
139
|
end
|
|
147
140
|
expect(subject).not_to receive(:set_header)
|
|
148
141
|
set_security_headers(subject)
|
|
@@ -163,6 +156,18 @@ describe SecureHeaders do
|
|
|
163
156
|
end
|
|
164
157
|
end
|
|
165
158
|
|
|
159
|
+
describe "#set_x_download_options_header" do
|
|
160
|
+
it "sets the X-Download-Options header" do
|
|
161
|
+
should_assign_header(XDO_HEADER_NAME, SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
|
|
162
|
+
subject.set_x_download_options_header
|
|
163
|
+
end
|
|
164
|
+
|
|
165
|
+
it "allows a custom X-Download-Options header" do
|
|
166
|
+
should_assign_header(XDO_HEADER_NAME, "noopen")
|
|
167
|
+
subject.set_x_download_options_header(:value => 'noopen')
|
|
168
|
+
end
|
|
169
|
+
end
|
|
170
|
+
|
|
166
171
|
describe "#set_strict_transport_security" do
|
|
167
172
|
it "sets the Strict-Transport-Security header" do
|
|
168
173
|
should_assign_header(HSTS_HEADER_NAME, SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
|
|
@@ -178,6 +183,11 @@ describe SecureHeaders do
|
|
|
178
183
|
should_assign_header(HSTS_HEADER_NAME, "max-age=#{HSTS_MAX_AGE}; includeSubdomains")
|
|
179
184
|
subject.set_hsts_header(:max_age => HSTS_MAX_AGE, :include_subdomains => true)
|
|
180
185
|
end
|
|
186
|
+
|
|
187
|
+
it "allows you to specify preload" do
|
|
188
|
+
should_assign_header(HSTS_HEADER_NAME, "max-age=#{HSTS_MAX_AGE}; includeSubdomains; preload")
|
|
189
|
+
subject.set_hsts_header(:max_age => HSTS_MAX_AGE, :include_subdomains => true, :preload => true)
|
|
190
|
+
end
|
|
181
191
|
end
|
|
182
192
|
|
|
183
193
|
describe "#set_x_xss_protection" do
|
|
@@ -221,7 +231,7 @@ describe SecureHeaders do
|
|
|
221
231
|
context "when using Firefox" do
|
|
222
232
|
it "sets CSP headers" do
|
|
223
233
|
stub_user_agent(USER_AGENTS[:firefox])
|
|
224
|
-
should_assign_header(
|
|
234
|
+
should_assign_header(HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
|
|
225
235
|
subject.set_csp_header
|
|
226
236
|
end
|
|
227
237
|
end
|
|
@@ -229,7 +239,7 @@ describe SecureHeaders do
|
|
|
229
239
|
context "when using Chrome" do
|
|
230
240
|
it "sets default CSP header" do
|
|
231
241
|
stub_user_agent(USER_AGENTS[:chrome])
|
|
232
|
-
should_assign_header(
|
|
242
|
+
should_assign_header(HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
|
|
233
243
|
subject.set_csp_header
|
|
234
244
|
end
|
|
235
245
|
end
|
|
@@ -237,36 +247,21 @@ describe SecureHeaders do
|
|
|
237
247
|
context "when using a browser besides chrome/firefox" do
|
|
238
248
|
it "sets the CSP header" do
|
|
239
249
|
stub_user_agent(USER_AGENTS[:opera])
|
|
240
|
-
should_assign_header(
|
|
250
|
+
should_assign_header(HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
|
|
241
251
|
subject.set_csp_header
|
|
242
252
|
end
|
|
243
253
|
end
|
|
254
|
+
end
|
|
244
255
|
|
|
245
|
-
|
|
246
|
-
|
|
247
|
-
|
|
248
|
-
|
|
249
|
-
|
|
250
|
-
:default_src => 'self',
|
|
251
|
-
:script_src => 'https://mycdn.example.com',
|
|
252
|
-
:experimental => {
|
|
253
|
-
:script_src => 'self',
|
|
254
|
-
}
|
|
255
|
-
}
|
|
256
|
-
end
|
|
257
|
-
|
|
258
|
-
it "does not set the header in enforce mode if experimental is supplied, but enforce is disabled" do
|
|
259
|
-
opts = @opts.merge(:enforce => false)
|
|
260
|
-
should_assign_header(STANDARD_HEADER_NAME + "-Report-Only", anything)
|
|
261
|
-
should_not_assign_header(STANDARD_HEADER_NAME)
|
|
262
|
-
subject.set_csp_header(opts)
|
|
263
|
-
end
|
|
256
|
+
describe "#set_x_permitted_cross_domain_policies_header" do
|
|
257
|
+
it "sets the X-Permitted-Cross-Domain-Policies header" do
|
|
258
|
+
should_assign_header(XPCDP_HEADER_NAME, SecureHeaders::XPermittedCrossDomainPolicies::Constants::DEFAULT_VALUE)
|
|
259
|
+
subject.set_x_permitted_cross_domain_policies_header
|
|
260
|
+
end
|
|
264
261
|
|
|
265
|
-
|
|
266
|
-
|
|
267
|
-
|
|
268
|
-
subject.set_csp_header(@opts)
|
|
269
|
-
end
|
|
262
|
+
it "allows a custom X-Permitted-Cross-Domain-Policies header" do
|
|
263
|
+
should_assign_header(XPCDP_HEADER_NAME, "master-only")
|
|
264
|
+
subject.set_x_permitted_cross_domain_policies_header(:value => 'master-only')
|
|
270
265
|
end
|
|
271
266
|
end
|
|
272
267
|
end
|
data/spec/spec_helper.rb
CHANGED
|
@@ -1,24 +1,36 @@
|
|
|
1
1
|
require 'rubygems'
|
|
2
|
-
require '
|
|
2
|
+
require 'rspec'
|
|
3
3
|
|
|
4
|
-
|
|
5
|
-
require 'simplecov'
|
|
6
|
-
SimpleCov.start do
|
|
7
|
-
add_filter "spec"
|
|
8
|
-
end
|
|
9
|
-
end
|
|
4
|
+
require File.join(File.dirname(__FILE__), '..', 'lib', 'secure_headers')
|
|
10
5
|
|
|
11
|
-
|
|
12
|
-
|
|
6
|
+
if defined?(Coveralls)
|
|
7
|
+
Coveralls.wear!
|
|
13
8
|
end
|
|
14
9
|
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
10
|
+
include ::SecureHeaders::StrictTransportSecurity::Constants
|
|
11
|
+
include ::SecureHeaders::ContentSecurityPolicy::Constants
|
|
12
|
+
include ::SecureHeaders::XFrameOptions::Constants
|
|
13
|
+
include ::SecureHeaders::XXssProtection::Constants
|
|
14
|
+
include ::SecureHeaders::XContentTypeOptions::Constants
|
|
15
|
+
include ::SecureHeaders::XDownloadOptions::Constants
|
|
16
|
+
include ::SecureHeaders::XPermittedCrossDomainPolicies::Constants
|
|
17
|
+
|
|
18
|
+
USER_AGENTS = {
|
|
19
|
+
:firefox => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1',
|
|
20
|
+
:chrome => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5',
|
|
21
|
+
:ie => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)',
|
|
22
|
+
:opera => 'Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00',
|
|
23
|
+
:ios5 => "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3",
|
|
24
|
+
:ios6 => "Mozilla/5.0 (iPhone; CPU iPhone OS 614 like Mac OS X) AppleWebKit/536.26 (KHTML like Gecko) Version/6.0 Mobile/10B350 Safari/8536.25",
|
|
25
|
+
:safari5 => "Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3",
|
|
26
|
+
:safari5_1 => "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10",
|
|
27
|
+
:safari6 => "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/536.30.1 (KHTML like Gecko) Version/6.0.5 Safari/536.30.1"
|
|
28
|
+
}
|
|
29
|
+
|
|
30
|
+
def should_assign_header name, value
|
|
31
|
+
expect(response.headers).to receive(:[]=).with(name, value)
|
|
23
32
|
end
|
|
24
33
|
|
|
34
|
+
def should_not_assign_header name
|
|
35
|
+
expect(response.headers).not_to receive(:[]=).with(name, anything)
|
|
36
|
+
end
|
metadata
CHANGED
|
@@ -1,18 +1,20 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version:
|
|
4
|
+
version: 2.0.2
|
|
5
|
+
prerelease:
|
|
5
6
|
platform: ruby
|
|
6
7
|
authors:
|
|
7
8
|
- Neil Matatall
|
|
8
9
|
autorequire:
|
|
9
10
|
bindir: bin
|
|
10
11
|
cert_chain: []
|
|
11
|
-
date:
|
|
12
|
+
date: 2015-05-05 00:00:00.000000000 Z
|
|
12
13
|
dependencies:
|
|
13
14
|
- !ruby/object:Gem::Dependency
|
|
14
15
|
name: rake
|
|
15
16
|
requirement: !ruby/object:Gem::Requirement
|
|
17
|
+
none: false
|
|
16
18
|
requirements:
|
|
17
19
|
- - ! '>='
|
|
18
20
|
- !ruby/object:Gem::Version
|
|
@@ -20,11 +22,12 @@ dependencies:
|
|
|
20
22
|
type: :development
|
|
21
23
|
prerelease: false
|
|
22
24
|
version_requirements: !ruby/object:Gem::Requirement
|
|
25
|
+
none: false
|
|
23
26
|
requirements:
|
|
24
27
|
- - ! '>='
|
|
25
28
|
- !ruby/object:Gem::Version
|
|
26
29
|
version: '0'
|
|
27
|
-
description:
|
|
30
|
+
description: Security related headers all in one gem.
|
|
28
31
|
email:
|
|
29
32
|
- neil.matatall@gmail.com
|
|
30
33
|
executables: []
|
|
@@ -36,46 +39,28 @@ files:
|
|
|
36
39
|
- .ruby-version
|
|
37
40
|
- .travis.yml
|
|
38
41
|
- Gemfile
|
|
39
|
-
- Guardfile
|
|
40
|
-
- HISTORY.md
|
|
41
42
|
- LICENSE
|
|
42
43
|
- README.md
|
|
43
44
|
- Rakefile
|
|
44
|
-
- app/controllers/content_security_policy_controller.rb
|
|
45
|
-
- config/curl-ca-bundle.crt
|
|
46
|
-
- config/routes.rb
|
|
47
45
|
- fixtures/rails_3_2_12/.rspec
|
|
48
46
|
- fixtures/rails_3_2_12/Gemfile
|
|
49
|
-
- fixtures/rails_3_2_12/Guardfile
|
|
50
47
|
- fixtures/rails_3_2_12/README.rdoc
|
|
51
48
|
- fixtures/rails_3_2_12/Rakefile
|
|
52
49
|
- fixtures/rails_3_2_12/app/controllers/application_controller.rb
|
|
53
50
|
- fixtures/rails_3_2_12/app/controllers/other_things_controller.rb
|
|
54
51
|
- fixtures/rails_3_2_12/app/controllers/things_controller.rb
|
|
55
52
|
- fixtures/rails_3_2_12/app/models/.gitkeep
|
|
56
|
-
- fixtures/rails_3_2_12/app/models/thing.rb
|
|
57
53
|
- fixtures/rails_3_2_12/app/views/layouts/application.html.erb
|
|
58
54
|
- fixtures/rails_3_2_12/app/views/other_things/index.html.erb
|
|
59
55
|
- fixtures/rails_3_2_12/app/views/things/index.html.erb
|
|
60
56
|
- fixtures/rails_3_2_12/config.ru
|
|
61
57
|
- fixtures/rails_3_2_12/config/application.rb
|
|
62
58
|
- fixtures/rails_3_2_12/config/boot.rb
|
|
63
|
-
- fixtures/rails_3_2_12/config/database.yml
|
|
64
59
|
- fixtures/rails_3_2_12/config/environment.rb
|
|
65
|
-
- fixtures/rails_3_2_12/config/environments/development.rb
|
|
66
|
-
- fixtures/rails_3_2_12/config/environments/production.rb
|
|
67
60
|
- fixtures/rails_3_2_12/config/environments/test.rb
|
|
68
|
-
- fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb
|
|
69
|
-
- fixtures/rails_3_2_12/config/initializers/inflections.rb
|
|
70
|
-
- fixtures/rails_3_2_12/config/initializers/mime_types.rb
|
|
71
|
-
- fixtures/rails_3_2_12/config/initializers/secret_token.rb
|
|
72
61
|
- fixtures/rails_3_2_12/config/initializers/secure_headers.rb
|
|
73
|
-
- fixtures/rails_3_2_12/config/initializers/session_store.rb
|
|
74
|
-
- fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb
|
|
75
|
-
- fixtures/rails_3_2_12/config/locales/en.yml
|
|
76
62
|
- fixtures/rails_3_2_12/config/routes.rb
|
|
77
|
-
- fixtures/rails_3_2_12/
|
|
78
|
-
- fixtures/rails_3_2_12/db/seeds.rb
|
|
63
|
+
- fixtures/rails_3_2_12/config/script_hashes.yml
|
|
79
64
|
- fixtures/rails_3_2_12/lib/assets/.gitkeep
|
|
80
65
|
- fixtures/rails_3_2_12/lib/tasks/.gitkeep
|
|
81
66
|
- fixtures/rails_3_2_12/log/.gitkeep
|
|
@@ -87,39 +72,21 @@ files:
|
|
|
87
72
|
- fixtures/rails_3_2_12/vendor/plugins/.gitkeep
|
|
88
73
|
- fixtures/rails_3_2_12_no_init/.rspec
|
|
89
74
|
- fixtures/rails_3_2_12_no_init/Gemfile
|
|
90
|
-
- fixtures/rails_3_2_12_no_init/Guardfile
|
|
91
75
|
- fixtures/rails_3_2_12_no_init/README.rdoc
|
|
92
76
|
- fixtures/rails_3_2_12_no_init/Rakefile
|
|
93
77
|
- fixtures/rails_3_2_12_no_init/app/controllers/application_controller.rb
|
|
94
78
|
- fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb
|
|
95
79
|
- fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb
|
|
96
80
|
- fixtures/rails_3_2_12_no_init/app/models/.gitkeep
|
|
97
|
-
- fixtures/rails_3_2_12_no_init/app/models/thing.rb
|
|
98
81
|
- fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb
|
|
99
82
|
- fixtures/rails_3_2_12_no_init/app/views/other_things/index.html.erb
|
|
100
|
-
- fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb
|
|
101
|
-
- fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb
|
|
102
83
|
- fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb
|
|
103
|
-
- fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb
|
|
104
|
-
- fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb
|
|
105
84
|
- fixtures/rails_3_2_12_no_init/config.ru
|
|
106
85
|
- fixtures/rails_3_2_12_no_init/config/application.rb
|
|
107
86
|
- fixtures/rails_3_2_12_no_init/config/boot.rb
|
|
108
|
-
- fixtures/rails_3_2_12_no_init/config/database.yml
|
|
109
87
|
- fixtures/rails_3_2_12_no_init/config/environment.rb
|
|
110
|
-
- fixtures/rails_3_2_12_no_init/config/environments/development.rb
|
|
111
|
-
- fixtures/rails_3_2_12_no_init/config/environments/production.rb
|
|
112
88
|
- fixtures/rails_3_2_12_no_init/config/environments/test.rb
|
|
113
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb
|
|
114
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb
|
|
115
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb
|
|
116
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb
|
|
117
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb
|
|
118
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb
|
|
119
|
-
- fixtures/rails_3_2_12_no_init/config/locales/en.yml
|
|
120
89
|
- fixtures/rails_3_2_12_no_init/config/routes.rb
|
|
121
|
-
- fixtures/rails_3_2_12_no_init/db/schema.rb
|
|
122
|
-
- fixtures/rails_3_2_12_no_init/db/seeds.rb
|
|
123
90
|
- fixtures/rails_3_2_12_no_init/lib/assets/.gitkeep
|
|
124
91
|
- fixtures/rails_3_2_12_no_init/lib/tasks/.gitkeep
|
|
125
92
|
- fixtures/rails_3_2_12_no_init/log/.gitkeep
|
|
@@ -129,21 +96,59 @@ files:
|
|
|
129
96
|
- fixtures/rails_3_2_12_no_init/vendor/assets/javascripts/.gitkeep
|
|
130
97
|
- fixtures/rails_3_2_12_no_init/vendor/assets/stylesheets/.gitkeep
|
|
131
98
|
- fixtures/rails_3_2_12_no_init/vendor/plugins/.gitkeep
|
|
99
|
+
- fixtures/rails_4_1_8/Gemfile
|
|
100
|
+
- fixtures/rails_4_1_8/README.rdoc
|
|
101
|
+
- fixtures/rails_4_1_8/Rakefile
|
|
102
|
+
- fixtures/rails_4_1_8/app/controllers/application_controller.rb
|
|
103
|
+
- fixtures/rails_4_1_8/app/controllers/concerns/.keep
|
|
104
|
+
- fixtures/rails_4_1_8/app/controllers/other_things_controller.rb
|
|
105
|
+
- fixtures/rails_4_1_8/app/controllers/things_controller.rb
|
|
106
|
+
- fixtures/rails_4_1_8/app/models/.keep
|
|
107
|
+
- fixtures/rails_4_1_8/app/models/concerns/.keep
|
|
108
|
+
- fixtures/rails_4_1_8/app/views/layouts/application.html.erb
|
|
109
|
+
- fixtures/rails_4_1_8/app/views/other_things/index.html.erb
|
|
110
|
+
- fixtures/rails_4_1_8/app/views/things/index.html.erb
|
|
111
|
+
- fixtures/rails_4_1_8/config.ru
|
|
112
|
+
- fixtures/rails_4_1_8/config/application.rb
|
|
113
|
+
- fixtures/rails_4_1_8/config/boot.rb
|
|
114
|
+
- fixtures/rails_4_1_8/config/environment.rb
|
|
115
|
+
- fixtures/rails_4_1_8/config/environments/test.rb
|
|
116
|
+
- fixtures/rails_4_1_8/config/initializers/secure_headers.rb
|
|
117
|
+
- fixtures/rails_4_1_8/config/routes.rb
|
|
118
|
+
- fixtures/rails_4_1_8/config/script_hashes.yml
|
|
119
|
+
- fixtures/rails_4_1_8/config/secrets.yml
|
|
120
|
+
- fixtures/rails_4_1_8/lib/assets/.keep
|
|
121
|
+
- fixtures/rails_4_1_8/lib/tasks/.keep
|
|
122
|
+
- fixtures/rails_4_1_8/log/.keep
|
|
123
|
+
- fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb
|
|
124
|
+
- fixtures/rails_4_1_8/spec/controllers/things_controller_spec.rb
|
|
125
|
+
- fixtures/rails_4_1_8/spec/spec_helper.rb
|
|
126
|
+
- fixtures/rails_4_1_8/vendor/assets/javascripts/.keep
|
|
127
|
+
- fixtures/rails_4_1_8/vendor/assets/stylesheets/.keep
|
|
132
128
|
- lib/secure_headers.rb
|
|
129
|
+
- lib/secure_headers/hash_helper.rb
|
|
133
130
|
- lib/secure_headers/header.rb
|
|
134
131
|
- lib/secure_headers/headers/content_security_policy.rb
|
|
132
|
+
- lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb
|
|
135
133
|
- lib/secure_headers/headers/strict_transport_security.rb
|
|
136
134
|
- lib/secure_headers/headers/x_content_type_options.rb
|
|
135
|
+
- lib/secure_headers/headers/x_download_options.rb
|
|
137
136
|
- lib/secure_headers/headers/x_frame_options.rb
|
|
137
|
+
- lib/secure_headers/headers/x_permitted_cross_domain_policies.rb
|
|
138
138
|
- lib/secure_headers/headers/x_xss_protection.rb
|
|
139
|
+
- lib/secure_headers/padrino.rb
|
|
139
140
|
- lib/secure_headers/railtie.rb
|
|
140
141
|
- lib/secure_headers/version.rb
|
|
142
|
+
- lib/secure_headers/view_helper.rb
|
|
143
|
+
- lib/tasks/tasks.rake
|
|
141
144
|
- secure_headers.gemspec
|
|
142
|
-
- spec/
|
|
145
|
+
- spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb
|
|
143
146
|
- spec/lib/secure_headers/headers/content_security_policy_spec.rb
|
|
144
147
|
- spec/lib/secure_headers/headers/strict_transport_security_spec.rb
|
|
145
148
|
- spec/lib/secure_headers/headers/x_content_type_options_spec.rb
|
|
149
|
+
- spec/lib/secure_headers/headers/x_download_options_spec.rb
|
|
146
150
|
- spec/lib/secure_headers/headers/x_frame_options_spec.rb
|
|
151
|
+
- spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
|
|
147
152
|
- spec/lib/secure_headers/headers/x_xss_protection_spec.rb
|
|
148
153
|
- spec/lib/secure_headers_spec.rb
|
|
149
154
|
- spec/spec_helper.rb
|
|
@@ -151,34 +156,37 @@ files:
|
|
|
151
156
|
homepage: https://github.com/twitter/secureheaders
|
|
152
157
|
licenses:
|
|
153
158
|
- Apache Public License 2.0
|
|
154
|
-
metadata: {}
|
|
155
159
|
post_install_message:
|
|
156
160
|
rdoc_options: []
|
|
157
161
|
require_paths:
|
|
158
162
|
- lib
|
|
159
163
|
required_ruby_version: !ruby/object:Gem::Requirement
|
|
164
|
+
none: false
|
|
160
165
|
requirements:
|
|
161
166
|
- - ! '>='
|
|
162
167
|
- !ruby/object:Gem::Version
|
|
163
168
|
version: '0'
|
|
164
169
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
170
|
+
none: false
|
|
165
171
|
requirements:
|
|
166
172
|
- - ! '>='
|
|
167
173
|
- !ruby/object:Gem::Version
|
|
168
174
|
version: '0'
|
|
169
175
|
requirements: []
|
|
170
176
|
rubyforge_project:
|
|
171
|
-
rubygems_version:
|
|
177
|
+
rubygems_version: 1.8.23
|
|
172
178
|
signing_key:
|
|
173
|
-
specification_version:
|
|
174
|
-
summary: Add easily configured
|
|
175
|
-
|
|
179
|
+
specification_version: 3
|
|
180
|
+
summary: Add easily configured security headers to responses including content-security-policy,
|
|
181
|
+
x-frame-options, strict-transport-security, etc.
|
|
176
182
|
test_files:
|
|
177
|
-
- spec/
|
|
183
|
+
- spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb
|
|
178
184
|
- spec/lib/secure_headers/headers/content_security_policy_spec.rb
|
|
179
185
|
- spec/lib/secure_headers/headers/strict_transport_security_spec.rb
|
|
180
186
|
- spec/lib/secure_headers/headers/x_content_type_options_spec.rb
|
|
187
|
+
- spec/lib/secure_headers/headers/x_download_options_spec.rb
|
|
181
188
|
- spec/lib/secure_headers/headers/x_frame_options_spec.rb
|
|
189
|
+
- spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
|
|
182
190
|
- spec/lib/secure_headers/headers/x_xss_protection_spec.rb
|
|
183
191
|
- spec/lib/secure_headers_spec.rb
|
|
184
192
|
- spec/spec_helper.rb
|
checksums.yaml
DELETED
|
@@ -1,15 +0,0 @@
|
|
|
1
|
-
---
|
|
2
|
-
!binary "U0hBMQ==":
|
|
3
|
-
metadata.gz: !binary |-
|
|
4
|
-
ZDFmNDM2NjIwYzU4MjcyYWU0ODkwMjkxMjM0MDMwYTAyNjY3YWM2ZA==
|
|
5
|
-
data.tar.gz: !binary |-
|
|
6
|
-
N2VjN2M3MGMyY2Y5ODliOTVmZTIxZDgwOTdjYTM1NTg3MDZiMjdjNw==
|
|
7
|
-
SHA512:
|
|
8
|
-
metadata.gz: !binary |-
|
|
9
|
-
MTRiN2Y5NDFhYTE3ZmM2MjE4MThmMDQ3OTZmOWVhMWM5OTgxOThlNzFiOGNm
|
|
10
|
-
MzQ2ZmFiMjUyZjdmNWU4MWQwZTY3Yjc4YmM4NzVjMWNhZWE0YzI3YjlmMjcy
|
|
11
|
-
MDk3YmNiZmI3NGNmMzFmMDkxNjEyOTFkMmE5YjNlNjJlMDBkYWY=
|
|
12
|
-
data.tar.gz: !binary |-
|
|
13
|
-
NzRhM2Y5NTk0OTZhMmRlYjk0ZThkYTM3ZTQxYzc3Mjk3ZTY2MjQ4MjUwN2Rm
|
|
14
|
-
YzUwMGY4ZTdlY2Q2M2M4NDgyODQ1MTc2ZWM3ZmEyOWU5NWIwNWExMjBlMDBi
|
|
15
|
-
YWNlYjllMmZmN2M4MTU0NWE3NjIwOGNjMmQ5ODBlYzE4NzM1Njk=
|
data/Guardfile
DELETED
data/HISTORY.md
DELETED
|
@@ -1,131 +0,0 @@
|
|
|
1
|
-
1.2.0
|
|
2
|
-
======
|
|
3
|
-
|
|
4
|
-
Add support for procs (anything that respond_to?(:call)) as config values.
|
|
5
|
-
|
|
6
|
-
csp = {
|
|
7
|
-
:default_src => 'self',
|
|
8
|
-
:report_uri => lambda {
|
|
9
|
-
if FeatureToggle.available?(:new_csp_endpoint)
|
|
10
|
-
'//example.com/new_csp'
|
|
11
|
-
else
|
|
12
|
-
'//example.com/old_csp'
|
|
13
|
-
end
|
|
14
|
-
}
|
|
15
|
-
}
|
|
16
|
-
|
|
17
|
-
1.1.1
|
|
18
|
-
======
|
|
19
|
-
|
|
20
|
-
Bug fix release.
|
|
21
|
-
- Parsing of CSP reports was busted.
|
|
22
|
-
- Forwarded reports did not include the original referer, ip, UA
|
|
23
|
-
|
|
24
|
-
1.1.0
|
|
25
|
-
======
|
|
26
|
-
|
|
27
|
-
- Remove brwsr dependency (no more runtime dependencies)
|
|
28
|
-
- Stop serving X- prefixed CSP headers
|
|
29
|
-
|
|
30
|
-
This change means that all requests get all headers, even if the browser doesn't grok it.
|
|
31
|
-
|
|
32
|
-
1.0.0
|
|
33
|
-
======
|
|
34
|
-
|
|
35
|
-
Features:
|
|
36
|
-
|
|
37
|
-
- Use non-prefixed header names for Firefox >= 23, Chrome >= 25
|
|
38
|
-
- Use csp 1.0 compliant header for firefox >= 23
|
|
39
|
-
|
|
40
|
-
Bug Fix:
|
|
41
|
-
|
|
42
|
-
- Stop sending CSP on safari 5.1+
|
|
43
|
-
|
|
44
|
-
0.5.0
|
|
45
|
-
======
|
|
46
|
-
|
|
47
|
-
- X-Content-Type-Options also applied to Chrome requests
|
|
48
|
-
|
|
49
|
-
0.4.3
|
|
50
|
-
======
|
|
51
|
-
|
|
52
|
-
- Safari 5 is just completely broken when CSP is used, both mobile and desktop versions
|
|
53
|
-
|
|
54
|
-
0.4.2
|
|
55
|
-
======
|
|
56
|
-
|
|
57
|
-
- Stupid bug where Fixnums couldn't be used for config values
|
|
58
|
-
- Doc updates
|
|
59
|
-
|
|
60
|
-
0.4.1
|
|
61
|
-
======
|
|
62
|
-
|
|
63
|
-
- Allow strings or ints in the HSTS max-age (@reedloden)
|
|
64
|
-
|
|
65
|
-
0.4.0
|
|
66
|
-
=======
|
|
67
|
-
|
|
68
|
-
- Treat each header as it's own before_filter. This allows you to `skip_before_filter :set_X_header, :only => :bad_idea
|
|
69
|
-
- Should be backwards compatible, but it is a change to the API.
|
|
70
|
-
|
|
71
|
-
0.3.0
|
|
72
|
-
=======
|
|
73
|
-
|
|
74
|
-
- Greatly reduce the need to use the forward_endpoint attribute. If you are posting from your site to a host that matches TLD+1 (e.g. translate.twitter.com matches twitter.com), use a protocol relative value for report-uri. This will alleviate the need to use forwarding. If your host doesn't match, you still need to use forwarding due to host mismatches for Firefox.
|
|
75
|
-
|
|
76
|
-
0.2.3
|
|
77
|
-
=======
|
|
78
|
-
|
|
79
|
-
- Fix error in report-uri logic for Firefox forwarding.
|
|
80
|
-
|
|
81
|
-
0.2.2
|
|
82
|
-
=======
|
|
83
|
-
|
|
84
|
-
- Stop applying chrome-extension: to Firefox directives.
|
|
85
|
-
|
|
86
|
-
0.2.1
|
|
87
|
-
=======
|
|
88
|
-
|
|
89
|
-
- Firefox headers will now stop overriding report_uri when only a path is supplied
|
|
90
|
-
|
|
91
|
-
0.2.0
|
|
92
|
-
=======
|
|
93
|
-
|
|
94
|
-
- 0.1.0 introduced a serious regression in which child controllers overwrote parent controller config values
|
|
95
|
-
- Decoupling of CSP headers and the request object. Allows you to generate static values to save cycles:
|
|
96
|
-
|
|
97
|
-
```ruby
|
|
98
|
-
FIREFOX = SecureHeaders::ContentSecurityPolicy.new(config, :ua => "Firefox", :ssl => true).value
|
|
99
|
-
CHROME = SecureHeaders::ContentSecurityPolicy.new(config, :ua => "Chrome", :ssl => true).value
|
|
100
|
-
```
|
|
101
|
-
- :forward_endpoint now acts as the endpoint that reports are forwarded to (when using the internal forwarder feature for cross-host reporting)
|
|
102
|
-
- Skeleton applications have been added to test isolated application configurations
|
|
103
|
-
- Cleanup by @bemurphy
|
|
104
|
-
|
|
105
|
-
0.1.1
|
|
106
|
-
=======
|
|
107
|
-
|
|
108
|
-
Bug fix. Firefox doesn't seem to like the default-src directive, reverting back to 'allow'
|
|
109
|
-
|
|
110
|
-
0.1.0
|
|
111
|
-
=======
|
|
112
|
-
|
|
113
|
-
Notes:
|
|
114
|
-
------
|
|
115
|
-
|
|
116
|
-
- Gem is renamed to secure_headers. This will make bundler happy. https://github.com/twitter/secureheaders/pull/26
|
|
117
|
-
|
|
118
|
-
Features:
|
|
119
|
-
------
|
|
120
|
-
|
|
121
|
-
- ability to apply two headers, one in enforce mode, one in "experimental" mode https://github.com/twitter/secureheaders/pull/11
|
|
122
|
-
- Rails 3.0 support https://github.com/twitter/secureheaders/pull/28
|
|
123
|
-
|
|
124
|
-
Bug fixes, misc:
|
|
125
|
-
------
|
|
126
|
-
|
|
127
|
-
- Fix issue where settings in application_controller were ignored if no intializer was supplied https://github.com/twitter/secureheaders/pull/25
|
|
128
|
-
- Better support for other frameworks, including docs from @achui, @bmaland
|
|
129
|
-
- Rails 4 routes support from @jviney https://github.com/twitter/secureheaders/pull/13
|
|
130
|
-
- data: automatically whitelisted for img-src
|
|
131
|
-
- Doc updates from @ming13, @theverything, @dcollazo
|