secure_headers 3.1.0 → 3.1.1


checksums.yaml CHANGED
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 7353ab86b76cba9baabc265f6321990163927fa0
- data.tar.gz: 8081e9d2a284a26191899317d1947cde24d80d9f
+ metadata.gz: e2df8c83dc908657d48aa5552696bade1374c288
+ data.tar.gz: 590bc0e2c9225ad3a330af1812babd6c129135d8
  SHA512:
- metadata.gz: 37fd3a8aca07d1ce46bd7cdaf89ddb057d41b94f2f41625287d9a3118d19300708fd33f9d5f029c341a9c80295848101f01558d3dfd370a7bba34c8862e710d6
- data.tar.gz: 0d810d24a48f53a45bec5621291475059e521d0d4f640bf1430ad6c86ecf020fea8dd8eb220e600b71c32539d7cfbc1f87567066477deebdf660d8a0161e2f8a
+ metadata.gz: f6b8665ddd8e15bfd9f9e5fe2d330e9e7e9cc1386813883613e295e6d114c072f8bb1713871fde12e9feb8a3df8f691b39477a9db8daeb90f49013ecf44e7b8d
+ data.tar.gz: 713914b24728468981c723801891e07eeee044f63d7eca97106ef0c0d0376cc0ed4a00ae49177c14d83a5ef445c1cb0b7d6e43472446042f6ee33201f99c2001
data/CHANGELOG.md CHANGED
@@ -1,3 +1,13 @@
+ ## 3.1.1 Bug fix for regression
+
+ See https://github.com/twitter/secureheaders/pull/235
+
+ `idempotent_additions?` would return false when comparing `OPT_OUT` with `OPT_OUT`, causing `header_hash_for` to return a header cache with `{ nil => nil }` which cause the middleware to blow up when `{ nil => nil }` was merged into the rack header hash.
+
+ This is a regression in 3.1.0 only.
+
+ Now it returns true. I've added a test case to ensure that `header_hash_for` will never return such an element.
+
  ## 3.1.0 Adding secure cookie support
 
  New feature: marking all cookies as secure. Added by @jmera in https://github.com/twitter/secureheaders/pull/231. In the future, we'll probably add the ability to whitelist individual cookies that should not be marked secure. PRs welcome.
data/README.md CHANGED
@@ -15,6 +15,8 @@ The gem will automatically apply several headers that are related to security.
  - X-Permitted-Cross-Domain-Policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
  - Public Key Pinning - Pin certificate fingerprints in the browser to prevent man-in-the-middle attacks due to compromised Certificate Authorities. [Public Key Pinning Specification](https://tools.ietf.org/html/rfc7469)
 
+ It can also mark all http cookies with the secure attribute (when configured to do so).
+
  `secure_headers` is a library with a global config, per request overrides, and rack middleware that enables you customize your application settings.
 
  ## Use
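Review bot: the new sentence `It can also mark all http cookies with the secure attribute (when configured to do so).` should say how it is configured (`config.secure_cookies = true`, as shown in the Use section below) rather than leaving the reader to find the option; `http cookies` is also easy to misread as cookies carrying the HttpOnly flag, so `all cookies set by the application` would be clearer.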
@@ -29,6 +31,7 @@ All `nil` values will fallback to their default values. `SecureHeaders::OPT_OUT`
 
  ```ruby
  SecureHeaders::Configuration.default do |config|
+ config.secure_cookies = true # mark all cookies as "secure"
  config.hsts = "max-age=#{20.years.to_i}; includeSubdomains; preload"
  config.x_frame_options = "DENY"
  config.x_content_type_options = "nosniff"
@@ -71,6 +71,7 @@ module SecureHeaders
  ALL_HEADER_CLASSES.each do |klass|
  config.send("#{klass::CONFIG_KEY}=", OPT_OUT)
  end
+ config.dynamic_csp = OPT_OUT
  end
 
  add_configuration(NOOP_CONFIGURATION, noop_config)
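Review bot: `config.dynamic_csp = OPT_OUT` is added outside the `ALL_HEADER_CLASSES` loop with no comment saying why `dynamic_csp` is not covered by that loop; a one-line comment (`# dynamic_csp is not a header class, opt out explicitly`) would stop someone from folding it back into the loop later. This change is also absent from the 3.1.1 CHANGELOG entry, which only mentions the `idempotent_additions?` regression.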
@@ -196,6 +196,7 @@ module SecureHeaders
  # additions = { script_src: %w(google.com)} then idempotent_additions? would return
  # because google.com is already in the config.
  def idempotent_additions?(config, additions)
+ return true if config == OPT_OUT && additions == OPT_OUT
  return false if config == OPT_OUT
  config == combine_policies(config, additions)
  end
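Review bot: the new guard `return true if config == OPT_OUT && additions == OPT_OUT` fixes the OPT_OUT/OPT_OUT case, but the mixed case where `config` is a policy hash and `additions == OPT_OUT` still falls through to `config == combine_policies(config, additions)`; confirm that `combine_policies` accepts `OPT_OUT` as its second argument, or add an explicit branch for it. The method comment above is also incomplete (`would return` / `because google.com is already in the config` never states the returned value) and should now document the OPT_OUT behaviour as well.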
@@ -1,7 +1,7 @@
  # -*- encoding: utf-8 -*-
  Gem::Specification.new do |gem|
  gem.name = "secure_headers"
- gem.version = "3.1.0"
+ gem.version = "3.1.1"
  gem.authors = ["Neil Matatall"]
  gem.email = ["neil.matatall@gmail.com"]
  gem.description = 'Security related headers all in one gem.'
@@ -38,6 +38,7 @@ module SecureHeaders
  ALL_HEADER_CLASSES.each do |klass|
  expect(hash[klass::CONFIG_KEY]).to be_nil
  end
+ expect(hash.count).to eq(0)
  end
 
  it "allows you to override X-Frame-Options settings" do
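Review bot: `expect(hash.count).to eq(0)` is the assertion that actually catches the `{ nil => nil }` regression, since the per-key `be_nil` loop above it passes for a hash whose only key is `nil`; with the count check in place that loop is redundant and could be dropped. `expect(hash).to be_empty` would give a clearer failure message than a count comparison, and the example's description should name the regression so the purpose of the assertion survives future refactoring.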
metadata CHANGED
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: secure_headers
  version: !ruby/object:Gem::Version
- version: 3.1.0
+ version: 3.1.1
  platform: ruby
  authors:
  - Neil Matatall