RubyGems - secure_headers - Versions diffs - 2.5.3 → 3.0.0.pre - Mend

secure_headers 2.5.3 → 3.0.0.pre

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (125) hide show

data/fixtures/rails_3_2_22/log/.gitkeep DELETED Viewed

File without changes

data/fixtures/rails_3_2_22/spec/controllers/other_things_controller_spec.rb DELETED Viewed

@@ -1,83 +0,0 @@
-require 'spec_helper'
-require 'secure_headers/headers/content_security_policy/script_hash_middleware'
-describe OtherThingsController, :type => :controller do
-  include Rack::Test::Methods
-  def app
-    OtherThingsController.action(:index)
-  end
-  def request(opts = {})
-    options = opts.merge(
-      {
-        'HTTPS' => 'on',
-        'HTTP_USER_AGENT' => "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/537.22 (KHTML like Gecko) Chrome/25.0.1364.99 Safari/537.22"
-      }
-    )
-    Rack::MockRequest.env_for('/', options)
-  end
-  describe "headers" do
-    before(:each) do
-      _, @env = app.call(request)
-    end
-    it "sets the X-XSS-Protection header" do
-      get '/'
-      expect(@env['X-XSS-Protection']).to eq('1; mode=block')
-    end
-    it "sets the X-Frame-Options header" do
-      get '/'
-      expect(@env['X-Frame-Options']).to eq('SAMEORIGIN')
-    end
-    it "sets the CSP header with a local reference to a nonce" do
-      middleware = ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware.new(app)
-      _, env = middleware.call(request(@env))
-      expect(env['Content-Security-Policy-Report-Only']).to match(/script-src[^;]*'nonce-[a-zA-Z0-9\+\/=]{44}'/)
-    end
-    it "sets the required hashes to whitelist inline script" do
-      middleware = ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware.new(app)
-      _, env = middleware.call(request(@env))
-      hashes = ['sha256-VjDxT7saxd2FgaUQQTWw/jsTnvonaoCP/ACWDBTpyhU=', 'sha256-ZXAcP8a0y1pPMTJW8pUr43c+XBkgYQBwHOPvXk9mq5A=']
-      hashes.each do |hash|
-        expect(env['Content-Security-Policy-Report-Only']).to include(hash)
-      end
-    end
-    it "sets the Strict-Transport-Security header" do
-      get '/'
-      expect(@env['Strict-Transport-Security']).to eq("max-age=315576000")
-    end
-    it "sets the X-Download-Options header" do
-      get '/'
-      expect(@env['X-Download-Options']).to eq('noopen')
-    end
-    it "sets the X-Content-Type-Options header" do
-      get '/'
-      expect(@env['X-Content-Type-Options']).to eq("nosniff")
-    end
-    it "sets the X-Permitted-Cross-Domain-Policies" do
-      get '/'
-      expect(@env['X-Permitted-Cross-Domain-Policies']).to eq("none")
-    end
-    context "using IE" do
-      it "sets the X-Content-Type-Options header" do
-        @env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
-        get '/'
-        expect(@env['X-Content-Type-Options']).to eq("nosniff")
-      end
-    end
-  end
-end

data/fixtures/rails_3_2_22/spec/controllers/things_controller_spec.rb DELETED Viewed

@@ -1,54 +0,0 @@
-require 'spec_helper'
-# This controller is meant to be something that inherits config from application controller
-# all values are defaulted because no initializer is configured, and the values in app controller
-# only provide csp => false
-describe ThingsController, :type => :controller do
-  describe "headers" do
-    it "sets the X-XSS-Protection header" do
-      get :index
-      expect(response.headers['X-XSS-Protection']).to eq('1; mode=block')
-    end
-    it "sets the X-Frame-Options header" do
-      get :index
-      expect(response.headers['X-Frame-Options']).to eq('SAMEORIGIN')
-    end
-    it "does not set CSP header" do
-      get :index
-      expect(response.headers['Content-Security-Policy-Report-Only']).to eq(nil)
-    end
-    #mock ssl
-    it "sets the Strict-Transport-Security header" do
-      request.env['HTTPS'] = 'on'
-      get :index
-      expect(response.headers['Strict-Transport-Security']).to eq("max-age=315576000")
-    end
-    it "sets the X-Download-Options header" do
-      get :index
-      expect(response.headers['X-Download-Options']).to eq('noopen')
-    end
-    it "sets the X-Content-Type-Options header" do
-      get :index
-      expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
-    end
-    it "sets the X-Permitted-Cross-Domain-Policies" do
-      get :index
-      expect(response.headers['X-Permitted-Cross-Domain-Policies']).to eq("none")
-    end
-    context "using IE" do
-      it "sets the X-Content-Type-Options header" do
-        request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
-        get :index
-        expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
-      end
-    end
-  end
-end

data/fixtures/rails_3_2_22/spec/spec_helper.rb DELETED Viewed

@@ -1,15 +0,0 @@
-require 'rubygems'
-#uncomment the following line to use spork with the debugger
-#require 'spork/ext/ruby-debug'
-# Spork.prefork do
-  # Loading more in this block will cause your tests to run faster. However,
-  # if you change any configuration or code from libraries loaded here, you'll
-  # need to restart spork for it take effect.
-# This file is copied to spec/ when you run 'rails generate rspec:install'
-  ENV["RAILS_ENV"] ||= 'test'
-  require File.expand_path("../../config/environment", __FILE__)
-  require 'rspec/rails'
-# end

data/fixtures/rails_3_2_22/vendor/assets/javascripts/.gitkeep DELETED Viewed

File without changes

data/fixtures/rails_3_2_22/vendor/assets/stylesheets/.gitkeep DELETED Viewed

File without changes

data/fixtures/rails_3_2_22/vendor/plugins/.gitkeep DELETED Viewed

File without changes

data/fixtures/rails_3_2_22_no_init/.rspec DELETED Viewed

	@@ -1 +0,0 @@
1	- --color --format progress

data/fixtures/rails_3_2_22_no_init/Gemfile DELETED Viewed

@@ -1,6 +0,0 @@
-source 'https://rubygems.org'
-gem 'test-unit'
-gem 'rails', '3.2.22'
-gem 'rspec-rails', '>= 2.0.0'
-gem 'secure_headers', :path => '../..'

data/fixtures/rails_3_2_22_no_init/README.rdoc DELETED Viewed

@@ -1,261 +0,0 @@
-== Welcome to Rails
-Rails is a web-application framework that includes everything needed to create
-database-backed web applications according to the Model-View-Control pattern.
-This pattern splits the view (also called the presentation) into "dumb"
-templates that are primarily responsible for inserting pre-built data in between
-HTML tags. The model contains the "smart" domain objects (such as Account,
-Product, Person, Post) that holds all the business logic and knows how to
-persist themselves to a database. The controller handles the incoming requests
-(such as Save New Account, Update Product, Show Post) by manipulating the model
-and directing data to the view.
-In Rails, the model is handled by what's called an object-relational mapping
-layer entitled Active Record. This layer allows you to present the data from
-database rows as objects and embellish these data objects with business logic
-methods. You can read more about Active Record in
-link:files/vendor/rails/activerecord/README.html.
-The controller and view are handled by the Action Pack, which handles both
-layers by its two parts: Action View and Action Controller. These two layers
-are bundled in a single package due to their heavy interdependence. This is
-unlike the relationship between the Active Record and Action Pack that is much
-more separate. Each of these packages can be used independently outside of
-Rails. You can read more about Action Pack in
-link:files/vendor/rails/actionpack/README.html.
-== Getting Started
-1. At the command prompt, create a new Rails application:
-       <tt>rails new myapp</tt> (where <tt>myapp</tt> is the application name)
-2. Change directory to <tt>myapp</tt> and start the web server:
-       <tt>cd myapp; rails server</tt> (run with --help for options)
-3. Go to http://localhost:3000/ and you'll see:
-       "Welcome aboard: You're riding Ruby on Rails!"
-4. Follow the guidelines to start developing your application. You can find
-the following resources handy:
-* The Getting Started Guide: http://guides.rubyonrails.org/getting_started.html
-* Ruby on Rails Tutorial Book: http://www.railstutorial.org/
-== Debugging Rails
-Sometimes your application goes wrong. Fortunately there are a lot of tools that
-will help you debug it and get it back on the rails.
-First area to check is the application log files. Have "tail -f" commands
-running on the server.log and development.log. Rails will automatically display
-debugging and runtime information to these files. Debugging info will also be
-shown in the browser on requests from 127.0.0.1.
-You can also log your own messages directly into the log file from your code
-using the Ruby logger class from inside your controllers. Example:
-  class WeblogController < ActionController::Base
-    def destroy
-      @weblog = Weblog.find(params[:id])
-      @weblog.destroy
-      logger.info("#{Time.now} Destroyed Weblog ID ##{@weblog.id}!")
-    end
-  end
-The result will be a message in your log file along the lines of:
-  Mon Oct 08 14:22:29 +1000 2007 Destroyed Weblog ID #1!
-More information on how to use the logger is at http://www.ruby-doc.org/core/
-Also, Ruby documentation can be found at http://www.ruby-lang.org/. There are
-several books available online as well:
-* Programming Ruby: http://www.ruby-doc.org/docs/ProgrammingRuby/ (Pickaxe)
-* Learn to Program: http://pine.fm/LearnToProgram/ (a beginners guide)
-These two books will bring you up to speed on the Ruby language and also on
-programming in general.
-== Debugger
-Debugger support is available through the debugger command when you start your
-Mongrel or WEBrick server with --debugger. This means that you can break out of
-execution at any point in the code, investigate and change the model, and then,
-resume execution! You need to install ruby-debug to run the server in debugging
-mode. With gems, use <tt>sudo gem install ruby-debug</tt>. Example:
-  class WeblogController < ActionController::Base
-    def index
-      @posts = Post.all
-      debugger
-    end
-  end
-So the controller will accept the action, run the first line, then present you
-with a IRB prompt in the server window. Here you can do things like:
-  >> @posts.inspect
-  => "[#<Post:0x14a6be8
-          @attributes={"title"=>nil, "body"=>nil, "id"=>"1"}>,
-       #<Post:0x14a6620
-          @attributes={"title"=>"Rails", "body"=>"Only ten..", "id"=>"2"}>]"
-  >> @posts.first.title = "hello from a debugger"
-  => "hello from a debugger"
-...and even better, you can examine how your runtime objects actually work:
-  >> f = @posts.first
-  => #<Post:0x13630c4 @attributes={"title"=>nil, "body"=>nil, "id"=>"1"}>
-  >> f.
-  Display all 152 possibilities? (y or n)
-Finally, when you're ready to resume execution, you can enter "cont".
-== Console
-The console is a Ruby shell, which allows you to interact with your
-application's domain model. Here you'll have all parts of the application
-configured, just like it is when the application is running. You can inspect
-domain models, change values, and save to the database. Starting the script
-without arguments will launch it in the development environment.
-To start the console, run <tt>rails console</tt> from the application
-directory.
-Options:
-* Passing the <tt>-s, --sandbox</tt> argument will rollback any modifications
-  made to the database.
-* Passing an environment name as an argument will load the corresponding
-  environment. Example: <tt>rails console production</tt>.
-To reload your controllers and models after launching the console run
-<tt>reload!</tt>
-More information about irb can be found at:
-link:http://www.rubycentral.org/pickaxe/irb.html
-== dbconsole
-You can go to the command line of your database directly through <tt>rails
-dbconsole</tt>. You would be connected to the database with the credentials
-defined in database.yml. Starting the script without arguments will connect you
-to the development database. Passing an argument will connect you to a different
-database, like <tt>rails dbconsole production</tt>. Currently works for MySQL,
-PostgreSQL and SQLite 3.
-== Description of Contents
-The default directory structure of a generated Ruby on Rails application:
-  |-- app
-  |   |-- assets
-  |       |-- images
-  |       |-- javascripts
-  |       `-- stylesheets
-  |   |-- controllers
-  |   |-- helpers
-  |   |-- mailers
-  |   |-- models
-  |   `-- views
-  |       `-- layouts
-  |-- config
-  |   |-- environments
-  |   |-- initializers
-  |   `-- locales
-  |-- db
-  |-- doc
-  |-- lib
-  |   `-- tasks
-  |-- log
-  |-- public
-  |-- script
-  |-- test
-  |   |-- fixtures
-  |   |-- functional
-  |   |-- integration
-  |   |-- performance
-  |   `-- unit
-  |-- tmp
-  |   |-- cache
-  |   |-- pids
-  |   |-- sessions
-  |   `-- sockets
-  `-- vendor
-      |-- assets
-          `-- stylesheets
-      `-- plugins
-app
-  Holds all the code that's specific to this particular application.
-app/assets
-  Contains subdirectories for images, stylesheets, and JavaScript files.
-app/controllers
-  Holds controllers that should be named like weblogs_controller.rb for
-  automated URL mapping. All controllers should descend from
-  ApplicationController which itself descends from ActionController::Base.
-app/models
-  Holds models that should be named like post.rb. Models descend from
-  ActiveRecord::Base by default.
-app/views
-  Holds the template files for the view that should be named like
-  weblogs/index.html.erb for the WeblogsController#index action. All views use
-  eRuby syntax by default.
-app/views/layouts
-  Holds the template files for layouts to be used with views. This models the
-  common header/footer method of wrapping views. In your views, define a layout
-  using the <tt>layout :default</tt> and create a file named default.html.erb.
-  Inside default.html.erb, call <% yield %> to render the view using this
-  layout.
-app/helpers
-  Holds view helpers that should be named like weblogs_helper.rb. These are
-  generated for you automatically when using generators for controllers.
-  Helpers can be used to wrap functionality for your views into methods.
-config
-  Configuration files for the Rails environment, the routing map, the database,
-  and other dependencies.
-db
-  Contains the database schema in schema.rb. db/migrate contains all the
-  sequence of Migrations for your schema.
-doc
-  This directory is where your application documentation will be stored when
-  generated using <tt>rake doc:app</tt>
-lib
-  Application specific libraries. Basically, any kind of custom code that
-  doesn't belong under controllers, models, or helpers. This directory is in
-  the load path.
-public
-  The directory available for the web server. Also contains the dispatchers and the
-  default HTML files. This should be set as the DOCUMENT_ROOT of your web
-  server.
-script
-  Helper scripts for automation and generation.
-test
-  Unit and functional tests along with fixtures. When using the rails generate
-  command, template test files will be generated for you and placed in this
-  directory.
-vendor
-  External libraries that the application depends on. Also includes the plugins
-  subdirectory. If the app has frozen rails, those gems also go here, under
-  vendor/rails/. This directory is in the load path.

data/fixtures/rails_3_2_22_no_init/Rakefile DELETED Viewed

@@ -1,7 +0,0 @@
-#!/usr/bin/env rake
-# Add your own tasks in files placed in lib/tasks ending in .rake,
-# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
-require File.expand_path('../config/application', __FILE__)
-Rails3212::Application.load_tasks

data/fixtures/rails_3_2_22_no_init/app/controllers/application_controller.rb DELETED Viewed

@@ -1,4 +0,0 @@
-class ApplicationController < ActionController::Base
-  protect_from_forgery
-  ensure_security_headers :csp => false
-end

data/fixtures/rails_3_2_22_no_init/app/controllers/other_things_controller.rb DELETED Viewed

@@ -1,20 +0,0 @@
-class OtherThingsController < ApplicationController
-  ensure_security_headers :csp => {:default_src => "'self'"}
-  def index
-  end
-  def other_action
-    render :text => 'yooooo'
-  end
-  def secure_header_options_for(header, options)
-    if params[:action] == "other_action"
-      if header == :csp
-        options.merge(:style_src => "'self'")
-      end
-    else
-      options
-    end
-  end
-end

data/fixtures/rails_3_2_22_no_init/app/controllers/things_controller.rb DELETED Viewed

@@ -1,5 +0,0 @@
-class ThingsController < ApplicationController
-  def index
-  end
-end

data/fixtures/rails_3_2_22_no_init/app/models/.gitkeep DELETED Viewed

File without changes

data/fixtures/rails_3_2_22_no_init/app/views/layouts/application.html.erb DELETED Viewed

@@ -1,12 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-  <title>Rails3212</title>
-  <%= stylesheet_link_tag    "application", :media => "all" %>
-</head>
-<body>
-<%= yield %>
-</body>
-</html>

data/fixtures/rails_3_2_22_no_init/app/views/other_things/index.html.erb DELETED Viewed

	@@ -1 +0,0 @@
1	- index

data/fixtures/rails_3_2_22_no_init/app/views/things/index.html.erb DELETED Viewed

File without changes

data/fixtures/rails_3_2_22_no_init/config/application.rb DELETED Viewed

@@ -1,17 +0,0 @@
-require File.expand_path('../boot', __FILE__)
-# Pick the frameworks you want:
-require "action_controller/railtie"
-require "sprockets/railtie"
-if defined?(Bundler)
-  # If you precompile assets before deploying to production, use this line
-  Bundler.require(*Rails.groups(:assets => %w(development test)))
-  # If you want your assets lazily compiled in production, use this line
-  # Bundler.require(:default, :assets, Rails.env)
-end
-module Rails3212
-  class Application < Rails::Application
-  end
-end

data/fixtures/rails_3_2_22_no_init/config/boot.rb DELETED Viewed

@@ -1,6 +0,0 @@
-require 'rubygems'
-# Set up gems listed in the Gemfile.
-ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
-require 'bundler/setup' if File.exists?(ENV['BUNDLE_GEMFILE'])

data/fixtures/rails_3_2_22_no_init/config/environment.rb DELETED Viewed

@@ -1,5 +0,0 @@
-# Load the rails application
-require File.expand_path('../application', __FILE__)
-# Initialize the rails application
-Rails3212::Application.initialize!

data/fixtures/rails_3_2_22_no_init/config/environments/test.rb DELETED Viewed

@@ -1,37 +0,0 @@
-Rails3212::Application.configure do
-  # Settings specified here will take precedence over those in config/application.rb
-  # The test environment is used exclusively to run your application's
-  # test suite. You never need to work with it otherwise. Remember that
-  # your test database is "scratch space" for the test suite and is wiped
-  # and recreated between test runs. Don't rely on the data there!
-  config.cache_classes = true
-  # Configure static asset server for tests with Cache-Control for performance
-  config.serve_static_assets = true
-  config.static_cache_control = "public, max-age=3600"
-  # Log error messages when you accidentally call methods on nil
-  config.whiny_nils = true
-  # Show full error reports and disable caching
-  config.consider_all_requests_local       = true
-  config.action_controller.perform_caching = false
-  # Raise exceptions instead of rendering exception templates
-  config.action_dispatch.show_exceptions = false
-  # Disable request forgery protection in test environment
-  config.action_controller.allow_forgery_protection    = false
-  # Tell Action Mailer not to deliver emails to the real world.
-  # The :test delivery method accumulates sent emails in the
-  # ActionMailer::Base.deliveries array.
-  # config.action_mailer.delivery_method = :test
-  # Raise exception on mass assignment protection for Active Record models
-  # config.active_record.mass_assignment_sanitizer = :strict
-  # Print deprecation notices to the stderr
-  config.active_support.deprecation = :stderr
-end

data/fixtures/rails_3_2_22_no_init/config/routes.rb DELETED Viewed

@@ -1,4 +0,0 @@
-Rails3212::Application.routes.draw do
-  resources :things
-  match ':controller(/:action(/:id))(.:format)'
-end

data/fixtures/rails_3_2_22_no_init/config.ru DELETED Viewed

@@ -1,4 +0,0 @@
-# This file is used by Rack-based servers to start the application.
-require ::File.expand_path('../config/environment',  __FILE__)
-run Rails3212::Application

data/fixtures/rails_3_2_22_no_init/lib/assets/.gitkeep DELETED Viewed

File without changes

data/fixtures/rails_3_2_22_no_init/lib/tasks/.gitkeep DELETED Viewed

File without changes

data/fixtures/rails_3_2_22_no_init/log/.gitkeep DELETED Viewed

File without changes

data/fixtures/rails_3_2_22_no_init/spec/controllers/other_things_controller_spec.rb DELETED Viewed

@@ -1,56 +0,0 @@
-require 'spec_helper'
-describe OtherThingsController, :type => :controller do
-  describe "headers" do
-    it "sets the X-XSS-Protection header" do
-      get :index
-      expect(response.headers['X-XSS-Protection']).to eq(SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE)
-    end
-    it "sets the X-Frame-Options header" do
-      get :index
-      expect(response.headers['X-Frame-Options']).to eq(SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
-    end
-    it "sets the CSP header" do
-      get :index
-      expect(response.headers['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; img-src 'self' data:;")
-    end
-    it "sets per-action values based on secure_header_options_for" do
-      # munges :style_src => self into policy
-      get :other_action
-      expect(response.headers['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; img-src 'self' data:; style-src 'self';")
-    end
-    #mock ssl
-    it "sets the Strict-Transport-Security header" do
-      request.env['HTTPS'] = 'on'
-      get :index
-      expect(response.headers['Strict-Transport-Security']).to eq(SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
-    end
-    it "sets the X-Download-Options header" do
-      get :index
-      expect(response.headers['X-Download-Options']).to eq(SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
-    end
-    it "sets the X-Content-Type-Options header" do
-      get :index
-      expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
-    end
-    it "sets the X-Permitted-Cross-Domain-Policies" do
-      get :index
-      expect(response.headers['X-Permitted-Cross-Domain-Policies']).to eq("none")
-    end
-    context "using IE" do
-      it "sets the X-Content-Type-Options header" do
-        request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
-        get :index
-        expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
-      end
-    end
-  end
-end