secure_headers 2.2.2 → 2.2.3



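--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 288faa28dbfd3d98051878c6a14de550cad278c8
- data.tar.gz: 8a0fb29d2d522ecbfefba832c85fd3a5db5de750
+ metadata.gz: ff92ca9f6816c48cd276c4da21788c681401fded
+ data.tar.gz: e533e9fcfddaded93b6449612760c45fd4da75c8
  SHA512:
- metadata.gz: 5cd42475a992e0491c9e503f0c1a236e61ea1e17d7fd972c5178bc58aa2ff5f7e9dab92a0f008e6c61c25478f23317f5c420807db97589ae1c00a85c6c7c5555
- data.tar.gz: 09c1c571b5c1efd70ea02206403d84b5d85498b323b255f7901f6daf8196f6c922cdae4eea2d73b8c1e74be98b3efce9db53670c477009367b55aeb4be3fa5cf
+ metadata.gz: 28d1e5956816ceea536220868c6c3df6c8cedfc190d3ad14be24a3cea8465a091668d35e77d6afb14feef5fe0504f65b71e8960e3740afa5af3e1eb7e239ac8d
+ data.tar.gz: 18f797ba06da2eb6f2ac7b269a55a642a26d143a48f9a4e58989605d9340fec40b9746e227efbadee8c93382f7cddc5202564adadb06d041eb8e0dc995559192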
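--- a/data/Gemfile
+++ b/data/Gemfile
@@ -10,6 +10,6 @@ group :test do
  gem 'rspec', '>= 3.1'
  gem 'growl'
  gem 'rb-fsevent'
- gem 'coveralls', :platforms => [:ruby_19, :ruby_20, :ruby_21, :ruby_21]
+ gem 'coveralls', :platforms => [:ruby_19, :ruby_20, :ruby_21]
  gem 'i18n', '< 0.7.0', :platforms => [:ruby_18]
  end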
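--- a/data/README.md
+++ b/data/README.md
@@ -418,9 +418,10 @@ end
  ## Similar libraries
 
  * Node.js (express) [helmet](https://github.com/evilpacket/helmet) and [hood](https://github.com/seanmonstar/hood)
+ * Node.js (hapi) [blankie](https://github.com/nlf/blankie)
  * J2EE Servlet >= 3.0 [highlines](https://github.com/sourceclear/headlines)
  * ASP.NET - [NWebsec](https://github.com/NWebsec/NWebsec/wiki)
- * Python - [django-csp](https://github.com/mozilla/django-csp/) + [commonware](https://github.com/jsocol/commonware/)
+ * Python - [django-csp](https://github.com/mozilla/django-csp) + [commonware](https://github.com/jsocol/commonware/); [django-security](https://github.com/sdelements/django-security)
  * Go - [secureheader](https://github.com/kr/secureheader)
 
  ## Authors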
@@ -128,6 +128,7 @@ module SecureHeaders
128
128
 
129
129
  @disable_fill_missing = !!@config.delete(:disable_fill_missing)
130
130
  @enforce = !!@config.delete(:enforce)
131
+ @disable_img_src_data_uri = !!@config.delete(:disable_img_src_data_uri)
131
132
  @tag_report_uri = !!@config.delete(:tag_report_uri)
132
133
  @script_hashes = @config.delete(:script_hashes) || []
133
134
 
@@ -238,10 +239,11 @@ module SecureHeaders
238
239
 
239
240
  def generic_directives
240
241
  header_value = ''
242
+ data_uri = @disable_img_src_data_uri ? [] : ["data:"]
241
243
  if @config[:img_src]
242
- @config[:img_src] = @config[:img_src] + ['data:'] unless @config[:img_src].include?('data:')
244
+ @config[:img_src] = @config[:img_src] + data_uri unless @config[:img_src].include?('data:')
243
245
  else
244
- @config[:img_src] = @config[:default_src] + ['data:']
246
+ @config[:img_src] = @config[:default_src] + data_uri
245
247
  end
246
248
 
247
249
  DIRECTIVES.each do |directive_name|
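Review bot: The `include?('data:')` guard in generic_directives only does what the commit intends when `@config[:img_src]` is already an Array; if it were still the String form the new spec passes (`'self data:'`), `include?` would be a substring match and `+ data_uri` would raise TypeError, so this hunk presumably relies on a normalization step that is not visible here and a one-line precondition comment at the top of the method (`# expects :img_src / :default_src to have been normalized to arrays of source expressions`) would make that dependency explicit. The opt-out also lacks any statement of why `data:` is still appended by default, which is an implicit widening of whatever img-src the caller configured; a comment above the `data_uri =` line such as `# data: is auto-whitelisted in img-src for backward compatibility; apps that never inline images should set :disable_img_src_data_uri` tells a maintainer the default is deliberate. The README change in this diff does not mention the new `:disable_img_src_data_uri` option, so the only documentation is the spec. The flag is read in the earlier hunk (@@ -128) and consumed here, and generic_directives continues past the end of this hunk.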
@@ -1,3 +1,3 @@
1
1
  module SecureHeaders
2
- VERSION = "2.2.2"
2
+ VERSION = "2.2.3"
3
3
  end
@@ -156,6 +156,16 @@ module SecureHeaders
156
156
  csp = ContentSecurityPolicy.new({:default_src => 'self', :img_src => 'self', :disable_fill_missing => true}, :request => request_for(CHROME))
157
157
  expect(csp.value).to eq("default-src 'self'; img-src 'self' data:;")
158
158
  end
159
+
160
+ it "doesn't add a duplicate data uri if img-src specifies it already" do
161
+ csp = ContentSecurityPolicy.new({:default_src => 'self', :img_src => 'self data:', :disable_fill_missing => true}, :request => request_for(CHROME))
162
+ expect(csp.value).to eq("default-src 'self'; img-src 'self' data:;")
163
+ end
164
+
165
+ it "allows the user to disable img-src data: uris auto-whitelisting" do
166
+ csp = ContentSecurityPolicy.new({:default_src => 'self', :img_src => 'self', :disable_img_src_data_uri => true, :disable_fill_missing => true}, :request => request_for(CHROME))
167
+ expect(csp.value).to eq("default-src 'self'; img-src 'self';")
168
+ end
159
169
  end
160
170
 
161
171
  it "fills in directives without values with default-src value" do
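Review bot: The two added examples only exercise the branch where `:img_src` is supplied; the `else` branch of generic_directives, which derives img-src from default_src, is not covered with `:disable_img_src_data_uri` set, nor is the case where the caller sets the flag and also lists `data:` explicitly (which should presumably still emit `data:`, since the `include?` guard keeps user-supplied values). A third example using `{:default_src => 'self', :disable_img_src_data_uri => true, :disable_fill_missing => true}` with `expect(csp.value).to eq("default-src 'self'; img-src 'self';")` would pin the derived path; the exact expected string assumes no other directive is filled in, which the neighbouring examples suggest but this hunk does not show. The enclosing describe block begins before this hunk.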
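--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: secure_headers
  version: !ruby/object:Gem::Version
- version: 2.2.2
+ version: 2.2.3
  platform: ruby
  authors:
  - Neil Matatall
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2015-07-02 00:00:00.000000000 Z
+ date: 2015-08-14 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: rake
@@ -186,7 +186,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  version: '0'
  requirements: []
  rubyforge_project:
- rubygems_version: 2.2.3
+ rubygems_version: 2.4.8
  signing_key:
  specification_version: 4
  summary: Add easily configured security headers to responses including content-security-policy,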