secure_headers 3.0.1 → 3.0.2
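--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 38f8848bc8ed124b3cf8a37194bb521f780a35f9
+data.tar.gz: 62c0b9f67c175c1492ef29a5be347f19a37f84e4
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: ff5d974553272fbe6aba27b4d1f2b005c7d6a6493475bc94ce73535b2fbd19b87d9cb6ddf17a03d814ce59b9f3170511cc531d8b1e8d83bdb8bf6d3bed4a6cfe
+data.tar.gz: d254d604fdb85af4727d25c2229d7b8f7bbc950e947a75e71c1b94ca1b79cbbcea96549ec29ee832ac63ea94eed779de2e85e12b3a9fcce09bc58193d948ffe9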
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,7 @@
|
|
1
|
+
## 3.0.2
|
2
|
+
|
3
|
+
Bug fix for handling CSP configs that supply a frozen hash. If a directive value is `nil`, then appending to a config with a frozen hash would cause an error since we're trying to modify a frozen hash. See https://github.com/twitter/secureheaders/pull/223.
|
4
|
+
|
1
5
|
## 3.0.1
|
2
6
|
|
3
7
|
Adds `upgrade-insecure-requests` support for requests from Firefox and Chrome (and Opera). See [the spec](https://www.w3.org/TR/upgrade-insecure-requests/) for details.
|
@@ -210,6 +210,8 @@ module SecureHeaders
|
|
210
210
|
raise ContentSecurityPolicyConfigError.new("Attempted to override an opt-out CSP config.")
|
211
211
|
end
|
212
212
|
|
213
|
+
original = original.dup if original.frozen?
|
214
|
+
|
213
215
|
# in case we would be appending to an empty directive, fill it with the default-src value
|
214
216
|
additions.keys.each do |directive|
|
215
217
|
unless original[directive] || !source_list?(directive)
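Review bot: The added `original = original.dup if original.frozen?` is a shallow copy, so a config whose directive arrays were frozen along with the hash (a deep-frozen config) would presumably still raise when a later append modifies an existing directive's array; the CHANGELOG only describes the nil-directive case, so this is worth confirming against the append logic, which lies outside this hunk. Copying only on the frozen path also leaves an unfrozen config mutated in place while a frozen one is not, a behavioural split callers are unlikely to expect; if `original` can be the shared default configuration, in-place mutation would let one call's additions persist into later ones, so an unconditional `original = original.dup` is the safer default. The enclosing method starts before and ends after this hunk.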
|
data/secure_headers.gemspec
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
# -*- encoding: utf-8 -*-
|
2
2
|
Gem::Specification.new do |gem|
|
3
3
|
gem.name = "secure_headers"
|
4
|
-
gem.version = "3.0.
|
4
|
+
gem.version = "3.0.2"
|
5
5
|
gem.authors = ["Neil Matatall"]
|
6
6
|
gem.email = ["neil.matatall@gmail.com"]
|
7
7
|
gem.description = 'Security related headers all in one gem.'
|
@@ -117,6 +117,17 @@ module SecureHeaders
|
|
117
117
|
expect(csp.value).to eq("default-src https:; script-src https: anothercdn.com")
|
118
118
|
end
|
119
119
|
|
120
|
+
it "combines directives where the original value is nil and the hash is frozen" do
|
121
|
+
Configuration.default do |config|
|
122
|
+
config.csp = {
|
123
|
+
default_src: %w('self'),
|
124
|
+
report_only: false
|
125
|
+
}.freeze
|
126
|
+
end
|
127
|
+
combined_config = CSP.combine_policies(Configuration.get.csp, report_uri: %w(https://report-uri.io/asdf))
|
128
|
+
expect(combined_config[:report_uri]).to_not be_nil
|
129
|
+
end
|
130
|
+
|
120
131
|
it "overrides the report_only flag" do
|
121
132
|
Configuration.default do |config|
|
122
133
|
config.csp = {
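Review bot: The new example only asserts that `combined_config[:report_uri]` is not nil, which would also pass if the value were mangled; pinning it with `expect(combined_config[:report_uri]).to eq(%w(https://report-uri.io/asdf))` makes the regression test meaningful. It also never checks that the frozen input survived untouched, which is the property the fix is really about; if `Configuration.get.csp` hands back the same hash that was frozen, `expect(Configuration.get.csp).to be_frozen` after the combine would cover that, otherwise hold a reference to the frozen hash and assert on it. The `it "overrides the report_only flag"` example that follows continues outside the hunk.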
|
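--- a/data/upgrading-to-3-0.md
+++ b/data/upgrading-to-3-0.md
@@ -20,6 +20,7 @@ Migrating to 3.x from <= 2.x
 1. Convert all instances of `self`/`none`/`eval`/`inline` to the corresponding values in the above table.
 1. Convert all CSP space-delimited directives to an array of strings.
 1. Convert all `enforce: true|false` to `report_only: true|false`.
+1. Remove `ensure_security_headers` from controllers (3.x uses a middleware instead).
 
 Everything is terrible, why should I upgrade?
 ==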
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: secure_headers
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.0.
|
4
|
+
version: 3.0.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Neil Matatall
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2016-02-
|
11
|
+
date: 2016-02-29 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rake
|