secure_headers 1.3.4 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (100) hide show
  1. data/.gitignore +4 -8
  2. data/.travis.yml +7 -4
  3. data/Gemfile +6 -7
  4. data/README.md +115 -79
  5. data/Rakefile +11 -116
  6. data/fixtures/rails_3_2_12/Gemfile +0 -5
  7. data/fixtures/rails_3_2_12/app/controllers/things_controller.rb +0 -1
  8. data/fixtures/rails_3_2_12/app/views/layouts/application.html.erb +1 -4
  9. data/fixtures/rails_3_2_12/app/views/other_things/index.html.erb +2 -1
  10. data/fixtures/rails_3_2_12/config/application.rb +0 -54
  11. data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +2 -1
  12. data/fixtures/rails_3_2_12/config/routes.rb +0 -57
  13. data/fixtures/rails_3_2_12/config/script_hashes.yml +5 -0
  14. data/fixtures/rails_3_2_12/config.ru +3 -0
  15. data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +55 -18
  16. data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +6 -1
  17. data/fixtures/rails_3_2_12_no_init/Gemfile +0 -6
  18. data/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb +1 -2
  19. data/fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb +1 -1
  20. data/fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb +0 -2
  21. data/fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb +0 -21
  22. data/fixtures/rails_3_2_12_no_init/config/application.rb +0 -48
  23. data/fixtures/rails_3_2_12_no_init/config/routes.rb +0 -57
  24. data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +5 -0
  25. data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +5 -0
  26. data/fixtures/rails_4_1_8/Gemfile +5 -0
  27. data/fixtures/rails_4_1_8/README.rdoc +28 -0
  28. data/fixtures/rails_4_1_8/Rakefile +6 -0
  29. data/fixtures/rails_4_1_8/app/controllers/application_controller.rb +4 -0
  30. data/fixtures/rails_4_1_8/app/controllers/concerns/.keep +0 -0
  31. data/fixtures/rails_4_1_8/app/controllers/other_things_controller.rb +5 -0
  32. data/fixtures/rails_4_1_8/app/controllers/things_controller.rb +5 -0
  33. data/fixtures/rails_4_1_8/app/models/.keep +0 -0
  34. data/fixtures/rails_4_1_8/app/models/concerns/.keep +0 -0
  35. data/fixtures/rails_4_1_8/app/views/layouts/application.html.erb +11 -0
  36. data/fixtures/rails_4_1_8/app/views/other_things/index.html.erb +2 -0
  37. data/fixtures/rails_4_1_8/app/views/things/index.html.erb +1 -0
  38. data/fixtures/rails_4_1_8/config/application.rb +15 -0
  39. data/fixtures/rails_4_1_8/config/boot.rb +4 -0
  40. data/fixtures/rails_4_1_8/config/environment.rb +5 -0
  41. data/fixtures/rails_4_1_8/config/environments/test.rb +10 -0
  42. data/fixtures/rails_4_1_8/config/initializers/secure_headers.rb +17 -0
  43. data/fixtures/rails_4_1_8/config/routes.rb +4 -0
  44. data/fixtures/rails_4_1_8/config/script_hashes.yml +5 -0
  45. data/fixtures/rails_4_1_8/config/secrets.yml +22 -0
  46. data/fixtures/rails_4_1_8/config.ru +4 -0
  47. data/fixtures/rails_4_1_8/lib/assets/.keep +0 -0
  48. data/fixtures/rails_4_1_8/lib/tasks/.keep +0 -0
  49. data/fixtures/rails_4_1_8/log/.keep +0 -0
  50. data/fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb +83 -0
  51. data/fixtures/rails_4_1_8/spec/controllers/things_controller_spec.rb +59 -0
  52. data/fixtures/rails_4_1_8/spec/spec_helper.rb +15 -0
  53. data/fixtures/rails_4_1_8/vendor/assets/javascripts/.keep +0 -0
  54. data/fixtures/rails_4_1_8/vendor/assets/stylesheets/.keep +0 -0
  55. data/lib/secure_headers/hash_helper.rb +7 -0
  56. data/lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb +22 -0
  57. data/lib/secure_headers/headers/content_security_policy.rb +141 -133
  58. data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +40 -0
  59. data/lib/secure_headers/railtie.rb +13 -22
  60. data/lib/secure_headers/version.rb +1 -1
  61. data/lib/secure_headers/view_helper.rb +68 -0
  62. data/lib/secure_headers.rb +58 -16
  63. data/lib/tasks/tasks.rake +48 -0
  64. data/secure_headers.gemspec +4 -4
  65. data/spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb +47 -0
  66. data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +83 -208
  67. data/spec/lib/secure_headers/headers/x_download_options_spec.rb +1 -1
  68. data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb +64 -0
  69. data/spec/lib/secure_headers_spec.rb +36 -61
  70. data/spec/spec_helper.rb +26 -1
  71. metadata +51 -37
  72. checksums.yaml +0 -15
  73. data/Guardfile +0 -6
  74. data/HISTORY.md +0 -162
  75. data/app/controllers/content_security_policy_controller.rb +0 -75
  76. data/config/curl-ca-bundle.crt +0 -5420
  77. data/config/routes.rb +0 -3
  78. data/fixtures/rails_3_2_12/config/environments/development.rb +0 -37
  79. data/fixtures/rails_3_2_12/config/environments/production.rb +0 -67
  80. data/fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb +0 -7
  81. data/fixtures/rails_3_2_12/config/initializers/inflections.rb +0 -15
  82. data/fixtures/rails_3_2_12/config/initializers/mime_types.rb +0 -5
  83. data/fixtures/rails_3_2_12/config/initializers/secret_token.rb +0 -7
  84. data/fixtures/rails_3_2_12/config/initializers/session_store.rb +0 -8
  85. data/fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb +0 -14
  86. data/fixtures/rails_3_2_12/config/locales/en.yml +0 -5
  87. data/fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb +0 -17
  88. data/fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb +0 -6
  89. data/fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb +0 -5
  90. data/fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb +0 -5
  91. data/fixtures/rails_3_2_12_no_init/config/environments/development.rb +0 -37
  92. data/fixtures/rails_3_2_12_no_init/config/environments/production.rb +0 -67
  93. data/fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb +0 -7
  94. data/fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb +0 -15
  95. data/fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb +0 -5
  96. data/fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb +0 -7
  97. data/fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb +0 -8
  98. data/fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb +0 -14
  99. data/fixtures/rails_3_2_12_no_init/config/locales/en.yml +0 -5
  100. data/spec/controllers/content_security_policy_controller_spec.rb +0 -90
data/spec/spec_helper.rb CHANGED
@@ -2,10 +2,35 @@ require 'rubygems'
2
2
  require 'rspec'
3
3
 
4
4
  require File.join(File.dirname(__FILE__), '..', 'lib', 'secure_headers')
5
- require File.join(File.dirname(__FILE__), '..', 'app', 'controllers', 'content_security_policy_controller')
5
+
6
+ if defined?(Coveralls)
7
+ Coveralls.wear!
8
+ end
9
+
6
10
  include ::SecureHeaders::StrictTransportSecurity::Constants
7
11
  include ::SecureHeaders::ContentSecurityPolicy::Constants
8
12
  include ::SecureHeaders::XFrameOptions::Constants
9
13
  include ::SecureHeaders::XXssProtection::Constants
10
14
  include ::SecureHeaders::XContentTypeOptions::Constants
11
15
  include ::SecureHeaders::XDownloadOptions::Constants
16
+ include ::SecureHeaders::XPermittedCrossDomainPolicies::Constants
17
+
18
+ USER_AGENTS = {
19
+ :firefox => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1',
20
+ :chrome => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5',
21
+ :ie => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)',
22
+ :opera => 'Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00',
23
+ :ios5 => "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3",
24
+ :ios6 => "Mozilla/5.0 (iPhone; CPU iPhone OS 614 like Mac OS X) AppleWebKit/536.26 (KHTML like Gecko) Version/6.0 Mobile/10B350 Safari/8536.25",
25
+ :safari5 => "Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3",
26
+ :safari5_1 => "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10",
27
+ :safari6 => "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/536.30.1 (KHTML like Gecko) Version/6.0.5 Safari/536.30.1"
28
+ }
29
+
30
+ def should_assign_header name, value
31
+ expect(response.headers).to receive(:[]=).with(name, value)
32
+ end
33
+
34
+ def should_not_assign_header name
35
+ expect(response.headers).not_to receive(:[]=).with(name, anything)
36
+ end
metadata CHANGED
@@ -1,18 +1,20 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.3.4
4
+ version: 2.0.0
5
+ prerelease:
5
6
  platform: ruby
6
7
  authors:
7
8
  - Neil Matatall
8
9
  autorequire:
9
10
  bindir: bin
10
11
  cert_chain: []
11
- date: 2014-10-13 00:00:00.000000000 Z
12
+ date: 2015-01-23 00:00:00.000000000 Z
12
13
  dependencies:
13
14
  - !ruby/object:Gem::Dependency
14
15
  name: rake
15
16
  requirement: !ruby/object:Gem::Requirement
17
+ none: false
16
18
  requirements:
17
19
  - - ! '>='
18
20
  - !ruby/object:Gem::Version
@@ -20,11 +22,12 @@ dependencies:
20
22
  type: :development
21
23
  prerelease: false
22
24
  version_requirements: !ruby/object:Gem::Requirement
25
+ none: false
23
26
  requirements:
24
27
  - - ! '>='
25
28
  - !ruby/object:Gem::Version
26
29
  version: '0'
27
- description: Add easily configured browser headers to responses.
30
+ description: Security related headers all in one gem.
28
31
  email:
29
32
  - neil.matatall@gmail.com
30
33
  executables: []
@@ -36,14 +39,9 @@ files:
36
39
  - .ruby-version
37
40
  - .travis.yml
38
41
  - Gemfile
39
- - Guardfile
40
- - HISTORY.md
41
42
  - LICENSE
42
43
  - README.md
43
44
  - Rakefile
44
- - app/controllers/content_security_policy_controller.rb
45
- - config/curl-ca-bundle.crt
46
- - config/routes.rb
47
45
  - fixtures/rails_3_2_12/.rspec
48
46
  - fixtures/rails_3_2_12/Gemfile
49
47
  - fixtures/rails_3_2_12/README.rdoc
@@ -59,18 +57,10 @@ files:
59
57
  - fixtures/rails_3_2_12/config/application.rb
60
58
  - fixtures/rails_3_2_12/config/boot.rb
61
59
  - fixtures/rails_3_2_12/config/environment.rb
62
- - fixtures/rails_3_2_12/config/environments/development.rb
63
- - fixtures/rails_3_2_12/config/environments/production.rb
64
60
  - fixtures/rails_3_2_12/config/environments/test.rb
65
- - fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb
66
- - fixtures/rails_3_2_12/config/initializers/inflections.rb
67
- - fixtures/rails_3_2_12/config/initializers/mime_types.rb
68
- - fixtures/rails_3_2_12/config/initializers/secret_token.rb
69
61
  - fixtures/rails_3_2_12/config/initializers/secure_headers.rb
70
- - fixtures/rails_3_2_12/config/initializers/session_store.rb
71
- - fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb
72
- - fixtures/rails_3_2_12/config/locales/en.yml
73
62
  - fixtures/rails_3_2_12/config/routes.rb
63
+ - fixtures/rails_3_2_12/config/script_hashes.yml
74
64
  - fixtures/rails_3_2_12/lib/assets/.gitkeep
75
65
  - fixtures/rails_3_2_12/lib/tasks/.gitkeep
76
66
  - fixtures/rails_3_2_12/log/.gitkeep
@@ -90,25 +80,12 @@ files:
90
80
  - fixtures/rails_3_2_12_no_init/app/models/.gitkeep
91
81
  - fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb
92
82
  - fixtures/rails_3_2_12_no_init/app/views/other_things/index.html.erb
93
- - fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb
94
- - fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb
95
83
  - fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb
96
- - fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb
97
- - fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb
98
84
  - fixtures/rails_3_2_12_no_init/config.ru
99
85
  - fixtures/rails_3_2_12_no_init/config/application.rb
100
86
  - fixtures/rails_3_2_12_no_init/config/boot.rb
101
87
  - fixtures/rails_3_2_12_no_init/config/environment.rb
102
- - fixtures/rails_3_2_12_no_init/config/environments/development.rb
103
- - fixtures/rails_3_2_12_no_init/config/environments/production.rb
104
88
  - fixtures/rails_3_2_12_no_init/config/environments/test.rb
105
- - fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb
106
- - fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb
107
- - fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb
108
- - fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb
109
- - fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb
110
- - fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb
111
- - fixtures/rails_3_2_12_no_init/config/locales/en.yml
112
89
  - fixtures/rails_3_2_12_no_init/config/routes.rb
113
90
  - fixtures/rails_3_2_12_no_init/lib/assets/.gitkeep
114
91
  - fixtures/rails_3_2_12_no_init/lib/tasks/.gitkeep
@@ -119,24 +96,59 @@ files:
119
96
  - fixtures/rails_3_2_12_no_init/vendor/assets/javascripts/.gitkeep
120
97
  - fixtures/rails_3_2_12_no_init/vendor/assets/stylesheets/.gitkeep
121
98
  - fixtures/rails_3_2_12_no_init/vendor/plugins/.gitkeep
99
+ - fixtures/rails_4_1_8/Gemfile
100
+ - fixtures/rails_4_1_8/README.rdoc
101
+ - fixtures/rails_4_1_8/Rakefile
102
+ - fixtures/rails_4_1_8/app/controllers/application_controller.rb
103
+ - fixtures/rails_4_1_8/app/controllers/concerns/.keep
104
+ - fixtures/rails_4_1_8/app/controllers/other_things_controller.rb
105
+ - fixtures/rails_4_1_8/app/controllers/things_controller.rb
106
+ - fixtures/rails_4_1_8/app/models/.keep
107
+ - fixtures/rails_4_1_8/app/models/concerns/.keep
108
+ - fixtures/rails_4_1_8/app/views/layouts/application.html.erb
109
+ - fixtures/rails_4_1_8/app/views/other_things/index.html.erb
110
+ - fixtures/rails_4_1_8/app/views/things/index.html.erb
111
+ - fixtures/rails_4_1_8/config.ru
112
+ - fixtures/rails_4_1_8/config/application.rb
113
+ - fixtures/rails_4_1_8/config/boot.rb
114
+ - fixtures/rails_4_1_8/config/environment.rb
115
+ - fixtures/rails_4_1_8/config/environments/test.rb
116
+ - fixtures/rails_4_1_8/config/initializers/secure_headers.rb
117
+ - fixtures/rails_4_1_8/config/routes.rb
118
+ - fixtures/rails_4_1_8/config/script_hashes.yml
119
+ - fixtures/rails_4_1_8/config/secrets.yml
120
+ - fixtures/rails_4_1_8/lib/assets/.keep
121
+ - fixtures/rails_4_1_8/lib/tasks/.keep
122
+ - fixtures/rails_4_1_8/log/.keep
123
+ - fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb
124
+ - fixtures/rails_4_1_8/spec/controllers/things_controller_spec.rb
125
+ - fixtures/rails_4_1_8/spec/spec_helper.rb
126
+ - fixtures/rails_4_1_8/vendor/assets/javascripts/.keep
127
+ - fixtures/rails_4_1_8/vendor/assets/stylesheets/.keep
122
128
  - lib/secure_headers.rb
129
+ - lib/secure_headers/hash_helper.rb
123
130
  - lib/secure_headers/header.rb
124
131
  - lib/secure_headers/headers/content_security_policy.rb
132
+ - lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb
125
133
  - lib/secure_headers/headers/strict_transport_security.rb
126
134
  - lib/secure_headers/headers/x_content_type_options.rb
127
135
  - lib/secure_headers/headers/x_download_options.rb
128
136
  - lib/secure_headers/headers/x_frame_options.rb
137
+ - lib/secure_headers/headers/x_permitted_cross_domain_policies.rb
129
138
  - lib/secure_headers/headers/x_xss_protection.rb
130
139
  - lib/secure_headers/padrino.rb
131
140
  - lib/secure_headers/railtie.rb
132
141
  - lib/secure_headers/version.rb
142
+ - lib/secure_headers/view_helper.rb
143
+ - lib/tasks/tasks.rake
133
144
  - secure_headers.gemspec
134
- - spec/controllers/content_security_policy_controller_spec.rb
145
+ - spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb
135
146
  - spec/lib/secure_headers/headers/content_security_policy_spec.rb
136
147
  - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
137
148
  - spec/lib/secure_headers/headers/x_content_type_options_spec.rb
138
149
  - spec/lib/secure_headers/headers/x_download_options_spec.rb
139
150
  - spec/lib/secure_headers/headers/x_frame_options_spec.rb
151
+ - spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
140
152
  - spec/lib/secure_headers/headers/x_xss_protection_spec.rb
141
153
  - spec/lib/secure_headers_spec.rb
142
154
  - spec/spec_helper.rb
@@ -144,35 +156,37 @@ files:
144
156
  homepage: https://github.com/twitter/secureheaders
145
157
  licenses:
146
158
  - Apache Public License 2.0
147
- metadata: {}
148
159
  post_install_message:
149
160
  rdoc_options: []
150
161
  require_paths:
151
162
  - lib
152
163
  required_ruby_version: !ruby/object:Gem::Requirement
164
+ none: false
153
165
  requirements:
154
166
  - - ! '>='
155
167
  - !ruby/object:Gem::Version
156
168
  version: '0'
157
169
  required_rubygems_version: !ruby/object:Gem::Requirement
170
+ none: false
158
171
  requirements:
159
172
  - - ! '>='
160
173
  - !ruby/object:Gem::Version
161
174
  version: '0'
162
175
  requirements: []
163
176
  rubyforge_project:
164
- rubygems_version: 2.1.1
177
+ rubygems_version: 1.8.23
165
178
  signing_key:
166
- specification_version: 4
167
- summary: Add easily configured browser headers to responses including content security
168
- policy, x-frame-options, strict-transport-security and more.
179
+ specification_version: 3
180
+ summary: Add easily configured security headers to responses including content-security-policy,
181
+ x-frame-options, strict-transport-security, etc.
169
182
  test_files:
170
- - spec/controllers/content_security_policy_controller_spec.rb
183
+ - spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb
171
184
  - spec/lib/secure_headers/headers/content_security_policy_spec.rb
172
185
  - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
173
186
  - spec/lib/secure_headers/headers/x_content_type_options_spec.rb
174
187
  - spec/lib/secure_headers/headers/x_download_options_spec.rb
175
188
  - spec/lib/secure_headers/headers/x_frame_options_spec.rb
189
+ - spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
176
190
  - spec/lib/secure_headers/headers/x_xss_protection_spec.rb
177
191
  - spec/lib/secure_headers_spec.rb
178
192
  - spec/spec_helper.rb
checksums.yaml DELETED
@@ -1,15 +0,0 @@
1
- ---
2
- !binary "U0hBMQ==":
3
- metadata.gz: !binary |-
4
- NzcxMzdhM2IwMTAxN2IyNTc5OTg5OGY1MmJlZGFlNWJmNjBjM2MzMw==
5
- data.tar.gz: !binary |-
6
- ODNmNjA1YmY1ODEzMWIxYTU2YWYzYmY3NGFjM2Y1ZDU4MDQ0ODkwMQ==
7
- SHA512:
8
- metadata.gz: !binary |-
9
- NGEwNTVlZjBmMTcwN2QxYjI5YjVkZGJhZmJiYTJlY2M3YzEyM2JiN2Q3MzY0
10
- NzdmNWNhMDIzMmVhNzNkZWRmZTZiYmQ1OWE5MjMwYTY2MDE1NGVhMWU3Mjg4
11
- OTdmZTZiOGI0N2NhNGYzZThkMjc3ZWYxMjU5YzhiYTNjNmFmZjE=
12
- data.tar.gz: !binary |-
13
- MTI1NTNhYzExYjVmYjMwNjNjMGUzMDlmYmVmZTk1YjJiN2UwODM4MzYwNzhj
14
- Y2ZhMzYxNTNkM2Y0MWY1YTQ1ZWMyYmQ4NDA3NjJhOGViNTU0MmEwYWY4MTNm
15
- MTczMzNjOTliYWYzODFiY2RiNDZmOGQ2ZWU4ZjdiNWJhMTZlMzA=
data/Guardfile DELETED
@@ -1,6 +0,0 @@
1
- guard 'rspec' do
2
- watch(%r{^spec/.+_spec\.rb$})
3
- watch(%r{^lib/(.+)\.rb$}) { |m| "spec/lib/#{m[1]}_spec.rb" }
4
- watch(%r{^app/controllers/(.+)\.rb$}) { |m| "spec/controllers/#{m[1]}_spec.rb" }
5
- watch('spec/spec_helper.rb') { "spec" }
6
- end
data/HISTORY.md DELETED
@@ -1,162 +0,0 @@
1
- 1.3.4
2
- ======
3
-
4
- * Adds X-Download-Options support
5
- * Adds support for X-XSS-Protection reporting
6
- * Defers loading of rails engine for faster boot times
7
-
8
- 1.3.3
9
- ======
10
-
11
- @agl just made a new option for HSTS representing confirmation that a site wants to be included in a browser's preload list (https://hstspreload.appspot.com).
12
-
13
- This just adds a new 'preload' option to the HSTS settings to specify that option.
14
-
15
- 1.3.2
16
- ======
17
-
18
- Adds the ability to "tag" requests and a new config value: :app_name
19
-
20
- {
21
- :tag_report_uri => true,
22
- :enforce => true,
23
- :app_name => 'twitter',
24
- :report_uri => 'csp_reports'
25
- }
26
-
27
- Results in
28
- report-uri csp_reports?enforce=true&app_name=twitter
29
-
30
-
31
- 1.3.1
32
- ======
33
-
34
- Bugfix release: same-origin detection would error out when the URL containined invalid values (like |)
35
-
36
- 1.3.0
37
- ======
38
-
39
- - CSP nonce support was added back and is compliant.
40
- - Bugs:
41
- -- enforce, disable_fill_missing, and disable_chrome_extension did not accept lambdas for no good reason
42
- -- IF a default-src was specified, and an img-src was not, and disable_fill_missing was true, the img-src value would be :data
43
-
44
- 1.2.0
45
- ======
46
- - Allow procs to be used as config values.
47
-
48
- 1.1.1
49
- ======
50
-
51
- Bug fix release.
52
- - Parsing of CSP reports was busted.
53
- - Forwarded reports did not include the original referer, ip, UA
54
-
55
- 1.1.0
56
- ======
57
-
58
- - Remove brwsr dependency (no more runtime dependencies)
59
- - Stop serving X- prefixed CSP headers
60
-
61
- This change means that all requests get all headers, even if the browser doesn't grok it.
62
-
63
- 1.0.0
64
- ======
65
-
66
- Features:
67
-
68
- - Use non-prefixed header names for Firefox >= 23, Chrome >= 25
69
- - Use csp 1.0 compliant header for firefox >= 23
70
-
71
- Bug Fix:
72
-
73
- - Stop sending CSP on safari 5.1+
74
-
75
- 0.5.0
76
- ======
77
-
78
- - X-Content-Type-Options also applied to Chrome requests
79
-
80
- 0.4.3
81
- ======
82
-
83
- - Safari 5 is just completely broken when CSP is used, both mobile and desktop versions
84
-
85
- 0.4.2
86
- ======
87
-
88
- - Stupid bug where Fixnums couldn't be used for config values
89
- - Doc updates
90
-
91
- 0.4.1
92
- ======
93
-
94
- - Allow strings or ints in the HSTS max-age (@reedloden)
95
-
96
- 0.4.0
97
- =======
98
-
99
- - Treat each header as it's own before_filter. This allows you to `skip_before_filter :set_X_header, :only => :bad_idea
100
- - Should be backwards compatible, but it is a change to the API.
101
-
102
- 0.3.0
103
- =======
104
-
105
- - Greatly reduce the need to use the forward_endpoint attribute. If you are posting from your site to a host that matches TLD+1 (e.g. translate.twitter.com matches twitter.com), use a protocol relative value for report-uri. This will alleviate the need to use forwarding. If your host doesn't match, you still need to use forwarding due to host mismatches for Firefox.
106
-
107
- 0.2.3
108
- =======
109
-
110
- - Fix error in report-uri logic for Firefox forwarding.
111
-
112
- 0.2.2
113
- =======
114
-
115
- - Stop applying chrome-extension: to Firefox directives.
116
-
117
- 0.2.1
118
- =======
119
-
120
- - Firefox headers will now stop overriding report_uri when only a path is supplied
121
-
122
- 0.2.0
123
- =======
124
-
125
- - 0.1.0 introduced a serious regression in which child controllers overwrote parent controller config values
126
- - Decoupling of CSP headers and the request object. Allows you to generate static values to save cycles:
127
-
128
- ```ruby
129
- FIREFOX = SecureHeaders::ContentSecurityPolicy.new(config, :ua => "Firefox", :ssl => true).value
130
- CHROME = SecureHeaders::ContentSecurityPolicy.new(config, :ua => "Chrome", :ssl => true).value
131
- ```
132
- - :forward_endpoint now acts as the endpoint that reports are forwarded to (when using the internal forwarder feature for cross-host reporting)
133
- - Skeleton applications have been added to test isolated application configurations
134
- - Cleanup by @bemurphy
135
-
136
- 0.1.1
137
- =======
138
-
139
- Bug fix. Firefox doesn't seem to like the default-src directive, reverting back to 'allow'
140
-
141
- 0.1.0
142
- =======
143
-
144
- Notes:
145
- ------
146
-
147
- - Gem is renamed to secure_headers. This will make bundler happy. https://github.com/twitter/secureheaders/pull/26
148
-
149
- Features:
150
- ------
151
-
152
- - ability to apply two headers, one in enforce mode, one in "experimental" mode https://github.com/twitter/secureheaders/pull/11
153
- - Rails 3.0 support https://github.com/twitter/secureheaders/pull/28
154
-
155
- Bug fixes, misc:
156
- ------
157
-
158
- - Fix issue where settings in application_controller were ignored if no intializer was supplied https://github.com/twitter/secureheaders/pull/25
159
- - Better support for other frameworks, including docs from @achui, @bmaland
160
- - Rails 4 routes support from @jviney https://github.com/twitter/secureheaders/pull/13
161
- - data: automatically whitelisted for img-src
162
- - Doc updates from @ming13, @theverything, @dcollazo
@@ -1,75 +0,0 @@
1
- require 'net/https'
2
- require 'openssl'
3
-
4
- class ContentSecurityPolicyController < ActionController::Base
5
- CA_FILE = File.expand_path(File.join('..','..', '..', 'config', 'curl-ca-bundle.crt'), __FILE__)
6
-
7
- def scribe
8
- csp = ::SecureHeaders::Configuration.csp || {}
9
-
10
- forward_endpoint = csp[:forward_endpoint]
11
- if forward_endpoint
12
- forward_params_to(forward_endpoint)
13
- end
14
-
15
- head :ok
16
- rescue StandardError => e
17
- log_warning(forward_endpoint, e)
18
- head :bad_request
19
- end
20
-
21
- private
22
-
23
- def forward_params_to(forward_endpoint)
24
- uri = URI.parse(forward_endpoint)
25
- http = Net::HTTP.new(uri.host, uri.port)
26
- if uri.scheme == 'https'
27
- use_ssl(http)
28
- end
29
-
30
- if request.content_type == "application/csp-report"
31
- request.body.rewind
32
- params.merge!(ActiveSupport::JSON.decode(request.body.read))
33
- end
34
-
35
- ua = request.user_agent
36
- xff = forwarded_for
37
-
38
- request = Net::HTTP::Post.new(uri.to_s)
39
- request.initialize_http_header({
40
- 'User-Agent' => ua,
41
- 'X-Forwarded-For' => xff,
42
- 'Content-Type' => 'application/json',
43
- })
44
- request.body = params.to_json
45
-
46
- # fire and forget
47
- if defined?(Delayed::Job)
48
- http.delay.request(request)
49
- else
50
- http.request(request)
51
- end
52
- end
53
-
54
- def forwarded_for
55
- req_xff = request.env["HTTP_X_FORWARDED_FOR"]
56
- if req_xff && req_xff != ""
57
- "#{req_xff}, #{request.remote_ip}"
58
- else
59
- request.remote_ip
60
- end
61
- end
62
-
63
- def use_ssl request
64
- request.use_ssl = true
65
- request.ca_file = CA_FILE
66
- request.verify_mode = OpenSSL::SSL::VERIFY_PEER
67
- request.verify_depth = 9
68
- end
69
-
70
- def log_warning(forward_endpoint, e)
71
- if defined?(Rails.logger)
72
- Rails.logger.warn("Unable to POST CSP report to #{forward_endpoint} because #{e}")
73
- end
74
- end
75
- end