secure_headers 1.3.0 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (69) hide show
  1. data/.travis.yml +0 -3
  2. data/Gemfile +2 -3
  3. data/HISTORY.md +35 -0
  4. data/README.md +19 -1
  5. data/app/controllers/content_security_policy_controller.rb +1 -0
  6. data/fixtures/rails_3_2_12/Gemfile +0 -6
  7. data/fixtures/rails_3_2_12/app/controllers/things_controller.rb +0 -1
  8. data/fixtures/rails_3_2_12/app/views/layouts/application.html.erb +0 -3
  9. data/fixtures/rails_3_2_12/app/views/things/index.html.erb +1 -21
  10. data/fixtures/rails_3_2_12/config/application.rb +0 -54
  11. data/fixtures/rails_3_2_12/config/environments/test.rb +2 -2
  12. data/fixtures/rails_3_2_12/config/routes.rb +0 -57
  13. data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +5 -0
  14. data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +5 -0
  15. data/fixtures/rails_3_2_12_no_init/Gemfile +0 -7
  16. data/fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb +1 -1
  17. data/fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb +0 -2
  18. data/fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb +0 -21
  19. data/fixtures/rails_3_2_12_no_init/config/application.rb +0 -51
  20. data/fixtures/rails_3_2_12_no_init/config/environments/test.rb +2 -2
  21. data/fixtures/rails_3_2_12_no_init/config/routes.rb +0 -57
  22. data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +5 -0
  23. data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +5 -0
  24. data/lib/secure_headers/headers/content_security_policy.rb +19 -5
  25. data/lib/secure_headers/headers/strict_transport_security.rb +2 -1
  26. data/lib/secure_headers/headers/x_download_options.rb +39 -0
  27. data/lib/secure_headers/headers/x_xss_protection.rb +2 -1
  28. data/lib/secure_headers/railtie.rb +6 -2
  29. data/lib/secure_headers/version.rb +1 -1
  30. data/lib/secure_headers.rb +9 -2
  31. data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +12 -0
  32. data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +1 -0
  33. data/spec/lib/secure_headers/headers/x_download_options_spec.rb +32 -0
  34. data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +2 -1
  35. data/spec/lib/secure_headers_spec.rb +28 -2
  36. data/spec/spec_helper.rb +1 -0
  37. metadata +12 -36
  38. checksums.yaml +0 -15
  39. data/Guardfile +0 -6
  40. data/fixtures/rails_3_2_12/app/models/thing.rb +0 -3
  41. data/fixtures/rails_3_2_12/config/database.yml +0 -25
  42. data/fixtures/rails_3_2_12/config/environments/development.rb +0 -37
  43. data/fixtures/rails_3_2_12/config/environments/production.rb +0 -67
  44. data/fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb +0 -7
  45. data/fixtures/rails_3_2_12/config/initializers/inflections.rb +0 -15
  46. data/fixtures/rails_3_2_12/config/initializers/mime_types.rb +0 -5
  47. data/fixtures/rails_3_2_12/config/initializers/secret_token.rb +0 -7
  48. data/fixtures/rails_3_2_12/config/initializers/session_store.rb +0 -8
  49. data/fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb +0 -14
  50. data/fixtures/rails_3_2_12/config/locales/en.yml +0 -5
  51. data/fixtures/rails_3_2_12/db/schema.rb +0 -16
  52. data/fixtures/rails_3_2_12/db/seeds.rb +0 -7
  53. data/fixtures/rails_3_2_12_no_init/app/models/thing.rb +0 -3
  54. data/fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb +0 -17
  55. data/fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb +0 -6
  56. data/fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb +0 -5
  57. data/fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb +0 -5
  58. data/fixtures/rails_3_2_12_no_init/config/database.yml +0 -25
  59. data/fixtures/rails_3_2_12_no_init/config/environments/development.rb +0 -37
  60. data/fixtures/rails_3_2_12_no_init/config/environments/production.rb +0 -67
  61. data/fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb +0 -7
  62. data/fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb +0 -15
  63. data/fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb +0 -5
  64. data/fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb +0 -7
  65. data/fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb +0 -8
  66. data/fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb +0 -14
  67. data/fixtures/rails_3_2_12_no_init/config/locales/en.yml +0 -5
  68. data/fixtures/rails_3_2_12_no_init/db/schema.rb +0 -16
  69. data/fixtures/rails_3_2_12_no_init/db/seeds.rb +0 -7
data/.travis.yml CHANGED
@@ -3,6 +3,3 @@ rvm:
3
3
  - "2.0.0"
4
4
  - "1.9.3"
5
5
  - "1.8.7"
6
- # - jruby-19mode
7
- # - jruby-18mode
8
- #script: ./travis.sh
data/Gemfile CHANGED
@@ -6,9 +6,8 @@ group :test do
6
6
  gem 'rails', '3.2.12'
7
7
  gem 'sqlite3', :platform => [:ruby, :mswin, :mingw]
8
8
  gem 'jdbc-sqlite3', :platform => :jruby
9
- gem 'rspec-rails'
10
- gem 'rspec'
11
- gem 'guard-rspec', :platform => :ruby_19
9
+ gem 'rspec-rails', '>= 3.1'
10
+ gem 'rspec', '>= 3.1'
12
11
  gem 'growl'
13
12
  gem 'rb-fsevent'
14
13
  gem 'debugger', :platform => :ruby_19
data/HISTORY.md CHANGED
@@ -1,3 +1,38 @@
1
+ 1.3.4
2
+ ======
3
+
4
+ * Adds X-Download-Options support
5
+ * Adds support for X-XSS-Protection reporting
6
+ * Defers loading of rails engine for faster boot times
7
+
8
+ 1.3.3
9
+ ======
10
+
11
+ @agl just made a new option for HSTS representing confirmation that a site wants to be included in a browser's preload list (https://hstspreload.appspot.com).
12
+
13
+ This just adds a new 'preload' option to the HSTS settings to specify that option.
14
+
15
+ 1.3.2
16
+ ======
17
+
18
+ Adds the ability to "tag" requests and a new config value: :app_name
19
+
20
+ {
21
+ :tag_report_uri => true,
22
+ :enforce => true,
23
+ :app_name => 'twitter',
24
+ :report_uri => 'csp_reports'
25
+ }
26
+
27
+ Results in
28
+ report-uri csp_reports?enforce=true&app_name=twitter
29
+
30
+
31
+ 1.3.1
32
+ ======
33
+
34
+ Bugfix release: same-origin detection would error out when the URL containined invalid values (like |)
35
+
1
36
  1.3.0
2
37
  ======
3
38
 
data/README.md CHANGED
@@ -197,6 +197,24 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
197
197
  "default-src 'self'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com;"
198
198
  ```
199
199
 
200
+ ### Tagging Requests
201
+
202
+ It's often valuable to send extra information in the report uri that is not available in the reports themselves. Namely, "was the policy enforced" and "where did the report come from"
203
+
204
+ ```ruby
205
+ {
206
+ :tag_report_uri => true,
207
+ :enforce => true,
208
+ :app_name => 'twitter',
209
+ :report_uri => 'csp_reports'
210
+ }
211
+ ```
212
+
213
+ Results in
214
+ ```
215
+ report-uri csp_reports?enforce=true&app_name=twitter
216
+ ```
217
+
200
218
  ### CSP Level 2 features
201
219
 
202
220
  script/style-nonce can be used to whitelist inline content. To do this, add "nonce" to your script/style-src configuration, then set the nonce attributes on the various tags.
@@ -350,6 +368,6 @@ end
350
368
 
351
369
  ## License
352
370
 
353
- Copyright 2013 Twitter, Inc.
371
+ Copyright 2013-2014 Twitter, Inc and other contributors.
354
372
 
355
373
  Licensed under the Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
@@ -5,6 +5,7 @@ class ContentSecurityPolicyController < ActionController::Base
5
5
  CA_FILE = File.expand_path(File.join('..','..', '..', 'config', 'curl-ca-bundle.crt'), __FILE__)
6
6
 
7
7
  def scribe
8
+ warn "[DEPRECATION] ContentSecurityPolicyController is removed in 2.0"
8
9
  csp = ::SecureHeaders::Configuration.csp || {}
9
10
 
10
11
  forward_endpoint = csp[:forward_endpoint]
@@ -1,12 +1,6 @@
1
1
  source 'https://rubygems.org'
2
2
 
3
3
  gem 'rails', '3.2.12'
4
- gem 'sqlite3'
5
4
  gem 'rspec-rails', '>= 2.0.0'
6
5
  gem 'secure_headers', :path => '../..'
7
- gem 'debugger', :platform => :ruby_19
8
- gem 'ruby-debug', :platform => :ruby_18
9
- gem 'guard-rspec'
10
- gem 'rb-fsevent'
11
- gem 'growl'
12
6
 
@@ -1,6 +1,5 @@
1
1
  class ThingsController < ApplicationController
2
2
  ensure_security_headers :csp => false
3
3
  def index
4
- ######## : ) <- Marge Simpson?
5
4
  end
6
5
  end
@@ -2,9 +2,6 @@
2
2
  <html>
3
3
  <head>
4
4
  <title>Rails3212</title>
5
- <%= stylesheet_link_tag "application", :media => "all" %>
6
- <%= javascript_include_tag "application" %>
7
- <%= csrf_meta_tags %>
8
5
  </head>
9
6
  <body>
10
7
 
@@ -1,21 +1 @@
1
- <h1>Listing things</h1>
2
-
3
- <table>
4
- <tr>
5
- <th></th>
6
- <th></th>
7
- <th></th>
8
- </tr>
9
-
10
- <% @things.each do |thing| %>
11
- <tr>
12
- <td><%= link_to 'Show', thing %></td>
13
- <td><%= link_to 'Edit', edit_thing_path(thing) %></td>
14
- <td><%= link_to 'Destroy', thing, method: :delete, data: { confirm: 'Are you sure?' } %></td>
15
- </tr>
16
- <% end %>
17
- </table>
18
-
19
- <br />
20
-
21
- <%= link_to 'New Thing', new_thing_path %>
1
+ things
@@ -1,68 +1,14 @@
1
1
  require File.expand_path('../boot', __FILE__)
2
2
 
3
- # Pick the frameworks you want:
4
- require "active_record/railtie"
5
3
  require "action_controller/railtie"
6
- require "action_mailer/railtie"
7
- require "active_resource/railtie"
8
4
  require "sprockets/railtie"
9
- # require "rails/test_unit/railtie"
10
5
 
11
6
  if defined?(Bundler)
12
- # If you precompile assets before deploying to production, use this line
13
7
  Bundler.require(*Rails.groups(:assets => %w(development test)))
14
- # If you want your assets lazily compiled in production, use this line
15
- # Bundler.require(:default, :assets, Rails.env)
16
8
  end
17
9
 
18
10
  module Rails3212
19
11
  class Application < Rails::Application
20
- # Settings in config/environments/* take precedence over those specified here.
21
- # Application configuration should go into files in config/initializers
22
- # -- all .rb files in that directory are automatically loaded.
23
12
 
24
- # Custom directories with classes and modules you want to be autoloadable.
25
- # config.autoload_paths += %W(#{config.root}/extras)
26
-
27
- # Only load the plugins named here, in the order given (default is alphabetical).
28
- # :all can be used as a placeholder for all plugins not explicitly named.
29
- # config.plugins = [ :exception_notification, :ssl_requirement, :all ]
30
-
31
- # Activate observers that should always be running.
32
- # config.active_record.observers = :cacher, :garbage_collector, :forum_observer
33
-
34
- # Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
35
- # Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
36
- # config.time_zone = 'Central Time (US & Canada)'
37
-
38
- # The default locale is :en and all translations from config/locales/*.rb,yml are auto loaded.
39
- # config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s]
40
- # config.i18n.default_locale = :de
41
-
42
- # Configure the default encoding used in templates for Ruby 1.9.
43
- config.encoding = "utf-8"
44
-
45
- # Configure sensitive parameters which will be filtered from the log file.
46
- config.filter_parameters += [:password]
47
-
48
- # Enable escaping HTML in JSON.
49
- config.active_support.escape_html_entities_in_json = true
50
-
51
- # Use SQL instead of Active Record's schema dumper when creating the database.
52
- # This is necessary if your schema can't be completely dumped by the schema dumper,
53
- # like if you have constraints or database-specific column types
54
- # config.active_record.schema_format = :sql
55
-
56
- # Enforce whitelist mode for mass assignment.
57
- # This will create an empty whitelist of attributes available for mass-assignment for all models
58
- # in your app. As such, your models will need to explicitly whitelist or blacklist accessible
59
- # parameters by using an attr_accessible or attr_protected declaration.
60
- config.active_record.whitelist_attributes = true
61
-
62
- # Enable the asset pipeline
63
- config.assets.enabled = true
64
-
65
- # Version of your assets, change this if you want to expire all your assets
66
- config.assets.version = '1.0'
67
13
  end
68
14
  end
@@ -27,10 +27,10 @@ Rails3212::Application.configure do
27
27
  # Tell Action Mailer not to deliver emails to the real world.
28
28
  # The :test delivery method accumulates sent emails in the
29
29
  # ActionMailer::Base.deliveries array.
30
- config.action_mailer.delivery_method = :test
30
+ # config.action_mailer.delivery_method = :test
31
31
 
32
32
  # Raise exception on mass assignment protection for Active Record models
33
- config.active_record.mass_assignment_sanitizer = :strict
33
+ # config.active_record.mass_assignment_sanitizer = :strict
34
34
 
35
35
  # Print deprecation notices to the stderr
36
36
  config.active_support.deprecation = :stderr
@@ -1,61 +1,4 @@
1
1
  Rails3212::Application.routes.draw do
2
2
  resources :things
3
-
4
-
5
- # The priority is based upon order of creation:
6
- # first created -> highest priority.
7
-
8
- # Sample of regular route:
9
- # match 'products/:id' => 'catalog#view'
10
- # Keep in mind you can assign values other than :controller and :action
11
-
12
- # Sample of named route:
13
- # match 'products/:id/purchase' => 'catalog#purchase', :as => :purchase
14
- # This route can be invoked with purchase_url(:id => product.id)
15
-
16
- # Sample resource route (maps HTTP verbs to controller actions automatically):
17
- # resources :products
18
-
19
- # Sample resource route with options:
20
- # resources :products do
21
- # member do
22
- # get 'short'
23
- # post 'toggle'
24
- # end
25
- #
26
- # collection do
27
- # get 'sold'
28
- # end
29
- # end
30
-
31
- # Sample resource route with sub-resources:
32
- # resources :products do
33
- # resources :comments, :sales
34
- # resource :seller
35
- # end
36
-
37
- # Sample resource route with more complex sub-resources
38
- # resources :products do
39
- # resources :comments
40
- # resources :sales do
41
- # get 'recent', :on => :collection
42
- # end
43
- # end
44
-
45
- # Sample resource route within a namespace:
46
- # namespace :admin do
47
- # # Directs /admin/products/* to Admin::ProductsController
48
- # # (app/controllers/admin/products_controller.rb)
49
- # resources :products
50
- # end
51
-
52
- # You can have the root of your site routed with "root"
53
- # just remember to delete public/index.html.
54
- # root :to => 'welcome#index'
55
-
56
- # See how all your routes lay out with "rake routes"
57
-
58
- # This is a legacy wild controller route that's not recommended for RESTful applications.
59
- # Note: This route will make all actions in every controller accessible via GET requests.
60
3
  match ':controller(/:action(/:id))(.:format)'
61
4
  end
@@ -25,6 +25,11 @@ describe OtherThingsController, :type => :controller do
25
25
  expect(response.headers['Strict-Transport-Security']).to eq("max-age=315576000")
26
26
  end
27
27
 
28
+ it "sets the X-Download-Options header" do
29
+ get :index
30
+ expect(response.headers['X-Download-Options']).to eq('noopen')
31
+ end
32
+
28
33
  it "sets the X-Content-Type-Options header" do
29
34
  get :index
30
35
  expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
@@ -28,6 +28,11 @@ describe ThingsController, :type => :controller do
28
28
  expect(response.headers['Strict-Transport-Security']).to eq("max-age=315576000")
29
29
  end
30
30
 
31
+ it "sets the X-Download-Options header" do
32
+ get :index
33
+ expect(response.headers['X-Download-Options']).to eq('noopen')
34
+ end
35
+
31
36
  it "sets the X-Content-Type-Options header" do
32
37
  get :index
33
38
  expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
@@ -1,12 +1,5 @@
1
1
  source 'https://rubygems.org'
2
2
 
3
3
  gem 'rails', '3.2.12'
4
- gem 'sqlite3'
5
4
  gem 'rspec-rails', '>= 2.0.0'
6
5
  gem 'secure_headers', :path => '../..'
7
- gem 'debugger', :platform => :ruby_19
8
- gem 'ruby-debug', :platform => :ruby_18
9
- gem 'guard-rspec'
10
- gem 'rb-fsevent'
11
- gem 'growl'
12
-
@@ -1,5 +1,5 @@
1
1
  class ThingsController < ApplicationController
2
2
  def index
3
- ######## : ) <- Marge Simpson?
3
+
4
4
  end
5
5
  end
@@ -3,8 +3,6 @@
3
3
  <head>
4
4
  <title>Rails3212</title>
5
5
  <%= stylesheet_link_tag "application", :media => "all" %>
6
- <%= javascript_include_tag "application" %>
7
- <%= csrf_meta_tags %>
8
6
  </head>
9
7
  <body>
10
8
 
@@ -1,21 +0,0 @@
1
- <h1>Listing things</h1>
2
-
3
- <table>
4
- <tr>
5
- <th></th>
6
- <th></th>
7
- <th></th>
8
- </tr>
9
-
10
- <% @things.each do |thing| %>
11
- <tr>
12
- <td><%= link_to 'Show', thing %></td>
13
- <td><%= link_to 'Edit', edit_thing_path(thing) %></td>
14
- <td><%= link_to 'Destroy', thing, method: :delete, data: { confirm: 'Are you sure?' } %></td>
15
- </tr>
16
- <% end %>
17
- </table>
18
-
19
- <br />
20
-
21
- <%= link_to 'New Thing', new_thing_path %>
@@ -1,12 +1,8 @@
1
1
  require File.expand_path('../boot', __FILE__)
2
2
 
3
3
  # Pick the frameworks you want:
4
- require "active_record/railtie"
5
4
  require "action_controller/railtie"
6
- require "action_mailer/railtie"
7
- require "active_resource/railtie"
8
5
  require "sprockets/railtie"
9
- # require "rails/test_unit/railtie"
10
6
 
11
7
  if defined?(Bundler)
12
8
  # If you precompile assets before deploying to production, use this line
@@ -17,52 +13,5 @@ end
17
13
 
18
14
  module Rails3212
19
15
  class Application < Rails::Application
20
- # Settings in config/environments/* take precedence over those specified here.
21
- # Application configuration should go into files in config/initializers
22
- # -- all .rb files in that directory are automatically loaded.
23
-
24
- # Custom directories with classes and modules you want to be autoloadable.
25
- # config.autoload_paths += %W(#{config.root}/extras)
26
-
27
- # Only load the plugins named here, in the order given (default is alphabetical).
28
- # :all can be used as a placeholder for all plugins not explicitly named.
29
- # config.plugins = [ :exception_notification, :ssl_requirement, :all ]
30
-
31
- # Activate observers that should always be running.
32
- # config.active_record.observers = :cacher, :garbage_collector, :forum_observer
33
-
34
- # Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
35
- # Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
36
- # config.time_zone = 'Central Time (US & Canada)'
37
-
38
- # The default locale is :en and all translations from config/locales/*.rb,yml are auto loaded.
39
- # config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s]
40
- # config.i18n.default_locale = :de
41
-
42
- # Configure the default encoding used in templates for Ruby 1.9.
43
- config.encoding = "utf-8"
44
-
45
- # Configure sensitive parameters which will be filtered from the log file.
46
- config.filter_parameters += [:password]
47
-
48
- # Enable escaping HTML in JSON.
49
- config.active_support.escape_html_entities_in_json = true
50
-
51
- # Use SQL instead of Active Record's schema dumper when creating the database.
52
- # This is necessary if your schema can't be completely dumped by the schema dumper,
53
- # like if you have constraints or database-specific column types
54
- # config.active_record.schema_format = :sql
55
-
56
- # Enforce whitelist mode for mass assignment.
57
- # This will create an empty whitelist of attributes available for mass-assignment for all models
58
- # in your app. As such, your models will need to explicitly whitelist or blacklist accessible
59
- # parameters by using an attr_accessible or attr_protected declaration.
60
- config.active_record.whitelist_attributes = true
61
-
62
- # Enable the asset pipeline
63
- config.assets.enabled = true
64
-
65
- # Version of your assets, change this if you want to expire all your assets
66
- config.assets.version = '1.0'
67
16
  end
68
17
  end
@@ -27,10 +27,10 @@ Rails3212::Application.configure do
27
27
  # Tell Action Mailer not to deliver emails to the real world.
28
28
  # The :test delivery method accumulates sent emails in the
29
29
  # ActionMailer::Base.deliveries array.
30
- config.action_mailer.delivery_method = :test
30
+ # config.action_mailer.delivery_method = :test
31
31
 
32
32
  # Raise exception on mass assignment protection for Active Record models
33
- config.active_record.mass_assignment_sanitizer = :strict
33
+ # config.active_record.mass_assignment_sanitizer = :strict
34
34
 
35
35
  # Print deprecation notices to the stderr
36
36
  config.active_support.deprecation = :stderr
@@ -1,61 +1,4 @@
1
1
  Rails3212::Application.routes.draw do
2
2
  resources :things
3
-
4
-
5
- # The priority is based upon order of creation:
6
- # first created -> highest priority.
7
-
8
- # Sample of regular route:
9
- # match 'products/:id' => 'catalog#view'
10
- # Keep in mind you can assign values other than :controller and :action
11
-
12
- # Sample of named route:
13
- # match 'products/:id/purchase' => 'catalog#purchase', :as => :purchase
14
- # This route can be invoked with purchase_url(:id => product.id)
15
-
16
- # Sample resource route (maps HTTP verbs to controller actions automatically):
17
- # resources :products
18
-
19
- # Sample resource route with options:
20
- # resources :products do
21
- # member do
22
- # get 'short'
23
- # post 'toggle'
24
- # end
25
- #
26
- # collection do
27
- # get 'sold'
28
- # end
29
- # end
30
-
31
- # Sample resource route with sub-resources:
32
- # resources :products do
33
- # resources :comments, :sales
34
- # resource :seller
35
- # end
36
-
37
- # Sample resource route with more complex sub-resources
38
- # resources :products do
39
- # resources :comments
40
- # resources :sales do
41
- # get 'recent', :on => :collection
42
- # end
43
- # end
44
-
45
- # Sample resource route within a namespace:
46
- # namespace :admin do
47
- # # Directs /admin/products/* to Admin::ProductsController
48
- # # (app/controllers/admin/products_controller.rb)
49
- # resources :products
50
- # end
51
-
52
- # You can have the root of your site routed with "root"
53
- # just remember to delete public/index.html.
54
- # root :to => 'welcome#index'
55
-
56
- # See how all your routes lay out with "rake routes"
57
-
58
- # This is a legacy wild controller route that's not recommended for RESTful applications.
59
- # Note: This route will make all actions in every controller accessible via GET requests.
60
3
  match ':controller(/:action(/:id))(.:format)'
61
4
  end
@@ -24,6 +24,11 @@ describe OtherThingsController, :type => :controller do
24
24
  expect(response.headers['Strict-Transport-Security']).to eq(SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
25
25
  end
26
26
 
27
+ it "sets the X-Download-Options header" do
28
+ get :index
29
+ expect(response.headers['X-Download-Options']).to eq(SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
30
+ end
31
+
27
32
  it "sets the X-Content-Type-Options header" do
28
33
  get :index
29
34
  expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
@@ -28,6 +28,11 @@ describe ThingsController, :type => :controller do
28
28
  expect(response.headers['Strict-Transport-Security']).to eq(SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
29
29
  end
30
30
 
31
+ it "sets the X-Download-Options header" do
32
+ get :index
33
+ expect(response.headers['X-Download-Options']).to eq(SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
34
+ end
35
+
31
36
  it "sets the X-Content-Type-Options header" do
32
37
  get :index
33
38
  expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
@@ -30,6 +30,7 @@ module SecureHeaders
30
30
  # :report used to determine what :ssl_request, :ua, and :request_uri are set to
31
31
  def initialize(config=nil, options={})
32
32
  @experimental = !!options.delete(:experimental)
33
+ warn "[DEPRECATION] 'experimental' config is removed in 2.0"
33
34
  @controller = options.delete(:controller)
34
35
 
35
36
  if options[:request]
@@ -60,9 +61,9 @@ module SecureHeaders
60
61
  @config.merge!(experimental_config)
61
62
  end
62
63
 
63
- # http_additions will be the only field that still doesn't support
64
- # lambdas because it's an ugly api that's showing it's age.
64
+ # these values don't support lambdas because this needs to be rewritten
65
65
  @http_additions = @config.delete(:http_additions)
66
+ @app_name = @config.delete(:app_name)
66
67
 
67
68
  normalize_csp_options
68
69
 
@@ -70,7 +71,9 @@ module SecureHeaders
70
71
  self.send("#{meta}=", @config.delete(meta))
71
72
  end
72
73
 
73
- @enforce = @config.delete(:enforce)
74
+ @enforce = !!@config.delete(:enforce)
75
+ @tag_report_uri = @config.delete(:tag_report_uri)
76
+
74
77
  normalize_reporting_endpoint
75
78
  fill_directives unless disable_fill_missing?
76
79
  end
@@ -169,16 +172,27 @@ module SecureHeaders
169
172
  end
170
173
 
171
174
  if forward_endpoint
175
+ warn "[DEPRECATION] forwarder is removed in 2.0"
172
176
  @report_uri = FF_CSP_ENDPOINT
173
177
  end
174
178
  end
179
+
180
+ if @tag_report_uri
181
+ @report_uri = "#{@report_uri}?enforce=#{@enforce}"
182
+ @report_uri += "&app_name=#{@app_name}" if @app_name
183
+ end
175
184
  end
176
185
 
177
186
  def same_origin?
178
187
  return unless report_uri && request_uri
179
188
 
180
- origin = URI.parse(request_uri)
181
- uri = URI.parse(report_uri)
189
+ begin
190
+ origin = URI.parse(request_uri)
191
+ uri = URI.parse(report_uri)
192
+ rescue URI::InvalidURIError
193
+ return false
194
+ end
195
+
182
196
  uri.host == origin.host && origin.port == uri.port && origin.scheme == uri.scheme
183
197
  end
184
198
 
@@ -6,7 +6,7 @@ module SecureHeaders
6
6
  HSTS_HEADER_NAME = 'Strict-Transport-Security'
7
7
  HSTS_MAX_AGE = "631138519"
8
8
  DEFAULT_VALUE = "max-age=" + HSTS_MAX_AGE
9
- VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?\z/i
9
+ VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?(; preload)?\z/i
10
10
  MESSAGE = "The config value supplied for the HSTS header was invalid."
11
11
  end
12
12
  include Constants
@@ -31,6 +31,7 @@ module SecureHeaders
31
31
  max_age = @config.fetch(:max_age, HSTS_MAX_AGE)
32
32
  value = "max-age=" + max_age.to_s
33
33
  value += "; includeSubdomains" if @config[:include_subdomains]
34
+ value += "; preload" if @config[:preload]
34
35
 
35
36
  value
36
37
  end
@@ -0,0 +1,39 @@
1
+ module SecureHeaders
2
+ class XDOBuildError < StandardError; end
3
+ class XDownloadOptions < Header
4
+ module Constants
5
+ XDO_HEADER_NAME = "X-Download-Options"
6
+ DEFAULT_VALUE = 'noopen'
7
+ end
8
+ include Constants
9
+
10
+ def initialize(config = nil)
11
+ @config = config
12
+ validate_config unless @config.nil?
13
+ end
14
+
15
+ def name
16
+ XDO_HEADER_NAME
17
+ end
18
+
19
+ def value
20
+ case @config
21
+ when NilClass
22
+ DEFAULT_VALUE
23
+ when String
24
+ @config
25
+ else
26
+ @config[:value]
27
+ end
28
+ end
29
+
30
+ private
31
+
32
+ def validate_config
33
+ value = @config.is_a?(Hash) ? @config[:value] : @config
34
+ unless value.casecmp(DEFAULT_VALUE) == 0
35
+ raise XDOBuildError.new("Value can only be nil or 'noopen'")
36
+ end
37
+ end
38
+ end
39
+ end