secure_headers 3.1.0 → 3.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -21,7 +21,7 @@ module SecureHeaders
21
21
  end
22
22
 
23
23
  describe "#header_hash_for" do
24
- it "allows you to opt out of individual headers" do
24
+ it "allows you to opt out of individual headers via API" do
25
25
  Configuration.default
26
26
  SecureHeaders.opt_out_of_header(request, CSP::CONFIG_KEY)
27
27
  SecureHeaders.opt_out_of_header(request, XContentTypeOptions::CONFIG_KEY)
@@ -31,6 +31,23 @@ module SecureHeaders
31
31
  expect(hash['X-Content-Type-Options']).to be_nil
32
32
  end
33
33
 
34
+ it "Carries options over when using overrides" do
35
+ Configuration.default do |config|
36
+ config.x_download_options = OPT_OUT
37
+ config.x_permitted_cross_domain_policies = OPT_OUT
38
+ end
39
+
40
+ Configuration.override(:api) do |config|
41
+ config.x_frame_options = OPT_OUT
42
+ end
43
+
44
+ SecureHeaders.use_secure_headers_override(request, :api)
45
+ hash = SecureHeaders.header_hash_for(request)
46
+ expect(hash['X-Download-Options']).to be_nil
47
+ expect(hash['X-Permitted-Cross-Domain-Policies']).to be_nil
48
+ expect(hash['X-Frame-Options']).to be_nil
49
+ end
50
+
34
51
  it "allows you to opt out entirely" do
35
52
  Configuration.default
36
53
  SecureHeaders.opt_out_of_all_protection(request)
@@ -38,6 +55,7 @@ module SecureHeaders
38
55
  ALL_HEADER_CLASSES.each do |klass|
39
56
  expect(hash[klass::CONFIG_KEY]).to be_nil
40
57
  end
58
+ expect(hash.count).to eq(0)
41
59
  end
42
60
 
43
61
  it "allows you to override X-Frame-Options settings" do
data/spec/spec_helper.rb CHANGED
@@ -45,3 +45,15 @@ end
45
45
  def reset_config
46
46
  SecureHeaders::Configuration.clear_configurations
47
47
  end
48
+
49
+ def capture_warning
50
+ begin
51
+ old_stderr = $stderr
52
+ $stderr = StringIO.new
53
+ yield
54
+ result = $stderr.string
55
+ ensure
56
+ $stderr = old_stderr
57
+ end
58
+ result
59
+ end
data/upgrading-to-3-0.md CHANGED
@@ -8,6 +8,7 @@ Changes
8
8
  | Global configuration | `SecureHeaders::Configuration.configure` block | `SecureHeaders::Configuration.default` block |
9
9
  | All headers besides HPKP and CSP | Accept hashes as config values | Must be strings (validated during configuration) |
10
10
  | CSP directive values | Accepted space delimited strings OR arrays of strings | Must be arrays of strings |
11
+ | CSP Nonce values in views | `@content_security_policy_nonce` | `content_security_policy_script_nonce` or `content_security_policy_style_nonce`
11
12
  | `self`/`none` source expressions | could be `self` / `none` / `'self'` / `'none'` | Must be `'self'` or `'none'` |
12
13
  | `inline` / `eval` source expressions | could be `inline`, `eval`, `'unsafe-inline'`, or `'unsafe-eval'` | Must be `'unsafe-eval'` or `'unsafe-inline'` |
13
14
  | Per-action configuration | override [`def secure_header_options_for(header, options)`](https://github.com/twitter/secureheaders/commit/bb9ebc6c12a677aad29af8e0f08ffd1def56efec#diff-04c6e90faac2675aa89e2176d2eec7d8R111) | Use [named overrides](https://github.com/twitter/secureheaders#named-overrides) or [per-action helpers](https://github.com/twitter/secureheaders#per-action-configuration) |
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.1.0
4
+ version: 3.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Neil Matatall
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2016-03-28 00:00:00.000000000 Z
11
+ date: 2016-04-18 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake
@@ -58,7 +58,9 @@ files:
58
58
  - Rakefile
59
59
  - lib/secure_headers.rb
60
60
  - lib/secure_headers/configuration.rb
61
+ - lib/secure_headers/hash_helper.rb
61
62
  - lib/secure_headers/headers/content_security_policy.rb
63
+ - lib/secure_headers/headers/cookie.rb
62
64
  - lib/secure_headers/headers/policy_management.rb
63
65
  - lib/secure_headers/headers/public_key_pins.rb
64
66
  - lib/secure_headers/headers/strict_transport_security.rb
@@ -69,10 +71,13 @@ files:
69
71
  - lib/secure_headers/headers/x_xss_protection.rb
70
72
  - lib/secure_headers/middleware.rb
71
73
  - lib/secure_headers/railtie.rb
74
+ - lib/secure_headers/utils/cookies_config.rb
72
75
  - lib/secure_headers/view_helper.rb
76
+ - lib/tasks/tasks.rake
73
77
  - secure_headers.gemspec
74
78
  - spec/lib/secure_headers/configuration_spec.rb
75
79
  - spec/lib/secure_headers/headers/content_security_policy_spec.rb
80
+ - spec/lib/secure_headers/headers/cookie_spec.rb
76
81
  - spec/lib/secure_headers/headers/policy_management_spec.rb
77
82
  - spec/lib/secure_headers/headers/public_key_pins_spec.rb
78
83
  - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
@@ -82,6 +87,7 @@ files:
82
87
  - spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
83
88
  - spec/lib/secure_headers/headers/x_xss_protection_spec.rb
84
89
  - spec/lib/secure_headers/middleware_spec.rb
90
+ - spec/lib/secure_headers/view_helpers_spec.rb
85
91
  - spec/lib/secure_headers_spec.rb
86
92
  - spec/spec_helper.rb
87
93
  - upgrading-to-3-0.md
@@ -113,6 +119,7 @@ summary: Add easily configured security headers to responses including content-s
113
119
  test_files:
114
120
  - spec/lib/secure_headers/configuration_spec.rb
115
121
  - spec/lib/secure_headers/headers/content_security_policy_spec.rb
122
+ - spec/lib/secure_headers/headers/cookie_spec.rb
116
123
  - spec/lib/secure_headers/headers/policy_management_spec.rb
117
124
  - spec/lib/secure_headers/headers/public_key_pins_spec.rb
118
125
  - spec/lib/secure_headers/headers/strict_transport_security_spec.rb
@@ -122,5 +129,6 @@ test_files:
122
129
  - spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
123
130
  - spec/lib/secure_headers/headers/x_xss_protection_spec.rb
124
131
  - spec/lib/secure_headers/middleware_spec.rb
132
+ - spec/lib/secure_headers/view_helpers_spec.rb
125
133
  - spec/lib/secure_headers_spec.rb
126
134
  - spec/spec_helper.rb