secure_headers 2.1.0 → 2.2.0



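--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 16e634b2502cd5ee9d87fac9a9d2c6af9bc48fda
-data.tar.gz: 1416e09703db75cdf25379a1273477f346080c72
+metadata.gz: 8e454769ab715d2e94e5451190e7ef8679810ec0
+data.tar.gz: 9f0fd48b03bd3e8f5a60b85894492a4a9aee08a0
 SHA512:
-metadata.gz: d1483f86c255f59593766bf3312d0085df5b59281c2daf426c16bf930c92c06ae17c17e07984be696b1719336e89ea7000e19948713b310354c749200e2debd6
-data.tar.gz: eaf23b06c98757048b1516d87e429a23b5c70606db476f90eb042250bbd863bd1fddfdbcf12a6fce51e077a0ee3e6332cedcc041514de6a0ce55295d77a4bd65
+metadata.gz: 9ace533baba91512c2d8b15f12ed188d93feda9b20f7e682caaa740d413b1428e9c39deb2c2fbba4aec6462093f54126de9ca8cc5268d5b8d98851c82876fa6d
+data.tar.gz: 9b5e12226b456e4983eb31cd75f48ccadf34d80d125ff0fb67ee84afe56f3ca3a682890213e20e2c24e2c715073c0284b4ab8fc3fc86ad722c7ae6d08c0bb207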
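--- a/data/README.md
+++ b/data/README.md
@@ -8,7 +8,7 @@ The gem will automatically apply several headers that are related to security.
 - X-Content-Type-Options - [Prevent content type sniffing](http://msdn.microsoft.com/en-us/library/ie/gg622941\(v=vs.85\).aspx)
 - X-Download-Options - [Prevent file downloads opening](http://msdn.microsoft.com/en-us/library/ie/jj542450(v=vs.85).aspx)
 - X-Permitted-Cross-Domain-Policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
-- Public Key Pinning - Pin certificate fingerprints in the browser to prevent man-in-the-middle attacks due to compromised Certificate Authorites. [Public Key Pinnning Specification](https://tools.ietf.org/html/draft-ietf-websec-key-pinning-21)
+- Public Key Pinning - Pin certificate fingerprints in the browser to prevent man-in-the-middle attacks due to compromised Certificate Authorites. [Public Key Pinnning Specification](https://tools.ietf.org/html/rfc7469)
 
 ## Usage
 
@@ -49,6 +49,7 @@ This gem makes a few assumptions about how you will use some features. For exam
 config.x_permitted_cross_domain_policies = 'none'
 config.csp = {
 :default_src => "https: self",
+:enforce => proc {|controller| contoller.current_user.enforce_csp? }
 :frame_src => "https: http:.twimg.com http://itunes.apple.com",
 :img_src => "https:",
 :report_uri => '//example.com/uri-directive'
@@ -418,7 +419,7 @@ end
 
 * Node.js (express) [helmet](https://github.com/evilpacket/helmet) and [hood](https://github.com/seanmonstar/hood)
 * J2EE Servlet >= 3.0 [highlines](https://github.com/sourceclear/headlines)
-* ASP.NET - [NWebsec](http://nwebsec.codeplex.com/)
+* ASP.NET - [NWebsec](https://github.com/NWebsec/NWebsec/wiki)
 * Python - [django-csp](https://github.com/mozilla/django-csp/) + [commonware](https://github.com/jsocol/commonware/)
 * Go - [secureheader](https://github.com/kr/secureheader)
 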
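Review bot: The `:enforce` example inserted at README line 52 is not valid Ruby as written: `contoller` is misspelled and the entry has no trailing comma before the following `:frame_src` line, so pasting the snippet into a config fails to parse. Suggest `:enforce => proc { |controller| controller.current_user.enforce_csp? },`. This is the only user-facing place the new controller argument is documented, so a sentence saying that callables now receive the controller and that zero-arity `lambda` values raise while `proc` values keep working would save upgraders the surprise the gemspec's new post_install_message warns about. The retargeted Public Key Pinning line at 11 still carries the pre-existing typos `Authorites` and `Pinnning`.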
@@ -106,7 +106,7 @@ module SecureHeaders
106
106
 
107
107
  # Config values can be string, array, or lamdba values
108
108
  @config = config.inject({}) do |hash, (key, value)|
109
- config_val = value.respond_to?(:call) ? value.call : value
109
+ config_val = value.respond_to?(:call) ? value.call(@controller) : value
110
110
 
111
111
  if SOURCE_DIRECTIVES.include?(key) # directives need to be normalized to arrays of strings
112
112
  config_val = config_val.split if config_val.is_a? String
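Review bot: `value.call(@controller)` on new line 109 raises ArgumentError for every zero-arity lambda a user already has in their config (`lambda { true }`), because lambdas enforce arity while procs ignore extra arguments; that is presumably why this release rewrote its specs from `lambda` to `proc` and added a post_install_message to the gemspec instead of staying compatible. An arity check keeps existing configs working without a breaking change in a minor release: `config_val = value.respond_to?(:call) ? (value.arity.zero? ? value.call : value.call(@controller)) : value`. The controller is also passed through when the caller supplied none (the specs build `ContentSecurityPolicy.new(opts)` without one), so a callable that dereferences it sees nil; the comment on line 107 should state the contract, e.g. `# Callables receive the controller, which is nil when none was passed to the constructor`. Since `:enforce` can now depend on request-time state such as the current user, the computed header must be rebuilt per request rather than cached; I cannot tell from this hunk whether the result is memoised anywhere. The `inject` block containing this line starts and ends outside the hunk.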
@@ -1,3 +1,3 @@
1
1
  module SecureHeaders
2
- VERSION = "2.1.0"
2
+ VERSION = "2.2.0"
3
3
  end
@@ -19,4 +19,5 @@ Gem::Specification.new do |gem|
19
19
  gem.test_files = gem.files.grep(%r{^(test|spec|features)/})
20
20
  gem.require_paths = ["lib"]
21
21
  gem.add_development_dependency "rake"
22
+ gem.post_install_message = "Warning: lambda config values will be broken until you add |controller|. e.g. :enforce => lambda { |controller| some_expression }"
22
23
  end
@@ -76,7 +76,7 @@ module SecureHeaders
76
76
  end
77
77
 
78
78
  it "adds a @enforce and @app_name variables to the report uri" do
79
- opts = @opts.merge(:tag_report_uri => true, :enforce => true, :app_name => lambda { 'twitter' })
79
+ opts = @opts.merge(:tag_report_uri => true, :enforce => true, :app_name => proc { 'twitter' })
80
80
  csp = ContentSecurityPolicy.new(opts, :request => request_for(CHROME))
81
81
  expect(csp.value).to include("/csp_report?enforce=true&app_name=twitter")
82
82
  end
@@ -90,7 +90,7 @@ module SecureHeaders
90
90
  it "accepts procs for report-uris" do
91
91
  opts = {
92
92
  :default_src => 'self',
93
- :report_uri => lambda { "http://lambda/result" }
93
+ :report_uri => proc { "http://lambda/result" }
94
94
  }
95
95
 
96
96
  csp = ContentSecurityPolicy.new(opts)
@@ -99,15 +99,29 @@ module SecureHeaders
99
99
 
100
100
  it "accepts procs for other fields" do
101
101
  opts = {
102
- :default_src => lambda { "http://lambda/result" },
103
- :enforce => lambda { true },
104
- :disable_fill_missing => lambda { true }
102
+ :default_src => proc { "http://lambda/result" },
103
+ :enforce => proc { true },
104
+ :disable_fill_missing => proc { true }
105
105
  }
106
106
 
107
107
  csp = ContentSecurityPolicy.new(opts)
108
108
  expect(csp.value).to eq("default-src http://lambda/result; img-src http://lambda/result data:;")
109
109
  expect(csp.name).to match("Content-Security-Policy")
110
110
  end
111
+
112
+ it "passes a reference to the controller to the proc" do
113
+ controller = double
114
+ user = double(:beta_testing? => true)
115
+
116
+ allow(controller).to receive(:current_user).and_return(user)
117
+ opts = {
118
+ :disable_fill_missing => true,
119
+ :default_src => "self",
120
+ :enforce => lambda { |c| c.current_user.beta_testing? }
121
+ }
122
+ csp = ContentSecurityPolicy.new(opts, :controller => controller)
123
+ expect(csp.name).to match("Content-Security-Policy")
124
+ end
111
125
  end
112
126
  end
113
127
 
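Review bot: The new example at lines 112–124 cannot fail if the controller is ignored: `match("Content-Security-Policy")` also matches the report-only header name, so the assertion passes whether or not `:enforce` evaluated to true. Use an exact comparison, `expect(csp.name).to eq("Content-Security-Policy")`, and assert the callable was actually handed the controller, e.g. `expect(user).to have_received(:beta_testing?)`. A second case with `:beta_testing? => false` expecting the report-only name would pin the opposite branch, which is the one that matters when a per-user predicate decides between enforcing and merely reporting. The enclosing `describe` blocks start outside the hunk.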
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.1.0
4
+ version: 2.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Neil Matatall
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2015-05-07 00:00:00.000000000 Z
11
+ date: 2015-06-18 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake
@@ -156,7 +156,8 @@ homepage: https://github.com/twitter/secureheaders
156
156
  licenses:
157
157
  - Apache Public License 2.0
158
158
  metadata: {}
159
- post_install_message:
159
+ post_install_message: 'Warning: lambda config values will be broken until you add
160
+ |controller|. e.g. :enforce => lambda { |controller| some_expression }'
160
161
  rdoc_options: []
161
162
  require_paths:
162
163
  - lib