RubyGems - secure_headers - Versions diffs - 2.5.3 → 3.0.0.pre - Mend

secure_headers 2.5.3 → 3.0.0.pre

Potentially problematic release.

This version of secure_headers might be problematic. Click here for more details.

Files changed (125) hide show

data/fixtures/rails_3_2_22/log/.gitkeep DELETED Viewed

File without changes

data/fixtures/rails_3_2_22/spec/controllers/other_things_controller_spec.rb DELETED Viewed

@@ -1,83 +0,0 @@
-require 'spec_helper'
-require 'secure_headers/headers/content_security_policy/script_hash_middleware'
-describe OtherThingsController, :type => :controller do
-  include Rack::Test::Methods
-  def app
-    OtherThingsController.action(:index)
-  end
-  def request(opts = {})
-    options = opts.merge(
-      {
-        'HTTPS' => 'on',
-        'HTTP_USER_AGENT' => "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/537.22 (KHTML like Gecko) Chrome/25.0.1364.99 Safari/537.22"
-      }
-    )
-    Rack::MockRequest.env_for('/', options)
-  end
-  describe "headers" do
-    before(:each) do
-      _, @env = app.call(request)
-    end
-    it "sets the X-XSS-Protection header" do
-      get '/'
-      expect(@env['X-XSS-Protection']).to eq('1; mode=block')
-    end
-    it "sets the X-Frame-Options header" do
-      get '/'
-      expect(@env['X-Frame-Options']).to eq('SAMEORIGIN')
-    end
-    it "sets the CSP header with a local reference to a nonce" do
-      middleware = ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware.new(app)
-      _, env = middleware.call(request(@env))
-      expect(env['Content-Security-Policy-Report-Only']).to match(/script-src[^;]*'nonce-[a-zA-Z0-9\+\/=]{44}'/)
-    end
-    it "sets the required hashes to whitelist inline script" do
-      middleware = ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware.new(app)
-      _, env = middleware.call(request(@env))
-      hashes = ['sha256-VjDxT7saxd2FgaUQQTWw/jsTnvonaoCP/ACWDBTpyhU=', 'sha256-ZXAcP8a0y1pPMTJW8pUr43c+XBkgYQBwHOPvXk9mq5A=']
-      hashes.each do |hash|
-        expect(env['Content-Security-Policy-Report-Only']).to include(hash)
-      end
-    end
-    it "sets the Strict-Transport-Security header" do
-      get '/'
-      expect(@env['Strict-Transport-Security']).to eq("max-age=315576000")
-    end
-    it "sets the X-Download-Options header" do
-      get '/'
-      expect(@env['X-Download-Options']).to eq('noopen')
-    end
-    it "sets the X-Content-Type-Options header" do
-      get '/'
-      expect(@env['X-Content-Type-Options']).to eq("nosniff")
-    end
-    it "sets the X-Permitted-Cross-Domain-Policies" do
-      get '/'
-      expect(@env['X-Permitted-Cross-Domain-Policies']).to eq("none")
-    end
-    context "using IE" do
-      it "sets the X-Content-Type-Options header" do
-        @env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
-        get '/'
-        expect(@env['X-Content-Type-Options']).to eq("nosniff")
-      end
-    end
-  end
-end

data/fixtures/rails_3_2_22/spec/controllers/things_controller_spec.rb DELETED Viewed

@@ -1,54 +0,0 @@
-require 'spec_helper'
-# This controller is meant to be something that inherits config from application controller
-# all values are defaulted because no initializer is configured, and the values in app controller
-# only provide csp => false
-describe ThingsController, :type => :controller do
-  describe "headers" do
-    it "sets the X-XSS-Protection header" do
-      get :index
-      expect(response.headers['X-XSS-Protection']).to eq('1; mode=block')
-    end
-    it "sets the X-Frame-Options header" do
-      get :index
-      expect(response.headers['X-Frame-Options']).to eq('SAMEORIGIN')
-    end
-    it "does not set CSP header" do
-      get :index
-      expect(response.headers['Content-Security-Policy-Report-Only']).to eq(nil)
-    end
-    #mock ssl
-    it "sets the Strict-Transport-Security header" do
-      request.env['HTTPS'] = 'on'
-      get :index
-      expect(response.headers['Strict-Transport-Security']).to eq("max-age=315576000")
-    end
-    it "sets the X-Download-Options header" do
-      get :index
-      expect(response.headers['X-Download-Options']).to eq('noopen')
-    end
-    it "sets the X-Content-Type-Options header" do
-      get :index
-      expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
-    end
-    it "sets the X-Permitted-Cross-Domain-Policies" do
-      get :index
-      expect(response.headers['X-Permitted-Cross-Domain-Policies']).to eq("none")
-    end
-    context "using IE" do
-      it "sets the X-Content-Type-Options header" do
-        request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
-        get :index
-        expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
-      end
-    end
-  end
-end

data/fixtures/rails_3_2_22/spec/spec_helper.rb DELETED Viewed

@@ -1,15 +0,0 @@
-require 'rubygems'
-#uncomment the following line to use spork with the debugger
-#require 'spork/ext/ruby-debug'
-# Spork.prefork do
-  # Loading more in this block will cause your tests to run faster. However,
-  # if you change any configuration or code from libraries loaded here, you'll
-  # need to restart spork for it take effect.
-# This file is copied to spec/ when you run 'rails generate rspec:install'
-  ENV["RAILS_ENV"] ||= 'test'
-  require File.expand_path("../../config/environment", __FILE__)
-  require 'rspec/rails'
-# end

data/fixtures/rails_3_2_22/vendor/assets/javascripts/.gitkeep DELETED Viewed

File without changes

data/fixtures/rails_3_2_22/vendor/assets/stylesheets/.gitkeep DELETED Viewed

File without changes

data/fixtures/rails_3_2_22/vendor/plugins/.gitkeep DELETED Viewed

File without changes

data/fixtures/rails_3_2_22_no_init/.rspec DELETED Viewed

	@@ -1 +0,0 @@
1	- --color --format progress

data/fixtures/rails_3_2_22_no_init/Gemfile DELETED Viewed

@@ -1,6 +0,0 @@
-source 'https://rubygems.org'
-gem 'test-unit'
-gem 'rails', '3.2.22'
-gem 'rspec-rails', '>= 2.0.0'
-gem 'secure_headers', :path => '../..'

data/fixtures/rails_3_2_22_no_init/README.rdoc DELETED Viewed

@@ -1,261 +0,0 @@
-== Welcome to Rails
-Rails is a web-application framework that includes everything needed to create
-database-backed web applications according to the Model-View-Control pattern.
-This pattern splits the view (also called the presentation) into "dumb"
-templates that are primarily responsible for inserting pre-built data in between
-HTML tags. The model contains the "smart" domain objects (such as Account,
-Product, Person, Post) that holds all the business logic and knows how to
-persist themselves to a database. The controller handles the incoming requests
-(such as Save New Account, Update Product, Show Post) by manipulating the model
-and directing data to the view.
-In Rails, the model is handled by what's called an object-relational mapping
-layer entitled Active Record. This layer allows you to present the data from
-database rows as objects and embellish these data objects with business logic
-methods. You can read more about Active Record in
-link:files/vendor/rails/activerecord/README.html.
-The controller and view are handled by the Action Pack, which handles both
-layers by its two parts: Action View and Action Controller. These two layers
-are bundled in a single package due to their heavy interdependence. This is
-unlike the relationship between the Active Record and Action Pack that is much
-more separate. Each of these packages can be used independently outside of
-Rails. You can read more about Action Pack in
-link:files/vendor/rails/actionpack/README.html.
-== Getting Started
-1. At the command prompt, create a new Rails application:
-       <tt>rails new myapp</tt> (where <tt>myapp</tt> is the application name)
-2. Change directory to <tt>myapp</tt> and start the web server:
-       <tt>cd myapp; rails server</tt> (run with --help for options)
-3. Go to http://localhost:3000/ and you'll see:
-       "Welcome aboard: You're riding Ruby on Rails!"
-4. Follow the guidelines to start developing your application. You can find
-the following resources handy:
-* The Getting Started Guide: http://guides.rubyonrails.org/getting_started.html
-* Ruby on Rails Tutorial Book: http://www.railstutorial.org/
-== Debugging Rails
-Sometimes your application goes wrong. Fortunately there are a lot of tools that
-will help you debug it and get it back on the rails.
-First area to check is the application log files. Have "tail -f" commands
-running on the server.log and development.log. Rails will automatically display
-debugging and runtime information to these files. Debugging info will also be
-shown in the browser on requests from 127.0.0.1.
-You can also log your own messages directly into the log file from your code
-using the Ruby logger class from inside your controllers. Example:
-  class WeblogController < ActionController::Base
-    def destroy
-      @weblog = Weblog.find(params[:id])
-      @weblog.destroy
-      logger.info("#{Time.now} Destroyed Weblog ID ##{@weblog.id}!")
-    end
-  end
-The result will be a message in your log file along the lines of:
-  Mon Oct 08 14:22:29 +1000 2007 Destroyed Weblog ID #1!
-More information on how to use the logger is at http://www.ruby-doc.org/core/
-Also, Ruby documentation can be found at http://www.ruby-lang.org/. There are
-several books available online as well:
-* Programming Ruby: http://www.ruby-doc.org/docs/ProgrammingRuby/ (Pickaxe)
-* Learn to Program: http://pine.fm/LearnToProgram/ (a beginners guide)
-These two books will bring you up to speed on the Ruby language and also on
-programming in general.
-== Debugger
-Debugger support is available through the debugger command when you start your
-Mongrel or WEBrick server with --debugger. This means that you can break out of
-execution at any point in the code, investigate and change the model, and then,
-resume execution! You need to install ruby-debug to run the server in debugging
-mode. With gems, use <tt>sudo gem install ruby-debug</tt>. Example:
-  class WeblogController < ActionController::Base
-    def index
-      @posts = Post.all
-      debugger
-    end
-  end
-So the controller will accept the action, run the first line, then present you
-with a IRB prompt in the server window. Here you can do things like:
-  >> @posts.inspect
-  => "[#<Post:0x14a6be8
-          @attributes={"title"=>nil, "body"=>nil, "id"=>"1"}>,
-       #<Post:0x14a6620
-          @attributes={"title"=>"Rails", "body"=>"Only ten..", "id"=>"2"}>]"
-  >> @posts.first.title = "hello from a debugger"
-  => "hello from a debugger"
-...and even better, you can examine how your runtime objects actually work:
-  >> f = @posts.first
-  => #<Post:0x13630c4 @attributes={"title"=>nil, "body"=>nil, "id"=>"1"}>
-  >> f.
-  Display all 152 possibilities? (y or n)
-Finally, when you're ready to resume execution, you can enter "cont".
-== Console
-The console is a Ruby shell, which allows you to interact with your
-application's domain model. Here you'll have all parts of the application
-configured, just like it is when the application is running. You can inspect
-domain models, change values, and save to the database. Starting the script
-without arguments will launch it in the development environment.
-To start the console, run <tt>rails console</tt> from the application
-directory.
-Options:
-* Passing the <tt>-s, --sandbox</tt> argument will rollback any modifications
-  made to the database.
-* Passing an environment name as an argument will load the corresponding
-  environment. Example: <tt>rails console production</tt>.
-To reload your controllers and models after launching the console run
-<tt>reload!</tt>
-More information about irb can be found at:
-link:http://www.rubycentral.org/pickaxe/irb.html
-== dbconsole
-You can go to the command line of your database directly through <tt>rails
-dbconsole</tt>. You would be connected to the database with the credentials
-defined in database.yml. Starting the script without arguments will connect you
-to the development database. Passing an argument will connect you to a different
-database, like <tt>rails dbconsole production</tt>. Currently works for MySQL,
-PostgreSQL and SQLite 3.
-== Description of Contents
-The default directory structure of a generated Ruby on Rails application:
-  |-- app
-  |   |-- assets
-  |       |-- images
-  |       |-- javascripts
-  |       `-- stylesheets
-  |   |-- controllers
-  |   |-- helpers
-  |   |-- mailers
-  |   |-- models
-  |   `-- views
-  |       `-- layouts
-  |-- config
-  |   |-- environments
-  |   |-- initializers
-  |   `-- locales
-  |-- db
-  |-- doc
-  |-- lib
-  |   `-- tasks
-  |-- log
-  |-- public
-  |-- script
-  |-- test
-  |   |-- fixtures
-  |   |-- functional
-  |   |-- integration
-  |   |-- performance
-  |   `-- unit
-  |-- tmp
-  |   |-- cache
-  |   |-- pids
-  |   |-- sessions
-  |   `-- sockets
-  `-- vendor
-      |-- assets
-          `-- stylesheets
-      `-- plugins
-app
-  Holds all the code that's specific to this particular application.
-app/assets
-  Contains subdirectories for images, stylesheets, and JavaScript files.
-app/controllers
-  Holds controllers that should be named like weblogs_controller.rb for
-  automated URL mapping. All controllers should descend from
-  ApplicationController which itself descends from ActionController::Base.
-app/models
-  Holds models that should be named like post.rb. Models descend from
-  ActiveRecord::Base by default.
-app/views
-  Holds the template files for the view that should be named like
-  weblogs/index.html.erb for the WeblogsController#index action. All views use
-  eRuby syntax by default.
-app/views/layouts
-  Holds the template files for layouts to be used with views. This models the
-  common header/footer method of wrapping views. In your views, define a layout
-  using the <tt>layout :default</tt> and create a file named default.html.erb.
-  Inside default.html.erb, call <% yield %> to render the view using this
-  layout.
-app/helpers
-  Holds view helpers that should be named like weblogs_helper.rb. These are
-  generated for you automatically when using generators for controllers.
-  Helpers can be used to wrap functionality for your views into methods.
-config
-  Configuration files for the Rails environment, the routing map, the database,
-  and other dependencies.
-db
-  Contains the database schema in schema.rb. db/migrate contains all the
-  sequence of Migrations for your schema.
-doc
-  This directory is where your application documentation will be stored when
-  generated using <tt>rake doc:app</tt>
-lib
-  Application specific libraries. Basically, any kind of custom code that
-  doesn't belong under controllers, models, or helpers. This directory is in
-  the load path.
-public
-  The directory available for the web server. Also contains the dispatchers and the
-  default HTML files. This should be set as the DOCUMENT_ROOT of your web
-  server.
-script
-  Helper scripts for automation and generation.
-test
-  Unit and functional tests along with fixtures. When using the rails generate
-  command, template test files will be generated for you and placed in this
-  directory.
-vendor
-  External libraries that the application depends on. Also includes the plugins
-  subdirectory. If the app has frozen rails, those gems also go here, under
-  vendor/rails/. This directory is in the load path.

data/fixtures/rails_3_2_22_no_init/Rakefile DELETED Viewed

@@ -1,7 +0,0 @@
-#!/usr/bin/env rake
-# Add your own tasks in files placed in lib/tasks ending in .rake,
-# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
-require File.expand_path('../config/application', __FILE__)
-Rails3212::Application.load_tasks

data/fixtures/rails_3_2_22_no_init/app/controllers/application_controller.rb DELETED Viewed

@@ -1,4 +0,0 @@
-class ApplicationController < ActionController::Base
-  protect_from_forgery
-  ensure_security_headers :csp => false
-end

data/fixtures/rails_3_2_22_no_init/app/controllers/other_things_controller.rb DELETED Viewed

@@ -1,20 +0,0 @@
-class OtherThingsController < ApplicationController
-  ensure_security_headers :csp => {:default_src => "'self'"}
-  def index
-  end
-  def other_action
-    render :text => 'yooooo'
-  end
-  def secure_header_options_for(header, options)
-    if params[:action] == "other_action"
-      if header == :csp
-        options.merge(:style_src => "'self'")
-      end
-    else
-      options
-    end
-  end
-end

data/fixtures/rails_3_2_22_no_init/app/controllers/things_controller.rb DELETED Viewed

@@ -1,5 +0,0 @@
-class ThingsController < ApplicationController
-  def index
-  end
-end

data/fixtures/rails_3_2_22_no_init/app/models/.gitkeep DELETED Viewed

File without changes

data/fixtures/rails_3_2_22_no_init/app/views/layouts/application.html.erb DELETED Viewed

@@ -1,12 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-  <title>Rails3212</title>
-  <%= stylesheet_link_tag    "application", :media => "all" %>
-</head>
-<body>
-<%= yield %>
-</body>
-</html>

data/fixtures/rails_3_2_22_no_init/app/views/other_things/index.html.erb DELETED Viewed

	@@ -1 +0,0 @@
1	- index

data/fixtures/rails_3_2_22_no_init/app/views/things/index.html.erb DELETED Viewed

File without changes

data/fixtures/rails_3_2_22_no_init/config/application.rb DELETED Viewed

@@ -1,17 +0,0 @@
-require File.expand_path('../boot', __FILE__)
-# Pick the frameworks you want:
-require "action_controller/railtie"
-require "sprockets/railtie"
-if defined?(Bundler)
-  # If you precompile assets before deploying to production, use this line
-  Bundler.require(*Rails.groups(:assets => %w(development test)))
-  # If you want your assets lazily compiled in production, use this line
-  # Bundler.require(:default, :assets, Rails.env)
-end
-module Rails3212
-  class Application < Rails::Application
-  end
-end

data/fixtures/rails_3_2_22_no_init/config/boot.rb DELETED Viewed

@@ -1,6 +0,0 @@
-require 'rubygems'
-# Set up gems listed in the Gemfile.
-ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
-require 'bundler/setup' if File.exists?(ENV['BUNDLE_GEMFILE'])

data/fixtures/rails_3_2_22_no_init/config/environment.rb DELETED Viewed

@@ -1,5 +0,0 @@
-# Load the rails application
-require File.expand_path('../application', __FILE__)
-# Initialize the rails application
-Rails3212::Application.initialize!

data/fixtures/rails_3_2_22_no_init/config/environments/test.rb DELETED Viewed

@@ -1,37 +0,0 @@
-Rails3212::Application.configure do
-  # Settings specified here will take precedence over those in config/application.rb
-  # The test environment is used exclusively to run your application's
-  # test suite. You never need to work with it otherwise. Remember that
-  # your test database is "scratch space" for the test suite and is wiped
-  # and recreated between test runs. Don't rely on the data there!
-  config.cache_classes = true
-  # Configure static asset server for tests with Cache-Control for performance
-  config.serve_static_assets = true
-  config.static_cache_control = "public, max-age=3600"
-  # Log error messages when you accidentally call methods on nil
-  config.whiny_nils = true
-  # Show full error reports and disable caching
-  config.consider_all_requests_local       = true
-  config.action_controller.perform_caching = false
-  # Raise exceptions instead of rendering exception templates
-  config.action_dispatch.show_exceptions = false
-  # Disable request forgery protection in test environment
-  config.action_controller.allow_forgery_protection    = false
-  # Tell Action Mailer not to deliver emails to the real world.
-  # The :test delivery method accumulates sent emails in the
-  # ActionMailer::Base.deliveries array.
-  # config.action_mailer.delivery_method = :test
-  # Raise exception on mass assignment protection for Active Record models
-  # config.active_record.mass_assignment_sanitizer = :strict
-  # Print deprecation notices to the stderr
-  config.active_support.deprecation = :stderr
-end

data/fixtures/rails_3_2_22_no_init/config/routes.rb DELETED Viewed

@@ -1,4 +0,0 @@
-Rails3212::Application.routes.draw do
-  resources :things
-  match ':controller(/:action(/:id))(.:format)'
-end

data/fixtures/rails_3_2_22_no_init/config.ru DELETED Viewed

@@ -1,4 +0,0 @@
-# This file is used by Rack-based servers to start the application.
-require ::File.expand_path('../config/environment',  __FILE__)
-run Rails3212::Application

data/fixtures/rails_3_2_22_no_init/lib/assets/.gitkeep DELETED Viewed

File without changes

data/fixtures/rails_3_2_22_no_init/lib/tasks/.gitkeep DELETED Viewed

File without changes

data/fixtures/rails_3_2_22_no_init/log/.gitkeep DELETED Viewed

File without changes

data/fixtures/rails_3_2_22_no_init/spec/controllers/other_things_controller_spec.rb DELETED Viewed

@@ -1,56 +0,0 @@
-require 'spec_helper'
-describe OtherThingsController, :type => :controller do
-  describe "headers" do
-    it "sets the X-XSS-Protection header" do
-      get :index
-      expect(response.headers['X-XSS-Protection']).to eq(SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE)
-    end
-    it "sets the X-Frame-Options header" do
-      get :index
-      expect(response.headers['X-Frame-Options']).to eq(SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
-    end
-    it "sets the CSP header" do
-      get :index
-      expect(response.headers['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; img-src 'self' data:;")
-    end
-    it "sets per-action values based on secure_header_options_for" do
-      # munges :style_src => self into policy
-      get :other_action
-      expect(response.headers['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; img-src 'self' data:; style-src 'self';")
-    end
-    #mock ssl
-    it "sets the Strict-Transport-Security header" do
-      request.env['HTTPS'] = 'on'
-      get :index
-      expect(response.headers['Strict-Transport-Security']).to eq(SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
-    end
-    it "sets the X-Download-Options header" do
-      get :index
-      expect(response.headers['X-Download-Options']).to eq(SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
-    end
-    it "sets the X-Content-Type-Options header" do
-      get :index
-      expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
-    end
-    it "sets the X-Permitted-Cross-Domain-Policies" do
-      get :index
-      expect(response.headers['X-Permitted-Cross-Domain-Policies']).to eq("none")
-    end
-    context "using IE" do
-      it "sets the X-Content-Type-Options header" do
-        request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
-        get :index
-        expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
-      end
-    end
-  end
-end