secure_headers 2.2.3 → 2.2.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of secure_headers might be problematic. Click here for more details.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 8a0931db8855224044856cad01f2226dfb325c93
|
|
4
|
+
data.tar.gz: bc3520f802677b2c7967d9e7ae928c5d6ef4d2ca
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 41b4ee3848c1261162c5a5e7f80931a1e7891a08ac0d1f49b5ebfae5ae819f0e8a5b3577499d4cd8d62eaf71d36218bb7bf97cd263d220a67a72e14c8a49dac6
|
|
7
|
+
data.tar.gz: acae6ac54a26a925e3fd74a2b24c50a00349cce8be8d9dca8d81ee1dbae68008defa925bb3a10f99996476687de0b632fca07cfc6d40bd7511dd8acc1cc7a0c1
|
data/.travis.yml
CHANGED
data/README.md
CHANGED
|
@@ -49,7 +49,7 @@ This gem makes a few assumptions about how you will use some features. For exam
|
|
|
49
49
|
config.x_permitted_cross_domain_policies = 'none'
|
|
50
50
|
config.csp = {
|
|
51
51
|
:default_src => "https: self",
|
|
52
|
-
:enforce => proc {|controller|
|
|
52
|
+
:enforce => proc {|controller| controller.current_user.enforce_csp? },
|
|
53
53
|
:frame_src => "https: http:.twimg.com http://itunes.apple.com",
|
|
54
54
|
:img_src => "https:",
|
|
55
55
|
:report_uri => '//example.com/uri-directive'
|
|
@@ -419,7 +419,7 @@ end
|
|
|
419
419
|
|
|
420
420
|
* Node.js (express) [helmet](https://github.com/evilpacket/helmet) and [hood](https://github.com/seanmonstar/hood)
|
|
421
421
|
* Node.js (hapi) [blankie](https://github.com/nlf/blankie)
|
|
422
|
-
* J2EE Servlet >= 3.0 [
|
|
422
|
+
* J2EE Servlet >= 3.0 [headlines](https://github.com/sourceclear/headlines)
|
|
423
423
|
* ASP.NET - [NWebsec](https://github.com/NWebsec/NWebsec/wiki)
|
|
424
424
|
* Python - [django-csp](https://github.com/mozilla/django-csp) + [commonware](https://github.com/jsocol/commonware/); [django-security](https://github.com/sdelements/django-security)
|
|
425
425
|
* Go - [secureheader](https://github.com/kr/secureheader)
|
data/lib/secure_headers.rb
CHANGED
|
@@ -39,6 +39,9 @@ module SecureHeaders
|
|
|
39
39
|
end
|
|
40
40
|
|
|
41
41
|
def ensure_security_headers options = {}
|
|
42
|
+
if RUBY_VERSION == "1.8.7"
|
|
43
|
+
warn "[DEPRECATION] secure_headers ruby 1.8.7 support will dropped in the next release"
|
|
44
|
+
end
|
|
42
45
|
self.secure_headers_options = options
|
|
43
46
|
before_filter :prep_script_hash
|
|
44
47
|
before_filter :set_hsts_header
|
|
@@ -2,6 +2,7 @@ require 'uri'
|
|
|
2
2
|
require 'base64'
|
|
3
3
|
require 'securerandom'
|
|
4
4
|
require 'user_agent_parser'
|
|
5
|
+
require 'json'
|
|
5
6
|
|
|
6
7
|
module SecureHeaders
|
|
7
8
|
class ContentSecurityPolicyBuildError < StandardError; end
|
|
@@ -166,6 +167,21 @@ module SecureHeaders
|
|
|
166
167
|
end
|
|
167
168
|
end
|
|
168
169
|
|
|
170
|
+
def to_json
|
|
171
|
+
build_value
|
|
172
|
+
@config.to_json.gsub(/(\w+)_src/, "\\1-src")
|
|
173
|
+
end
|
|
174
|
+
|
|
175
|
+
def self.from_json(*json_configs)
|
|
176
|
+
json_configs.inject({}) do |combined_config, one_config|
|
|
177
|
+
one_config = one_config.gsub(/(\w+)-src/, "\\1_src")
|
|
178
|
+
config = JSON.parse(one_config, :symbolize_names => true)
|
|
179
|
+
combined_config.merge(config) do |_, lhs, rhs|
|
|
180
|
+
lhs | rhs
|
|
181
|
+
end
|
|
182
|
+
end
|
|
183
|
+
end
|
|
184
|
+
|
|
169
185
|
private
|
|
170
186
|
|
|
171
187
|
def add_script_hashes
|
|
@@ -56,6 +56,23 @@ module SecureHeaders
|
|
|
56
56
|
end
|
|
57
57
|
end
|
|
58
58
|
|
|
59
|
+
it "exports a policy to JSON" do
|
|
60
|
+
policy = ContentSecurityPolicy.new(default_opts)
|
|
61
|
+
expected = %({"default-src":["https:"],"script-src":["'unsafe-inline'","'unsafe-eval'","https:","data:"],"style-src":["'unsafe-inline'","https:","about:"],"img-src":["https:","data:"]})
|
|
62
|
+
expect(policy.to_json).to eq(expected)
|
|
63
|
+
end
|
|
64
|
+
|
|
65
|
+
it "imports JSON to build a policy" do
|
|
66
|
+
json1 = %({"default-src":["https:"],"script-src":["'unsafe-inline'","'unsafe-eval'","https:","data:"]})
|
|
67
|
+
json2 = %({"style-src":["'unsafe-inline'"],"img-src":["https:","data:"]})
|
|
68
|
+
json3 = %({"style-src":["https:","about:"]})
|
|
69
|
+
config = ContentSecurityPolicy.from_json(json1, json2, json3)
|
|
70
|
+
policy = ContentSecurityPolicy.new(config.merge(:disable_fill_missing => true))
|
|
71
|
+
|
|
72
|
+
expected = %({"default-src":["https:"],"script-src":["'unsafe-inline'","'unsafe-eval'","https:","data:"],"style-src":["'unsafe-inline'","https:","about:"],"img-src":["https:","data:"]})
|
|
73
|
+
expect(policy.to_json).to eq(expected)
|
|
74
|
+
end
|
|
75
|
+
|
|
59
76
|
context "when using hash sources" do
|
|
60
77
|
it "adds hashes and unsafe-inline to the script-src" do
|
|
61
78
|
policy = ContentSecurityPolicy.new(default_opts.merge(:script_hashes => ['sha256-abc123']))
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.2.
|
|
4
|
+
version: 2.2.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2015-08-
|
|
11
|
+
date: 2015-08-26 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|