RubyGems - secure_headers - Versions diffs - 3.0.0 → 3.0.1 - Mend

secure_headers 3.0.0 → 3.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of secure_headers might be problematic. Click here for more details.

Files changed (8) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +4 -0
data/README.md +4 -3
data/lib/secure_headers/headers/content_security_policy.rb +25 -22
data/lib/secure_headers/railtie.rb +2 -2
data/secure_headers.gemspec +1 -1
data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +20 -7
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ed9f86aeaa22e01fb8d842a43ff1607cb8083b6a
-  data.tar.gz: b71a52f6790c7a0f78053695038cb925e2c4895a
+  metadata.gz: 208059fe9a87ae245d5e89de656e6e5065a7b146
+  data.tar.gz: 61befbceb8d4fd119abf6a3913829f15a328054c
 SHA512:
-  metadata.gz: 699085b909d21178a40e9f109687b3d9dd6dd21bb7250d81a33aca7b682627ad79f0c59941647b82f0492f2d25aae513ad825826d38760c579518b7c2d8ee508
-  data.tar.gz: 89d8d3c867306921bff9a7f5a09f2708a54eecdce5a57a83cd8c505253afbd46ae67d489beef5cb8f5eba678235110ae50e69f9e82c1391dd53c125ede53cb73
+  metadata.gz: 828c2b59608e98e470e8a1b1bf11f272897d7db47443c79057f37775d7fa866679bc2d77da4a8b8a88d3135732fa01bc2b1d2f0a8b29afb07dc6c450cc0fd436
+  data.tar.gz: 2caac270328075254de8940840dce7b2573302c534f3533ec6566765a66a4a3546f9d52be972945cf28c8dad3ca6d7fb7d2044af4bc28f0b646041841017627f

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,7 @@
+## 3.0.1
+Adds `upgrade-insecure-requests` support for requests from Firefox and Chrome (and Opera). See [the spec](https://www.w3.org/TR/upgrade-insecure-requests/) for details.
 ## 3.0.0
 secure_headers 3.0.0 is a near-complete, not-entirely-backward-compatible rewrite. Please see the [upgrade guide](https://github.com/twitter/secureheaders/blob/master/upgrading-to-3-0.md) for an in-depth explanation of the changes and the suggested upgrade path.

data/README.md CHANGED Viewed

@@ -56,6 +56,7 @@ SecureHeaders::Configuration.default do |config|
     frame_ancestors: %w('none'),
     plugin_types: %w(application/x-shockwave-flash),
     block_all_mixed_content: true, # see [http://www.w3.org/TR/mixed-content/](http://www.w3.org/TR/mixed-content/)
+    upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
     report_uri: %w(https://example.com/uri-directive)
   }
   config.hpkp = {
@@ -130,7 +131,7 @@ By default, a noop configuration is provided. No headers will be set when this d
 ```ruby
 class MyController < ApplicationController
   def index
-    SecureHeaders::opt_out_of_all_protection(request)
+    SecureHeaders.opt_out_of_all_protection(request)
   end
 end
 ```
@@ -191,7 +192,7 @@ Code  | Result
 #### Nonce
-script/style-nonce can be used to whitelist inline content. To do this, call the SecureHeaders::content_security_policy_nonce then set the nonce attributes on the various tags.
+script/style-nonce can be used to whitelist inline content. To do this, call the `SecureHeaders.content_security_policy_nonce` then set the nonce attributes on the various tags.
 Setting a nonce will also set 'unsafe-inline' for browsers that don't support nonces for backwards compatibility. 'unsafe-inline' is ignored if a nonce is present in a directive in compliant browsers.
@@ -280,7 +281,7 @@ class Donkey < Sinatra::Application
   set :root, APP_ROOT
   get '/' do
-    SecureHeaders.override_x_frame_options(SecureHeaders::OPT_OUT)
+    SecureHeaders.override_x_frame_options(request, SecureHeaders::OPT_OUT)
     haml :index
   end
 end

data/lib/secure_headers/headers/content_security_policy.rb CHANGED Viewed

@@ -77,8 +77,10 @@ module SecureHeaders
     # All the directives that are not currently in a formal spec, but have
     # been implemented somewhere.
     BLOCK_ALL_MIXED_CONTENT = :block_all_mixed_content
+    UPGRADE_INSECURE_REQUESTS = :upgrade_insecure_requests
     DIRECTIVES_DRAFT = [
-      BLOCK_ALL_MIXED_CONTENT
+      BLOCK_ALL_MIXED_CONTENT,
+      UPGRADE_INSECURE_REQUESTS
     ].freeze
     SAFARI_DIRECTIVES = DIRECTIVES_1_0
@@ -90,7 +92,7 @@ module SecureHeaders
     ].freeze
     FIREFOX_DIRECTIVES = (
-      DIRECTIVES_2_0 - FIREFOX_UNSUPPORTED_DIRECTIVES
+      DIRECTIVES_2_0 + DIRECTIVES_DRAFT - FIREFOX_UNSUPPORTED_DIRECTIVES
     ).freeze
     CHROME_DIRECTIVES = (
@@ -114,25 +116,26 @@ module SecureHeaders
     OTHER = "Other".freeze
     DIRECTIVE_VALUE_TYPES = {
-      BASE_URI                => :source_list,
-      BLOCK_ALL_MIXED_CONTENT => :boolean,
-      CHILD_SRC               => :source_list,
-      CONNECT_SRC             => :source_list,
-      DEFAULT_SRC             => :source_list,
-      FONT_SRC                => :source_list,
-      FORM_ACTION             => :source_list,
-      FRAME_ANCESTORS         => :source_list,
-      FRAME_SRC               => :source_list,
-      IMG_SRC                 => :source_list,
-      MANIFEST_SRC            => :source_list,
-      MEDIA_SRC               => :source_list,
-      OBJECT_SRC              => :source_list,
-      PLUGIN_TYPES            => :source_list,
-      REFLECTED_XSS           => :string,
-      REPORT_URI              => :source_list,
-      SANDBOX                 => :string,
-      SCRIPT_SRC              => :source_list,
-      STYLE_SRC               => :source_list
+      BASE_URI                  => :source_list,
+      BLOCK_ALL_MIXED_CONTENT   => :boolean,
+      CHILD_SRC                 => :source_list,
+      CONNECT_SRC               => :source_list,
+      DEFAULT_SRC               => :source_list,
+      FONT_SRC                  => :source_list,
+      FORM_ACTION               => :source_list,
+      FRAME_ANCESTORS           => :source_list,
+      FRAME_SRC                 => :source_list,
+      IMG_SRC                   => :source_list,
+      MANIFEST_SRC              => :source_list,
+      MEDIA_SRC                 => :source_list,
+      OBJECT_SRC                => :source_list,
+      PLUGIN_TYPES              => :source_list,
+      REFLECTED_XSS             => :string,
+      REPORT_URI                => :source_list,
+      SANDBOX                   => :string,
+      SCRIPT_SRC                => :source_list,
+      STYLE_SRC                 => :source_list,
+      UPGRADE_INSECURE_REQUESTS => :boolean
     }.freeze
     CONFIG_KEY = :csp
@@ -196,7 +199,7 @@ module SecureHeaders
       #
       # raises an error if the original config is OPT_OUT
       #
-      # 1. for non-source-list values (report_only, block_all_mixed_content),
+      # 1. for non-source-list values (report_only, block_all_mixed_content, upgrade_insecure_requests),
       # additions will overwrite the original value.
       # 2. if a value in additions does not exist in the original config, the
       # default-src value is included to match original behavior.

data/lib/secure_headers/railtie.rb CHANGED Viewed

@@ -3,11 +3,11 @@ if defined?(Rails::Railtie)
   module SecureHeaders
     class Railtie < Rails::Railtie
       isolate_namespace SecureHeaders if defined? isolate_namespace # rails 3.0
-      conflicting_headers = ['X-Frame-Options', 'X-XSS-Protection', 'X-Content-Type-Options',
+      conflicting_headers = ['X-Frame-Options', 'X-XSS-Protection',
                              'X-Permitted-Cross-Domain-Policies', 'X-Download-Options',
                              'X-Content-Type-Options', 'Strict-Transport-Security',
                              'Content-Security-Policy', 'Content-Security-Policy-Report-Only',
-                             'X-Permitted-Cross-Domain-Policies', 'Public-Key-Pins', 'Public-Key-Pins-Report-Only']
+                             'Public-Key-Pins', 'Public-Key-Pins-Report-Only']
       initializer "secure_headers.middleware" do
         Rails.application.config.middleware.use SecureHeaders::Middleware

data/secure_headers.gemspec CHANGED Viewed

@@ -1,7 +1,7 @@
 # -*- encoding: utf-8 -*-
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "3.0.0"
+  gem.version       = "3.0.1"
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
   gem.description   = 'Security related headers all in one gem.'

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb CHANGED Viewed

@@ -46,6 +46,7 @@ module SecureHeaders
           frame_ancestors: %w('none'),
           plugin_types: %w(application/x-shockwave-flash),
           block_all_mixed_content: true, # see [http://www.w3.org/TR/mixed-content/](http://www.w3.org/TR/mixed-content/)
+          upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
           report_uri: %w(https://example.com/uri-directive)
         }
@@ -76,6 +77,12 @@ module SecureHeaders
         end.to raise_error(ContentSecurityPolicyConfigError)
       end
+      it "requires :upgrade_insecure_requests to be a boolean value" do
+        expect do
+          CSP.validate_config!(default_opts.merge(upgrade_insecure_requests: "steve"))
+        end.to raise_error(ContentSecurityPolicyConfigError)
+      end
       it "requires all source lists to be an array of strings" do
         expect do
           CSP.validate_config!(default_src: "steve")
@@ -214,27 +221,33 @@ module SecureHeaders
       context "browser sniffing" do
         let (:complex_opts) do
-          ContentSecurityPolicy::ALL_DIRECTIVES.each_with_object({}) { |directive, hash| hash[directive] = %w('self') }
-            .merge(block_all_mixed_content: true, reflected_xss: "block")
-            .merge(script_src: %w('self'), script_nonce: 123456)
+          ContentSecurityPolicy::ALL_DIRECTIVES.each_with_object({}) do |directive, hash|
+            hash[directive] = %w('self')
+          end.merge({
+            block_all_mixed_content: true,
+            upgrade_insecure_requests: true,
+            reflected_xss: "block",
+            script_src: %w('self'),
+            script_nonce: 123456
+          })
         end
         it "does not filter any directives for Chrome" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:chrome])
-          expect(policy.value).to eq("default-src 'self'; base-uri 'self'; block-all-mixed-content; child-src 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; plugin-types 'self'; sandbox 'self'; script-src 'self' 'nonce-123456'; style-src 'self'; report-uri 'self'")
+          expect(policy.value).to eq("default-src 'self'; base-uri 'self'; block-all-mixed-content; child-src 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; plugin-types 'self'; sandbox 'self'; script-src 'self' 'nonce-123456'; style-src 'self'; upgrade-insecure-requests; report-uri 'self'")
         end
         it "does not filter any directives for Opera" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:opera])
-          expect(policy.value).to eq("default-src 'self'; base-uri 'self'; block-all-mixed-content; child-src 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; plugin-types 'self'; sandbox 'self'; script-src 'self' 'nonce-123456'; style-src 'self'; report-uri 'self'")
+          expect(policy.value).to eq("default-src 'self'; base-uri 'self'; block-all-mixed-content; child-src 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; plugin-types 'self'; sandbox 'self'; script-src 'self' 'nonce-123456'; style-src 'self'; upgrade-insecure-requests; report-uri 'self'")
         end
         it "filters blocked-all-mixed-content, child-src, and plugin-types for firefox" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:firefox])
-          expect(policy.value).to eq("default-src 'self'; base-uri 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; sandbox 'self'; script-src 'self' 'nonce-123456'; style-src 'self'; report-uri 'self'")
+          expect(policy.value).to eq("default-src 'self'; base-uri 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; sandbox 'self'; script-src 'self' 'nonce-123456'; style-src 'self'; upgrade-insecure-requests; report-uri 'self'")
         end
-        it "adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, child-src, form-action, frame-ancestors, nonce sources, hash sources, and plugin-types for safari" do
+        it "adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, upgrade-insecure-requests, child-src, form-action, frame-ancestors, nonce sources, hash sources, and plugin-types for safari" do
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:safari6])
           expect(policy.value).to eq("default-src 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; sandbox 'self'; script-src 'self' 'unsafe-inline'; style-src 'self'; report-uri 'self'")
         end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 3.0.0
+  version: 3.0.1
 platform: ruby
 authors:
 - Neil Matatall
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-02-18 00:00:00.000000000 Z
+date: 2016-02-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake