secure_headers 3.1.0 → 3.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +133 -0
- data/README.md +145 -19
- data/lib/secure_headers/configuration.rb +28 -4
- data/lib/secure_headers/hash_helper.rb +10 -0
- data/lib/secure_headers/headers/cookie.rb +126 -0
- data/lib/secure_headers/headers/policy_management.rb +1 -0
- data/lib/secure_headers/middleware.rb +23 -9
- data/lib/secure_headers/railtie.rb +4 -0
- data/lib/secure_headers/utils/cookies_config.rb +94 -0
- data/lib/secure_headers/view_helper.rb +64 -0
- data/lib/secure_headers.rb +2 -0
- data/lib/tasks/tasks.rake +81 -0
- data/secure_headers.gemspec +1 -1
- data/spec/lib/secure_headers/configuration_spec.rb +17 -1
- data/spec/lib/secure_headers/headers/cookie_spec.rb +164 -0
- data/spec/lib/secure_headers/middleware_spec.rb +48 -15
- data/spec/lib/secure_headers/view_helpers_spec.rb +125 -0
- data/spec/lib/secure_headers_spec.rb +19 -1
- data/spec/spec_helper.rb +12 -0
- data/upgrading-to-3-0.md +1 -0
- metadata +10 -2
|
@@ -21,7 +21,7 @@ module SecureHeaders
|
|
|
21
21
|
end
|
|
22
22
|
|
|
23
23
|
describe "#header_hash_for" do
|
|
24
|
-
it "allows you to opt out of individual headers" do
|
|
24
|
+
it "allows you to opt out of individual headers via API" do
|
|
25
25
|
Configuration.default
|
|
26
26
|
SecureHeaders.opt_out_of_header(request, CSP::CONFIG_KEY)
|
|
27
27
|
SecureHeaders.opt_out_of_header(request, XContentTypeOptions::CONFIG_KEY)
|
|
@@ -31,6 +31,23 @@ module SecureHeaders
|
|
|
31
31
|
expect(hash['X-Content-Type-Options']).to be_nil
|
|
32
32
|
end
|
|
33
33
|
|
|
34
|
+
it "Carries options over when using overrides" do
|
|
35
|
+
Configuration.default do |config|
|
|
36
|
+
config.x_download_options = OPT_OUT
|
|
37
|
+
config.x_permitted_cross_domain_policies = OPT_OUT
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
Configuration.override(:api) do |config|
|
|
41
|
+
config.x_frame_options = OPT_OUT
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
SecureHeaders.use_secure_headers_override(request, :api)
|
|
45
|
+
hash = SecureHeaders.header_hash_for(request)
|
|
46
|
+
expect(hash['X-Download-Options']).to be_nil
|
|
47
|
+
expect(hash['X-Permitted-Cross-Domain-Policies']).to be_nil
|
|
48
|
+
expect(hash['X-Frame-Options']).to be_nil
|
|
49
|
+
end
|
|
50
|
+
|
|
34
51
|
it "allows you to opt out entirely" do
|
|
35
52
|
Configuration.default
|
|
36
53
|
SecureHeaders.opt_out_of_all_protection(request)
|
|
@@ -38,6 +55,7 @@ module SecureHeaders
|
|
|
38
55
|
ALL_HEADER_CLASSES.each do |klass|
|
|
39
56
|
expect(hash[klass::CONFIG_KEY]).to be_nil
|
|
40
57
|
end
|
|
58
|
+
expect(hash.count).to eq(0)
|
|
41
59
|
end
|
|
42
60
|
|
|
43
61
|
it "allows you to override X-Frame-Options settings" do
|
data/spec/spec_helper.rb
CHANGED
|
@@ -45,3 +45,15 @@ end
|
|
|
45
45
|
def reset_config
|
|
46
46
|
SecureHeaders::Configuration.clear_configurations
|
|
47
47
|
end
|
|
48
|
+
|
|
49
|
+
def capture_warning
|
|
50
|
+
begin
|
|
51
|
+
old_stderr = $stderr
|
|
52
|
+
$stderr = StringIO.new
|
|
53
|
+
yield
|
|
54
|
+
result = $stderr.string
|
|
55
|
+
ensure
|
|
56
|
+
$stderr = old_stderr
|
|
57
|
+
end
|
|
58
|
+
result
|
|
59
|
+
end
|
data/upgrading-to-3-0.md
CHANGED
|
@@ -8,6 +8,7 @@ Changes
|
|
|
8
8
|
| Global configuration | `SecureHeaders::Configuration.configure` block | `SecureHeaders::Configuration.default` block |
|
|
9
9
|
| All headers besides HPKP and CSP | Accept hashes as config values | Must be strings (validated during configuration) |
|
|
10
10
|
| CSP directive values | Accepted space delimited strings OR arrays of strings | Must be arrays of strings |
|
|
11
|
+
| CSP Nonce values in views | `@content_security_policy_nonce` | `content_security_policy_script_nonce` or `content_security_policy_style_nonce`
|
|
11
12
|
| `self`/`none` source expressions | could be `self` / `none` / `'self'` / `'none'` | Must be `'self'` or `'none'` |
|
|
12
13
|
| `inline` / `eval` source expressions | could be `inline`, `eval`, `'unsafe-inline'`, or `'unsafe-eval'` | Must be `'unsafe-eval'` or `'unsafe-inline'` |
|
|
13
14
|
| Per-action configuration | override [`def secure_header_options_for(header, options)`](https://github.com/twitter/secureheaders/commit/bb9ebc6c12a677aad29af8e0f08ffd1def56efec#diff-04c6e90faac2675aa89e2176d2eec7d8R111) | Use [named overrides](https://github.com/twitter/secureheaders#named-overrides) or [per-action helpers](https://github.com/twitter/secureheaders#per-action-configuration) |
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.
|
|
4
|
+
version: 3.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-
|
|
11
|
+
date: 2016-04-18 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|
|
@@ -58,7 +58,9 @@ files:
|
|
|
58
58
|
- Rakefile
|
|
59
59
|
- lib/secure_headers.rb
|
|
60
60
|
- lib/secure_headers/configuration.rb
|
|
61
|
+
- lib/secure_headers/hash_helper.rb
|
|
61
62
|
- lib/secure_headers/headers/content_security_policy.rb
|
|
63
|
+
- lib/secure_headers/headers/cookie.rb
|
|
62
64
|
- lib/secure_headers/headers/policy_management.rb
|
|
63
65
|
- lib/secure_headers/headers/public_key_pins.rb
|
|
64
66
|
- lib/secure_headers/headers/strict_transport_security.rb
|
|
@@ -69,10 +71,13 @@ files:
|
|
|
69
71
|
- lib/secure_headers/headers/x_xss_protection.rb
|
|
70
72
|
- lib/secure_headers/middleware.rb
|
|
71
73
|
- lib/secure_headers/railtie.rb
|
|
74
|
+
- lib/secure_headers/utils/cookies_config.rb
|
|
72
75
|
- lib/secure_headers/view_helper.rb
|
|
76
|
+
- lib/tasks/tasks.rake
|
|
73
77
|
- secure_headers.gemspec
|
|
74
78
|
- spec/lib/secure_headers/configuration_spec.rb
|
|
75
79
|
- spec/lib/secure_headers/headers/content_security_policy_spec.rb
|
|
80
|
+
- spec/lib/secure_headers/headers/cookie_spec.rb
|
|
76
81
|
- spec/lib/secure_headers/headers/policy_management_spec.rb
|
|
77
82
|
- spec/lib/secure_headers/headers/public_key_pins_spec.rb
|
|
78
83
|
- spec/lib/secure_headers/headers/strict_transport_security_spec.rb
|
|
@@ -82,6 +87,7 @@ files:
|
|
|
82
87
|
- spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
|
|
83
88
|
- spec/lib/secure_headers/headers/x_xss_protection_spec.rb
|
|
84
89
|
- spec/lib/secure_headers/middleware_spec.rb
|
|
90
|
+
- spec/lib/secure_headers/view_helpers_spec.rb
|
|
85
91
|
- spec/lib/secure_headers_spec.rb
|
|
86
92
|
- spec/spec_helper.rb
|
|
87
93
|
- upgrading-to-3-0.md
|
|
@@ -113,6 +119,7 @@ summary: Add easily configured security headers to responses including content-s
|
|
|
113
119
|
test_files:
|
|
114
120
|
- spec/lib/secure_headers/configuration_spec.rb
|
|
115
121
|
- spec/lib/secure_headers/headers/content_security_policy_spec.rb
|
|
122
|
+
- spec/lib/secure_headers/headers/cookie_spec.rb
|
|
116
123
|
- spec/lib/secure_headers/headers/policy_management_spec.rb
|
|
117
124
|
- spec/lib/secure_headers/headers/public_key_pins_spec.rb
|
|
118
125
|
- spec/lib/secure_headers/headers/strict_transport_security_spec.rb
|
|
@@ -122,5 +129,6 @@ test_files:
|
|
|
122
129
|
- spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
|
|
123
130
|
- spec/lib/secure_headers/headers/x_xss_protection_spec.rb
|
|
124
131
|
- spec/lib/secure_headers/middleware_spec.rb
|
|
132
|
+
- spec/lib/secure_headers/view_helpers_spec.rb
|
|
125
133
|
- spec/lib/secure_headers_spec.rb
|
|
126
134
|
- spec/spec_helper.rb
|