secure_headers 1.4.0 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (66) hide show
  1. data/.gitignore +4 -8
  2. data/.travis.yml +7 -1
  3. data/Gemfile +4 -4
  4. data/README.md +115 -79
  5. data/Rakefile +11 -116
  6. data/fixtures/rails_3_2_12/app/views/layouts/application.html.erb +1 -1
  7. data/fixtures/rails_3_2_12/app/views/other_things/index.html.erb +2 -1
  8. data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +2 -1
  9. data/fixtures/rails_3_2_12/config/script_hashes.yml +5 -0
  10. data/fixtures/rails_3_2_12/config.ru +3 -0
  11. data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +55 -18
  12. data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +6 -1
  13. data/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb +1 -2
  14. data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +5 -0
  15. data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +5 -0
  16. data/fixtures/rails_4_1_8/Gemfile +5 -0
  17. data/fixtures/rails_4_1_8/README.rdoc +28 -0
  18. data/fixtures/rails_4_1_8/Rakefile +6 -0
  19. data/fixtures/rails_4_1_8/app/controllers/application_controller.rb +4 -0
  20. data/fixtures/rails_4_1_8/app/controllers/concerns/.keep +0 -0
  21. data/fixtures/rails_4_1_8/app/controllers/other_things_controller.rb +5 -0
  22. data/fixtures/rails_4_1_8/app/controllers/things_controller.rb +5 -0
  23. data/fixtures/rails_4_1_8/app/models/.keep +0 -0
  24. data/fixtures/rails_4_1_8/app/models/concerns/.keep +0 -0
  25. data/fixtures/rails_4_1_8/app/views/layouts/application.html.erb +11 -0
  26. data/fixtures/rails_4_1_8/app/views/other_things/index.html.erb +2 -0
  27. data/fixtures/rails_4_1_8/app/views/things/index.html.erb +1 -0
  28. data/fixtures/rails_4_1_8/config/application.rb +15 -0
  29. data/fixtures/rails_4_1_8/config/boot.rb +4 -0
  30. data/fixtures/rails_4_1_8/config/environment.rb +5 -0
  31. data/fixtures/rails_4_1_8/config/environments/test.rb +10 -0
  32. data/fixtures/rails_4_1_8/config/initializers/secure_headers.rb +17 -0
  33. data/fixtures/rails_4_1_8/config/routes.rb +4 -0
  34. data/fixtures/rails_4_1_8/config/script_hashes.yml +5 -0
  35. data/fixtures/rails_4_1_8/config/secrets.yml +22 -0
  36. data/fixtures/rails_4_1_8/config.ru +4 -0
  37. data/fixtures/rails_4_1_8/lib/assets/.keep +0 -0
  38. data/fixtures/rails_4_1_8/lib/tasks/.keep +0 -0
  39. data/fixtures/rails_4_1_8/log/.keep +0 -0
  40. data/fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb +83 -0
  41. data/fixtures/rails_4_1_8/spec/controllers/things_controller_spec.rb +59 -0
  42. data/fixtures/rails_4_1_8/spec/spec_helper.rb +15 -0
  43. data/fixtures/rails_4_1_8/vendor/assets/javascripts/.keep +0 -0
  44. data/fixtures/rails_4_1_8/vendor/assets/stylesheets/.keep +0 -0
  45. data/lib/secure_headers/hash_helper.rb +7 -0
  46. data/lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb +22 -0
  47. data/lib/secure_headers/headers/content_security_policy.rb +141 -135
  48. data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +40 -0
  49. data/lib/secure_headers/railtie.rb +13 -22
  50. data/lib/secure_headers/version.rb +1 -1
  51. data/lib/secure_headers/view_helper.rb +68 -0
  52. data/lib/secure_headers.rb +59 -17
  53. data/lib/tasks/tasks.rake +48 -0
  54. data/secure_headers.gemspec +4 -4
  55. data/spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb +47 -0
  56. data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +83 -208
  57. data/spec/lib/secure_headers/headers/x_download_options_spec.rb +1 -1
  58. data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb +64 -0
  59. data/spec/lib/secure_headers_spec.rb +36 -61
  60. data/spec/spec_helper.rb +26 -1
  61. metadata +44 -11
  62. data/HISTORY.md +0 -162
  63. data/app/controllers/content_security_policy_controller.rb +0 -76
  64. data/config/curl-ca-bundle.crt +0 -5420
  65. data/config/routes.rb +0 -3
  66. data/spec/controllers/content_security_policy_controller_spec.rb +0 -90
@@ -18,26 +18,7 @@ describe SecureHeaders do
18
18
  allow(subject).to receive(:request).and_return(request)
19
19
  end
20
20
 
21
- ALL_HEADERS = Hash[[:hsts, :csp, :x_frame_options, :x_content_type_options, :x_xss_protection].map{|header| [header, false]}]
22
- USER_AGENTS = {
23
- :firefox => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1',
24
- :chrome => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5',
25
- :ie => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)',
26
- :opera => 'Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00',
27
- :ios5 => "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3",
28
- :ios6 => "Mozilla/5.0 (iPhone; CPU iPhone OS 614 like Mac OS X) AppleWebKit/536.26 (KHTML like Gecko) Version/6.0 Mobile/10B350 Safari/8536.25",
29
- :safari5 => "Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3",
30
- :safari5_1 => "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10",
31
- :safari6 => "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/536.30.1 (KHTML like Gecko) Version/6.0.5 Safari/536.30.1"
32
- }
33
-
34
- def should_assign_header name, value
35
- expect(response.headers).to receive(:[]=).with(name, value)
36
- end
37
-
38
- def should_not_assign_header name
39
- expect(response.headers).not_to receive(:[]=).with(name, anything)
40
- end
21
+ ALL_HEADERS = Hash[[:hsts, :csp, :x_frame_options, :x_content_type_options, :x_xss_protection, :x_permitted_cross_domain_policies].map{|header| [header, false]}]
41
22
 
42
23
  def stub_user_agent val
43
24
  allow(request).to receive_message_chain(:env, :[]).and_return(val)
@@ -55,6 +36,7 @@ describe SecureHeaders do
55
36
  config.x_xss_protection = nil
56
37
  config.csp = nil
57
38
  config.x_download_options = nil
39
+ config.x_permitted_cross_domain_policies = nil
58
40
  end
59
41
  end
60
42
 
@@ -65,14 +47,7 @@ describe SecureHeaders do
65
47
  subject.set_x_content_type_options_header
66
48
  subject.set_x_xss_protection_header
67
49
  subject.set_x_download_options_header
68
- end
69
-
70
- describe "#ensure_security_headers" do
71
- it "sets a before filter" do
72
- options = {}
73
- expect(DummyClass).to receive(:before_filter).exactly(6).times
74
- DummyClass.ensure_security_headers(options)
75
- end
50
+ subject.set_x_permitted_cross_domain_policies_header
76
51
  end
77
52
 
78
53
  describe "#set_header" do
@@ -88,13 +63,10 @@ describe SecureHeaders do
88
63
  end
89
64
 
90
65
  describe "#set_security_headers" do
91
- before(:each) do
92
- allow(SecureHeaders::ContentSecurityPolicy).to receive(:new).and_return(double.as_null_object)
93
- end
94
66
  USER_AGENTS.each do |name, useragent|
95
67
  it "sets all default headers for #{name} (smoke test)" do
96
68
  stub_user_agent(useragent)
97
- number_of_headers = 6
69
+ number_of_headers = 7
98
70
  expect(subject).to receive(:set_header).exactly(number_of_headers).times # a request for a given header
99
71
  subject.set_csp_header
100
72
  subject.set_x_frame_options_header
@@ -102,6 +74,7 @@ describe SecureHeaders do
102
74
  subject.set_x_xss_protection_header
103
75
  subject.set_x_content_type_options_header
104
76
  subject.set_x_download_options_header
77
+ subject.set_x_permitted_cross_domain_policies_header
105
78
  end
106
79
  end
107
80
 
@@ -126,6 +99,11 @@ describe SecureHeaders do
126
99
  subject.set_x_frame_options_header(false)
127
100
  end
128
101
 
102
+ it "does not set the X-Permitted-Cross-Domain-Policies header if disabled" do
103
+ should_not_assign_header(XPCDP_HEADER_NAME)
104
+ subject.set_x_permitted_cross_domain_policies_header(false)
105
+ end
106
+
129
107
  it "does not set the HSTS header if disabled" do
130
108
  should_not_assign_header(HSTS_HEADER_NAME)
131
109
  subject.set_hsts_header(false)
@@ -139,8 +117,19 @@ describe SecureHeaders do
139
117
 
140
118
  it "does not set the CSP header if disabled" do
141
119
  stub_user_agent(USER_AGENTS[:chrome])
142
- should_not_assign_header(STANDARD_HEADER_NAME)
143
- subject.set_csp_header(options_for(:csp).merge(:csp => false))
120
+ should_not_assign_header(HEADER_NAME)
121
+ subject.set_csp_header(false)
122
+ end
123
+
124
+ it "saves the options to the env when using script hashes" do
125
+ opts = {
126
+ :default_src => 'self',
127
+ :script_hash_middleware => true
128
+ }
129
+ stub_user_agent(USER_AGENTS[:chrome])
130
+
131
+ expect(SecureHeaders::ContentSecurityPolicy).to receive(:add_to_env)
132
+ subject.set_csp_header(opts)
144
133
  end
145
134
 
146
135
  context "when disabled by configuration settings" do
@@ -152,6 +141,7 @@ describe SecureHeaders do
152
141
  config.x_xss_protection = false
153
142
  config.csp = false
154
143
  config.x_download_options = false
144
+ config.x_permitted_cross_domain_policies = false
155
145
  end
156
146
  expect(subject).not_to receive(:set_header)
157
147
  set_security_headers(subject)
@@ -247,7 +237,7 @@ describe SecureHeaders do
247
237
  context "when using Firefox" do
248
238
  it "sets CSP headers" do
249
239
  stub_user_agent(USER_AGENTS[:firefox])
250
- should_assign_header(STANDARD_HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
240
+ should_assign_header(HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
251
241
  subject.set_csp_header
252
242
  end
253
243
  end
@@ -255,7 +245,7 @@ describe SecureHeaders do
255
245
  context "when using Chrome" do
256
246
  it "sets default CSP header" do
257
247
  stub_user_agent(USER_AGENTS[:chrome])
258
- should_assign_header(STANDARD_HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
248
+ should_assign_header(HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
259
249
  subject.set_csp_header
260
250
  end
261
251
  end
@@ -263,36 +253,21 @@ describe SecureHeaders do
263
253
  context "when using a browser besides chrome/firefox" do
264
254
  it "sets the CSP header" do
265
255
  stub_user_agent(USER_AGENTS[:opera])
266
- should_assign_header(STANDARD_HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
256
+ should_assign_header(HEADER_NAME + "-Report-Only", DEFAULT_CSP_HEADER)
267
257
  subject.set_csp_header
268
258
  end
269
259
  end
260
+ end
270
261
 
271
- context "when using the experimental key" do
272
- before(:each) do
273
- stub_user_agent(USER_AGENTS[:chrome])
274
- @opts = {
275
- :enforce => true,
276
- :default_src => 'self',
277
- :script_src => 'https://mycdn.example.com',
278
- :experimental => {
279
- :script_src => 'self',
280
- }
281
- }
282
- end
283
-
284
- it "does not set the header in enforce mode if experimental is supplied, but enforce is disabled" do
285
- opts = @opts.merge(:enforce => false)
286
- should_assign_header(STANDARD_HEADER_NAME + "-Report-Only", anything)
287
- should_not_assign_header(STANDARD_HEADER_NAME)
288
- subject.set_csp_header(opts)
289
- end
262
+ describe "#set_x_permitted_cross_domain_policies_header" do
263
+ it "sets the X-Permitted-Cross-Domain-Policies header" do
264
+ should_assign_header(XPCDP_HEADER_NAME, SecureHeaders::XPermittedCrossDomainPolicies::Constants::DEFAULT_VALUE)
265
+ subject.set_x_permitted_cross_domain_policies_header
266
+ end
290
267
 
291
- it "sets a header in enforce mode as well as report-only mode" do
292
- should_assign_header(STANDARD_HEADER_NAME, anything)
293
- should_assign_header(STANDARD_HEADER_NAME + "-Report-Only", anything)
294
- subject.set_csp_header(@opts)
295
- end
268
+ it "allows a custom X-Permitted-Cross-Domain-Policies header" do
269
+ should_assign_header(XPCDP_HEADER_NAME, "master-only")
270
+ subject.set_x_permitted_cross_domain_policies_header(:value => 'master-only')
296
271
  end
297
272
  end
298
273
  end
data/spec/spec_helper.rb CHANGED
@@ -2,10 +2,35 @@ require 'rubygems'
2
2
  require 'rspec'
3
3
 
4
4
  require File.join(File.dirname(__FILE__), '..', 'lib', 'secure_headers')
5
- require File.join(File.dirname(__FILE__), '..', 'app', 'controllers', 'content_security_policy_controller')
5
+
6
+ if defined?(Coveralls)
7
+ Coveralls.wear!
8
+ end
9
+
6
10
  include ::SecureHeaders::StrictTransportSecurity::Constants
7
11
  include ::SecureHeaders::ContentSecurityPolicy::Constants
8
12
  include ::SecureHeaders::XFrameOptions::Constants
9
13
  include ::SecureHeaders::XXssProtection::Constants
10
14
  include ::SecureHeaders::XContentTypeOptions::Constants
11
15
  include ::SecureHeaders::XDownloadOptions::Constants
16
+ include ::SecureHeaders::XPermittedCrossDomainPolicies::Constants
17
+
18
+ USER_AGENTS = {
19
+ :firefox => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1',
20
+ :chrome => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5',
21
+ :ie => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)',
22
+ :opera => 'Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00',
23
+ :ios5 => "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3",
24
+ :ios6 => "Mozilla/5.0 (iPhone; CPU iPhone OS 614 like Mac OS X) AppleWebKit/536.26 (KHTML like Gecko) Version/6.0 Mobile/10B350 Safari/8536.25",
25
+ :safari5 => "Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3",
26
+ :safari5_1 => "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10",
27
+ :safari6 => "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/536.30.1 (KHTML like Gecko) Version/6.0.5 Safari/536.30.1"
28
+ }
29
+
30
+ def should_assign_header name, value
31
+ expect(response.headers).to receive(:[]=).with(name, value)
32
+ end
33
+
34
+ def should_not_assign_header name
35
+ expect(response.headers).not_to receive(:[]=).with(name, anything)
36
+ end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.4.0
4
+ version: 2.0.0
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2014-12-06 00:00:00.000000000 Z
12
+ date: 2015-01-23 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: rake
@@ -27,7 +27,7 @@ dependencies:
27
27
  - - ! '>='
28
28
  - !ruby/object:Gem::Version
29
29
  version: '0'
30
- description: Add easily configured browser headers to responses.
30
+ description: Security related headers all in one gem.
31
31
  email:
32
32
  - neil.matatall@gmail.com
33
33
  executables: []
@@ -39,13 +39,9 @@ files:
39
39
  - .ruby-version
40
40
  - .travis.yml
41
41
  - Gemfile
42
- - HISTORY.md
43
42
  - LICENSE
44
43
  - README.md
45
44
  - Rakefile
46
- - app/controllers/content_security_policy_controller.rb
47
- - config/curl-ca-bundle.crt
48
- - config/routes.rb
49
45
  - fixtures/rails_3_2_12/.rspec
50
46
  - fixtures/rails_3_2_12/Gemfile
51
47
  - fixtures/rails_3_2_12/README.rdoc
@@ -64,6 +60,7 @@ files:
64
60
  - fixtures/rails_3_2_12/config/environments/test.rb
65
61
  - fixtures/rails_3_2_12/config/initializers/secure_headers.rb
66
62
  - fixtures/rails_3_2_12/config/routes.rb
63
+ - fixtures/rails_3_2_12/config/script_hashes.yml
67
64
  - fixtures/rails_3_2_12/lib/assets/.gitkeep
68
65
  - fixtures/rails_3_2_12/lib/tasks/.gitkeep
69
66
  - fixtures/rails_3_2_12/log/.gitkeep
@@ -99,24 +96,59 @@ files:
99
96
  - fixtures/rails_3_2_12_no_init/vendor/assets/javascripts/.gitkeep
100
97
  - fixtures/rails_3_2_12_no_init/vendor/assets/stylesheets/.gitkeep
101
98
  - fixtures/rails_3_2_12_no_init/vendor/plugins/.gitkeep
99
+ - fixtures/rails_4_1_8/Gemfile
100
+ - fixtures/rails_4_1_8/README.rdoc
101
+ - fixtures/rails_4_1_8/Rakefile
102
+ - fixtures/rails_4_1_8/app/controllers/application_controller.rb
103
+ - fixtures/rails_4_1_8/app/controllers/concerns/.keep
104
+ - fixtures/rails_4_1_8/app/controllers/other_things_controller.rb
105
+ - fixtures/rails_4_1_8/app/controllers/things_controller.rb
106
+ - fixtures/rails_4_1_8/app/models/.keep
107
+ - fixtures/rails_4_1_8/app/models/concerns/.keep
108
+ - fixtures/rails_4_1_8/app/views/layouts/application.html.erb
109
+ - fixtures/rails_4_1_8/app/views/other_things/index.html.erb
110
+ - fixtures/rails_4_1_8/app/views/things/index.html.erb
111
+ - fixtures/rails_4_1_8/config.ru
112
+ - fixtures/rails_4_1_8/config/application.rb
113
+ - fixtures/rails_4_1_8/config/boot.rb
114
+ - fixtures/rails_4_1_8/config/environment.rb
115
+ - fixtures/rails_4_1_8/config/environments/test.rb
116
+ - fixtures/rails_4_1_8/config/initializers/secure_headers.rb
117
+ - fixtures/rails_4_1_8/config/routes.rb
118
+ - fixtures/rails_4_1_8/config/script_hashes.yml
119
+ - fixtures/rails_4_1_8/config/secrets.yml
120
+ - fixtures/rails_4_1_8/lib/assets/.keep
121
+ - fixtures/rails_4_1_8/lib/tasks/.keep
122
+ - fixtures/rails_4_1_8/log/.keep
123
+ - fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb
124
+ - fixtures/rails_4_1_8/spec/controllers/things_controller_spec.rb
125
+ - fixtures/rails_4_1_8/spec/spec_helper.rb
126
+ - fixtures/rails_4_1_8/vendor/assets/javascripts/.keep
127
+ - fixtures/rails_4_1_8/vendor/assets/stylesheets/.keep
102
128
  - lib/secure_headers.rb
129
+ - lib/secure_headers/hash_helper.rb
103
130
  - lib/secure_headers/header.rb
104
131
  - lib/secure_headers/headers/content_security_policy.rb
132
+ - lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb
105
133
  - lib/secure_headers/headers/strict_transport_security.rb
106
134
  - lib/secure_headers/headers/x_content_type_options.rb
107
135
  - lib/secure_headers/headers/x_download_options.rb
108
136
  - lib/secure_headers/headers/x_frame_options.rb
137
+ - lib/secure_headers/headers/x_permitted_cross_domain_policies.rb
109
138
  - lib/secure_headers/headers/x_xss_protection.rb
110
139
  - lib/secure_headers/padrino.rb
111
140
  - lib/secure_headers/railtie.rb
112
141
  - lib/secure_headers/version.rb
142
+ - lib/secure_headers/view_helper.rb
143
+ - lib/tasks/tasks.rake
113
144
  - secure_headers.gemspec
114
- - spec/controllers/content_security_policy_controller_spec.rb
145
+ - spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb
115
146
  - spec/lib/secure_headers/headers/content_security_policy_spec.rb
116
147
  - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
117
148
  - spec/lib/secure_headers/headers/x_content_type_options_spec.rb
118
149
  - spec/lib/secure_headers/headers/x_download_options_spec.rb
119
150
  - spec/lib/secure_headers/headers/x_frame_options_spec.rb
151
+ - spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
120
152
  - spec/lib/secure_headers/headers/x_xss_protection_spec.rb
121
153
  - spec/lib/secure_headers_spec.rb
122
154
  - spec/spec_helper.rb
@@ -145,15 +177,16 @@ rubyforge_project:
145
177
  rubygems_version: 1.8.23
146
178
  signing_key:
147
179
  specification_version: 3
148
- summary: Add easily configured browser headers to responses including content security
149
- policy, x-frame-options, strict-transport-security and more.
180
+ summary: Add easily configured security headers to responses including content-security-policy,
181
+ x-frame-options, strict-transport-security, etc.
150
182
  test_files:
151
- - spec/controllers/content_security_policy_controller_spec.rb
183
+ - spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb
152
184
  - spec/lib/secure_headers/headers/content_security_policy_spec.rb
153
185
  - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
154
186
  - spec/lib/secure_headers/headers/x_content_type_options_spec.rb
155
187
  - spec/lib/secure_headers/headers/x_download_options_spec.rb
156
188
  - spec/lib/secure_headers/headers/x_frame_options_spec.rb
189
+ - spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
157
190
  - spec/lib/secure_headers/headers/x_xss_protection_spec.rb
158
191
  - spec/lib/secure_headers_spec.rb
159
192
  - spec/spec_helper.rb
data/HISTORY.md DELETED
@@ -1,162 +0,0 @@
1
- 1.3.4
2
- ======
3
-
4
- * Adds X-Download-Options support
5
- * Adds support for X-XSS-Protection reporting
6
- * Defers loading of rails engine for faster boot times
7
-
8
- 1.3.3
9
- ======
10
-
11
- @agl just made a new option for HSTS representing confirmation that a site wants to be included in a browser's preload list (https://hstspreload.appspot.com).
12
-
13
- This just adds a new 'preload' option to the HSTS settings to specify that option.
14
-
15
- 1.3.2
16
- ======
17
-
18
- Adds the ability to "tag" requests and a new config value: :app_name
19
-
20
- {
21
- :tag_report_uri => true,
22
- :enforce => true,
23
- :app_name => 'twitter',
24
- :report_uri => 'csp_reports'
25
- }
26
-
27
- Results in
28
- report-uri csp_reports?enforce=true&app_name=twitter
29
-
30
-
31
- 1.3.1
32
- ======
33
-
34
- Bugfix release: same-origin detection would error out when the URL containined invalid values (like |)
35
-
36
- 1.3.0
37
- ======
38
-
39
- - CSP nonce support was added back and is compliant.
40
- - Bugs:
41
- -- enforce, disable_fill_missing, and disable_chrome_extension did not accept lambdas for no good reason
42
- -- IF a default-src was specified, and an img-src was not, and disable_fill_missing was true, the img-src value would be :data
43
-
44
- 1.2.0
45
- ======
46
- - Allow procs to be used as config values.
47
-
48
- 1.1.1
49
- ======
50
-
51
- Bug fix release.
52
- - Parsing of CSP reports was busted.
53
- - Forwarded reports did not include the original referer, ip, UA
54
-
55
- 1.1.0
56
- ======
57
-
58
- - Remove brwsr dependency (no more runtime dependencies)
59
- - Stop serving X- prefixed CSP headers
60
-
61
- This change means that all requests get all headers, even if the browser doesn't grok it.
62
-
63
- 1.0.0
64
- ======
65
-
66
- Features:
67
-
68
- - Use non-prefixed header names for Firefox >= 23, Chrome >= 25
69
- - Use csp 1.0 compliant header for firefox >= 23
70
-
71
- Bug Fix:
72
-
73
- - Stop sending CSP on safari 5.1+
74
-
75
- 0.5.0
76
- ======
77
-
78
- - X-Content-Type-Options also applied to Chrome requests
79
-
80
- 0.4.3
81
- ======
82
-
83
- - Safari 5 is just completely broken when CSP is used, both mobile and desktop versions
84
-
85
- 0.4.2
86
- ======
87
-
88
- - Stupid bug where Fixnums couldn't be used for config values
89
- - Doc updates
90
-
91
- 0.4.1
92
- ======
93
-
94
- - Allow strings or ints in the HSTS max-age (@reedloden)
95
-
96
- 0.4.0
97
- =======
98
-
99
- - Treat each header as it's own before_filter. This allows you to `skip_before_filter :set_X_header, :only => :bad_idea
100
- - Should be backwards compatible, but it is a change to the API.
101
-
102
- 0.3.0
103
- =======
104
-
105
- - Greatly reduce the need to use the forward_endpoint attribute. If you are posting from your site to a host that matches TLD+1 (e.g. translate.twitter.com matches twitter.com), use a protocol relative value for report-uri. This will alleviate the need to use forwarding. If your host doesn't match, you still need to use forwarding due to host mismatches for Firefox.
106
-
107
- 0.2.3
108
- =======
109
-
110
- - Fix error in report-uri logic for Firefox forwarding.
111
-
112
- 0.2.2
113
- =======
114
-
115
- - Stop applying chrome-extension: to Firefox directives.
116
-
117
- 0.2.1
118
- =======
119
-
120
- - Firefox headers will now stop overriding report_uri when only a path is supplied
121
-
122
- 0.2.0
123
- =======
124
-
125
- - 0.1.0 introduced a serious regression in which child controllers overwrote parent controller config values
126
- - Decoupling of CSP headers and the request object. Allows you to generate static values to save cycles:
127
-
128
- ```ruby
129
- FIREFOX = SecureHeaders::ContentSecurityPolicy.new(config, :ua => "Firefox", :ssl => true).value
130
- CHROME = SecureHeaders::ContentSecurityPolicy.new(config, :ua => "Chrome", :ssl => true).value
131
- ```
132
- - :forward_endpoint now acts as the endpoint that reports are forwarded to (when using the internal forwarder feature for cross-host reporting)
133
- - Skeleton applications have been added to test isolated application configurations
134
- - Cleanup by @bemurphy
135
-
136
- 0.1.1
137
- =======
138
-
139
- Bug fix. Firefox doesn't seem to like the default-src directive, reverting back to 'allow'
140
-
141
- 0.1.0
142
- =======
143
-
144
- Notes:
145
- ------
146
-
147
- - Gem is renamed to secure_headers. This will make bundler happy. https://github.com/twitter/secureheaders/pull/26
148
-
149
- Features:
150
- ------
151
-
152
- - ability to apply two headers, one in enforce mode, one in "experimental" mode https://github.com/twitter/secureheaders/pull/11
153
- - Rails 3.0 support https://github.com/twitter/secureheaders/pull/28
154
-
155
- Bug fixes, misc:
156
- ------
157
-
158
- - Fix issue where settings in application_controller were ignored if no intializer was supplied https://github.com/twitter/secureheaders/pull/25
159
- - Better support for other frameworks, including docs from @achui, @bmaland
160
- - Rails 4 routes support from @jviney https://github.com/twitter/secureheaders/pull/13
161
- - data: automatically whitelisted for img-src
162
- - Doc updates from @ming13, @theverything, @dcollazo
@@ -1,76 +0,0 @@
1
- require 'net/https'
2
- require 'openssl'
3
-
4
- class ContentSecurityPolicyController < ActionController::Base
5
- CA_FILE = File.expand_path(File.join('..','..', '..', 'config', 'curl-ca-bundle.crt'), __FILE__)
6
-
7
- def scribe
8
- warn "[DEPRECATION] ContentSecurityPolicyController is removed in 2.0"
9
- csp = ::SecureHeaders::Configuration.csp || {}
10
-
11
- forward_endpoint = csp[:forward_endpoint]
12
- if forward_endpoint
13
- forward_params_to(forward_endpoint)
14
- end
15
-
16
- head :ok
17
- rescue StandardError => e
18
- log_warning(forward_endpoint, e)
19
- head :bad_request
20
- end
21
-
22
- private
23
-
24
- def forward_params_to(forward_endpoint)
25
- uri = URI.parse(forward_endpoint)
26
- http = Net::HTTP.new(uri.host, uri.port)
27
- if uri.scheme == 'https'
28
- use_ssl(http)
29
- end
30
-
31
- if request.content_type == "application/csp-report"
32
- request.body.rewind
33
- params.merge!(ActiveSupport::JSON.decode(request.body.read))
34
- end
35
-
36
- ua = request.user_agent
37
- xff = forwarded_for
38
-
39
- request = Net::HTTP::Post.new(uri.to_s)
40
- request.initialize_http_header({
41
- 'User-Agent' => ua,
42
- 'X-Forwarded-For' => xff,
43
- 'Content-Type' => 'application/json',
44
- })
45
- request.body = params.to_json
46
-
47
- # fire and forget
48
- if defined?(Delayed::Job)
49
- http.delay.request(request)
50
- else
51
- http.request(request)
52
- end
53
- end
54
-
55
- def forwarded_for
56
- req_xff = request.env["HTTP_X_FORWARDED_FOR"]
57
- if req_xff && req_xff != ""
58
- "#{req_xff}, #{request.remote_ip}"
59
- else
60
- request.remote_ip
61
- end
62
- end
63
-
64
- def use_ssl request
65
- request.use_ssl = true
66
- request.ca_file = CA_FILE
67
- request.verify_mode = OpenSSL::SSL::VERIFY_PEER
68
- request.verify_depth = 9
69
- end
70
-
71
- def log_warning(forward_endpoint, e)
72
- if defined?(Rails.logger)
73
- Rails.logger.warn("Unable to POST CSP report to #{forward_endpoint} because #{e}")
74
- end
75
- end
76
- end