RubyGems - secure_headers - Versions diffs - 1.4.1 → 2.0.0.pre - Mend

secure_headers 1.4.1 → 2.0.0.pre

Potentially problematic release.

This version of secure_headers might be problematic. Click here for more details.

Files changed (32) hide show

checksums.yaml +7 -0
data/.gitignore +4 -8
data/Gemfile +2 -2
data/Guardfile +8 -0
data/README.md +102 -48
data/Rakefile +0 -116
data/fixtures/rails_3_2_12/app/views/layouts/application.html.erb +1 -1
data/fixtures/rails_3_2_12/app/views/other_things/index.html.erb +2 -1
data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +1 -1
data/fixtures/rails_3_2_12/config/script_hashes.yml +5 -0
data/fixtures/rails_3_2_12/config.ru +3 -0
data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +50 -18
data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +1 -1
data/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb +1 -2
data/lib/secure_headers/hash_helper.rb +7 -0
data/lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb +22 -0
data/lib/secure_headers/headers/content_security_policy.rb +141 -137
data/lib/secure_headers/railtie.rb +0 -22
data/lib/secure_headers/version.rb +1 -1
data/lib/secure_headers/view_helper.rb +68 -0
data/lib/secure_headers.rb +51 -17
data/lib/tasks/tasks.rake +48 -0
data/spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb +47 -0
data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +83 -208
data/spec/lib/secure_headers_spec.rb +16 -62
data/spec/spec_helper.rb +25 -1
metadata +22 -24
data/HISTORY.md +0 -162
data/app/controllers/content_security_policy_controller.rb +0 -76
data/config/curl-ca-bundle.crt +0 -5420
data/config/routes.rb +0 -3
data/spec/controllers/content_security_policy_controller_spec.rb +0 -90

metadata CHANGED Viewed

@@ -1,30 +1,27 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 1.4.1
-  prerelease:
+  version: 2.0.0.pre
 platform: ruby
 authors:
 - Neil Matatall
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-12-08 00:00:00.000000000 Z
+date: 2014-11-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 description: Add easily configured browser headers to responses.
@@ -34,18 +31,15 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
-- .ruby-gemset
-- .ruby-version
-- .travis.yml
+- ".gitignore"
+- ".ruby-gemset"
+- ".ruby-version"
+- ".travis.yml"
 - Gemfile
-- HISTORY.md
+- Guardfile
 - LICENSE
 - README.md
 - Rakefile
-- app/controllers/content_security_policy_controller.rb
-- config/curl-ca-bundle.crt
-- config/routes.rb
 - fixtures/rails_3_2_12/.rspec
 - fixtures/rails_3_2_12/Gemfile
 - fixtures/rails_3_2_12/README.rdoc
@@ -64,6 +58,7 @@ files:
 - fixtures/rails_3_2_12/config/environments/test.rb
 - fixtures/rails_3_2_12/config/initializers/secure_headers.rb
 - fixtures/rails_3_2_12/config/routes.rb
+- fixtures/rails_3_2_12/config/script_hashes.yml
 - fixtures/rails_3_2_12/lib/assets/.gitkeep
 - fixtures/rails_3_2_12/lib/tasks/.gitkeep
 - fixtures/rails_3_2_12/log/.gitkeep
@@ -100,8 +95,10 @@ files:
 - fixtures/rails_3_2_12_no_init/vendor/assets/stylesheets/.gitkeep
 - fixtures/rails_3_2_12_no_init/vendor/plugins/.gitkeep
 - lib/secure_headers.rb
+- lib/secure_headers/hash_helper.rb
 - lib/secure_headers/header.rb
 - lib/secure_headers/headers/content_security_policy.rb
+- lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb
 - lib/secure_headers/headers/strict_transport_security.rb
 - lib/secure_headers/headers/x_content_type_options.rb
 - lib/secure_headers/headers/x_download_options.rb
@@ -110,8 +107,10 @@ files:
 - lib/secure_headers/padrino.rb
 - lib/secure_headers/railtie.rb
 - lib/secure_headers/version.rb
+- lib/secure_headers/view_helper.rb
+- lib/tasks/tasks.rake
 - secure_headers.gemspec
-- spec/controllers/content_security_policy_controller_spec.rb
+- spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb
 - spec/lib/secure_headers/headers/content_security_policy_spec.rb
 - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
 - spec/lib/secure_headers/headers/x_content_type_options_spec.rb
@@ -124,31 +123,30 @@ files:
 homepage: https://github.com/twitter/secureheaders
 licenses:
 - Apache Public License 2.0
+metadata: {}
 post_install_message:
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project:
-rubygems_version: 1.8.23
+rubygems_version: 2.2.2
 signing_key:
-specification_version: 3
+specification_version: 4
 summary: Add easily configured browser headers to responses including content security
   policy, x-frame-options, strict-transport-security and more.
 test_files:
-- spec/controllers/content_security_policy_controller_spec.rb
+- spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb
 - spec/lib/secure_headers/headers/content_security_policy_spec.rb
 - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
 - spec/lib/secure_headers/headers/x_content_type_options_spec.rb

data/HISTORY.md DELETED Viewed

@@ -1,162 +0,0 @@
-1.3.4
-======
-* Adds X-Download-Options support
-* Adds support for X-XSS-Protection reporting
-* Defers loading of rails engine for faster boot times
-1.3.3
-======
-@agl just made a new option for HSTS representing confirmation that a site wants to be included in a browser's preload list (https://hstspreload.appspot.com).
-This just adds a new 'preload' option to the HSTS settings to specify that option.
-1.3.2
-======
-Adds the ability to "tag" requests and a new config value: :app_name
-{
-  :tag_report_uri => true,
-  :enforce => true,
-  :app_name => 'twitter',
-  :report_uri => 'csp_reports'
-}
-Results in
-report-uri csp_reports?enforce=true&app_name=twitter
-1.3.1
-======
-Bugfix release: same-origin detection would error out when the URL containined invalid values (like |)
-1.3.0
-======
-- CSP nonce support was added back and is compliant.
-- Bugs:
--- enforce, disable_fill_missing, and disable_chrome_extension did not accept lambdas for no good reason
--- IF a default-src was specified, and an img-src was not, and disable_fill_missing was true, the img-src value would be :data
-1.2.0
-======
-- Allow procs to be used as config values.
-1.1.1
-======
-Bug fix release.
-- Parsing of CSP reports was busted.
-- Forwarded reports did not include the original referer, ip, UA
-1.1.0
-======
-- Remove brwsr dependency (no more runtime dependencies)
-- Stop serving X- prefixed CSP headers
-This change means that all requests get all headers, even if the browser doesn't grok it.
-1.0.0
-======
-Features:
-- Use non-prefixed header names for Firefox >= 23, Chrome >= 25
-- Use csp 1.0 compliant header for firefox >= 23
-Bug Fix:
-- Stop sending CSP on safari 5.1+
-0.5.0
-======
-- X-Content-Type-Options also applied to Chrome requests
-0.4.3
-======
-- Safari 5 is just completely broken when CSP is used, both mobile and desktop versions
-0.4.2
-======
-- Stupid bug where Fixnums couldn't be used for config values
-- Doc updates
-0.4.1
-======
-- Allow strings or ints in the HSTS max-age (@reedloden)
-0.4.0
-=======
-- Treat each header as it's own before_filter. This allows you to `skip_before_filter :set_X_header, :only => :bad_idea
-- Should be backwards compatible, but it is a change to the API.
-0.3.0
-=======
-- Greatly reduce the need to use the forward_endpoint attribute. If you are posting from your site to a host that matches TLD+1 (e.g. translate.twitter.com matches twitter.com), use a protocol relative value for report-uri. This will alleviate the need to use forwarding. If your host doesn't match, you still need to use forwarding due to host mismatches for Firefox.
-0.2.3
-=======
-- Fix error in report-uri logic for Firefox forwarding.
-0.2.2
-=======
-- Stop applying chrome-extension: to Firefox directives.
-0.2.1
-=======
-- Firefox headers will now stop overriding report_uri when only a path is supplied
-0.2.0
-=======
-- 0.1.0 introduced a serious regression in which child controllers overwrote parent controller config values
-- Decoupling of CSP headers and the request object. Allows you to generate static values to save cycles:
-```ruby
-FIREFOX = SecureHeaders::ContentSecurityPolicy.new(config, :ua => "Firefox", :ssl => true).value
-CHROME = SecureHeaders::ContentSecurityPolicy.new(config, :ua => "Chrome", :ssl => true).value
-```
-- :forward_endpoint now acts as the endpoint that reports are forwarded to (when using the internal forwarder feature for cross-host reporting)
-- Skeleton applications have been added to test isolated application configurations
-- Cleanup by @bemurphy
-0.1.1
-=======
-Bug fix. Firefox doesn't seem to like the default-src directive, reverting back to 'allow'
-0.1.0
-=======
-Notes:
-------
-- Gem is renamed to secure_headers. This will make bundler happy. https://github.com/twitter/secureheaders/pull/26
-Features:
-------
-- ability to apply two headers, one in enforce mode, one in "experimental" mode https://github.com/twitter/secureheaders/pull/11
-- Rails 3.0 support https://github.com/twitter/secureheaders/pull/28
-Bug fixes, misc:
-------
-- Fix issue where settings in application_controller were ignored if no intializer was supplied https://github.com/twitter/secureheaders/pull/25
-- Better support for other frameworks, including docs from @achui, @bmaland
-- Rails 4 routes support from @jviney https://github.com/twitter/secureheaders/pull/13
-- data: automatically whitelisted for img-src
-- Doc updates from @ming13, @theverything, @dcollazo

data/app/controllers/content_security_policy_controller.rb DELETED Viewed

@@ -1,76 +0,0 @@
-require 'net/https'
-require 'openssl'
-class ContentSecurityPolicyController < ActionController::Base
-  CA_FILE = File.expand_path(File.join('..','..', '..', 'config', 'curl-ca-bundle.crt'), __FILE__)
-  def scribe
-    warn "[DEPRECATION] ContentSecurityPolicyController is removed in 2.0"
-    csp = ::SecureHeaders::Configuration.csp || {}
-    forward_endpoint = csp[:forward_endpoint]
-    if forward_endpoint
-      forward_params_to(forward_endpoint)
-    end
-    head :ok
-  rescue StandardError => e
-    log_warning(forward_endpoint, e)
-    head :bad_request
-  end
-  private
-  def forward_params_to(forward_endpoint)
-    uri = URI.parse(forward_endpoint)
-    http = Net::HTTP.new(uri.host, uri.port)
-    if uri.scheme == 'https'
-      use_ssl(http)
-    end
-    if request.content_type == "application/csp-report"
-      request.body.rewind
-      params.merge!(ActiveSupport::JSON.decode(request.body.read))
-    end
-    ua = request.user_agent
-    xff = forwarded_for
-    request = Net::HTTP::Post.new(uri.to_s)
-    request.initialize_http_header({
-      'User-Agent' => ua,
-      'X-Forwarded-For' => xff,
-      'Content-Type' => 'application/json',
-    })
-    request.body = params.to_json
-    # fire and forget
-    if defined?(Delayed::Job)
-      http.delay.request(request)
-    else
-      http.request(request)
-    end
-  end
-  def forwarded_for
-    req_xff = request.env["HTTP_X_FORWARDED_FOR"]
-    if req_xff && req_xff != ""
-      "#{req_xff}, #{request.remote_ip}"
-    else
-      request.remote_ip
-    end
-  end
-  def use_ssl request
-    request.use_ssl = true
-    request.ca_file = CA_FILE
-    request.verify_mode = OpenSSL::SSL::VERIFY_PEER
-    request.verify_depth = 9
-  end
-  def log_warning(forward_endpoint, e)
-    if defined?(Rails.logger)
-      Rails.logger.warn("Unable to POST CSP report to #{forward_endpoint} because #{e}")
-    end
-  end
-end