secure_headers 2.4.4 → 2.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of secure_headers might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/.travis.yml +1 -0
- data/Gemfile +1 -0
- data/Guardfile +12 -0
- data/lib/secure_headers/headers/content_security_policy.rb +13 -4
- data/lib/secure_headers/headers/strict_transport_security.rb +1 -0
- data/lib/secure_headers/headers/x_content_type_options.rb +1 -0
- data/lib/secure_headers/headers/x_download_options.rb +1 -0
- data/lib/secure_headers/headers/x_frame_options.rb +1 -0
- data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +1 -0
- data/lib/secure_headers/headers/x_xss_protection.rb +1 -0
- data/lib/secure_headers/version.rb +1 -1
- data/lib/secure_headers.rb +8 -1
- data/secure_headers.gemspec +1 -0
- data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +2 -0
- data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +2 -0
- data/spec/lib/secure_headers_spec.rb +5 -5
- metadata +7 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 36b98616c83ec1049b8f1bcc25671738da8d8bed
|
|
4
|
+
data.tar.gz: 730108ec10da36aeeb59049e88122a99987d1dcc
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 854d9e8c9de09d5515dad3449726b4b2308b8a25b5dc702ed80da47fd3f94f983119531a4089877b215ee07dccfa8fec2766107891b018bcca376ec16ed95e8f
|
|
7
|
+
data.tar.gz: f0ec419ac593cdeb556dc852d6e2a3b8f5fcfe83c07b34ac8392fcb912004bbe1117ea9e473c068230a38c44c96a5e036dfde630ae5e7397203c9aed8babd741
|
data/.travis.yml
CHANGED
data/Gemfile
CHANGED
data/Guardfile
ADDED
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
guard :rspec, cmd: "bundle exec rspec", all_on_start: true, all_after_pass: true do
|
|
2
|
+
require "guard/rspec/dsl"
|
|
3
|
+
dsl = Guard::RSpec::Dsl.new(self)
|
|
4
|
+
|
|
5
|
+
# RSpec files
|
|
6
|
+
rspec = dsl.rspec
|
|
7
|
+
watch(rspec.spec_helper) { rspec.spec_dir }
|
|
8
|
+
watch(rspec.spec_support) { rspec.spec_dir }
|
|
9
|
+
watch(rspec.spec_files)
|
|
10
|
+
|
|
11
|
+
watch(%r{^lib/(.+)\.rb$}) { |m| "spec/lib/#{m[1]}_spec.rb" }
|
|
12
|
+
end
|
|
@@ -137,9 +137,18 @@ module SecureHeaders
|
|
|
137
137
|
|
|
138
138
|
# Config values can be string, array, or lamdba values
|
|
139
139
|
@config = config.inject({}) do |hash, (key, value)|
|
|
140
|
-
config_val = value.respond_to?(:call)
|
|
140
|
+
config_val = if value.respond_to?(:call)
|
|
141
|
+
warn "[DEPRECATION] secure_headers 3.x will not support procs as config values."
|
|
142
|
+
value.call(@controller)
|
|
143
|
+
else
|
|
144
|
+
value
|
|
145
|
+
end
|
|
146
|
+
|
|
141
147
|
if ALL_DIRECTIVES.include?(key.to_sym) # directives need to be normalized to arrays of strings
|
|
142
|
-
|
|
148
|
+
if config_val.is_a? String
|
|
149
|
+
warn "[DEPRECATION] A String was supplied for directive #{key}. secure_headers 3.x will require all directives to be arrays of strings."
|
|
150
|
+
config_val = config_val.split
|
|
151
|
+
end
|
|
143
152
|
if config_val.is_a?(Array)
|
|
144
153
|
config_val = config_val.map do |val|
|
|
145
154
|
translate_dir_value(val)
|
|
@@ -258,10 +267,10 @@ module SecureHeaders
|
|
|
258
267
|
|
|
259
268
|
def translate_dir_value val
|
|
260
269
|
if %w{inline eval}.include?(val)
|
|
261
|
-
warn "[DEPRECATION] using inline/eval
|
|
270
|
+
warn "[DEPRECATION] using inline/eval is not suppored in secure_headers 3.x. Instead use 'unsafe-inline'/'unsafe-eval' instead."
|
|
262
271
|
val == 'inline' ? "'unsafe-inline'" : "'unsafe-eval'"
|
|
263
272
|
elsif %{self none}.include?(val)
|
|
264
|
-
warn "[DEPRECATION] using self/none
|
|
273
|
+
warn "[DEPRECATION] using self/none is not suppored in secure_headers 3.x. Instead use 'self'/'none' instead."
|
|
265
274
|
"'#{val}'"
|
|
266
275
|
elsif val == 'nonce'
|
|
267
276
|
if supports_nonces?
|
|
@@ -41,6 +41,7 @@ module SecureHeaders
|
|
|
41
41
|
|
|
42
42
|
def validate_config
|
|
43
43
|
if @config.is_a? Hash
|
|
44
|
+
warn "[DEPRECATION] secure_headers 3.0 will only accept string values for StrictTransportSecurity config"
|
|
44
45
|
if !@config[:max_age]
|
|
45
46
|
raise STSBuildError.new("No max-age was supplied.")
|
|
46
47
|
elsif @config[:max_age].to_s !~ /\A\d+\z/
|
|
@@ -25,6 +25,7 @@ module SecureHeaders
|
|
|
25
25
|
when String
|
|
26
26
|
@config
|
|
27
27
|
else
|
|
28
|
+
warn "[DEPRECATION] secure_headers 3.0 will only accept string values for XXssProtection config"
|
|
28
29
|
value = @config[:value].to_s
|
|
29
30
|
value += "; mode=#{@config[:mode]}" if @config[:mode]
|
|
30
31
|
value += "; report=#{@config[:report_uri]}" if @config[:report_uri]
|
data/lib/secure_headers.rb
CHANGED
|
@@ -33,12 +33,18 @@ module SecureHeaders
|
|
|
33
33
|
:x_xss_protection, :csp, :x_download_options, :script_hashes,
|
|
34
34
|
:x_permitted_cross_domain_policies, :hpkp
|
|
35
35
|
|
|
36
|
-
|
|
36
|
+
# For preparation for the secure_headers 3.x change.
|
|
37
|
+
def default &block
|
|
37
38
|
instance_eval &block
|
|
38
39
|
if File.exists?(SCRIPT_HASH_CONFIG_FILE)
|
|
39
40
|
::SecureHeaders::Configuration.script_hashes = YAML.load(File.open(SCRIPT_HASH_CONFIG_FILE))
|
|
40
41
|
end
|
|
41
42
|
end
|
|
43
|
+
|
|
44
|
+
def configure &block
|
|
45
|
+
warn "[DEPRECATION] `configure` is removed in secure_headers 3.x. Instead use `default`."
|
|
46
|
+
default &block
|
|
47
|
+
end
|
|
42
48
|
end
|
|
43
49
|
end
|
|
44
50
|
|
|
@@ -206,6 +212,7 @@ module SecureHeaders
|
|
|
206
212
|
# we can't use ||= because I'm overloading false => disable, nil => default
|
|
207
213
|
# both of which trigger the conditional assignment
|
|
208
214
|
def secure_header_options_for(type, options)
|
|
215
|
+
warn "[DEPRECATION] secure_header_options_for will not be supported in secure_headers 3.x."
|
|
209
216
|
options.nil? ? ::SecureHeaders::Configuration.send(type) : options
|
|
210
217
|
end
|
|
211
218
|
|
data/secure_headers.gemspec
CHANGED
|
@@ -20,4 +20,5 @@ Gem::Specification.new do |gem|
|
|
|
20
20
|
gem.require_paths = ["lib"]
|
|
21
21
|
gem.add_development_dependency "rake"
|
|
22
22
|
gem.add_dependency "user_agent_parser"
|
|
23
|
+
gem.post_install_message = "[DEPRECATION] Development has stopped on the 2.x line of secure_headers. It will be maintained, but new features will be added to the 3.x branch. A lot has changed in secure_headers 3.x. A migration guide can be found in the documentation: https://github.com/twitter/secureheaders/blob/master/upgrading-to-3-0.md."
|
|
23
24
|
end
|
|
@@ -20,7 +20,7 @@ describe SecureHeaders do
|
|
|
20
20
|
end
|
|
21
21
|
|
|
22
22
|
def reset_config
|
|
23
|
-
::SecureHeaders::Configuration.
|
|
23
|
+
::SecureHeaders::Configuration.default do |config|
|
|
24
24
|
config.hpkp = nil
|
|
25
25
|
config.hsts = nil
|
|
26
26
|
config.x_frame_options = nil
|
|
@@ -139,7 +139,7 @@ describe SecureHeaders do
|
|
|
139
139
|
|
|
140
140
|
context "when disabled by configuration settings" do
|
|
141
141
|
it "does not set any headers when disabled" do
|
|
142
|
-
::SecureHeaders::Configuration.
|
|
142
|
+
::SecureHeaders::Configuration.default do |config|
|
|
143
143
|
config.hsts = false
|
|
144
144
|
config.hpkp = false
|
|
145
145
|
config.x_frame_options = false
|
|
@@ -179,7 +179,7 @@ describe SecureHeaders do
|
|
|
179
179
|
end
|
|
180
180
|
|
|
181
181
|
it "allows opting out with config" do
|
|
182
|
-
::SecureHeaders::Configuration.
|
|
182
|
+
::SecureHeaders::Configuration.default do |config|
|
|
183
183
|
config.hsts = false
|
|
184
184
|
config.csp = false
|
|
185
185
|
end
|
|
@@ -190,7 +190,7 @@ describe SecureHeaders do
|
|
|
190
190
|
end
|
|
191
191
|
|
|
192
192
|
it "produces a hash with a mix of config values, override values, and default values" do
|
|
193
|
-
::SecureHeaders::Configuration.
|
|
193
|
+
::SecureHeaders::Configuration.default do |config|
|
|
194
194
|
config.hsts = { :max_age => '123456'}
|
|
195
195
|
config.hpkp = {
|
|
196
196
|
:enforce => true,
|
|
@@ -205,7 +205,7 @@ describe SecureHeaders do
|
|
|
205
205
|
end
|
|
206
206
|
|
|
207
207
|
hash = SecureHeaders::header_hash(:csp => {:default_src => "'none'", :img_src => "data:"})
|
|
208
|
-
::SecureHeaders::Configuration.
|
|
208
|
+
::SecureHeaders::Configuration.default do |config|
|
|
209
209
|
config.hsts = nil
|
|
210
210
|
config.hpkp = nil
|
|
211
211
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.
|
|
4
|
+
version: 2.5.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2016-01-06 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|
|
@@ -50,6 +50,7 @@ files:
|
|
|
50
50
|
- ".ruby-version"
|
|
51
51
|
- ".travis.yml"
|
|
52
52
|
- Gemfile
|
|
53
|
+
- Guardfile
|
|
53
54
|
- LICENSE
|
|
54
55
|
- README.md
|
|
55
56
|
- Rakefile
|
|
@@ -170,7 +171,10 @@ homepage: https://github.com/twitter/secureheaders
|
|
|
170
171
|
licenses:
|
|
171
172
|
- Apache Public License 2.0
|
|
172
173
|
metadata: {}
|
|
173
|
-
post_install_message:
|
|
174
|
+
post_install_message: "[DEPRECATION] Development has stopped on the 2.x line of secure_headers.
|
|
175
|
+
It will be maintained, but new features will be added to the 3.x branch. A lot has
|
|
176
|
+
changed in secure_headers 3.x. A migration guide can be found in the documentation:
|
|
177
|
+
https://github.com/twitter/secureheaders/blob/master/upgrading-to-3-0.md."
|
|
174
178
|
rdoc_options: []
|
|
175
179
|
require_paths:
|
|
176
180
|
- lib
|