secure_headers 2.2.3 → 2.2.4
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of secure_headers might be problematic. Click here for more details.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 8a0931db8855224044856cad01f2226dfb325c93
|
|
4
|
+
data.tar.gz: bc3520f802677b2c7967d9e7ae928c5d6ef4d2ca
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 41b4ee3848c1261162c5a5e7f80931a1e7891a08ac0d1f49b5ebfae5ae819f0e8a5b3577499d4cd8d62eaf71d36218bb7bf97cd263d220a67a72e14c8a49dac6
|
|
7
|
+
data.tar.gz: acae6ac54a26a925e3fd74a2b24c50a00349cce8be8d9dca8d81ee1dbae68008defa925bb3a10f99996476687de0b632fca07cfc6d40bd7511dd8acc1cc7a0c1
|
data/.travis.yml
CHANGED
data/README.md
CHANGED
|
@@ -49,7 +49,7 @@ This gem makes a few assumptions about how you will use some features. For exam
|
|
|
49
49
|
config.x_permitted_cross_domain_policies = 'none'
|
|
50
50
|
config.csp = {
|
|
51
51
|
:default_src => "https: self",
|
|
52
|
-
:enforce => proc {|controller|
|
|
52
|
+
:enforce => proc {|controller| controller.current_user.enforce_csp? },
|
|
53
53
|
:frame_src => "https: http:.twimg.com http://itunes.apple.com",
|
|
54
54
|
:img_src => "https:",
|
|
55
55
|
:report_uri => '//example.com/uri-directive'
|
|
@@ -419,7 +419,7 @@ end
|
|
|
419
419
|
|
|
420
420
|
* Node.js (express) [helmet](https://github.com/evilpacket/helmet) and [hood](https://github.com/seanmonstar/hood)
|
|
421
421
|
* Node.js (hapi) [blankie](https://github.com/nlf/blankie)
|
|
422
|
-
* J2EE Servlet >= 3.0 [
|
|
422
|
+
* J2EE Servlet >= 3.0 [headlines](https://github.com/sourceclear/headlines)
|
|
423
423
|
* ASP.NET - [NWebsec](https://github.com/NWebsec/NWebsec/wiki)
|
|
424
424
|
* Python - [django-csp](https://github.com/mozilla/django-csp) + [commonware](https://github.com/jsocol/commonware/); [django-security](https://github.com/sdelements/django-security)
|
|
425
425
|
* Go - [secureheader](https://github.com/kr/secureheader)
|
data/lib/secure_headers.rb
CHANGED
|
@@ -39,6 +39,9 @@ module SecureHeaders
|
|
|
39
39
|
end
|
|
40
40
|
|
|
41
41
|
def ensure_security_headers options = {}
|
|
42
|
+
if RUBY_VERSION == "1.8.7"
|
|
43
|
+
warn "[DEPRECATION] secure_headers ruby 1.8.7 support will dropped in the next release"
|
|
44
|
+
end
|
|
42
45
|
self.secure_headers_options = options
|
|
43
46
|
before_filter :prep_script_hash
|
|
44
47
|
before_filter :set_hsts_header
|
|
@@ -2,6 +2,7 @@ require 'uri'
|
|
|
2
2
|
require 'base64'
|
|
3
3
|
require 'securerandom'
|
|
4
4
|
require 'user_agent_parser'
|
|
5
|
+
require 'json'
|
|
5
6
|
|
|
6
7
|
module SecureHeaders
|
|
7
8
|
class ContentSecurityPolicyBuildError < StandardError; end
|
|
@@ -166,6 +167,21 @@ module SecureHeaders
|
|
|
166
167
|
end
|
|
167
168
|
end
|
|
168
169
|
|
|
170
|
+
def to_json
|
|
171
|
+
build_value
|
|
172
|
+
@config.to_json.gsub(/(\w+)_src/, "\\1-src")
|
|
173
|
+
end
|
|
174
|
+
|
|
175
|
+
def self.from_json(*json_configs)
|
|
176
|
+
json_configs.inject({}) do |combined_config, one_config|
|
|
177
|
+
one_config = one_config.gsub(/(\w+)-src/, "\\1_src")
|
|
178
|
+
config = JSON.parse(one_config, :symbolize_names => true)
|
|
179
|
+
combined_config.merge(config) do |_, lhs, rhs|
|
|
180
|
+
lhs | rhs
|
|
181
|
+
end
|
|
182
|
+
end
|
|
183
|
+
end
|
|
184
|
+
|
|
169
185
|
private
|
|
170
186
|
|
|
171
187
|
def add_script_hashes
|
|
@@ -56,6 +56,23 @@ module SecureHeaders
|
|
|
56
56
|
end
|
|
57
57
|
end
|
|
58
58
|
|
|
59
|
+
it "exports a policy to JSON" do
|
|
60
|
+
policy = ContentSecurityPolicy.new(default_opts)
|
|
61
|
+
expected = %({"default-src":["https:"],"script-src":["'unsafe-inline'","'unsafe-eval'","https:","data:"],"style-src":["'unsafe-inline'","https:","about:"],"img-src":["https:","data:"]})
|
|
62
|
+
expect(policy.to_json).to eq(expected)
|
|
63
|
+
end
|
|
64
|
+
|
|
65
|
+
it "imports JSON to build a policy" do
|
|
66
|
+
json1 = %({"default-src":["https:"],"script-src":["'unsafe-inline'","'unsafe-eval'","https:","data:"]})
|
|
67
|
+
json2 = %({"style-src":["'unsafe-inline'"],"img-src":["https:","data:"]})
|
|
68
|
+
json3 = %({"style-src":["https:","about:"]})
|
|
69
|
+
config = ContentSecurityPolicy.from_json(json1, json2, json3)
|
|
70
|
+
policy = ContentSecurityPolicy.new(config.merge(:disable_fill_missing => true))
|
|
71
|
+
|
|
72
|
+
expected = %({"default-src":["https:"],"script-src":["'unsafe-inline'","'unsafe-eval'","https:","data:"],"style-src":["'unsafe-inline'","https:","about:"],"img-src":["https:","data:"]})
|
|
73
|
+
expect(policy.to_json).to eq(expected)
|
|
74
|
+
end
|
|
75
|
+
|
|
59
76
|
context "when using hash sources" do
|
|
60
77
|
it "adds hashes and unsafe-inline to the script-src" do
|
|
61
78
|
policy = ContentSecurityPolicy.new(default_opts.merge(:script_hashes => ['sha256-abc123']))
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.2.
|
|
4
|
+
version: 2.2.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2015-08-
|
|
11
|
+
date: 2015-08-26 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|