secure_headers 1.3.4 → 2.0.0.pre
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +5 -13
- data/.gitignore +4 -8
- data/.travis.yml +0 -3
- data/Gemfile +4 -5
- data/Guardfile +4 -2
- data/README.md +102 -48
- data/Rakefile +0 -116
- data/fixtures/rails_3_2_12/Gemfile +0 -5
- data/fixtures/rails_3_2_12/app/controllers/things_controller.rb +0 -1
- data/fixtures/rails_3_2_12/app/views/layouts/application.html.erb +1 -4
- data/fixtures/rails_3_2_12/app/views/other_things/index.html.erb +2 -1
- data/fixtures/rails_3_2_12/config/application.rb +0 -54
- data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +1 -1
- data/fixtures/rails_3_2_12/config/routes.rb +0 -57
- data/fixtures/rails_3_2_12/config/script_hashes.yml +5 -0
- data/fixtures/rails_3_2_12/config.ru +3 -0
- data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +50 -18
- data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +1 -1
- data/fixtures/rails_3_2_12_no_init/Gemfile +0 -6
- data/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb +1 -2
- data/fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb +1 -1
- data/fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb +0 -2
- data/fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb +0 -21
- data/fixtures/rails_3_2_12_no_init/config/application.rb +0 -48
- data/fixtures/rails_3_2_12_no_init/config/routes.rb +0 -57
- data/lib/secure_headers/hash_helper.rb +7 -0
- data/lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb +22 -0
- data/lib/secure_headers/headers/content_security_policy.rb +141 -133
- data/lib/secure_headers/railtie.rb +0 -22
- data/lib/secure_headers/version.rb +1 -1
- data/lib/secure_headers/view_helper.rb +68 -0
- data/lib/secure_headers.rb +50 -16
- data/lib/tasks/tasks.rake +48 -0
- data/spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb +47 -0
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +83 -208
- data/spec/lib/secure_headers_spec.rb +16 -62
- data/spec/spec_helper.rb +25 -1
- metadata +19 -40
- data/HISTORY.md +0 -162
- data/app/controllers/content_security_policy_controller.rb +0 -75
- data/config/curl-ca-bundle.crt +0 -5420
- data/config/routes.rb +0 -3
- data/fixtures/rails_3_2_12/config/environments/development.rb +0 -37
- data/fixtures/rails_3_2_12/config/environments/production.rb +0 -67
- data/fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb +0 -7
- data/fixtures/rails_3_2_12/config/initializers/inflections.rb +0 -15
- data/fixtures/rails_3_2_12/config/initializers/mime_types.rb +0 -5
- data/fixtures/rails_3_2_12/config/initializers/secret_token.rb +0 -7
- data/fixtures/rails_3_2_12/config/initializers/session_store.rb +0 -8
- data/fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb +0 -14
- data/fixtures/rails_3_2_12/config/locales/en.yml +0 -5
- data/fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb +0 -17
- data/fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb +0 -6
- data/fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb +0 -5
- data/fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb +0 -5
- data/fixtures/rails_3_2_12_no_init/config/environments/development.rb +0 -37
- data/fixtures/rails_3_2_12_no_init/config/environments/production.rb +0 -67
- data/fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb +0 -7
- data/fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb +0 -15
- data/fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb +0 -5
- data/fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb +0 -7
- data/fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb +0 -8
- data/fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb +0 -14
- data/fixtures/rails_3_2_12_no_init/config/locales/en.yml +0 -5
- data/spec/controllers/content_security_policy_controller_spec.rb +0 -90
metadata
CHANGED
|
@@ -1,27 +1,27 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version:
|
|
4
|
+
version: 2.0.0.pre
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2014-
|
|
11
|
+
date: 2014-11-14 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|
|
15
15
|
requirement: !ruby/object:Gem::Requirement
|
|
16
16
|
requirements:
|
|
17
|
-
- -
|
|
17
|
+
- - ">="
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
19
|
version: '0'
|
|
20
20
|
type: :development
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
|
-
- -
|
|
24
|
+
- - ">="
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
26
|
version: '0'
|
|
27
27
|
description: Add easily configured browser headers to responses.
|
|
@@ -31,19 +31,15 @@ executables: []
|
|
|
31
31
|
extensions: []
|
|
32
32
|
extra_rdoc_files: []
|
|
33
33
|
files:
|
|
34
|
-
- .gitignore
|
|
35
|
-
- .ruby-gemset
|
|
36
|
-
- .ruby-version
|
|
37
|
-
- .travis.yml
|
|
34
|
+
- ".gitignore"
|
|
35
|
+
- ".ruby-gemset"
|
|
36
|
+
- ".ruby-version"
|
|
37
|
+
- ".travis.yml"
|
|
38
38
|
- Gemfile
|
|
39
39
|
- Guardfile
|
|
40
|
-
- HISTORY.md
|
|
41
40
|
- LICENSE
|
|
42
41
|
- README.md
|
|
43
42
|
- Rakefile
|
|
44
|
-
- app/controllers/content_security_policy_controller.rb
|
|
45
|
-
- config/curl-ca-bundle.crt
|
|
46
|
-
- config/routes.rb
|
|
47
43
|
- fixtures/rails_3_2_12/.rspec
|
|
48
44
|
- fixtures/rails_3_2_12/Gemfile
|
|
49
45
|
- fixtures/rails_3_2_12/README.rdoc
|
|
@@ -59,18 +55,10 @@ files:
|
|
|
59
55
|
- fixtures/rails_3_2_12/config/application.rb
|
|
60
56
|
- fixtures/rails_3_2_12/config/boot.rb
|
|
61
57
|
- fixtures/rails_3_2_12/config/environment.rb
|
|
62
|
-
- fixtures/rails_3_2_12/config/environments/development.rb
|
|
63
|
-
- fixtures/rails_3_2_12/config/environments/production.rb
|
|
64
58
|
- fixtures/rails_3_2_12/config/environments/test.rb
|
|
65
|
-
- fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb
|
|
66
|
-
- fixtures/rails_3_2_12/config/initializers/inflections.rb
|
|
67
|
-
- fixtures/rails_3_2_12/config/initializers/mime_types.rb
|
|
68
|
-
- fixtures/rails_3_2_12/config/initializers/secret_token.rb
|
|
69
59
|
- fixtures/rails_3_2_12/config/initializers/secure_headers.rb
|
|
70
|
-
- fixtures/rails_3_2_12/config/initializers/session_store.rb
|
|
71
|
-
- fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb
|
|
72
|
-
- fixtures/rails_3_2_12/config/locales/en.yml
|
|
73
60
|
- fixtures/rails_3_2_12/config/routes.rb
|
|
61
|
+
- fixtures/rails_3_2_12/config/script_hashes.yml
|
|
74
62
|
- fixtures/rails_3_2_12/lib/assets/.gitkeep
|
|
75
63
|
- fixtures/rails_3_2_12/lib/tasks/.gitkeep
|
|
76
64
|
- fixtures/rails_3_2_12/log/.gitkeep
|
|
@@ -90,25 +78,12 @@ files:
|
|
|
90
78
|
- fixtures/rails_3_2_12_no_init/app/models/.gitkeep
|
|
91
79
|
- fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb
|
|
92
80
|
- fixtures/rails_3_2_12_no_init/app/views/other_things/index.html.erb
|
|
93
|
-
- fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb
|
|
94
|
-
- fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb
|
|
95
81
|
- fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb
|
|
96
|
-
- fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb
|
|
97
|
-
- fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb
|
|
98
82
|
- fixtures/rails_3_2_12_no_init/config.ru
|
|
99
83
|
- fixtures/rails_3_2_12_no_init/config/application.rb
|
|
100
84
|
- fixtures/rails_3_2_12_no_init/config/boot.rb
|
|
101
85
|
- fixtures/rails_3_2_12_no_init/config/environment.rb
|
|
102
|
-
- fixtures/rails_3_2_12_no_init/config/environments/development.rb
|
|
103
|
-
- fixtures/rails_3_2_12_no_init/config/environments/production.rb
|
|
104
86
|
- fixtures/rails_3_2_12_no_init/config/environments/test.rb
|
|
105
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb
|
|
106
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb
|
|
107
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb
|
|
108
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb
|
|
109
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb
|
|
110
|
-
- fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb
|
|
111
|
-
- fixtures/rails_3_2_12_no_init/config/locales/en.yml
|
|
112
87
|
- fixtures/rails_3_2_12_no_init/config/routes.rb
|
|
113
88
|
- fixtures/rails_3_2_12_no_init/lib/assets/.gitkeep
|
|
114
89
|
- fixtures/rails_3_2_12_no_init/lib/tasks/.gitkeep
|
|
@@ -120,8 +95,10 @@ files:
|
|
|
120
95
|
- fixtures/rails_3_2_12_no_init/vendor/assets/stylesheets/.gitkeep
|
|
121
96
|
- fixtures/rails_3_2_12_no_init/vendor/plugins/.gitkeep
|
|
122
97
|
- lib/secure_headers.rb
|
|
98
|
+
- lib/secure_headers/hash_helper.rb
|
|
123
99
|
- lib/secure_headers/header.rb
|
|
124
100
|
- lib/secure_headers/headers/content_security_policy.rb
|
|
101
|
+
- lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb
|
|
125
102
|
- lib/secure_headers/headers/strict_transport_security.rb
|
|
126
103
|
- lib/secure_headers/headers/x_content_type_options.rb
|
|
127
104
|
- lib/secure_headers/headers/x_download_options.rb
|
|
@@ -130,8 +107,10 @@ files:
|
|
|
130
107
|
- lib/secure_headers/padrino.rb
|
|
131
108
|
- lib/secure_headers/railtie.rb
|
|
132
109
|
- lib/secure_headers/version.rb
|
|
110
|
+
- lib/secure_headers/view_helper.rb
|
|
111
|
+
- lib/tasks/tasks.rake
|
|
133
112
|
- secure_headers.gemspec
|
|
134
|
-
- spec/
|
|
113
|
+
- spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb
|
|
135
114
|
- spec/lib/secure_headers/headers/content_security_policy_spec.rb
|
|
136
115
|
- spec/lib/secure_headers/headers/strict_transport_security_spec.rb
|
|
137
116
|
- spec/lib/secure_headers/headers/x_content_type_options_spec.rb
|
|
@@ -151,23 +130,23 @@ require_paths:
|
|
|
151
130
|
- lib
|
|
152
131
|
required_ruby_version: !ruby/object:Gem::Requirement
|
|
153
132
|
requirements:
|
|
154
|
-
- -
|
|
133
|
+
- - ">="
|
|
155
134
|
- !ruby/object:Gem::Version
|
|
156
135
|
version: '0'
|
|
157
136
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
158
137
|
requirements:
|
|
159
|
-
- -
|
|
138
|
+
- - ">"
|
|
160
139
|
- !ruby/object:Gem::Version
|
|
161
|
-
version:
|
|
140
|
+
version: 1.3.1
|
|
162
141
|
requirements: []
|
|
163
142
|
rubyforge_project:
|
|
164
|
-
rubygems_version: 2.
|
|
143
|
+
rubygems_version: 2.2.2
|
|
165
144
|
signing_key:
|
|
166
145
|
specification_version: 4
|
|
167
146
|
summary: Add easily configured browser headers to responses including content security
|
|
168
147
|
policy, x-frame-options, strict-transport-security and more.
|
|
169
148
|
test_files:
|
|
170
|
-
- spec/
|
|
149
|
+
- spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb
|
|
171
150
|
- spec/lib/secure_headers/headers/content_security_policy_spec.rb
|
|
172
151
|
- spec/lib/secure_headers/headers/strict_transport_security_spec.rb
|
|
173
152
|
- spec/lib/secure_headers/headers/x_content_type_options_spec.rb
|
data/HISTORY.md
DELETED
|
@@ -1,162 +0,0 @@
|
|
|
1
|
-
1.3.4
|
|
2
|
-
======
|
|
3
|
-
|
|
4
|
-
* Adds X-Download-Options support
|
|
5
|
-
* Adds support for X-XSS-Protection reporting
|
|
6
|
-
* Defers loading of rails engine for faster boot times
|
|
7
|
-
|
|
8
|
-
1.3.3
|
|
9
|
-
======
|
|
10
|
-
|
|
11
|
-
@agl just made a new option for HSTS representing confirmation that a site wants to be included in a browser's preload list (https://hstspreload.appspot.com).
|
|
12
|
-
|
|
13
|
-
This just adds a new 'preload' option to the HSTS settings to specify that option.
|
|
14
|
-
|
|
15
|
-
1.3.2
|
|
16
|
-
======
|
|
17
|
-
|
|
18
|
-
Adds the ability to "tag" requests and a new config value: :app_name
|
|
19
|
-
|
|
20
|
-
{
|
|
21
|
-
:tag_report_uri => true,
|
|
22
|
-
:enforce => true,
|
|
23
|
-
:app_name => 'twitter',
|
|
24
|
-
:report_uri => 'csp_reports'
|
|
25
|
-
}
|
|
26
|
-
|
|
27
|
-
Results in
|
|
28
|
-
report-uri csp_reports?enforce=true&app_name=twitter
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
1.3.1
|
|
32
|
-
======
|
|
33
|
-
|
|
34
|
-
Bugfix release: same-origin detection would error out when the URL containined invalid values (like |)
|
|
35
|
-
|
|
36
|
-
1.3.0
|
|
37
|
-
======
|
|
38
|
-
|
|
39
|
-
- CSP nonce support was added back and is compliant.
|
|
40
|
-
- Bugs:
|
|
41
|
-
-- enforce, disable_fill_missing, and disable_chrome_extension did not accept lambdas for no good reason
|
|
42
|
-
-- IF a default-src was specified, and an img-src was not, and disable_fill_missing was true, the img-src value would be :data
|
|
43
|
-
|
|
44
|
-
1.2.0
|
|
45
|
-
======
|
|
46
|
-
- Allow procs to be used as config values.
|
|
47
|
-
|
|
48
|
-
1.1.1
|
|
49
|
-
======
|
|
50
|
-
|
|
51
|
-
Bug fix release.
|
|
52
|
-
- Parsing of CSP reports was busted.
|
|
53
|
-
- Forwarded reports did not include the original referer, ip, UA
|
|
54
|
-
|
|
55
|
-
1.1.0
|
|
56
|
-
======
|
|
57
|
-
|
|
58
|
-
- Remove brwsr dependency (no more runtime dependencies)
|
|
59
|
-
- Stop serving X- prefixed CSP headers
|
|
60
|
-
|
|
61
|
-
This change means that all requests get all headers, even if the browser doesn't grok it.
|
|
62
|
-
|
|
63
|
-
1.0.0
|
|
64
|
-
======
|
|
65
|
-
|
|
66
|
-
Features:
|
|
67
|
-
|
|
68
|
-
- Use non-prefixed header names for Firefox >= 23, Chrome >= 25
|
|
69
|
-
- Use csp 1.0 compliant header for firefox >= 23
|
|
70
|
-
|
|
71
|
-
Bug Fix:
|
|
72
|
-
|
|
73
|
-
- Stop sending CSP on safari 5.1+
|
|
74
|
-
|
|
75
|
-
0.5.0
|
|
76
|
-
======
|
|
77
|
-
|
|
78
|
-
- X-Content-Type-Options also applied to Chrome requests
|
|
79
|
-
|
|
80
|
-
0.4.3
|
|
81
|
-
======
|
|
82
|
-
|
|
83
|
-
- Safari 5 is just completely broken when CSP is used, both mobile and desktop versions
|
|
84
|
-
|
|
85
|
-
0.4.2
|
|
86
|
-
======
|
|
87
|
-
|
|
88
|
-
- Stupid bug where Fixnums couldn't be used for config values
|
|
89
|
-
- Doc updates
|
|
90
|
-
|
|
91
|
-
0.4.1
|
|
92
|
-
======
|
|
93
|
-
|
|
94
|
-
- Allow strings or ints in the HSTS max-age (@reedloden)
|
|
95
|
-
|
|
96
|
-
0.4.0
|
|
97
|
-
=======
|
|
98
|
-
|
|
99
|
-
- Treat each header as it's own before_filter. This allows you to `skip_before_filter :set_X_header, :only => :bad_idea
|
|
100
|
-
- Should be backwards compatible, but it is a change to the API.
|
|
101
|
-
|
|
102
|
-
0.3.0
|
|
103
|
-
=======
|
|
104
|
-
|
|
105
|
-
- Greatly reduce the need to use the forward_endpoint attribute. If you are posting from your site to a host that matches TLD+1 (e.g. translate.twitter.com matches twitter.com), use a protocol relative value for report-uri. This will alleviate the need to use forwarding. If your host doesn't match, you still need to use forwarding due to host mismatches for Firefox.
|
|
106
|
-
|
|
107
|
-
0.2.3
|
|
108
|
-
=======
|
|
109
|
-
|
|
110
|
-
- Fix error in report-uri logic for Firefox forwarding.
|
|
111
|
-
|
|
112
|
-
0.2.2
|
|
113
|
-
=======
|
|
114
|
-
|
|
115
|
-
- Stop applying chrome-extension: to Firefox directives.
|
|
116
|
-
|
|
117
|
-
0.2.1
|
|
118
|
-
=======
|
|
119
|
-
|
|
120
|
-
- Firefox headers will now stop overriding report_uri when only a path is supplied
|
|
121
|
-
|
|
122
|
-
0.2.0
|
|
123
|
-
=======
|
|
124
|
-
|
|
125
|
-
- 0.1.0 introduced a serious regression in which child controllers overwrote parent controller config values
|
|
126
|
-
- Decoupling of CSP headers and the request object. Allows you to generate static values to save cycles:
|
|
127
|
-
|
|
128
|
-
```ruby
|
|
129
|
-
FIREFOX = SecureHeaders::ContentSecurityPolicy.new(config, :ua => "Firefox", :ssl => true).value
|
|
130
|
-
CHROME = SecureHeaders::ContentSecurityPolicy.new(config, :ua => "Chrome", :ssl => true).value
|
|
131
|
-
```
|
|
132
|
-
- :forward_endpoint now acts as the endpoint that reports are forwarded to (when using the internal forwarder feature for cross-host reporting)
|
|
133
|
-
- Skeleton applications have been added to test isolated application configurations
|
|
134
|
-
- Cleanup by @bemurphy
|
|
135
|
-
|
|
136
|
-
0.1.1
|
|
137
|
-
=======
|
|
138
|
-
|
|
139
|
-
Bug fix. Firefox doesn't seem to like the default-src directive, reverting back to 'allow'
|
|
140
|
-
|
|
141
|
-
0.1.0
|
|
142
|
-
=======
|
|
143
|
-
|
|
144
|
-
Notes:
|
|
145
|
-
------
|
|
146
|
-
|
|
147
|
-
- Gem is renamed to secure_headers. This will make bundler happy. https://github.com/twitter/secureheaders/pull/26
|
|
148
|
-
|
|
149
|
-
Features:
|
|
150
|
-
------
|
|
151
|
-
|
|
152
|
-
- ability to apply two headers, one in enforce mode, one in "experimental" mode https://github.com/twitter/secureheaders/pull/11
|
|
153
|
-
- Rails 3.0 support https://github.com/twitter/secureheaders/pull/28
|
|
154
|
-
|
|
155
|
-
Bug fixes, misc:
|
|
156
|
-
------
|
|
157
|
-
|
|
158
|
-
- Fix issue where settings in application_controller were ignored if no intializer was supplied https://github.com/twitter/secureheaders/pull/25
|
|
159
|
-
- Better support for other frameworks, including docs from @achui, @bmaland
|
|
160
|
-
- Rails 4 routes support from @jviney https://github.com/twitter/secureheaders/pull/13
|
|
161
|
-
- data: automatically whitelisted for img-src
|
|
162
|
-
- Doc updates from @ming13, @theverything, @dcollazo
|
|
@@ -1,75 +0,0 @@
|
|
|
1
|
-
require 'net/https'
|
|
2
|
-
require 'openssl'
|
|
3
|
-
|
|
4
|
-
class ContentSecurityPolicyController < ActionController::Base
|
|
5
|
-
CA_FILE = File.expand_path(File.join('..','..', '..', 'config', 'curl-ca-bundle.crt'), __FILE__)
|
|
6
|
-
|
|
7
|
-
def scribe
|
|
8
|
-
csp = ::SecureHeaders::Configuration.csp || {}
|
|
9
|
-
|
|
10
|
-
forward_endpoint = csp[:forward_endpoint]
|
|
11
|
-
if forward_endpoint
|
|
12
|
-
forward_params_to(forward_endpoint)
|
|
13
|
-
end
|
|
14
|
-
|
|
15
|
-
head :ok
|
|
16
|
-
rescue StandardError => e
|
|
17
|
-
log_warning(forward_endpoint, e)
|
|
18
|
-
head :bad_request
|
|
19
|
-
end
|
|
20
|
-
|
|
21
|
-
private
|
|
22
|
-
|
|
23
|
-
def forward_params_to(forward_endpoint)
|
|
24
|
-
uri = URI.parse(forward_endpoint)
|
|
25
|
-
http = Net::HTTP.new(uri.host, uri.port)
|
|
26
|
-
if uri.scheme == 'https'
|
|
27
|
-
use_ssl(http)
|
|
28
|
-
end
|
|
29
|
-
|
|
30
|
-
if request.content_type == "application/csp-report"
|
|
31
|
-
request.body.rewind
|
|
32
|
-
params.merge!(ActiveSupport::JSON.decode(request.body.read))
|
|
33
|
-
end
|
|
34
|
-
|
|
35
|
-
ua = request.user_agent
|
|
36
|
-
xff = forwarded_for
|
|
37
|
-
|
|
38
|
-
request = Net::HTTP::Post.new(uri.to_s)
|
|
39
|
-
request.initialize_http_header({
|
|
40
|
-
'User-Agent' => ua,
|
|
41
|
-
'X-Forwarded-For' => xff,
|
|
42
|
-
'Content-Type' => 'application/json',
|
|
43
|
-
})
|
|
44
|
-
request.body = params.to_json
|
|
45
|
-
|
|
46
|
-
# fire and forget
|
|
47
|
-
if defined?(Delayed::Job)
|
|
48
|
-
http.delay.request(request)
|
|
49
|
-
else
|
|
50
|
-
http.request(request)
|
|
51
|
-
end
|
|
52
|
-
end
|
|
53
|
-
|
|
54
|
-
def forwarded_for
|
|
55
|
-
req_xff = request.env["HTTP_X_FORWARDED_FOR"]
|
|
56
|
-
if req_xff && req_xff != ""
|
|
57
|
-
"#{req_xff}, #{request.remote_ip}"
|
|
58
|
-
else
|
|
59
|
-
request.remote_ip
|
|
60
|
-
end
|
|
61
|
-
end
|
|
62
|
-
|
|
63
|
-
def use_ssl request
|
|
64
|
-
request.use_ssl = true
|
|
65
|
-
request.ca_file = CA_FILE
|
|
66
|
-
request.verify_mode = OpenSSL::SSL::VERIFY_PEER
|
|
67
|
-
request.verify_depth = 9
|
|
68
|
-
end
|
|
69
|
-
|
|
70
|
-
def log_warning(forward_endpoint, e)
|
|
71
|
-
if defined?(Rails.logger)
|
|
72
|
-
Rails.logger.warn("Unable to POST CSP report to #{forward_endpoint} because #{e}")
|
|
73
|
-
end
|
|
74
|
-
end
|
|
75
|
-
end
|