secure_headers 1.3.3 → 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/.gitignore +4 -8
- data/.travis.yml +7 -4
- data/Gemfile +6 -7
- data/README.md +115 -79
- data/Rakefile +11 -116
- data/fixtures/rails_3_2_12/Gemfile +0 -6
- data/fixtures/rails_3_2_12/app/controllers/things_controller.rb +0 -1
- data/fixtures/rails_3_2_12/app/views/layouts/application.html.erb +1 -4
- data/fixtures/rails_3_2_12/app/views/other_things/index.html.erb +2 -1
- data/fixtures/rails_3_2_12/app/views/things/index.html.erb +1 -21
- data/fixtures/rails_3_2_12/config/application.rb +0 -54
- data/fixtures/rails_3_2_12/config/environments/test.rb +2 -2
- data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +2 -1
- data/fixtures/rails_3_2_12/config/routes.rb +0 -57
- data/fixtures/rails_3_2_12/config/script_hashes.yml +5 -0
- data/fixtures/rails_3_2_12/config.ru +3 -0
- data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +58 -16
- data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +11 -1
- data/fixtures/rails_3_2_12_no_init/Gemfile +0 -7
- data/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb +1 -2
- data/fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb +1 -1
- data/fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb +0 -2
- data/fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb +0 -21
- data/fixtures/rails_3_2_12_no_init/config/application.rb +0 -51
- data/fixtures/rails_3_2_12_no_init/config/environments/test.rb +2 -2
- data/fixtures/rails_3_2_12_no_init/config/routes.rb +0 -57
- data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +10 -0
- data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +10 -0
- data/fixtures/rails_4_1_8/Gemfile +5 -0
- data/fixtures/rails_4_1_8/README.rdoc +28 -0
- data/fixtures/rails_4_1_8/Rakefile +6 -0
- data/fixtures/rails_4_1_8/app/controllers/application_controller.rb +4 -0
- data/fixtures/rails_4_1_8/app/controllers/concerns/.keep +0 -0
- data/fixtures/rails_4_1_8/app/controllers/other_things_controller.rb +5 -0
- data/fixtures/rails_4_1_8/app/controllers/things_controller.rb +5 -0
- data/fixtures/rails_4_1_8/app/models/.keep +0 -0
- data/fixtures/rails_4_1_8/app/models/concerns/.keep +0 -0
- data/fixtures/rails_4_1_8/app/views/layouts/application.html.erb +11 -0
- data/fixtures/rails_4_1_8/app/views/other_things/index.html.erb +2 -0
- data/fixtures/rails_4_1_8/app/views/things/index.html.erb +1 -0
- data/fixtures/rails_4_1_8/config/application.rb +15 -0
- data/fixtures/rails_4_1_8/config/boot.rb +4 -0
- data/fixtures/rails_4_1_8/config/environment.rb +5 -0
- data/fixtures/rails_4_1_8/config/environments/test.rb +10 -0
- data/fixtures/rails_4_1_8/config/initializers/secure_headers.rb +17 -0
- data/fixtures/rails_4_1_8/config/routes.rb +4 -0
- data/fixtures/rails_4_1_8/config/script_hashes.yml +5 -0
- data/fixtures/rails_4_1_8/config/secrets.yml +22 -0
- data/fixtures/rails_4_1_8/config.ru +4 -0
- data/fixtures/rails_4_1_8/lib/assets/.keep +0 -0
- data/fixtures/rails_4_1_8/lib/tasks/.keep +0 -0
- data/fixtures/rails_4_1_8/log/.keep +0 -0
- data/fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb +83 -0
- data/fixtures/rails_4_1_8/spec/controllers/things_controller_spec.rb +59 -0
- data/fixtures/rails_4_1_8/spec/spec_helper.rb +15 -0
- data/fixtures/rails_4_1_8/vendor/assets/javascripts/.keep +0 -0
- data/fixtures/rails_4_1_8/vendor/assets/stylesheets/.keep +0 -0
- data/lib/secure_headers/hash_helper.rb +7 -0
- data/lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb +22 -0
- data/lib/secure_headers/headers/content_security_policy.rb +141 -133
- data/lib/secure_headers/headers/x_download_options.rb +39 -0
- data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +40 -0
- data/lib/secure_headers/headers/x_xss_protection.rb +2 -1
- data/lib/secure_headers/railtie.rb +19 -24
- data/lib/secure_headers/version.rb +1 -1
- data/lib/secure_headers/view_helper.rb +68 -0
- data/lib/secure_headers.rb +65 -16
- data/lib/tasks/tasks.rake +48 -0
- data/secure_headers.gemspec +4 -4
- data/spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb +47 -0
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +83 -208
- data/spec/lib/secure_headers/headers/x_download_options_spec.rb +32 -0
- data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb +64 -0
- data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +2 -1
- data/spec/lib/secure_headers_spec.rb +57 -61
- data/spec/spec_helper.rb +27 -1
- metadata +47 -42
- data/Guardfile +0 -6
- data/HISTORY.md +0 -155
- data/app/controllers/content_security_policy_controller.rb +0 -75
- data/config/curl-ca-bundle.crt +0 -5420
- data/config/routes.rb +0 -3
- data/fixtures/rails_3_2_12/app/models/thing.rb +0 -3
- data/fixtures/rails_3_2_12/config/database.yml +0 -25
- data/fixtures/rails_3_2_12/config/environments/development.rb +0 -37
- data/fixtures/rails_3_2_12/config/environments/production.rb +0 -67
- data/fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb +0 -7
- data/fixtures/rails_3_2_12/config/initializers/inflections.rb +0 -15
- data/fixtures/rails_3_2_12/config/initializers/mime_types.rb +0 -5
- data/fixtures/rails_3_2_12/config/initializers/secret_token.rb +0 -7
- data/fixtures/rails_3_2_12/config/initializers/session_store.rb +0 -8
- data/fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb +0 -14
- data/fixtures/rails_3_2_12/config/locales/en.yml +0 -5
- data/fixtures/rails_3_2_12/db/schema.rb +0 -16
- data/fixtures/rails_3_2_12/db/seeds.rb +0 -7
- data/fixtures/rails_3_2_12_no_init/app/models/thing.rb +0 -3
- data/fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb +0 -17
- data/fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb +0 -6
- data/fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb +0 -5
- data/fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb +0 -5
- data/fixtures/rails_3_2_12_no_init/config/database.yml +0 -25
- data/fixtures/rails_3_2_12_no_init/config/environments/development.rb +0 -37
- data/fixtures/rails_3_2_12_no_init/config/environments/production.rb +0 -67
- data/fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb +0 -7
- data/fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb +0 -15
- data/fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb +0 -5
- data/fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb +0 -7
- data/fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb +0 -8
- data/fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb +0 -14
- data/fixtures/rails_3_2_12_no_init/config/locales/en.yml +0 -5
- data/fixtures/rails_3_2_12_no_init/db/schema.rb +0 -16
- data/fixtures/rails_3_2_12_no_init/db/seeds.rb +0 -7
- data/spec/controllers/content_security_policy_controller_spec.rb +0 -90
|
@@ -18,26 +18,7 @@ describe SecureHeaders do
|
|
|
18
18
|
allow(subject).to receive(:request).and_return(request)
|
|
19
19
|
end
|
|
20
20
|
|
|
21
|
-
ALL_HEADERS = Hash[[:hsts, :csp, :x_frame_options, :x_content_type_options, :x_xss_protection].map{|header| [header, false]}]
|
|
22
|
-
USER_AGENTS = {
|
|
23
|
-
:firefox => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1',
|
|
24
|
-
:chrome => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5',
|
|
25
|
-
:ie => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)',
|
|
26
|
-
:opera => 'Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00',
|
|
27
|
-
:ios5 => "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3",
|
|
28
|
-
:ios6 => "Mozilla/5.0 (iPhone; CPU iPhone OS 614 like Mac OS X) AppleWebKit/536.26 (KHTML like Gecko) Version/6.0 Mobile/10B350 Safari/8536.25",
|
|
29
|
-
:safari5 => "Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3",
|
|
30
|
-
:safari5_1 => "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10",
|
|
31
|
-
:safari6 => "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/536.30.1 (KHTML like Gecko) Version/6.0.5 Safari/536.30.1"
|
|
32
|
-
}
|
|
33
|
-
|
|
34
|
-
def should_assign_header name, value
|
|
35
|
-
expect(response.headers).to receive(:[]=).with(name, value)
|
|
36
|
-
end
|
|
37
|
-
|
|
38
|
-
def should_not_assign_header name
|
|
39
|
-
expect(response.headers).not_to receive(:[]=).with(name, anything)
|
|
40
|
-
end
|
|
21
|
+
ALL_HEADERS = Hash[[:hsts, :csp, :x_frame_options, :x_content_type_options, :x_xss_protection, :x_permitted_cross_domain_policies].map{|header| [header, false]}]
|
|
41
22
|
|
|
42
23
|
def stub_user_agent val
|
|
43
24
|
allow(request).to receive_message_chain(:env, :[]).and_return(val)
|
|
@@ -54,6 +35,8 @@ describe SecureHeaders do
|
|
|
54
35
|
config.x_content_type_options = nil
|
|
55
36
|
config.x_xss_protection = nil
|
|
56
37
|
config.csp = nil
|
|
38
|
+
config.x_download_options = nil
|
|
39
|
+
config.x_permitted_cross_domain_policies = nil
|
|
57
40
|
end
|
|
58
41
|
end
|
|
59
42
|
|
|
@@ -63,14 +46,8 @@ describe SecureHeaders do
|
|
|
63
46
|
subject.set_x_frame_options_header
|
|
64
47
|
subject.set_x_content_type_options_header
|
|
65
48
|
subject.set_x_xss_protection_header
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
describe "#ensure_security_headers" do
|
|
69
|
-
it "sets a before filter" do
|
|
70
|
-
options = {}
|
|
71
|
-
expect(DummyClass).to receive(:before_filter).exactly(5).times
|
|
72
|
-
DummyClass.ensure_security_headers(options)
|
|
73
|
-
end
|
|
49
|
+
subject.set_x_download_options_header
|
|
50
|
+
subject.set_x_permitted_cross_domain_policies_header
|
|
74
51
|
end
|
|
75
52
|
|
|
76
53
|
describe "#set_header" do
|
|
@@ -86,19 +63,18 @@ describe SecureHeaders do
|
|
|
86
63
|
end
|
|
87
64
|
|
|
88
65
|
describe "#set_security_headers" do
|
|
89
|
-
before(:each) do
|
|
90
|
-
allow(SecureHeaders::ContentSecurityPolicy).to receive(:new).and_return(double.as_null_object)
|
|
91
|
-
end
|
|
92
66
|
USER_AGENTS.each do |name, useragent|
|
|
93
67
|
it "sets all default headers for #{name} (smoke test)" do
|
|
94
68
|
stub_user_agent(useragent)
|
|
95
|
-
number_of_headers =
|
|
69
|
+
number_of_headers = 7
|
|
96
70
|
expect(subject).to receive(:set_header).exactly(number_of_headers).times # a request for a given header
|
|
97
71
|
subject.set_csp_header
|
|
98
72
|
subject.set_x_frame_options_header
|
|
99
73
|
subject.set_hsts_header
|
|
100
74
|
subject.set_x_xss_protection_header
|
|
101
75
|
subject.set_x_content_type_options_header
|
|
76
|
+
subject.set_x_download_options_header
|
|
77
|
+
subject.set_x_permitted_cross_domain_policies_header
|
|
102
78
|
end
|
|
103
79
|
end
|
|
104
80
|
|
|
@@ -113,11 +89,21 @@ describe SecureHeaders do
|
|
|
113
89
|
subject.set_x_xss_protection_header(false)
|
|
114
90
|
end
|
|
115
91
|
|
|
92
|
+
it "does not set the X-Download-Options header if disabled" do
|
|
93
|
+
should_not_assign_header(XDO_HEADER_NAME)
|
|
94
|
+
subject.set_x_download_options_header(false)
|
|
95
|
+
end
|
|
96
|
+
|
|
116
97
|
it "does not set the X-Frame-Options header if disabled" do
|
|
117
98
|
should_not_assign_header(XFO_HEADER_NAME)
|
|
118
99
|
subject.set_x_frame_options_header(false)
|
|
119
100
|
end
|
|
120
101
|
|
|
102
|
+
it "does not set the X-Permitted-Cross-Domain-Policies header if disabled" do
|
|
103
|
+
should_not_assign_header(XPCDP_HEADER_NAME)
|
|
104
|
+
subject.set_x_permitted_cross_domain_policies_header(false)
|
|
105
|
+
end
|
|
106
|
+
|
|
121
107
|
it "does not set the HSTS header if disabled" do
|
|
122
108
|
should_not_assign_header(HSTS_HEADER_NAME)
|
|
123
109
|
subject.set_hsts_header(false)
|
|
@@ -131,8 +117,19 @@ describe SecureHeaders do
|
|
|
131
117
|
|
|
132
118
|
it "does not set the CSP header if disabled" do
|
|
133
119
|
stub_user_agent(USER_AGENTS[:chrome])
|
|
134
|
-
should_not_assign_header(
|
|
135
|
-
subject.set_csp_header(
|
|
120
|
+
should_not_assign_header(HEADER_NAME)
|
|
121
|
+
subject.set_csp_header(false)
|
|
122
|
+
end
|
|
123
|
+
|
|
124
|
+
it "saves the options to the env when using script hashes" do
|
|
125
|
+
opts = {
|
|
126
|
+
:default_src => 'self',
|
|
127
|
+
:script_hash_middleware => true
|
|
128
|
+
}
|
|
129
|
+
stub_user_agent(USER_AGENTS[:chrome])
|
|
130
|
+
|
|
131
|
+
expect(SecureHeaders::ContentSecurityPolicy).to receive(:add_to_env)
|
|
132
|
+
subject.set_csp_header(opts)
|
|
136
133
|
end
|
|
137
134
|
|
|
138
135
|
context "when disabled by configuration settings" do
|
|
@@ -143,6 +140,8 @@ describe SecureHeaders do
|
|
|
143
140
|
config.x_content_type_options = false
|
|
144
141
|
config.x_xss_protection = false
|
|
145
142
|
config.csp = false
|
|
143
|
+
config.x_download_options = false
|
|
144
|
+
config.x_permitted_cross_domain_policies = false
|
|
146
145
|
end
|
|
147
146
|
expect(subject).not_to receive(:set_header)
|
|
148
147
|
set_security_headers(subject)
|
|
@@ -163,6 +162,18 @@ describe SecureHeaders do
|
|
|
163
162
|
end
|
|
164
163
|
end
|
|
165
164
|
|
|
165
|
+
describe "#set_x_download_options_header" do
|
|
166
|
+
it "sets the X-Download-Options header" do
|
|
167
|
+
should_assign_header(XDO_HEADER_NAME, SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
|
|
168
|
+
subject.set_x_download_options_header
|
|
169
|
+
end
|
|
170
|
+
|
|
171
|
+
it "allows a custom X-Download-Options header" do
|
|
172
|
+
should_assign_header(XDO_HEADER_NAME, "noopen")
|
|
173
|
+
subject.set_x_download_options_header(:value => 'noopen')
|
|
174
|
+
end
|
|
175
|
+
end
|
|
176
|
+
|
|
166
177
|
describe "#set_strict_transport_security" do
|
|
167
178
|
it "sets the Strict-Transport-Security header" do
|
|
168
179
|
should_assign_header(HSTS_HEADER_NAME, SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
|
|
@@ -226,7 +237,7 @@ describe SecureHeaders do
|
|
|
226
237
|
context "when using Firefox" do
|
|
227
238
|
it "sets CSP headers" do
|
|
228
239
|
stub_user_agent(USER_AGENTS[:firefox])
|
|
229
|
-
should_assign_header(
|
|
240
|
+
should_assign_header(HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
|
|
230
241
|
subject.set_csp_header
|
|
231
242
|
end
|
|
232
243
|
end
|
|
@@ -234,7 +245,7 @@ describe SecureHeaders do
|
|
|
234
245
|
context "when using Chrome" do
|
|
235
246
|
it "sets default CSP header" do
|
|
236
247
|
stub_user_agent(USER_AGENTS[:chrome])
|
|
237
|
-
should_assign_header(
|
|
248
|
+
should_assign_header(HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
|
|
238
249
|
subject.set_csp_header
|
|
239
250
|
end
|
|
240
251
|
end
|
|
@@ -242,36 +253,21 @@ describe SecureHeaders do
|
|
|
242
253
|
context "when using a browser besides chrome/firefox" do
|
|
243
254
|
it "sets the CSP header" do
|
|
244
255
|
stub_user_agent(USER_AGENTS[:opera])
|
|
245
|
-
should_assign_header(
|
|
256
|
+
should_assign_header(HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
|
|
246
257
|
subject.set_csp_header
|
|
247
258
|
end
|
|
248
259
|
end
|
|
260
|
+
end
|
|
249
261
|
|
|
250
|
-
|
|
251
|
-
|
|
252
|
-
|
|
253
|
-
|
|
254
|
-
|
|
255
|
-
:default_src => 'self',
|
|
256
|
-
:script_src => 'https://mycdn.example.com',
|
|
257
|
-
:experimental => {
|
|
258
|
-
:script_src => 'self',
|
|
259
|
-
}
|
|
260
|
-
}
|
|
261
|
-
end
|
|
262
|
-
|
|
263
|
-
it "does not set the header in enforce mode if experimental is supplied, but enforce is disabled" do
|
|
264
|
-
opts = @opts.merge(:enforce => false)
|
|
265
|
-
should_assign_header(STANDARD_HEADER_NAME + "-Report-Only", anything)
|
|
266
|
-
should_not_assign_header(STANDARD_HEADER_NAME)
|
|
267
|
-
subject.set_csp_header(opts)
|
|
268
|
-
end
|
|
262
|
+
describe "#set_x_permitted_cross_domain_policies_header" do
|
|
263
|
+
it "sets the X-Permitted-Cross-Domain-Policies header" do
|
|
264
|
+
should_assign_header(XPCDP_HEADER_NAME, SecureHeaders::XPermittedCrossDomainPolicies::Constants::DEFAULT_VALUE)
|
|
265
|
+
subject.set_x_permitted_cross_domain_policies_header
|
|
266
|
+
end
|
|
269
267
|
|
|
270
|
-
|
|
271
|
-
|
|
272
|
-
|
|
273
|
-
subject.set_csp_header(@opts)
|
|
274
|
-
end
|
|
268
|
+
it "allows a custom X-Permitted-Cross-Domain-Policies header" do
|
|
269
|
+
should_assign_header(XPCDP_HEADER_NAME, "master-only")
|
|
270
|
+
subject.set_x_permitted_cross_domain_policies_header(:value => 'master-only')
|
|
275
271
|
end
|
|
276
272
|
end
|
|
277
273
|
end
|
data/spec/spec_helper.rb
CHANGED
|
@@ -2,9 +2,35 @@ require 'rubygems'
|
|
|
2
2
|
require 'rspec'
|
|
3
3
|
|
|
4
4
|
require File.join(File.dirname(__FILE__), '..', 'lib', 'secure_headers')
|
|
5
|
-
|
|
5
|
+
|
|
6
|
+
if defined?(Coveralls)
|
|
7
|
+
Coveralls.wear!
|
|
8
|
+
end
|
|
9
|
+
|
|
6
10
|
include ::SecureHeaders::StrictTransportSecurity::Constants
|
|
7
11
|
include ::SecureHeaders::ContentSecurityPolicy::Constants
|
|
8
12
|
include ::SecureHeaders::XFrameOptions::Constants
|
|
9
13
|
include ::SecureHeaders::XXssProtection::Constants
|
|
10
14
|
include ::SecureHeaders::XContentTypeOptions::Constants
|
|
15
|
+
include ::SecureHeaders::XDownloadOptions::Constants
|
|
16
|
+
include ::SecureHeaders::XPermittedCrossDomainPolicies::Constants
|
|
17
|
+
|
|
18
|
+
USER_AGENTS = {
|
|
19
|
+
:firefox => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1',
|
|
20
|
+
:chrome => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5',
|
|
21
|
+
:ie => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)',
|
|
22
|
+
:opera => 'Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00',
|
|
23
|
+
:ios5 => "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3",
|
|
24
|
+
:ios6 => "Mozilla/5.0 (iPhone; CPU iPhone OS 614 like Mac OS X) AppleWebKit/536.26 (KHTML like Gecko) Version/6.0 Mobile/10B350 Safari/8536.25",
|
|
25
|
+
:safari5 => "Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3",
|
|
26
|
+
:safari5_1 => "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10",
|
|
27
|
+
:safari6 => "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/536.30.1 (KHTML like Gecko) Version/6.0.5 Safari/536.30.1"
|
|
28
|
+
}
|
|
29
|
+
|
|
30
|
+
def should_assign_header name, value
|
|
31
|
+
expect(response.headers).to receive(:[]=).with(name, value)
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
def should_not_assign_header name
|
|
35
|
+
expect(response.headers).not_to receive(:[]=).with(name, anything)
|
|
36
|
+
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version:
|
|
4
|
+
version: 2.0.0
|
|
5
5
|
prerelease:
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date:
|
|
12
|
+
date: 2015-01-23 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: rake
|
|
@@ -27,7 +27,7 @@ dependencies:
|
|
|
27
27
|
- - ! '>='
|
|
28
28
|
- !ruby/object:Gem::Version
|
|
29
29
|
version: '0'
|
|
30
|
-
description:
|
|
30
|
+
description: Security related headers all in one gem.
|
|
31
31
|
email:
|
|
32
32
|
- neil.matatall@gmail.com
|
|
33
33
|
executables: []
|
|
@@ -39,14 +39,9 @@ files:
|
|
|
39
39
|
- .ruby-version
|
|
40
40
|
- .travis.yml
|
|
41
41
|
- Gemfile
|
|
42
|
-
- Guardfile
|
|
43
|
-
- HISTORY.md
|
|
44
42
|
- LICENSE
|
|
45
43
|
- README.md
|
|
46
44
|
- Rakefile
|
|
47
|
-
- app/controllers/content_security_policy_controller.rb
|
|
48
|
-
- config/curl-ca-bundle.crt
|
|
49
|
-
- config/routes.rb
|
|
50
45
|
- fixtures/rails_3_2_12/.rspec
|
|
51
46
|
- fixtures/rails_3_2_12/Gemfile
|
|
52
47
|
- fixtures/rails_3_2_12/README.rdoc
|
|
@@ -55,29 +50,17 @@ files:
|
|
|
55
50
|
- fixtures/rails_3_2_12/app/controllers/other_things_controller.rb
|
|
56
51
|
- fixtures/rails_3_2_12/app/controllers/things_controller.rb
|
|
57
52
|
- fixtures/rails_3_2_12/app/models/.gitkeep
|
|
58
|
-
- fixtures/rails_3_2_12/app/models/thing.rb
|
|
59
53
|
- fixtures/rails_3_2_12/app/views/layouts/application.html.erb
|
|
60
54
|
- fixtures/rails_3_2_12/app/views/other_things/index.html.erb
|
|
61
55
|
- fixtures/rails_3_2_12/app/views/things/index.html.erb
|
|
62
56
|
- fixtures/rails_3_2_12/config.ru
|
|
63
57
|
- fixtures/rails_3_2_12/config/application.rb
|
|
64
58
|
- fixtures/rails_3_2_12/config/boot.rb
|
|
65
|
-
- fixtures/rails_3_2_12/config/database.yml
|
|
66
59
|
- fixtures/rails_3_2_12/config/environment.rb
|
|
67
|
-
- fixtures/rails_3_2_12/config/environments/development.rb
|
|
68
|
-
- fixtures/rails_3_2_12/config/environments/production.rb
|
|
69
60
|
- fixtures/rails_3_2_12/config/environments/test.rb
|
|
70
|
-
- fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb
|
|
71
|
-
- fixtures/rails_3_2_12/config/initializers/inflections.rb
|
|
72
|
-
- fixtures/rails_3_2_12/config/initializers/mime_types.rb
|
|
73
|
-
- fixtures/rails_3_2_12/config/initializers/secret_token.rb
|
|
74
61
|
- fixtures/rails_3_2_12/config/initializers/secure_headers.rb
|
|
75
|
-
- fixtures/rails_3_2_12/config/initializers/session_store.rb
|
|
76
|
-
- fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb
|
|
77
|
-
- fixtures/rails_3_2_12/config/locales/en.yml
|
|
78
62
|
- fixtures/rails_3_2_12/config/routes.rb
|
|
79
|
-
- fixtures/rails_3_2_12/
|
|
80
|
-
- fixtures/rails_3_2_12/db/seeds.rb
|
|
63
|
+
- fixtures/rails_3_2_12/config/script_hashes.yml
|
|
81
64
|
- fixtures/rails_3_2_12/lib/assets/.gitkeep
|
|
82
65
|
- fixtures/rails_3_2_12/lib/tasks/.gitkeep
|
|
83
66
|
- fixtures/rails_3_2_12/log/.gitkeep
|
|
@@ -95,32 +78,15 @@ files:
|
|
|
95
78
|
- fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb
|
|
96
79
|
- fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb
|
|
97
80
|
- fixtures/rails_3_2_12_no_init/app/models/.gitkeep
|
|
98
|
-
- fixtures/rails_3_2_12_no_init/app/models/thing.rb
|
|
99
81
|
- fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb
|
|
100
82
|
- fixtures/rails_3_2_12_no_init/app/views/other_things/index.html.erb
|
|
101
|
-
- fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb
|
|
102
|
-
- fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb
|
|
103
83
|
- fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb
|
|
104
|
-
- fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb
|
|
105
|
-
- fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb
|
|
106
84
|
- fixtures/rails_3_2_12_no_init/config.ru
|
|
107
85
|
- fixtures/rails_3_2_12_no_init/config/application.rb
|
|
108
86
|
- fixtures/rails_3_2_12_no_init/config/boot.rb
|
|
109
|
-
- fixtures/rails_3_2_12_no_init/config/database.yml
|
|
110
87
|
- fixtures/rails_3_2_12_no_init/config/environment.rb
|
|
111
|
-
- fixtures/rails_3_2_12_no_init/config/environments/development.rb
|
|
112
|
-
- fixtures/rails_3_2_12_no_init/config/environments/production.rb
|
|
113
88
|
- fixtures/rails_3_2_12_no_init/config/environments/test.rb
|
|
114
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb
|
|
115
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb
|
|
116
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb
|
|
117
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb
|
|
118
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb
|
|
119
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb
|
|
120
|
-
- fixtures/rails_3_2_12_no_init/config/locales/en.yml
|
|
121
89
|
- fixtures/rails_3_2_12_no_init/config/routes.rb
|
|
122
|
-
- fixtures/rails_3_2_12_no_init/db/schema.rb
|
|
123
|
-
- fixtures/rails_3_2_12_no_init/db/seeds.rb
|
|
124
90
|
- fixtures/rails_3_2_12_no_init/lib/assets/.gitkeep
|
|
125
91
|
- fixtures/rails_3_2_12_no_init/lib/tasks/.gitkeep
|
|
126
92
|
- fixtures/rails_3_2_12_no_init/log/.gitkeep
|
|
@@ -130,22 +96,59 @@ files:
|
|
|
130
96
|
- fixtures/rails_3_2_12_no_init/vendor/assets/javascripts/.gitkeep
|
|
131
97
|
- fixtures/rails_3_2_12_no_init/vendor/assets/stylesheets/.gitkeep
|
|
132
98
|
- fixtures/rails_3_2_12_no_init/vendor/plugins/.gitkeep
|
|
99
|
+
- fixtures/rails_4_1_8/Gemfile
|
|
100
|
+
- fixtures/rails_4_1_8/README.rdoc
|
|
101
|
+
- fixtures/rails_4_1_8/Rakefile
|
|
102
|
+
- fixtures/rails_4_1_8/app/controllers/application_controller.rb
|
|
103
|
+
- fixtures/rails_4_1_8/app/controllers/concerns/.keep
|
|
104
|
+
- fixtures/rails_4_1_8/app/controllers/other_things_controller.rb
|
|
105
|
+
- fixtures/rails_4_1_8/app/controllers/things_controller.rb
|
|
106
|
+
- fixtures/rails_4_1_8/app/models/.keep
|
|
107
|
+
- fixtures/rails_4_1_8/app/models/concerns/.keep
|
|
108
|
+
- fixtures/rails_4_1_8/app/views/layouts/application.html.erb
|
|
109
|
+
- fixtures/rails_4_1_8/app/views/other_things/index.html.erb
|
|
110
|
+
- fixtures/rails_4_1_8/app/views/things/index.html.erb
|
|
111
|
+
- fixtures/rails_4_1_8/config.ru
|
|
112
|
+
- fixtures/rails_4_1_8/config/application.rb
|
|
113
|
+
- fixtures/rails_4_1_8/config/boot.rb
|
|
114
|
+
- fixtures/rails_4_1_8/config/environment.rb
|
|
115
|
+
- fixtures/rails_4_1_8/config/environments/test.rb
|
|
116
|
+
- fixtures/rails_4_1_8/config/initializers/secure_headers.rb
|
|
117
|
+
- fixtures/rails_4_1_8/config/routes.rb
|
|
118
|
+
- fixtures/rails_4_1_8/config/script_hashes.yml
|
|
119
|
+
- fixtures/rails_4_1_8/config/secrets.yml
|
|
120
|
+
- fixtures/rails_4_1_8/lib/assets/.keep
|
|
121
|
+
- fixtures/rails_4_1_8/lib/tasks/.keep
|
|
122
|
+
- fixtures/rails_4_1_8/log/.keep
|
|
123
|
+
- fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb
|
|
124
|
+
- fixtures/rails_4_1_8/spec/controllers/things_controller_spec.rb
|
|
125
|
+
- fixtures/rails_4_1_8/spec/spec_helper.rb
|
|
126
|
+
- fixtures/rails_4_1_8/vendor/assets/javascripts/.keep
|
|
127
|
+
- fixtures/rails_4_1_8/vendor/assets/stylesheets/.keep
|
|
133
128
|
- lib/secure_headers.rb
|
|
129
|
+
- lib/secure_headers/hash_helper.rb
|
|
134
130
|
- lib/secure_headers/header.rb
|
|
135
131
|
- lib/secure_headers/headers/content_security_policy.rb
|
|
132
|
+
- lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb
|
|
136
133
|
- lib/secure_headers/headers/strict_transport_security.rb
|
|
137
134
|
- lib/secure_headers/headers/x_content_type_options.rb
|
|
135
|
+
- lib/secure_headers/headers/x_download_options.rb
|
|
138
136
|
- lib/secure_headers/headers/x_frame_options.rb
|
|
137
|
+
- lib/secure_headers/headers/x_permitted_cross_domain_policies.rb
|
|
139
138
|
- lib/secure_headers/headers/x_xss_protection.rb
|
|
140
139
|
- lib/secure_headers/padrino.rb
|
|
141
140
|
- lib/secure_headers/railtie.rb
|
|
142
141
|
- lib/secure_headers/version.rb
|
|
142
|
+
- lib/secure_headers/view_helper.rb
|
|
143
|
+
- lib/tasks/tasks.rake
|
|
143
144
|
- secure_headers.gemspec
|
|
144
|
-
- spec/
|
|
145
|
+
- spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb
|
|
145
146
|
- spec/lib/secure_headers/headers/content_security_policy_spec.rb
|
|
146
147
|
- spec/lib/secure_headers/headers/strict_transport_security_spec.rb
|
|
147
148
|
- spec/lib/secure_headers/headers/x_content_type_options_spec.rb
|
|
149
|
+
- spec/lib/secure_headers/headers/x_download_options_spec.rb
|
|
148
150
|
- spec/lib/secure_headers/headers/x_frame_options_spec.rb
|
|
151
|
+
- spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
|
|
149
152
|
- spec/lib/secure_headers/headers/x_xss_protection_spec.rb
|
|
150
153
|
- spec/lib/secure_headers_spec.rb
|
|
151
154
|
- spec/spec_helper.rb
|
|
@@ -174,14 +177,16 @@ rubyforge_project:
|
|
|
174
177
|
rubygems_version: 1.8.23
|
|
175
178
|
signing_key:
|
|
176
179
|
specification_version: 3
|
|
177
|
-
summary: Add easily configured
|
|
178
|
-
|
|
180
|
+
summary: Add easily configured security headers to responses including content-security-policy,
|
|
181
|
+
x-frame-options, strict-transport-security, etc.
|
|
179
182
|
test_files:
|
|
180
|
-
- spec/
|
|
183
|
+
- spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb
|
|
181
184
|
- spec/lib/secure_headers/headers/content_security_policy_spec.rb
|
|
182
185
|
- spec/lib/secure_headers/headers/strict_transport_security_spec.rb
|
|
183
186
|
- spec/lib/secure_headers/headers/x_content_type_options_spec.rb
|
|
187
|
+
- spec/lib/secure_headers/headers/x_download_options_spec.rb
|
|
184
188
|
- spec/lib/secure_headers/headers/x_frame_options_spec.rb
|
|
189
|
+
- spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
|
|
185
190
|
- spec/lib/secure_headers/headers/x_xss_protection_spec.rb
|
|
186
191
|
- spec/lib/secure_headers_spec.rb
|
|
187
192
|
- spec/spec_helper.rb
|
data/Guardfile
DELETED
data/HISTORY.md
DELETED
|
@@ -1,155 +0,0 @@
|
|
|
1
|
-
1.3.3
|
|
2
|
-
======
|
|
3
|
-
|
|
4
|
-
@agl just made a new option for HSTS representing confirmation that a site wants to be included in a browser's preload list (https://hstspreload.appspot.com).
|
|
5
|
-
|
|
6
|
-
This just adds a new 'preload' option to the HSTS settings to specify that option.
|
|
7
|
-
|
|
8
|
-
1.3.2
|
|
9
|
-
======
|
|
10
|
-
|
|
11
|
-
Adds the ability to "tag" requests and a new config value: :app_name
|
|
12
|
-
|
|
13
|
-
{
|
|
14
|
-
:tag_report_uri => true,
|
|
15
|
-
:enforce => true,
|
|
16
|
-
:app_name => 'twitter',
|
|
17
|
-
:report_uri => 'csp_reports'
|
|
18
|
-
}
|
|
19
|
-
|
|
20
|
-
Results in
|
|
21
|
-
report-uri csp_reports?enforce=true&app_name=twitter
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
1.3.1
|
|
25
|
-
======
|
|
26
|
-
|
|
27
|
-
Bugfix release: same-origin detection would error out when the URL containined invalid values (like |)
|
|
28
|
-
|
|
29
|
-
1.3.0
|
|
30
|
-
======
|
|
31
|
-
|
|
32
|
-
- CSP nonce support was added back and is compliant.
|
|
33
|
-
- Bugs:
|
|
34
|
-
-- enforce, disable_fill_missing, and disable_chrome_extension did not accept lambdas for no good reason
|
|
35
|
-
-- IF a default-src was specified, and an img-src was not, and disable_fill_missing was true, the img-src value would be :data
|
|
36
|
-
|
|
37
|
-
1.2.0
|
|
38
|
-
======
|
|
39
|
-
- Allow procs to be used as config values.
|
|
40
|
-
|
|
41
|
-
1.1.1
|
|
42
|
-
======
|
|
43
|
-
|
|
44
|
-
Bug fix release.
|
|
45
|
-
- Parsing of CSP reports was busted.
|
|
46
|
-
- Forwarded reports did not include the original referer, ip, UA
|
|
47
|
-
|
|
48
|
-
1.1.0
|
|
49
|
-
======
|
|
50
|
-
|
|
51
|
-
- Remove brwsr dependency (no more runtime dependencies)
|
|
52
|
-
- Stop serving X- prefixed CSP headers
|
|
53
|
-
|
|
54
|
-
This change means that all requests get all headers, even if the browser doesn't grok it.
|
|
55
|
-
|
|
56
|
-
1.0.0
|
|
57
|
-
======
|
|
58
|
-
|
|
59
|
-
Features:
|
|
60
|
-
|
|
61
|
-
- Use non-prefixed header names for Firefox >= 23, Chrome >= 25
|
|
62
|
-
- Use csp 1.0 compliant header for firefox >= 23
|
|
63
|
-
|
|
64
|
-
Bug Fix:
|
|
65
|
-
|
|
66
|
-
- Stop sending CSP on safari 5.1+
|
|
67
|
-
|
|
68
|
-
0.5.0
|
|
69
|
-
======
|
|
70
|
-
|
|
71
|
-
- X-Content-Type-Options also applied to Chrome requests
|
|
72
|
-
|
|
73
|
-
0.4.3
|
|
74
|
-
======
|
|
75
|
-
|
|
76
|
-
- Safari 5 is just completely broken when CSP is used, both mobile and desktop versions
|
|
77
|
-
|
|
78
|
-
0.4.2
|
|
79
|
-
======
|
|
80
|
-
|
|
81
|
-
- Stupid bug where Fixnums couldn't be used for config values
|
|
82
|
-
- Doc updates
|
|
83
|
-
|
|
84
|
-
0.4.1
|
|
85
|
-
======
|
|
86
|
-
|
|
87
|
-
- Allow strings or ints in the HSTS max-age (@reedloden)
|
|
88
|
-
|
|
89
|
-
0.4.0
|
|
90
|
-
=======
|
|
91
|
-
|
|
92
|
-
- Treat each header as it's own before_filter. This allows you to `skip_before_filter :set_X_header, :only => :bad_idea
|
|
93
|
-
- Should be backwards compatible, but it is a change to the API.
|
|
94
|
-
|
|
95
|
-
0.3.0
|
|
96
|
-
=======
|
|
97
|
-
|
|
98
|
-
- Greatly reduce the need to use the forward_endpoint attribute. If you are posting from your site to a host that matches TLD+1 (e.g. translate.twitter.com matches twitter.com), use a protocol relative value for report-uri. This will alleviate the need to use forwarding. If your host doesn't match, you still need to use forwarding due to host mismatches for Firefox.
|
|
99
|
-
|
|
100
|
-
0.2.3
|
|
101
|
-
=======
|
|
102
|
-
|
|
103
|
-
- Fix error in report-uri logic for Firefox forwarding.
|
|
104
|
-
|
|
105
|
-
0.2.2
|
|
106
|
-
=======
|
|
107
|
-
|
|
108
|
-
- Stop applying chrome-extension: to Firefox directives.
|
|
109
|
-
|
|
110
|
-
0.2.1
|
|
111
|
-
=======
|
|
112
|
-
|
|
113
|
-
- Firefox headers will now stop overriding report_uri when only a path is supplied
|
|
114
|
-
|
|
115
|
-
0.2.0
|
|
116
|
-
=======
|
|
117
|
-
|
|
118
|
-
- 0.1.0 introduced a serious regression in which child controllers overwrote parent controller config values
|
|
119
|
-
- Decoupling of CSP headers and the request object. Allows you to generate static values to save cycles:
|
|
120
|
-
|
|
121
|
-
```ruby
|
|
122
|
-
FIREFOX = SecureHeaders::ContentSecurityPolicy.new(config, :ua => "Firefox", :ssl => true).value
|
|
123
|
-
CHROME = SecureHeaders::ContentSecurityPolicy.new(config, :ua => "Chrome", :ssl => true).value
|
|
124
|
-
```
|
|
125
|
-
- :forward_endpoint now acts as the endpoint that reports are forwarded to (when using the internal forwarder feature for cross-host reporting)
|
|
126
|
-
- Skeleton applications have been added to test isolated application configurations
|
|
127
|
-
- Cleanup by @bemurphy
|
|
128
|
-
|
|
129
|
-
0.1.1
|
|
130
|
-
=======
|
|
131
|
-
|
|
132
|
-
Bug fix. Firefox doesn't seem to like the default-src directive, reverting back to 'allow'
|
|
133
|
-
|
|
134
|
-
0.1.0
|
|
135
|
-
=======
|
|
136
|
-
|
|
137
|
-
Notes:
|
|
138
|
-
------
|
|
139
|
-
|
|
140
|
-
- Gem is renamed to secure_headers. This will make bundler happy. https://github.com/twitter/secureheaders/pull/26
|
|
141
|
-
|
|
142
|
-
Features:
|
|
143
|
-
------
|
|
144
|
-
|
|
145
|
-
- ability to apply two headers, one in enforce mode, one in "experimental" mode https://github.com/twitter/secureheaders/pull/11
|
|
146
|
-
- Rails 3.0 support https://github.com/twitter/secureheaders/pull/28
|
|
147
|
-
|
|
148
|
-
Bug fixes, misc:
|
|
149
|
-
------
|
|
150
|
-
|
|
151
|
-
- Fix issue where settings in application_controller were ignored if no intializer was supplied https://github.com/twitter/secureheaders/pull/25
|
|
152
|
-
- Better support for other frameworks, including docs from @achui, @bmaland
|
|
153
|
-
- Rails 4 routes support from @jviney https://github.com/twitter/secureheaders/pull/13
|
|
154
|
-
- data: automatically whitelisted for img-src
|
|
155
|
-
- Doc updates from @ming13, @theverything, @dcollazo
|
|
@@ -1,75 +0,0 @@
|
|
|
1
|
-
require 'net/https'
|
|
2
|
-
require 'openssl'
|
|
3
|
-
|
|
4
|
-
class ContentSecurityPolicyController < ActionController::Base
|
|
5
|
-
CA_FILE = File.expand_path(File.join('..','..', '..', 'config', 'curl-ca-bundle.crt'), __FILE__)
|
|
6
|
-
|
|
7
|
-
def scribe
|
|
8
|
-
csp = ::SecureHeaders::Configuration.csp || {}
|
|
9
|
-
|
|
10
|
-
forward_endpoint = csp[:forward_endpoint]
|
|
11
|
-
if forward_endpoint
|
|
12
|
-
forward_params_to(forward_endpoint)
|
|
13
|
-
end
|
|
14
|
-
|
|
15
|
-
head :ok
|
|
16
|
-
rescue StandardError => e
|
|
17
|
-
log_warning(forward_endpoint, e)
|
|
18
|
-
head :bad_request
|
|
19
|
-
end
|
|
20
|
-
|
|
21
|
-
private
|
|
22
|
-
|
|
23
|
-
def forward_params_to(forward_endpoint)
|
|
24
|
-
uri = URI.parse(forward_endpoint)
|
|
25
|
-
http = Net::HTTP.new(uri.host, uri.port)
|
|
26
|
-
if uri.scheme == 'https'
|
|
27
|
-
use_ssl(http)
|
|
28
|
-
end
|
|
29
|
-
|
|
30
|
-
if request.content_type == "application/csp-report"
|
|
31
|
-
request.body.rewind
|
|
32
|
-
params.merge!(ActiveSupport::JSON.decode(request.body.read))
|
|
33
|
-
end
|
|
34
|
-
|
|
35
|
-
ua = request.user_agent
|
|
36
|
-
xff = forwarded_for
|
|
37
|
-
|
|
38
|
-
request = Net::HTTP::Post.new(uri.to_s)
|
|
39
|
-
request.initialize_http_header({
|
|
40
|
-
'User-Agent' => ua,
|
|
41
|
-
'X-Forwarded-For' => xff,
|
|
42
|
-
'Content-Type' => 'application/json',
|
|
43
|
-
})
|
|
44
|
-
request.body = params.to_json
|
|
45
|
-
|
|
46
|
-
# fire and forget
|
|
47
|
-
if defined?(Delayed::Job)
|
|
48
|
-
http.delay.request(request)
|
|
49
|
-
else
|
|
50
|
-
http.request(request)
|
|
51
|
-
end
|
|
52
|
-
end
|
|
53
|
-
|
|
54
|
-
def forwarded_for
|
|
55
|
-
req_xff = request.env["HTTP_X_FORWARDED_FOR"]
|
|
56
|
-
if req_xff && req_xff != ""
|
|
57
|
-
"#{req_xff}, #{request.remote_ip}"
|
|
58
|
-
else
|
|
59
|
-
request.remote_ip
|
|
60
|
-
end
|
|
61
|
-
end
|
|
62
|
-
|
|
63
|
-
def use_ssl request
|
|
64
|
-
request.use_ssl = true
|
|
65
|
-
request.ca_file = CA_FILE
|
|
66
|
-
request.verify_mode = OpenSSL::SSL::VERIFY_PEER
|
|
67
|
-
request.verify_depth = 9
|
|
68
|
-
end
|
|
69
|
-
|
|
70
|
-
def log_warning(forward_endpoint, e)
|
|
71
|
-
if defined?(Rails.logger)
|
|
72
|
-
Rails.logger.warn("Unable to POST CSP report to #{forward_endpoint} because #{e}")
|
|
73
|
-
end
|
|
74
|
-
end
|
|
75
|
-
end
|