RubyGems - secure_headers - Versions diffs - 2.2.1 → 2.2.2 - Mend

secure_headers 2.2.1 → 2.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of secure_headers might be problematic. Click here for more details.

Files changed (11) hide show

checksums.yaml +4 -4
data/Gemfile +1 -1
data/README.md +1 -1
data/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb +14 -0
data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +7 -1
data/fixtures/rails_4_1_8/app/controllers/other_things_controller.rb +1 -1
data/lib/secure_headers/version.rb +1 -1
data/lib/secure_headers.rb +10 -9
data/secure_headers.gemspec +0 -1
data/spec/spec_helper.rb +4 -1
metadata +3 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 8505e6e7242a976db378e97869dd8690e49fbe54
-  data.tar.gz: 32b1d9c752c03f66987f007c41c795c7f57d8e6a
+  metadata.gz: 288faa28dbfd3d98051878c6a14de550cad278c8
+  data.tar.gz: 8a0fb29d2d522ecbfefba832c85fd3a5db5de750
 SHA512:
-  metadata.gz: 989eaa8a180a9d8f5172305eb2d0cb6df13e37a8ba49587c8d1596f8cd4864838982b127a9a26e74d441fd0236cd165b9299bf8206fa32ebfcd4d05d234b55a5
-  data.tar.gz: 7437baa6edae3a38c3f5023b8a94cc58aa563b9aed732db10767b7996eaaf53f5b2f7af6d872ad0775ce7a02e547353238d36a118bb3b6f3e734e6ed37d75dd7
+  metadata.gz: 5cd42475a992e0491c9e503f0c1a236e61ea1e17d7fd972c5178bc58aa2ff5f7e9dab92a0f008e6c61c25478f23317f5c420807db97589ae1c00a85c6c7c5555
+  data.tar.gz: 09c1c571b5c1efd70ea02206403d84b5d85498b323b255f7901f6daf8196f6c922cdae4eea2d73b8c1e74be98b3efce9db53670c477009367b55aeb4be3fa5cf

data/Gemfile CHANGED Viewed

@@ -10,6 +10,6 @@ group :test do
   gem 'rspec', '>= 3.1'
   gem 'growl'
   gem 'rb-fsevent'
-  gem 'coveralls', :platforms => [:ruby_19]
+  gem 'coveralls', :platforms => [:ruby_19, :ruby_20, :ruby_21, :ruby_21]
   gem 'i18n', '< 0.7.0', :platforms => [:ruby_18]
 end

data/README.md CHANGED Viewed

@@ -49,7 +49,7 @@ This gem makes a few assumptions about how you will use some features.  For exam
   config.x_permitted_cross_domain_policies = 'none'
   config.csp = {
     :default_src => "https: self",
-    :enforce => proc {|controller| contoller.current_user.enforce_csp? }
+    :enforce => proc {|controller| contoller.current_user.enforce_csp? },
     :frame_src => "https: http:.twimg.com http://itunes.apple.com",
     :img_src => "https:",
     :report_uri => '//example.com/uri-directive'

data/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb CHANGED Viewed

@@ -3,4 +3,18 @@ class OtherThingsController < ApplicationController
   def index
   end
+  def other_action
+    render :text => 'yooooo'
+  end
+  def secure_header_options_for(header, options)
+    if params[:action] == "other_action"
+      if header == :csp
+        options.merge(:style_src => 'self')
+      end
+    else
+      options
+    end
+  end
 end

data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb CHANGED Viewed

@@ -12,11 +12,17 @@ describe OtherThingsController, :type => :controller do
       expect(response.headers['X-Frame-Options']).to eq(SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
     end
-    it "sets the X-WebKit-CSP header" do
+    it "sets the CSP header" do
       get :index
       expect(response.headers['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; img-src 'self' data:;")
     end
+    it "sets per-action values based on secure_header_options_for" do
+      # munges :style_src => self into policy
+      get :other_action
+      expect(response.headers['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; img-src 'self' data:; style-src 'self';")
+    end
     #mock ssl
     it "sets the Strict-Transport-Security header" do
       request.env['HTTPS'] = 'on'

data/fixtures/rails_4_1_8/app/controllers/other_things_controller.rb CHANGED Viewed

@@ -2,4 +2,4 @@ class OtherThingsController < ApplicationController
   def index
   end
-end
+end

data/lib/secure_headers/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module SecureHeaders
-  VERSION = "2.2.1"
+  VERSION = "2.2.2"
 end

data/lib/secure_headers.rb CHANGED Viewed

@@ -50,12 +50,6 @@ module SecureHeaders
       before_filter :set_x_download_options_header
       before_filter :set_x_permitted_cross_domain_policies_header
     end
-    # we can't use ||= because I'm overloading false => disable, nil => default
-    # both of which trigger the conditional assignment
-    def options_for(type, options)
-      options.nil? ? ::SecureHeaders::Configuration.send(type) : options
-    end
   end
   module InstanceMethods
@@ -80,7 +74,7 @@ module SecureHeaders
       end
       config = self.class.secure_headers_options[:csp] if config.nil?
-      config = self.class.options_for :csp, config
+      config = secure_header_options_for :csp, config
       return if config == false
@@ -140,7 +134,7 @@ module SecureHeaders
     def set_hpkp_header(options=self.class.secure_headers_options[:hpkp])
       return unless request.ssl?
-      config = self.class.options_for :hpkp, options
+      config = secure_header_options_for :hpkp, options
       return if config == false || config.nil?
@@ -158,8 +152,15 @@ module SecureHeaders
     private
+    # we can't use ||= because I'm overloading false => disable, nil => default
+    # both of which trigger the conditional assignment
+    def secure_header_options_for(type, options)
+      options.nil? ? ::SecureHeaders::Configuration.send(type) : options
+    end
     def set_a_header(name, klass, options=nil)
-      options = self.class.options_for name, options
+      options = secure_header_options_for name, options
       return if options == false
       header = klass.new(options)

data/secure_headers.gemspec CHANGED Viewed

@@ -20,5 +20,4 @@ Gem::Specification.new do |gem|
   gem.require_paths = ["lib"]
   gem.add_development_dependency "rake"
   gem.add_dependency "user_agent_parser"
-  gem.post_install_message = "Warning: lambda config values will be broken until you add |controller|. e.g. :enforce => lambda { |controller| some_expression }"
 end

data/spec/spec_helper.rb CHANGED Viewed

@@ -3,8 +3,11 @@ require 'rspec'
 require File.join(File.dirname(__FILE__), '..', 'lib', 'secure_headers')
-if defined?(Coveralls)
+begin
+  require 'coveralls'
   Coveralls.wear!
+rescue LoadError
+  # damn you 1.8.7
 end
 include ::SecureHeaders::PublicKeyPins::Constants

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 2.2.1
+  version: 2.2.2
 platform: ruby
 authors:
 - Neil Matatall
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-06-24 00:00:00.000000000 Z
+date: 2015-07-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -170,8 +170,7 @@ homepage: https://github.com/twitter/secureheaders
 licenses:
 - Apache Public License 2.0
 metadata: {}
-post_install_message: 'Warning: lambda config values will be broken until you add
-  |controller|. e.g. :enforce => lambda { |controller| some_expression }'
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib