RubyGems - secure_headers - Versions diffs - 1.3.1 → 1.3.2 - Mend

secure_headers 1.3.1 → 1.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of secure_headers might be problematic. Click here for more details.

Files changed (7) hide show

checksums.yaml +8 -8
data/HISTORY.md +16 -0
data/README.md +18 -0
data/lib/secure_headers/headers/content_security_policy.rb +10 -3
data/lib/secure_headers/version.rb +1 -1
data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +12 -0
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    NjEwM2NiNzBhMjcxYjEzZjJjMjY2NzVjYzhiYTIwOWNlN2U4ZDYxNA==
+    OGRkYjRlNDU4ZTZjMWViMTM0NTlkZDc1ZDNmNjJkMjNlMGIzMDY5OA==
   data.tar.gz: !binary |-
-    YTI4M2IwZjI4MzJjZjk1YzI2ZmYwYWI2ZDU0NmM1YzBjMTQ2ZWRjYg==
+    Y2Y0OGEwODAwNDZmMzNkNWYzYzJiNDAzZTdlZDE2YmYzNzQ5MDNhMA==
 SHA512:
   metadata.gz: !binary |-
-    NDA0NDk3YmIyMGUzZDM1OWIyNGI2MTEzYjQyM2RhNWMwNmE2MmQzY2ZiNDhi
-    NDkxNWJlNzQ5Y2E2MTliZjJkZDJlNzFkNjU5YWFlOTUwOTk0ODNkMTcwM2Ux
-    NmQ2ODE1NzNlZDcyZjRlZWI4NjMwNTViOTI5Y2U3ZjBjY2Q5ZGE=
+    NGZmODE5M2ViNWJkZTRhMjRjYzEwNTRkZDkzMzdmOWQzMzdiYWU0OGM3ZGZl
+    Yjc0YjJmOTI4MWFiMTE2NGJlMDA4ZjA2YjY3YzAyMWU5ZDExMmEwZWM1ODVl
+    ZDllOGFlYTdhNjU1YjRlZjc1MjM4MjM5MDlmY2EwNzljNjU4OTA=
   data.tar.gz: !binary |-
-    NTFkNzc1Zjc3OTBlYWZiOWFhYzkxM2ExZjcwODFmOWY0NTQ1ZTcwNWVjNjIw
-    NDY4ZThlN2QxODNlZWM0MTg4MWRjN2U2YzlkOTJlYmQ2MjQ3NjY0Y2ZmZDg5
-    YmU1N2YxOGU4ZWU1MzAxYjE0Zjg4NjJhMDU1ZDdhZGY2ZGNmYmQ=
+    Y2UzZDgxNWFlMGQ3YmMwODY2OTQyNmVhZDU3YWQ5ODk3MDRjNWQwZTJhODMy
+    Njk2ODQyZjQ1MTA1YjZjMmMxZDM2YTcyOWE3ODIxN2Q1ZjQzNDQ3MmM3NGI2
+    YWU4NzZkZmQ3NWM1ZTNlZWI4NzIzMDFhZDZjODQ1MzhkMjlkMDk=

data/HISTORY.md CHANGED Viewed

@@ -1,3 +1,19 @@
+1.3.2
+======
+Adds the ability to "tag" requests and a new config value: :app_name
+{
+  :tag_report_uri => true,
+  :enforce => true,
+  :app_name => 'twitter',
+  :report_uri => 'csp_reports'
+}
+Results in
+report-uri csp_reports?enforce=true&app_name=twitter
 1.3.1
 ======

data/README.md CHANGED Viewed

@@ -197,6 +197,24 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
 "default-src  'self'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com;"
 ```
+### Tagging Reuqests
+It's often valuable to send extra information in the report uri that is not available in the reports themselves. Namely, "was the policy enforced" and "where did the report come from"
+```ruby
+{
+  :tag_report_uri => true,
+  :enforce => true,
+  :app_name => 'twitter',
+  :report_uri => 'csp_reports'
+}
+```
+Results in
+```
+report-uri csp_reports?enforce=true&app_name=twitter
+```
 ### CSP Level 2 features
 script/style-nonce can be used to whitelist inline content. To do this, add "nonce" to your script/style-src configuration, then set the nonce attributes on the various tags.

data/lib/secure_headers/headers/content_security_policy.rb CHANGED Viewed

@@ -60,9 +60,9 @@ module SecureHeaders
         @config.merge!(experimental_config)
       end
-      # http_additions will be the only field that still doesn't support
-      # lambdas because it's an ugly api that's showing it's age.
+      # these values don't support lambdas because this needs to be rewritten
       @http_additions = @config.delete(:http_additions)
+      @app_name = @config.delete(:app_name)
       normalize_csp_options
@@ -70,7 +70,9 @@ module SecureHeaders
         self.send("#{meta}=", @config.delete(meta))
       end
-      @enforce = @config.delete(:enforce)
+      @enforce = !!@config.delete(:enforce)
+      @tag_report_uri = @config.delete(:tag_report_uri)
       normalize_reporting_endpoint
       fill_directives unless disable_fill_missing?
     end
@@ -172,6 +174,11 @@ module SecureHeaders
           @report_uri = FF_CSP_ENDPOINT
         end
       end
+      if @tag_report_uri
+        @report_uri = "#{@report_uri}?enforce=#{@enforce}"
+        @report_uri += "&app_name=#{@app_name}" if @app_name
+      end
     end
     def same_origin?

data/lib/secure_headers/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module SecureHeaders
-  VERSION = "1.3.1"
+  VERSION = "1.3.2"
 end

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb CHANGED Viewed

@@ -79,6 +79,18 @@ module SecureHeaders
           expect(csp.value).to include("script-src 'unsafe-inline' 'unsafe-eval' https://* data: 'self' 'none'")
         end
+        it "adds a @enforce and @app_name variables to the report uri" do
+          opts = @opts.merge(:tag_report_uri => true, :enforce => true, :app_name => 'twitter')
+          csp = ContentSecurityPolicy.new(opts, :request => request_for(CHROME))
+          expect(csp.value).to include("/csp_report?enforce=true&app_name=twitter")
+        end
+        it "does not add an empty @app_name variable to the report uri" do
+          opts = @opts.merge(:tag_report_uri => true, :enforce => true)
+          csp = ContentSecurityPolicy.new(opts, :request => request_for(CHROME))
+          expect(csp.value).to include("/csp_report?enforce=true")
+        end
         it "accepts procs for report-uris" do
           opts = {
             :default_src => 'self',

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 1.3.1
+  version: 1.3.2
 platform: ruby
 authors:
 - Neil Matatall
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-08-12 00:00:00.000000000 Z
+date: 2014-08-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake