RubyGems - secure_headers - Versions diffs - 2.5.3 → 3.0.0.pre - Mend

secure_headers 2.5.3 → 3.0.0.pre

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (125) hide show

data/fixtures/rails_3_2_22_no_init/spec/controllers/things_controller_spec.rb DELETED Viewed

@@ -1,54 +0,0 @@
-require 'spec_helper'
-# This controller is meant to be something that inherits config from application controller
-# all values are defaulted because no initializer is configured, and the values in app controller
-# only provide csp => false
-describe ThingsController, :type => :controller do
-  describe "headers" do
-    it "sets the X-XSS-Protection header" do
-      get :index
-      expect(response.headers['X-XSS-Protection']).to eq(SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE)
-    end
-    it "sets the X-Frame-Options header" do
-      get :index
-      expect(response.headers['X-Frame-Options']).to eq(SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
-    end
-    it "sets the X-WebKit-CSP header" do
-      get :index
-      expect(response.headers['Content-Security-Policy-Report-Only']).to eq(nil)
-    end
-    #mock ssl
-    it "sets the Strict-Transport-Security header" do
-      request.env['HTTPS'] = 'on'
-      get :index
-      expect(response.headers['Strict-Transport-Security']).to eq(SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
-    end
-    it "sets the X-Download-Options header" do
-      get :index
-      expect(response.headers['X-Download-Options']).to eq(SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
-    end
-    it "sets the X-Content-Type-Options header" do
-      get :index
-      expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
-    end
-    it "sets the X-Permitted-Cross-Domain-Policies" do
-      get :index
-      expect(response.headers['X-Permitted-Cross-Domain-Policies']).to eq("none")
-    end
-    context "using IE" do
-      it "sets the X-Content-Type-Options header" do
-        request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
-        get :index
-        expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
-      end
-    end
-  end
-end

data/fixtures/rails_3_2_22_no_init/spec/spec_helper.rb DELETED Viewed

@@ -1,5 +0,0 @@
-require 'rubygems'
-ENV["RAILS_ENV"] ||= 'test'
-require File.expand_path("../../config/environment", __FILE__)
-require 'rspec/rails'

data/fixtures/rails_3_2_22_no_init/vendor/assets/javascripts/.gitkeep DELETED Viewed

File without changes

data/fixtures/rails_3_2_22_no_init/vendor/assets/stylesheets/.gitkeep DELETED Viewed

File without changes

data/fixtures/rails_3_2_22_no_init/vendor/plugins/.gitkeep DELETED Viewed

File without changes

data/fixtures/rails_4_1_8/Gemfile DELETED Viewed

@@ -1,5 +0,0 @@
-source 'https://rubygems.org'
-gem 'rails', '4.1.8'
-gem 'rspec-rails', '>= 2.0.0'
-gem 'secure_headers', :path => '../..'

data/fixtures/rails_4_1_8/README.rdoc DELETED Viewed

@@ -1,28 +0,0 @@
-== README
-This README would normally document whatever steps are necessary to get the
-application up and running.
-Things you may want to cover:
-* Ruby version
-* System dependencies
-* Configuration
-* Database creation
-* Database initialization
-* How to run the test suite
-* Services (job queues, cache servers, search engines, etc.)
-* Deployment instructions
-* ...
-Please feel free to use a different markup language if you do not plan to run
-<tt>rake doc:app</tt>.

data/fixtures/rails_4_1_8/Rakefile DELETED Viewed

@@ -1,6 +0,0 @@
-# Add your own tasks in files placed in lib/tasks ending in .rake,
-# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
-require File.expand_path('../config/application', __FILE__)
-Rails.application.load_tasks

data/fixtures/rails_4_1_8/app/controllers/application_controller.rb DELETED Viewed

@@ -1,4 +0,0 @@
-class ApplicationController < ActionController::Base
-  protect_from_forgery
-  ensure_security_headers
-end

data/fixtures/rails_4_1_8/app/controllers/concerns/.keep DELETED Viewed

File without changes

data/fixtures/rails_4_1_8/app/controllers/other_things_controller.rb DELETED Viewed

@@ -1,5 +0,0 @@
-class OtherThingsController < ApplicationController
-  def index
-  end
-end

data/fixtures/rails_4_1_8/app/controllers/things_controller.rb DELETED Viewed

@@ -1,5 +0,0 @@
-class ThingsController < ApplicationController
-  ensure_security_headers :csp => false
-  def index
-  end
-end

data/fixtures/rails_4_1_8/app/models/.keep DELETED Viewed

File without changes

data/fixtures/rails_4_1_8/app/models/concerns/.keep DELETED Viewed

File without changes

data/fixtures/rails_4_1_8/app/views/layouts/application.html.erb DELETED Viewed

@@ -1,11 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-  <title>Rails418</title>
-</head>
-<body>
-<%= yield %>
-<script>console.log("oh hell yes")</script>
-</body>
-</html>

data/fixtures/rails_4_1_8/app/views/other_things/index.html.erb DELETED Viewed

	@@ -1,2 +0,0 @@
1	- index
2	- <script>console.log("oh what")</script>

data/fixtures/rails_4_1_8/app/views/things/index.html.erb DELETED Viewed

	@@ -1 +0,0 @@
1	- things

data/fixtures/rails_4_1_8/config/application.rb DELETED Viewed

@@ -1,15 +0,0 @@
-require File.expand_path('../boot', __FILE__)
-require "action_controller/railtie"
-require "sprockets/railtie"
-# Require the gems listed in Gemfile, including any gems
-# you've limited to :test, :development, or :production.
-Bundler.require(*Rails.groups)
-module Rails418
-  class Application < Rails::Application
-  end
-end

data/fixtures/rails_4_1_8/config/boot.rb DELETED Viewed

@@ -1,4 +0,0 @@
-# Set up gems listed in the Gemfile.
-ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
-require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE'])

data/fixtures/rails_4_1_8/config/environment.rb DELETED Viewed

@@ -1,5 +0,0 @@
-# Load the Rails application.
-require File.expand_path('../application', __FILE__)
-# Initialize the Rails application.
-Rails.application.initialize!

data/fixtures/rails_4_1_8/config/environments/test.rb DELETED Viewed

@@ -1,10 +0,0 @@
-Rails418::Application.configure do
-  config.cache_classes = true
-  config.eager_load = false
-  config.serve_static_assets  = true
-  config.static_cache_control = 'public, max-age=3600'
-  config.consider_all_requests_local       = true
-  config.action_controller.perform_caching = false
-  config.action_dispatch.show_exceptions = false
-  config.action_controller.allow_forgery_protection = false
-end

data/fixtures/rails_4_1_8/config/initializers/secure_headers.rb DELETED Viewed

@@ -1,16 +0,0 @@
-::SecureHeaders::Configuration.configure do |config|
-  config.hsts = { :max_age => 10.years.to_i.to_s, :include_subdomains => false }
-  config.x_frame_options = 'DENY'
-  config.x_content_type_options = "nosniff"
-  config.x_xss_protection = {:value => 0}
-  config.x_permitted_cross_domain_policies = 'none'
-  csp = {
-    :default_src => "'self'",
-    :script_src => "'self' nonce",
-    :report_uri => 'somewhere',
-    :script_hash_middleware => true,
-    :enforce => false # false means warnings only
-  }
-  config.csp = csp
-end

data/fixtures/rails_4_1_8/config/routes.rb DELETED Viewed

@@ -1,4 +0,0 @@
-Rails.application.routes.draw do
-  resources :things
-  match ':controller(/:action(/:id))(.:format)', :via => [:get, :post]
-end

data/fixtures/rails_4_1_8/config/script_hashes.yml DELETED Viewed

@@ -1,5 +0,0 @@
----
-app/views/layouts/application.html.erb:
-- sha256-VjDxT7saxd2FgaUQQTWw/jsTnvonaoCP/ACWDBTpyhU=
-app/views/other_things/index.html.erb:
-- sha256-ZXAcP8a0y1pPMTJW8pUr43c+XBkgYQBwHOPvXk9mq5A=

data/fixtures/rails_4_1_8/config/secrets.yml DELETED Viewed

@@ -1,22 +0,0 @@
-# Be sure to restart your server when you modify this file.
-# Your secret key is used for verifying the integrity of signed cookies.
-# If you change this key, all old signed cookies will become invalid!
-# Make sure the secret is at least 30 characters and all random,
-# no regular words or you'll be exposed to dictionary attacks.
-# You can use `rake secret` to generate a secure secret key.
-# Make sure the secrets in this file are kept private
-# if you're sharing your code publicly.
-development:
-  secret_key_base: ddba38f932720d8f18257f2a05dc278963a29cf569c45aa97ff4e9fc9bbc78af5a03fcf135caad45caee66ac09f8f9913c1f5e338a61213f420eefa8dd6363d2
-test:
-  secret_key_base: f73abd7eab84fa7af5a2fc0a9c2727c5bad47433e51aa0c9c6b0782dac176a8e7f337e1f93adc6d6fc17027e67a533040b6408e54d72dea2eec6e5b9820dbcb9
-# Do not keep production secrets in the repository,
-# instead read values from the environment.
-production:
-  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

data/fixtures/rails_4_1_8/config.ru DELETED Viewed

@@ -1,4 +0,0 @@
-# This file is used by Rack-based servers to start the application.
-require ::File.expand_path('../config/environment',  __FILE__)
-run Rails.application

data/fixtures/rails_4_1_8/lib/assets/.keep DELETED Viewed

File without changes

data/fixtures/rails_4_1_8/lib/tasks/.keep DELETED Viewed

File without changes

data/fixtures/rails_4_1_8/log/.keep DELETED Viewed

File without changes

data/fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb DELETED Viewed

@@ -1,83 +0,0 @@
-require 'spec_helper'
-require 'secure_headers/headers/content_security_policy/script_hash_middleware'
-describe OtherThingsController, :type => :controller do
-  include Rack::Test::Methods
-  def app
-    OtherThingsController.action(:index)
-  end
-  def request(opts = {})
-    options = opts.merge(
-      {
-        'HTTPS' => 'on',
-        'HTTP_USER_AGENT' => "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/537.22 (KHTML like Gecko) Chrome/25.0.1364.99 Safari/537.22"
-      }
-    )
-    Rack::MockRequest.env_for('/', options)
-  end
-  describe "headers" do
-    before(:each) do
-      _, @env = app.call(request)
-    end
-    it "sets the X-XSS-Protection header" do
-      get '/'
-      expect(@env['X-XSS-Protection']).to eq('0')
-    end
-    it "sets the X-Frame-Options header" do
-      get '/'
-      expect(@env['X-Frame-Options']).to eq('DENY')
-    end
-    it "sets the CSP header with a local reference to a nonce" do
-      middleware = ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware.new(app)
-      _, env = middleware.call(request(@env))
-      expect(env['Content-Security-Policy-Report-Only']).to match(/script-src[^;]*'nonce-[a-zA-Z0-9\+\/=]{44}'/)
-    end
-    it "sets the required hashes to whitelist inline script" do
-      middleware = ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware.new(app)
-      _, env = middleware.call(request(@env))
-      hashes = ['sha256-VjDxT7saxd2FgaUQQTWw/jsTnvonaoCP/ACWDBTpyhU=', 'sha256-ZXAcP8a0y1pPMTJW8pUr43c+XBkgYQBwHOPvXk9mq5A=']
-      hashes.each do |hash|
-        expect(env['Content-Security-Policy-Report-Only']).to include(hash)
-      end
-    end
-    it "sets the Strict-Transport-Security header" do
-      get '/'
-      expect(@env['Strict-Transport-Security']).to eq("max-age=315576000")
-    end
-    it "sets the X-Download-Options header" do
-      get '/'
-      expect(@env['X-Download-Options']).to eq('noopen')
-    end
-    it "sets the X-Content-Type-Options header" do
-      get '/'
-      expect(@env['X-Content-Type-Options']).to eq("nosniff")
-    end
-    it "sets the X-Permitted-Cross-Domain-Policies" do
-      get '/'
-      expect(@env['X-Permitted-Cross-Domain-Policies']).to eq("none")
-    end
-    context "using IE" do
-      it "sets the X-Content-Type-Options header" do
-        @env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
-        get '/'
-        expect(@env['X-Content-Type-Options']).to eq("nosniff")
-      end
-    end
-  end
-end

data/fixtures/rails_4_1_8/spec/controllers/things_controller_spec.rb DELETED Viewed

@@ -1,59 +0,0 @@
-# config.action_dispatch.default_headers defaults to:
-# {"X-Frame-Options"=>"SAMEORIGIN", "X-XSS-Protection"=>"1; mode=block", "X-Content-Type-Options"=>"nosniff"}
-# so we want to set our specs to expect something else to ensure secureheaders is taking precedence
-require 'spec_helper'
-# This controller is meant to be something that inherits config from application controller
-# all values are defaulted because no initializer is configured, and the values in app controller
-# only provide csp => false
-describe ThingsController, :type => :controller do
-  describe "headers" do
-    it "sets the X-XSS-Protection header" do
-      get :index
-      expect(response.headers['X-XSS-Protection']).to eq('0')
-    end
-    it "sets the X-Frame-Options header" do
-      get :index
-      expect(response.headers['X-Frame-Options']).to eq('DENY')
-    end
-    it "does not set CSP header" do
-      get :index
-      expect(response.headers['Content-Security-Policy-Report-Only']).to eq(nil)
-    end
-    #mock ssl
-    it "sets the Strict-Transport-Security header" do
-      request.env['HTTPS'] = 'on'
-      get :index
-      expect(response.headers['Strict-Transport-Security']).to eq("max-age=315576000")
-    end
-    it "sets the X-Download-Options header" do
-      get :index
-      expect(response.headers['X-Download-Options']).to eq('noopen')
-    end
-    it "sets the X-Content-Type-Options header" do
-      get :index
-      expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
-    end
-    it "sets the X-Permitted-Cross-Domain-Policies" do
-      get :index
-      expect(response.headers['X-Permitted-Cross-Domain-Policies']).to eq("none")
-    end
-    context "using IE" do
-      it "sets the X-Content-Type-Options header" do
-        request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
-        get :index
-        expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
-      end
-    end
-  end
-end

data/fixtures/rails_4_1_8/spec/spec_helper.rb DELETED Viewed

@@ -1,15 +0,0 @@
-require 'rubygems'
-#uncomment the following line to use spork with the debugger
-#require 'spork/ext/ruby-debug'
-# Spork.prefork do
-  # Loading more in this block will cause your tests to run faster. However,
-  # if you change any configuration or code from libraries loaded here, you'll
-  # need to restart spork for it take effect.
-# This file is copied to spec/ when you run 'rails generate rspec:install'
-  ENV["RAILS_ENV"] ||= 'test'
-  require File.expand_path("../../config/environment", __FILE__)
-  require 'rspec/rails'
-# end

data/fixtures/rails_4_1_8/vendor/assets/javascripts/.keep DELETED Viewed

File without changes

data/fixtures/rails_4_1_8/vendor/assets/stylesheets/.keep DELETED Viewed

File without changes

data/lib/secure_headers/controller_extension.rb DELETED Viewed

@@ -1,158 +0,0 @@
-module SecureHeaders
-  module ControllerExtension
-    class << self
-      def append_features(base)
-        base.module_eval do
-          extend ClassMethods
-          include InstanceMethods
-        end
-      end
-    end
-    module ClassMethods
-      attr_writer :secure_headers_options
-      def secure_headers_options
-        if @secure_headers_options
-          @secure_headers_options
-        elsif superclass.respond_to?(:secure_headers_options) # stop at application_controller
-          superclass.secure_headers_options
-        else
-          {}
-        end
-      end
-      def ensure_security_headers options = {}
-        if RUBY_VERSION == "1.8.7"
-          warn "[DEPRECATION] secure_headers ruby 1.8.7 support will dropped in the next release"
-        end
-        self.secure_headers_options = options
-        hook = respond_to?(:before_action) ? :before_action : :before_filter
-        ::SecureHeaders::ALL_FILTER_METHODS.each do |method|
-          send(hook, method)
-        end
-      end
-    end
-    module InstanceMethods
-      def set_security_headers(options = self.class.secure_headers_options)
-        set_csp_header(request, options[:csp])
-        set_hsts_header(options[:hsts])
-        set_hpkp_header(options[:hpkp])
-        set_x_frame_options_header(options[:x_frame_options])
-        set_x_xss_protection_header(options[:x_xss_protection])
-        set_x_content_type_options_header(options[:x_content_type_options])
-        set_x_download_options_header(options[:x_download_options])
-        set_x_permitted_cross_domain_policies_header(options[:x_permitted_cross_domain_policies])
-      end
-      # set_csp_header - uses the request accessor and SecureHeader::Configuration settings
-      # set_csp_header(+Rack::Request+) - uses the parameter and and SecureHeader::Configuration settings
-      # set_csp_header(+Hash+) - uses the request accessor and options from parameters
-      # set_csp_header(+Rack::Request+, +Hash+)
-      def set_csp_header(req = nil, config=nil)
-        if req.is_a?(Hash) || req.is_a?(FalseClass)
-          config = req
-        end
-        config = self.class.secure_headers_options[:csp] if config.nil?
-        config = secure_header_options_for :csp, config
-        return if config == false
-        if config && config[:script_hash_middleware]
-          ContentSecurityPolicy.add_to_env(request, self, config)
-        else
-          csp_header = ContentSecurityPolicy.new(config, :request => request, :controller => self)
-          set_header(csp_header)
-        end
-      end
-      def prep_script_hash
-        if ::SecureHeaders::Configuration.script_hashes
-          @script_hashes = ::SecureHeaders::Configuration.script_hashes.dup
-          ActiveSupport::Notifications.subscribe("render_partial.action_view") do |event_name, start_at, end_at, id, payload|
-            save_hash_for_later payload
-          end
-          ActiveSupport::Notifications.subscribe("render_template.action_view") do |event_name, start_at, end_at, id, payload|
-            save_hash_for_later payload
-          end
-        end
-      end
-      def save_hash_for_later payload
-        matching_hashes = @script_hashes[payload[:identifier].gsub(Rails.root.to_s + "/", "")] || []
-        if payload[:layout]
-          # We're assuming an html.erb layout for now. Will need to handle mustache too, just not sure of the best way to do this
-          layout_hashes = @script_hashes[File.join("app", "views", payload[:layout]) + '.html.erb']
-          matching_hashes << layout_hashes if layout_hashes
-        end
-        if matching_hashes.any?
-          request.env[HASHES_ENV_KEY] = ((request.env[HASHES_ENV_KEY] || []) << matching_hashes).flatten
-        end
-      end
-      def set_x_frame_options_header(options=self.class.secure_headers_options[:x_frame_options])
-        set_a_header(:x_frame_options, XFrameOptions, options)
-      end
-      def set_x_content_type_options_header(options=self.class.secure_headers_options[:x_content_type_options])
-        set_a_header(:x_content_type_options, XContentTypeOptions, options)
-      end
-      def set_x_xss_protection_header(options=self.class.secure_headers_options[:x_xss_protection])
-        set_a_header(:x_xss_protection, XXssProtection, options)
-      end
-      def set_hsts_header(options=self.class.secure_headers_options[:hsts])
-        return unless request.ssl?
-        set_a_header(:hsts, StrictTransportSecurity, options)
-      end
-      def set_hpkp_header(options=self.class.secure_headers_options[:hpkp])
-        return unless request.ssl?
-        config = secure_header_options_for :hpkp, options
-        return if config == false || config.nil?
-        hpkp_header = PublicKeyPins.new(config)
-        set_header(hpkp_header)
-      end
-      def set_x_download_options_header(options=self.class.secure_headers_options[:x_download_options])
-        set_a_header(:x_download_options, XDownloadOptions, options)
-      end
-      def set_x_permitted_cross_domain_policies_header(options=self.class.secure_headers_options[:x_permitted_cross_domain_policies])
-        set_a_header(:x_permitted_cross_domain_policies, XPermittedCrossDomainPolicies, options)
-      end
-      private
-      # we can't use ||= because I'm overloading false => disable, nil => default
-      # both of which trigger the conditional assignment
-      def secure_header_options_for(type, options)
-        options.nil? ? ::SecureHeaders::Configuration.send(type) : options
-      end
-      def set_a_header(name, klass, options=nil)
-        options = secure_header_options_for(name, options)
-        return if options == false
-        set_header(SecureHeaders::get_a_header(klass, options))
-      end
-      def set_header(name_or_header, value=nil)
-        if name_or_header.is_a?(Header)
-          header = name_or_header
-          response.headers[header.name] = header.value
-        else
-          response.headers[name_or_header] = value
-        end
-      end
-    end
-  end
-end

data/lib/secure_headers/hash_helper.rb DELETED Viewed

@@ -1,7 +0,0 @@
-module SecureHeaders
-  module HashHelper
-    def hash_source(inline_script, digest = :SHA256)
-      [digest.to_s.downcase, "-", [[Digest.const_get(digest).hexdigest(inline_script)].pack("H*")].pack("m").chomp].join
-    end
-  end
-end

data/lib/secure_headers/header.rb DELETED Viewed

@@ -1,5 +0,0 @@
-module SecureHeaders
-  class Header
-  end
-end

data/lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb DELETED Viewed

@@ -1,22 +0,0 @@
-module SecureHeaders
-  class ContentSecurityPolicy
-    class ScriptHashMiddleware
-      def initialize(app)
-        @app = app
-      end
-      def call(env)
-        status, headers, response = @app.call(env)
-        metadata = env[ContentSecurityPolicy::ENV_KEY]
-        if !metadata.nil?
-          config, options = metadata.values_at(:config, :options)
-          config.merge!(:script_hashes => env[HASHES_ENV_KEY])
-          csp_header = ContentSecurityPolicy.new(config, options)
-          headers[csp_header.name] = csp_header.value
-        end
-        [status, headers, response]
-      end
-    end
-  end
-end

data/lib/secure_headers/version.rb DELETED Viewed

@@ -1,3 +0,0 @@
-module SecureHeaders
-  VERSION = "2.5.3"
-end