secure_headers 1.3.4 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (100) hide show
  1. data/.gitignore +4 -8
  2. data/.travis.yml +7 -4
  3. data/Gemfile +6 -7
  4. data/README.md +115 -79
  5. data/Rakefile +11 -116
  6. data/fixtures/rails_3_2_12/Gemfile +0 -5
  7. data/fixtures/rails_3_2_12/app/controllers/things_controller.rb +0 -1
  8. data/fixtures/rails_3_2_12/app/views/layouts/application.html.erb +1 -4
  9. data/fixtures/rails_3_2_12/app/views/other_things/index.html.erb +2 -1
  10. data/fixtures/rails_3_2_12/config/application.rb +0 -54
  11. data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +2 -1
  12. data/fixtures/rails_3_2_12/config/routes.rb +0 -57
  13. data/fixtures/rails_3_2_12/config/script_hashes.yml +5 -0
  14. data/fixtures/rails_3_2_12/config.ru +3 -0
  15. data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +55 -18
  16. data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +6 -1
  17. data/fixtures/rails_3_2_12_no_init/Gemfile +0 -6
  18. data/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb +1 -2
  19. data/fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb +1 -1
  20. data/fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb +0 -2
  21. data/fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb +0 -21
  22. data/fixtures/rails_3_2_12_no_init/config/application.rb +0 -48
  23. data/fixtures/rails_3_2_12_no_init/config/routes.rb +0 -57
  24. data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +5 -0
  25. data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +5 -0
  26. data/fixtures/rails_4_1_8/Gemfile +5 -0
  27. data/fixtures/rails_4_1_8/README.rdoc +28 -0
  28. data/fixtures/rails_4_1_8/Rakefile +6 -0
  29. data/fixtures/rails_4_1_8/app/controllers/application_controller.rb +4 -0
  30. data/fixtures/rails_4_1_8/app/controllers/concerns/.keep +0 -0
  31. data/fixtures/rails_4_1_8/app/controllers/other_things_controller.rb +5 -0
  32. data/fixtures/rails_4_1_8/app/controllers/things_controller.rb +5 -0
  33. data/fixtures/rails_4_1_8/app/models/.keep +0 -0
  34. data/fixtures/rails_4_1_8/app/models/concerns/.keep +0 -0
  35. data/fixtures/rails_4_1_8/app/views/layouts/application.html.erb +11 -0
  36. data/fixtures/rails_4_1_8/app/views/other_things/index.html.erb +2 -0
  37. data/fixtures/rails_4_1_8/app/views/things/index.html.erb +1 -0
  38. data/fixtures/rails_4_1_8/config/application.rb +15 -0
  39. data/fixtures/rails_4_1_8/config/boot.rb +4 -0
  40. data/fixtures/rails_4_1_8/config/environment.rb +5 -0
  41. data/fixtures/rails_4_1_8/config/environments/test.rb +10 -0
  42. data/fixtures/rails_4_1_8/config/initializers/secure_headers.rb +17 -0
  43. data/fixtures/rails_4_1_8/config/routes.rb +4 -0
  44. data/fixtures/rails_4_1_8/config/script_hashes.yml +5 -0
  45. data/fixtures/rails_4_1_8/config/secrets.yml +22 -0
  46. data/fixtures/rails_4_1_8/config.ru +4 -0
  47. data/fixtures/rails_4_1_8/lib/assets/.keep +0 -0
  48. data/fixtures/rails_4_1_8/lib/tasks/.keep +0 -0
  49. data/fixtures/rails_4_1_8/log/.keep +0 -0
  50. data/fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb +83 -0
  51. data/fixtures/rails_4_1_8/spec/controllers/things_controller_spec.rb +59 -0
  52. data/fixtures/rails_4_1_8/spec/spec_helper.rb +15 -0
  53. data/fixtures/rails_4_1_8/vendor/assets/javascripts/.keep +0 -0
  54. data/fixtures/rails_4_1_8/vendor/assets/stylesheets/.keep +0 -0
  55. data/lib/secure_headers/hash_helper.rb +7 -0
  56. data/lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb +22 -0
  57. data/lib/secure_headers/headers/content_security_policy.rb +141 -133
  58. data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +40 -0
  59. data/lib/secure_headers/railtie.rb +13 -22
  60. data/lib/secure_headers/version.rb +1 -1
  61. data/lib/secure_headers/view_helper.rb +68 -0
  62. data/lib/secure_headers.rb +58 -16
  63. data/lib/tasks/tasks.rake +48 -0
  64. data/secure_headers.gemspec +4 -4
  65. data/spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb +47 -0
  66. data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +83 -208
  67. data/spec/lib/secure_headers/headers/x_download_options_spec.rb +1 -1
  68. data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb +64 -0
  69. data/spec/lib/secure_headers_spec.rb +36 -61
  70. data/spec/spec_helper.rb +26 -1
  71. metadata +51 -37
  72. checksums.yaml +0 -15
  73. data/Guardfile +0 -6
  74. data/HISTORY.md +0 -162
  75. data/app/controllers/content_security_policy_controller.rb +0 -75
  76. data/config/curl-ca-bundle.crt +0 -5420
  77. data/config/routes.rb +0 -3
  78. data/fixtures/rails_3_2_12/config/environments/development.rb +0 -37
  79. data/fixtures/rails_3_2_12/config/environments/production.rb +0 -67
  80. data/fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb +0 -7
  81. data/fixtures/rails_3_2_12/config/initializers/inflections.rb +0 -15
  82. data/fixtures/rails_3_2_12/config/initializers/mime_types.rb +0 -5
  83. data/fixtures/rails_3_2_12/config/initializers/secret_token.rb +0 -7
  84. data/fixtures/rails_3_2_12/config/initializers/session_store.rb +0 -8
  85. data/fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb +0 -14
  86. data/fixtures/rails_3_2_12/config/locales/en.yml +0 -5
  87. data/fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb +0 -17
  88. data/fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb +0 -6
  89. data/fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb +0 -5
  90. data/fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb +0 -5
  91. data/fixtures/rails_3_2_12_no_init/config/environments/development.rb +0 -37
  92. data/fixtures/rails_3_2_12_no_init/config/environments/production.rb +0 -67
  93. data/fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb +0 -7
  94. data/fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb +0 -15
  95. data/fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb +0 -5
  96. data/fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb +0 -7
  97. data/fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb +0 -8
  98. data/fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb +0 -14
  99. data/fixtures/rails_3_2_12_no_init/config/locales/en.yml +0 -5
  100. data/spec/controllers/content_security_policy_controller_spec.rb +0 -90
@@ -1,61 +1,4 @@
1
1
  Rails3212::Application.routes.draw do
2
2
  resources :things
3
-
4
-
5
- # The priority is based upon order of creation:
6
- # first created -> highest priority.
7
-
8
- # Sample of regular route:
9
- # match 'products/:id' => 'catalog#view'
10
- # Keep in mind you can assign values other than :controller and :action
11
-
12
- # Sample of named route:
13
- # match 'products/:id/purchase' => 'catalog#purchase', :as => :purchase
14
- # This route can be invoked with purchase_url(:id => product.id)
15
-
16
- # Sample resource route (maps HTTP verbs to controller actions automatically):
17
- # resources :products
18
-
19
- # Sample resource route with options:
20
- # resources :products do
21
- # member do
22
- # get 'short'
23
- # post 'toggle'
24
- # end
25
- #
26
- # collection do
27
- # get 'sold'
28
- # end
29
- # end
30
-
31
- # Sample resource route with sub-resources:
32
- # resources :products do
33
- # resources :comments, :sales
34
- # resource :seller
35
- # end
36
-
37
- # Sample resource route with more complex sub-resources
38
- # resources :products do
39
- # resources :comments
40
- # resources :sales do
41
- # get 'recent', :on => :collection
42
- # end
43
- # end
44
-
45
- # Sample resource route within a namespace:
46
- # namespace :admin do
47
- # # Directs /admin/products/* to Admin::ProductsController
48
- # # (app/controllers/admin/products_controller.rb)
49
- # resources :products
50
- # end
51
-
52
- # You can have the root of your site routed with "root"
53
- # just remember to delete public/index.html.
54
- # root :to => 'welcome#index'
55
-
56
- # See how all your routes lay out with "rake routes"
57
-
58
- # This is a legacy wild controller route that's not recommended for RESTful applications.
59
- # Note: This route will make all actions in every controller accessible via GET requests.
60
3
  match ':controller(/:action(/:id))(.:format)'
61
4
  end
@@ -0,0 +1,5 @@
1
+ ---
2
+ app/views/layouts/application.html.erb:
3
+ - sha256-VjDxT7saxd2FgaUQQTWw/jsTnvonaoCP/ACWDBTpyhU=
4
+ app/views/other_things/index.html.erb:
5
+ - sha256-ZXAcP8a0y1pPMTJW8pUr43c+XBkgYQBwHOPvXk9mq5A=
@@ -2,3 +2,6 @@
2
2
 
3
3
  require ::File.expand_path('../config/environment', __FILE__)
4
4
  run Rails3212::Application
5
+
6
+ require 'secure_headers/headers/content_security_policy/script_hash_middleware'
7
+ use ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware
@@ -1,45 +1,82 @@
1
1
  require 'spec_helper'
2
2
 
3
+ require 'secure_headers/headers/content_security_policy/script_hash_middleware'
4
+
3
5
  describe OtherThingsController, :type => :controller do
6
+ include Rack::Test::Methods
7
+
8
+ def app
9
+ OtherThingsController.action(:index)
10
+ end
11
+
12
+ def request(opts = {})
13
+ options = opts.merge(
14
+ {
15
+ 'HTTPS' => 'on',
16
+ 'HTTP_USER_AGENT' => "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
17
+ }
18
+ )
19
+
20
+
21
+ Rack::MockRequest.env_for('/', options)
22
+ end
23
+
24
+
4
25
  describe "headers" do
26
+ before(:each) do
27
+ _, @env = app.call(request)
28
+ end
29
+
5
30
  it "sets the X-XSS-Protection header" do
6
- get :index
7
- expect(response.headers['X-XSS-Protection']).to eq('1; mode=block')
31
+ get '/'
32
+ expect(@env['X-XSS-Protection']).to eq('1; mode=block')
8
33
  end
9
34
 
10
35
  it "sets the X-Frame-Options header" do
11
- get :index
12
- expect(response.headers['X-Frame-Options']).to eq('SAMEORIGIN')
36
+ get '/'
37
+ expect(@env['X-Frame-Options']).to eq('SAMEORIGIN')
13
38
  end
14
39
 
15
40
  it "sets the CSP header with a local reference to a nonce" do
16
- get :index
17
- nonce = controller.instance_exec { @content_security_policy_nonce }
18
- expect(nonce).to match /[a-zA-Z0-9\+\/=]{44}/
19
- expect(response.headers['Content-Security-Policy-Report-Only']).to match(/default-src 'self'; img-src 'self' data:; script-src 'self' 'nonce-[a-zA-Z0-9\+\/=]{44}' 'unsafe-inline'; report-uri somewhere;/)
41
+ middleware = ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware.new(app)
42
+ _, env = middleware.call(request(@env))
43
+ expect(env['Content-Security-Policy-Report-Only']).to match(/script-src[^;]*'nonce-[a-zA-Z0-9\+\/=]{44}'/)
44
+ end
45
+
46
+ it "sets the required hashes to whitelist inline script" do
47
+ middleware = ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware.new(app)
48
+ _, env = middleware.call(request(@env))
49
+ hashes = ['sha256-VjDxT7saxd2FgaUQQTWw/jsTnvonaoCP/ACWDBTpyhU=', 'sha256-ZXAcP8a0y1pPMTJW8pUr43c+XBkgYQBwHOPvXk9mq5A=']
50
+ hashes.each do |hash|
51
+ expect(env['Content-Security-Policy-Report-Only']).to include(hash)
52
+ end
20
53
  end
21
54
 
22
55
  it "sets the Strict-Transport-Security header" do
23
- request.env['HTTPS'] = 'on'
24
- get :index
25
- expect(response.headers['Strict-Transport-Security']).to eq("max-age=315576000")
56
+ get '/'
57
+ expect(@env['Strict-Transport-Security']).to eq("max-age=315576000")
26
58
  end
27
59
 
28
60
  it "sets the X-Download-Options header" do
29
- get :index
30
- expect(response.headers['X-Download-Options']).to eq('noopen')
61
+ get '/'
62
+ expect(@env['X-Download-Options']).to eq('noopen')
31
63
  end
32
64
 
33
65
  it "sets the X-Content-Type-Options header" do
34
- get :index
35
- expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
66
+ get '/'
67
+ expect(@env['X-Content-Type-Options']).to eq("nosniff")
68
+ end
69
+
70
+ it "sets the X-Permitted-Cross-Domain-Policies" do
71
+ get '/'
72
+ expect(@env['X-Permitted-Cross-Domain-Policies']).to eq("none")
36
73
  end
37
74
 
38
75
  context "using IE" do
39
76
  it "sets the X-Content-Type-Options header" do
40
- request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
41
- get :index
42
- expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
77
+ @env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
78
+ get '/'
79
+ expect(@env['X-Content-Type-Options']).to eq("nosniff")
43
80
  end
44
81
  end
45
82
  end
@@ -16,7 +16,7 @@ describe ThingsController, :type => :controller do
16
16
  expect(response.headers['X-Frame-Options']).to eq('SAMEORIGIN')
17
17
  end
18
18
 
19
- it "sets the X-WebKit-CSP header" do
19
+ it "does not set CSP header" do
20
20
  get :index
21
21
  expect(response.headers['Content-Security-Policy-Report-Only']).to eq(nil)
22
22
  end
@@ -38,6 +38,11 @@ describe ThingsController, :type => :controller do
38
38
  expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
39
39
  end
40
40
 
41
+ it "sets the X-Permitted-Cross-Domain-Policies" do
42
+ get :index
43
+ expect(response.headers['X-Permitted-Cross-Domain-Policies']).to eq("none")
44
+ end
45
+
41
46
  context "using IE" do
42
47
  it "sets the X-Content-Type-Options header" do
43
48
  request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
@@ -3,9 +3,3 @@ source 'https://rubygems.org'
3
3
  gem 'rails', '3.2.12'
4
4
  gem 'rspec-rails', '>= 2.0.0'
5
5
  gem 'secure_headers', :path => '../..'
6
- gem 'debugger', :platform => :ruby_19
7
- gem 'ruby-debug', :platform => :ruby_18
8
- gem 'guard-rspec'
9
- gem 'rb-fsevent'
10
- gem 'growl'
11
-
@@ -1,6 +1,5 @@
1
1
  class OtherThingsController < ApplicationController
2
- ensure_security_headers :csp => {:default_src => 'self', :disable_chrome_extension => true,
3
- :disable_fill_missing => true}
2
+ ensure_security_headers :csp => {:default_src => 'self', :disable_fill_missing => true}
4
3
  def index
5
4
 
6
5
  end
@@ -1,5 +1,5 @@
1
1
  class ThingsController < ApplicationController
2
2
  def index
3
- ######## : ) <- Marge Simpson?
3
+
4
4
  end
5
5
  end
@@ -3,8 +3,6 @@
3
3
  <head>
4
4
  <title>Rails3212</title>
5
5
  <%= stylesheet_link_tag "application", :media => "all" %>
6
- <%= javascript_include_tag "application" %>
7
- <%= csrf_meta_tags %>
8
6
  </head>
9
7
  <body>
10
8
 
@@ -1,21 +0,0 @@
1
- <h1>Listing things</h1>
2
-
3
- <table>
4
- <tr>
5
- <th></th>
6
- <th></th>
7
- <th></th>
8
- </tr>
9
-
10
- <% @things.each do |thing| %>
11
- <tr>
12
- <td><%= link_to 'Show', thing %></td>
13
- <td><%= link_to 'Edit', edit_thing_path(thing) %></td>
14
- <td><%= link_to 'Destroy', thing, method: :delete, data: { confirm: 'Are you sure?' } %></td>
15
- </tr>
16
- <% end %>
17
- </table>
18
-
19
- <br />
20
-
21
- <%= link_to 'New Thing', new_thing_path %>
@@ -3,7 +3,6 @@ require File.expand_path('../boot', __FILE__)
3
3
  # Pick the frameworks you want:
4
4
  require "action_controller/railtie"
5
5
  require "sprockets/railtie"
6
- # require "rails/test_unit/railtie"
7
6
 
8
7
  if defined?(Bundler)
9
8
  # If you precompile assets before deploying to production, use this line
@@ -14,52 +13,5 @@ end
14
13
 
15
14
  module Rails3212
16
15
  class Application < Rails::Application
17
- # Settings in config/environments/* take precedence over those specified here.
18
- # Application configuration should go into files in config/initializers
19
- # -- all .rb files in that directory are automatically loaded.
20
-
21
- # Custom directories with classes and modules you want to be autoloadable.
22
- # config.autoload_paths += %W(#{config.root}/extras)
23
-
24
- # Only load the plugins named here, in the order given (default is alphabetical).
25
- # :all can be used as a placeholder for all plugins not explicitly named.
26
- # config.plugins = [ :exception_notification, :ssl_requirement, :all ]
27
-
28
- # Activate observers that should always be running.
29
- # config.active_record.observers = :cacher, :garbage_collector, :forum_observer
30
-
31
- # Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
32
- # Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
33
- # config.time_zone = 'Central Time (US & Canada)'
34
-
35
- # The default locale is :en and all translations from config/locales/*.rb,yml are auto loaded.
36
- # config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s]
37
- # config.i18n.default_locale = :de
38
-
39
- # Configure the default encoding used in templates for Ruby 1.9.
40
- config.encoding = "utf-8"
41
-
42
- # Configure sensitive parameters which will be filtered from the log file.
43
- config.filter_parameters += [:password]
44
-
45
- # Enable escaping HTML in JSON.
46
- config.active_support.escape_html_entities_in_json = true
47
-
48
- # Use SQL instead of Active Record's schema dumper when creating the database.
49
- # This is necessary if your schema can't be completely dumped by the schema dumper,
50
- # like if you have constraints or database-specific column types
51
- # config.active_record.schema_format = :sql
52
-
53
- # Enforce whitelist mode for mass assignment.
54
- # This will create an empty whitelist of attributes available for mass-assignment for all models
55
- # in your app. As such, your models will need to explicitly whitelist or blacklist accessible
56
- # parameters by using an attr_accessible or attr_protected declaration.
57
- # config.active_record.whitelist_attributes = true
58
-
59
- # Enable the asset pipeline
60
- config.assets.enabled = true
61
-
62
- # Version of your assets, change this if you want to expire all your assets
63
- config.assets.version = '1.0'
64
16
  end
65
17
  end
@@ -1,61 +1,4 @@
1
1
  Rails3212::Application.routes.draw do
2
2
  resources :things
3
-
4
-
5
- # The priority is based upon order of creation:
6
- # first created -> highest priority.
7
-
8
- # Sample of regular route:
9
- # match 'products/:id' => 'catalog#view'
10
- # Keep in mind you can assign values other than :controller and :action
11
-
12
- # Sample of named route:
13
- # match 'products/:id/purchase' => 'catalog#purchase', :as => :purchase
14
- # This route can be invoked with purchase_url(:id => product.id)
15
-
16
- # Sample resource route (maps HTTP verbs to controller actions automatically):
17
- # resources :products
18
-
19
- # Sample resource route with options:
20
- # resources :products do
21
- # member do
22
- # get 'short'
23
- # post 'toggle'
24
- # end
25
- #
26
- # collection do
27
- # get 'sold'
28
- # end
29
- # end
30
-
31
- # Sample resource route with sub-resources:
32
- # resources :products do
33
- # resources :comments, :sales
34
- # resource :seller
35
- # end
36
-
37
- # Sample resource route with more complex sub-resources
38
- # resources :products do
39
- # resources :comments
40
- # resources :sales do
41
- # get 'recent', :on => :collection
42
- # end
43
- # end
44
-
45
- # Sample resource route within a namespace:
46
- # namespace :admin do
47
- # # Directs /admin/products/* to Admin::ProductsController
48
- # # (app/controllers/admin/products_controller.rb)
49
- # resources :products
50
- # end
51
-
52
- # You can have the root of your site routed with "root"
53
- # just remember to delete public/index.html.
54
- # root :to => 'welcome#index'
55
-
56
- # See how all your routes lay out with "rake routes"
57
-
58
- # This is a legacy wild controller route that's not recommended for RESTful applications.
59
- # Note: This route will make all actions in every controller accessible via GET requests.
60
3
  match ':controller(/:action(/:id))(.:format)'
61
4
  end
@@ -34,6 +34,11 @@ describe OtherThingsController, :type => :controller do
34
34
  expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
35
35
  end
36
36
 
37
+ it "sets the X-Permitted-Cross-Domain-Policies" do
38
+ get :index
39
+ expect(response.headers['X-Permitted-Cross-Domain-Policies']).to eq("none")
40
+ end
41
+
37
42
  context "using IE" do
38
43
  it "sets the X-Content-Type-Options header" do
39
44
  request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
@@ -38,6 +38,11 @@ describe ThingsController, :type => :controller do
38
38
  expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
39
39
  end
40
40
 
41
+ it "sets the X-Permitted-Cross-Domain-Policies" do
42
+ get :index
43
+ expect(response.headers['X-Permitted-Cross-Domain-Policies']).to eq("none")
44
+ end
45
+
41
46
  context "using IE" do
42
47
  it "sets the X-Content-Type-Options header" do
43
48
  request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
@@ -0,0 +1,5 @@
1
+ source 'https://rubygems.org'
2
+
3
+ gem 'rails', '4.1.8'
4
+ gem 'rspec-rails', '>= 2.0.0'
5
+ gem 'secure_headers', :path => '../..'
@@ -0,0 +1,28 @@
1
+ == README
2
+
3
+ This README would normally document whatever steps are necessary to get the
4
+ application up and running.
5
+
6
+ Things you may want to cover:
7
+
8
+ * Ruby version
9
+
10
+ * System dependencies
11
+
12
+ * Configuration
13
+
14
+ * Database creation
15
+
16
+ * Database initialization
17
+
18
+ * How to run the test suite
19
+
20
+ * Services (job queues, cache servers, search engines, etc.)
21
+
22
+ * Deployment instructions
23
+
24
+ * ...
25
+
26
+
27
+ Please feel free to use a different markup language if you do not plan to run
28
+ <tt>rake doc:app</tt>.
@@ -0,0 +1,6 @@
1
+ # Add your own tasks in files placed in lib/tasks ending in .rake,
2
+ # for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
3
+
4
+ require File.expand_path('../config/application', __FILE__)
5
+
6
+ Rails.application.load_tasks
@@ -0,0 +1,4 @@
1
+ class ApplicationController < ActionController::Base
2
+ protect_from_forgery
3
+ ensure_security_headers
4
+ end
@@ -0,0 +1,5 @@
1
+ class OtherThingsController < ApplicationController
2
+ def index
3
+
4
+ end
5
+ end
@@ -0,0 +1,5 @@
1
+ class ThingsController < ApplicationController
2
+ ensure_security_headers :csp => false
3
+ def index
4
+ end
5
+ end
File without changes
File without changes
@@ -0,0 +1,11 @@
1
+ <!DOCTYPE html>
2
+ <html>
3
+ <head>
4
+ <title>Rails418</title>
5
+ </head>
6
+ <body>
7
+
8
+ <%= yield %>
9
+ <script>console.log("oh hell yes")</script>
10
+ </body>
11
+ </html>
@@ -0,0 +1,2 @@
1
+ index
2
+ <script>console.log("oh what")</script>
@@ -0,0 +1,15 @@
1
+ require File.expand_path('../boot', __FILE__)
2
+
3
+ require "action_controller/railtie"
4
+ require "sprockets/railtie"
5
+
6
+ # Require the gems listed in Gemfile, including any gems
7
+ # you've limited to :test, :development, or :production.
8
+ Bundler.require(*Rails.groups)
9
+
10
+
11
+ module Rails418
12
+ class Application < Rails::Application
13
+
14
+ end
15
+ end
@@ -0,0 +1,4 @@
1
+ # Set up gems listed in the Gemfile.
2
+ ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
3
+
4
+ require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE'])
@@ -0,0 +1,5 @@
1
+ # Load the Rails application.
2
+ require File.expand_path('../application', __FILE__)
3
+
4
+ # Initialize the Rails application.
5
+ Rails.application.initialize!
@@ -0,0 +1,10 @@
1
+ Rails418::Application.configure do
2
+ config.cache_classes = true
3
+ config.eager_load = false
4
+ config.serve_static_assets = true
5
+ config.static_cache_control = 'public, max-age=3600'
6
+ config.consider_all_requests_local = true
7
+ config.action_controller.perform_caching = false
8
+ config.action_dispatch.show_exceptions = false
9
+ config.action_controller.allow_forgery_protection = false
10
+ end
@@ -0,0 +1,17 @@
1
+ ::SecureHeaders::Configuration.configure do |config|
2
+ config.hsts = { :max_age => 10.years.to_i.to_s, :include_subdomains => false }
3
+ config.x_frame_options = 'DENY'
4
+ config.x_content_type_options = "nosniff"
5
+ config.x_xss_protection = {:value => 0}
6
+ config.x_permitted_cross_domain_policies = 'none'
7
+ csp = {
8
+ :default_src => "self",
9
+ :script_src => "self nonce",
10
+ :disable_fill_missing => true,
11
+ :report_uri => 'somewhere',
12
+ :script_hash_middleware => true,
13
+ :enforce => false # false means warnings only
14
+ }
15
+
16
+ config.csp = csp
17
+ end
@@ -0,0 +1,4 @@
1
+ Rails.application.routes.draw do
2
+ resources :things
3
+ match ':controller(/:action(/:id))(.:format)', :via => [:get, :post]
4
+ end
@@ -0,0 +1,5 @@
1
+ ---
2
+ app/views/layouts/application.html.erb:
3
+ - sha256-VjDxT7saxd2FgaUQQTWw/jsTnvonaoCP/ACWDBTpyhU=
4
+ app/views/other_things/index.html.erb:
5
+ - sha256-ZXAcP8a0y1pPMTJW8pUr43c+XBkgYQBwHOPvXk9mq5A=
@@ -0,0 +1,22 @@
1
+ # Be sure to restart your server when you modify this file.
2
+
3
+ # Your secret key is used for verifying the integrity of signed cookies.
4
+ # If you change this key, all old signed cookies will become invalid!
5
+
6
+ # Make sure the secret is at least 30 characters and all random,
7
+ # no regular words or you'll be exposed to dictionary attacks.
8
+ # You can use `rake secret` to generate a secure secret key.
9
+
10
+ # Make sure the secrets in this file are kept private
11
+ # if you're sharing your code publicly.
12
+
13
+ development:
14
+ secret_key_base: ddba38f932720d8f18257f2a05dc278963a29cf569c45aa97ff4e9fc9bbc78af5a03fcf135caad45caee66ac09f8f9913c1f5e338a61213f420eefa8dd6363d2
15
+
16
+ test:
17
+ secret_key_base: f73abd7eab84fa7af5a2fc0a9c2727c5bad47433e51aa0c9c6b0782dac176a8e7f337e1f93adc6d6fc17027e67a533040b6408e54d72dea2eec6e5b9820dbcb9
18
+
19
+ # Do not keep production secrets in the repository,
20
+ # instead read values from the environment.
21
+ production:
22
+ secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
@@ -0,0 +1,4 @@
1
+ # This file is used by Rack-based servers to start the application.
2
+
3
+ require ::File.expand_path('../config/environment', __FILE__)
4
+ run Rails.application
File without changes
File without changes
File without changes