secure_headers 2.2.2 → 2.2.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of secure_headers might be problematic. Click here for more details.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: ff92ca9f6816c48cd276c4da21788c681401fded
|
|
4
|
+
data.tar.gz: e533e9fcfddaded93b6449612760c45fd4da75c8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 28d1e5956816ceea536220868c6c3df6c8cedfc190d3ad14be24a3cea8465a091668d35e77d6afb14feef5fe0504f65b71e8960e3740afa5af3e1eb7e239ac8d
|
|
7
|
+
data.tar.gz: 18f797ba06da2eb6f2ac7b269a55a642a26d143a48f9a4e58989605d9340fec40b9746e227efbadee8c93382f7cddc5202564adadb06d041eb8e0dc995559192
|
data/Gemfile
CHANGED
|
@@ -10,6 +10,6 @@ group :test do
|
|
|
10
10
|
gem 'rspec', '>= 3.1'
|
|
11
11
|
gem 'growl'
|
|
12
12
|
gem 'rb-fsevent'
|
|
13
|
-
gem 'coveralls', :platforms => [:ruby_19, :ruby_20, :ruby_21
|
|
13
|
+
gem 'coveralls', :platforms => [:ruby_19, :ruby_20, :ruby_21]
|
|
14
14
|
gem 'i18n', '< 0.7.0', :platforms => [:ruby_18]
|
|
15
15
|
end
|
data/README.md
CHANGED
|
@@ -418,9 +418,10 @@ end
|
|
|
418
418
|
## Similar libraries
|
|
419
419
|
|
|
420
420
|
* Node.js (express) [helmet](https://github.com/evilpacket/helmet) and [hood](https://github.com/seanmonstar/hood)
|
|
421
|
+
* Node.js (hapi) [blankie](https://github.com/nlf/blankie)
|
|
421
422
|
* J2EE Servlet >= 3.0 [highlines](https://github.com/sourceclear/headlines)
|
|
422
423
|
* ASP.NET - [NWebsec](https://github.com/NWebsec/NWebsec/wiki)
|
|
423
|
-
* Python - [django-csp](https://github.com/mozilla/django-csp
|
|
424
|
+
* Python - [django-csp](https://github.com/mozilla/django-csp) + [commonware](https://github.com/jsocol/commonware/); [django-security](https://github.com/sdelements/django-security)
|
|
424
425
|
* Go - [secureheader](https://github.com/kr/secureheader)
|
|
425
426
|
|
|
426
427
|
## Authors
|
|
@@ -128,6 +128,7 @@ module SecureHeaders
|
|
|
128
128
|
|
|
129
129
|
@disable_fill_missing = !!@config.delete(:disable_fill_missing)
|
|
130
130
|
@enforce = !!@config.delete(:enforce)
|
|
131
|
+
@disable_img_src_data_uri = !!@config.delete(:disable_img_src_data_uri)
|
|
131
132
|
@tag_report_uri = !!@config.delete(:tag_report_uri)
|
|
132
133
|
@script_hashes = @config.delete(:script_hashes) || []
|
|
133
134
|
|
|
@@ -238,10 +239,11 @@ module SecureHeaders
|
|
|
238
239
|
|
|
239
240
|
def generic_directives
|
|
240
241
|
header_value = ''
|
|
242
|
+
data_uri = @disable_img_src_data_uri ? [] : ["data:"]
|
|
241
243
|
if @config[:img_src]
|
|
242
|
-
@config[:img_src] = @config[:img_src] +
|
|
244
|
+
@config[:img_src] = @config[:img_src] + data_uri unless @config[:img_src].include?('data:')
|
|
243
245
|
else
|
|
244
|
-
@config[:img_src] = @config[:default_src] +
|
|
246
|
+
@config[:img_src] = @config[:default_src] + data_uri
|
|
245
247
|
end
|
|
246
248
|
|
|
247
249
|
DIRECTIVES.each do |directive_name|
|
|
@@ -156,6 +156,16 @@ module SecureHeaders
|
|
|
156
156
|
csp = ContentSecurityPolicy.new({:default_src => 'self', :img_src => 'self', :disable_fill_missing => true}, :request => request_for(CHROME))
|
|
157
157
|
expect(csp.value).to eq("default-src 'self'; img-src 'self' data:;")
|
|
158
158
|
end
|
|
159
|
+
|
|
160
|
+
it "doesn't add a duplicate data uri if img-src specifies it already" do
|
|
161
|
+
csp = ContentSecurityPolicy.new({:default_src => 'self', :img_src => 'self data:', :disable_fill_missing => true}, :request => request_for(CHROME))
|
|
162
|
+
expect(csp.value).to eq("default-src 'self'; img-src 'self' data:;")
|
|
163
|
+
end
|
|
164
|
+
|
|
165
|
+
it "allows the user to disable img-src data: uris auto-whitelisting" do
|
|
166
|
+
csp = ContentSecurityPolicy.new({:default_src => 'self', :img_src => 'self', :disable_img_src_data_uri => true, :disable_fill_missing => true}, :request => request_for(CHROME))
|
|
167
|
+
expect(csp.value).to eq("default-src 'self'; img-src 'self';")
|
|
168
|
+
end
|
|
159
169
|
end
|
|
160
170
|
|
|
161
171
|
it "fills in directives without values with default-src value" do
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.2.
|
|
4
|
+
version: 2.2.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2015-
|
|
11
|
+
date: 2015-08-14 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|
|
@@ -186,7 +186,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
186
186
|
version: '0'
|
|
187
187
|
requirements: []
|
|
188
188
|
rubyforge_project:
|
|
189
|
-
rubygems_version: 2.
|
|
189
|
+
rubygems_version: 2.4.8
|
|
190
190
|
signing_key:
|
|
191
191
|
specification_version: 4
|
|
192
192
|
summary: Add easily configured security headers to responses including content-security-policy,
|