secure_headers 3.3.0 → 3.3.1


checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: c3acd5dfb3fc3a7c4037ef42b72765a4f1b34ede
4
- data.tar.gz: 98f0ce842bac69bf7c5f4d3d4cc19e4281ebe00e
3
+ metadata.gz: 81af1b59ac5a5a838557fb48a3b605c5202bcd8f
4
+ data.tar.gz: 5b5ecdf10eea6b5a8e224e6b1606c554105775c6
5
5
  SHA512:
6
- metadata.gz: 75d3b9033b09f0ac40675e8e8706185d9c0ca465a38f857228bf56857f5f44ba1eab5559b9c9f64f34ee398226ccd9dda5e26923f5325dcadd7be8ff0a957314
7
- data.tar.gz: f6ffb2babf72009e60a4d4663ee6e933db8f8acb7159021e66a07168e1c6743df621309fb63e884f3257217d28951b196b2a192739860ce459f4fbabbab35622
6
+ metadata.gz: e3c87eb56ae112ae7048592fe082a70cf215603133b5f1385f57b5dbe080ab74c61eb4b093d3dc911a4f837e8d57a16a88a420a49195311ecd375d838ad4edd2
7
+ data.tar.gz: 2708e94fffbaa40e649c30925142fd16d8e79236f4cefdbcb64b58a4e08941100961f891d23754798d08c681309341717fd49597df281d601e3e3edf1b09a524
data/CHANGELOG.md CHANGED
@@ -1,3 +1,7 @@
1
+ ## 3.3.1 bugfix for boolean CSP directives
2
+
3
+ [@stefansundin](https://github.com/twitter/secureheaders/pull/253) noticed that supplying `false` to "boolean" CSP directives (e.g. `upgrade-insecure-requests` and `block-all-mixed-content`) would still include the value.
4
+
1
5
  ## 3.3.0 referrer-policy support
2
6
 
3
7
  While not officially part of the spec and not implemented anywhere, support for the experimental [`referrer-policy` header](https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-header) was [preemptively added](https://github.com/twitter/secureheaders/pull/249).
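Review bot: the new changelog entry describes the old behaviour ("would still include the value") but never states the new one; readers upgrading for this fix need to know that supplying `false` to a boolean directive now omits it from the header entirely. Suggest appending a sentence such as "As of 3.3.1, `false` omits the directive." Also, the link text is the contributor's handle while the URL is the pull request; naming the PR in the link (`#253`) makes the attribution and the reference both visible.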
data/README.md CHANGED
@@ -48,7 +48,7 @@ SecureHeaders::Configuration.default do |config|
48
48
  config.referrer_policy = "origin-when-cross-origin"
49
49
  config.csp = {
50
50
  # "meta" values. these will shaped the header, but the values are not included in the header.
51
- report_only: true, # default: false
51
+ report_only: true, # default: false
52
52
  preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
53
53
 
54
54
  # directive values: these values will directly translate into source directives
@@ -66,7 +66,7 @@ SecureHeaders::Configuration.default do |config|
66
66
  form_action: %w('self' github.com),
67
67
  frame_ancestors: %w('none'),
68
68
  plugin_types: %w(application/x-shockwave-flash),
69
- block_all_mixed_content: true, # see [http://www.w3.org/TR/mixed-content/](http://www.w3.org/TR/mixed-content/)
69
+ block_all_mixed_content: true, # see http://www.w3.org/TR/mixed-content/
70
70
  upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
71
71
  report_uri: %w(https://report-uri.io/example-csp)
72
72
  }
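Review bot: this hunk only reshapes the comment on `block_all_mixed_content: true`, but it is the natural place to document the behaviour this release changes: the README still shows only `true` for the two boolean directives and says nothing about `false` now omitting the directive. Suggest extending the comment, e.g. `# boolean directive: true emits block-all-mixed-content, false omits it`. Minor: the line below links the upgrade-insecure-requests spec over `https://`, so the mixed-content link could use `https://` as well for consistency.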
@@ -85,7 +85,7 @@ end
85
85
 
86
86
  ### rails 2
87
87
 
88
- For rails 3+ applications, `secure_headers` has a `railtie` that should automatically include the middleware. For rails 2 applications, an explicit statement is required to use the middleware component.
88
+ For rails 3+ applications, `secure_headers` has a `railtie` that should automatically include the middleware. For rails 2 or non-rails applications, an explicit statement is required to use the middleware component.
89
89
 
90
90
  ```ruby
91
91
  use SecureHeaders::Middleware
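Review bot: the sentence now covers "rails 2 or non-rails applications", but the heading two lines above it still reads `### rails 2`, so non-Rails users scanning the README will not find this section. Rename the heading to match the widened scope (e.g. `### rails 2 / non-rails applications`) in the same change.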
@@ -137,7 +137,7 @@ class MyController < ApplicationController
137
137
  end
138
138
  ```
139
139
 
140
- By default, a noop configuration is provided. No headers will be set when this default override is used.
140
+ By default, a no-op configuration is provided. No headers will be set when this default override is used.
141
141
 
142
142
  ```ruby
143
143
  class MyController < ApplicationController
@@ -163,12 +163,12 @@ You can override the settings for a given action by producing a temporary overri
163
163
  class MyController < ApplicationController
164
164
  def index
165
165
  # Append value to the source list, override 'none' values
166
- # Produces: default-src 'self'; script-src 'self' s3.amazaonaws.com; object-src 'self' youtube.com
167
- append_content_security_policy_directives(script_src: %w(s3.amazaonaws.com), object_src: %w('self' youtube.com))
166
+ # Produces: default-src 'self'; script-src 'self' s3.amazonaws.com; object-src 'self' www.youtube.com
167
+ append_content_security_policy_directives(script_src: %w(s3.amazonaws.com), object_src: %w('self' www.youtube.com))
168
168
 
169
169
  # Overrides the previously set source list, override 'none' values
170
- # Produces: default-src 'self'; script-src s3.amazaonaws.com; object-src 'self'
171
- override_content_security_policy_directives(script_src: %w(s3.amazaonaws.com), object_src: %w('self'))
170
+ # Produces: default-src 'self'; script-src s3.amazonaws.com; object-src 'self'
171
+ override_content_security_policy_directives(script_src: %w(s3.amazonaws.com), object_src: %w('self'))
172
172
 
173
173
  # Global settings default to "sameorigin"
174
174
  override_x_frame_options("DENY")
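Review bot: beyond the `amazaonaws` typo fix, both examples carry the identical comment `override 'none' values`, which hides the important difference the `Produces:` lines already show: the override call replaces the whole `script_src` list, so `'self'` disappears from `script-src` (`script-src s3.amazonaws.com`), whereas append keeps it (`script-src 'self' s3.amazonaws.com`). A reader who copies the append example and switches to override would silently drop their own origin. Suggest changing the second comment to state that override discards every previously configured source for that directive, including `'self'`, unless it is listed again.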
@@ -207,7 +207,7 @@ You can use a view helper to automatically add nonces to script tags:
207
207
 
208
208
  ```erb
209
209
  <%= nonced_javascript_tag do %>
210
- console.log("hai");
210
+ console.log("nonced!");
211
211
  <% end %>
212
212
 
213
213
  <%= nonced_style_tag do %>
@@ -324,14 +324,14 @@ Be aware that pinning error reporting is governed by the same rules as everythin
324
324
 
325
325
  ```ruby
326
326
  config.hpkp = {
327
- max_age: 60.days.to_i, # max_age is a required parameter
327
+ max_age: 60.days.to_i, # max_age is a required parameter
328
328
  include_subdomains: true, # whether or not to apply pins to subdomains
329
329
  # Per the spec, SHA256 hashes are the only currently supported format.
330
330
  pins: [
331
331
  {sha256: 'b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c'},
332
332
  {sha256: '73a2c64f9545172c1195efb6616ca5f7afd1df6f245407cafb90de3998a1c97f'}
333
333
  ],
334
- report_only: true, # defaults to false (report-only mode)
334
+ report_only: true, # defaults to false (report-only mode)
335
335
  report_uri: 'https://report-uri.io/example-hpkp'
336
336
  }
337
337
  ```
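Review bot: the changes in this hunk are whitespace-only, but the comment on the `report_only: true` line, `# defaults to false (report-only mode)`, is ambiguous as written: the parenthetical reads as though `false` selects report-only mode, which is the opposite of the semantics the key name implies. Suggest `# true = report-only mode; defaults to false (pins are enforced)` so the alignment fix also removes the ambiguity.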
@@ -53,7 +53,7 @@ module SecureHeaders
53
53
  directives.map do |directive_name|
54
54
  case DIRECTIVE_VALUE_TYPES[directive_name]
55
55
  when :boolean
56
- symbol_to_hyphen_case(directive_name)
56
+ symbol_to_hyphen_case(directive_name) if @config[directive_name]
57
57
  when :string
58
58
  [symbol_to_hyphen_case(directive_name), @config[directive_name]].join(" ")
59
59
  else
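Review bot: `symbol_to_hyphen_case(directive_name) if @config[directive_name]` evaluates to `nil` for a `false` (or absent) boolean directive, so the array produced by `directives.map` now contains `nil` entries. Whatever joins that array into the header value must `compact` them first, otherwise the header would carry an empty segment such as `default-src example.org; ; upgrade-insecure-requests`. The spec added in this release asserts exactly `default-src example.org; block-all-mixed-content`, so a compact evidently happens downstream, but it is not visible in this hunk; consider calling `.compact` on the map result here so the guarantee lives next to the code that introduces the `nil`. The unchanged `:string` branch has no such guard and would emit `"directive-name "` for a nil value; worth checking the same way.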
data/lib/tasks/tasks.rake CHANGED
@@ -54,6 +54,7 @@ namespace :secure_headers do
54
54
  hashes
55
55
  end
56
56
 
57
+ desc "Generate #{SecureHeaders::Configuration::HASH_CONFIG_FILE}"
57
58
  task :generate_hashes do |t, args|
58
59
  script_hashes = {
59
60
  "scripts" => {},
@@ -1,7 +1,7 @@
1
1
  # -*- encoding: utf-8 -*-
2
2
  Gem::Specification.new do |gem|
3
3
  gem.name = "secure_headers"
4
- gem.version = "3.3.0"
4
+ gem.version = "3.3.1"
5
5
  gem.authors = ["Neil Matatall"]
6
6
  gem.email = ["neil.matatall@gmail.com"]
7
7
  gem.description = 'Security related headers all in one gem.'
@@ -71,6 +71,16 @@ module SecureHeaders
71
71
  expect(csp.value).to eq("default-src example.org")
72
72
  end
73
73
 
74
+ it "does add a boolean directive if the value is true" do
75
+ csp = ContentSecurityPolicy.new(default_src: ["https://example.org"], block_all_mixed_content: true, upgrade_insecure_requests: true)
76
+ expect(csp.value).to eq("default-src example.org; block-all-mixed-content; upgrade-insecure-requests")
77
+ end
78
+
79
+ it "does not add a boolean directive if the value is false" do
80
+ csp = ContentSecurityPolicy.new(default_src: ["https://example.org"], block_all_mixed_content: true, upgrade_insecure_requests: false)
81
+ expect(csp.value).to eq("default-src example.org; block-all-mixed-content")
82
+ end
83
+
74
84
  it "deduplicates any source expressions" do
75
85
  csp = ContentSecurityPolicy.new(default_src: %w(example.org example.org example.org))
76
86
  expect(csp.value).to eq("default-src example.org")
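Review bot: the negative test keeps `block_all_mixed_content: true` while setting `upgrade_insecure_requests: false`, which usefully proves no stray separator is emitted after the last directive, but two paths of the new `if @config[directive_name]` guard remain uncovered: a boolean directive that is omitted from the configuration entirely (nil) and the case where both boolean directives are `false`. Add those two examples so that an `nil` in the middle of the directive list and a policy ending in a non-boolean directive are both asserted against exact header strings.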
data/upgrading-to-3-0.md CHANGED
@@ -13,6 +13,7 @@ Changes
13
13
  | `inline` / `eval` source expressions | could be `inline`, `eval`, `'unsafe-inline'`, or `'unsafe-eval'` | Must be `'unsafe-eval'` or `'unsafe-inline'` |
14
14
  | Per-action configuration | override [`def secure_header_options_for(header, options)`](https://github.com/twitter/secureheaders/commit/bb9ebc6c12a677aad29af8e0f08ffd1def56efec#diff-04c6e90faac2675aa89e2176d2eec7d8R111) | Use [named overrides](https://github.com/twitter/secureheaders#named-overrides) or [per-action helpers](https://github.com/twitter/secureheaders#per-action-configuration) |
15
15
  | CSP/HPKP use `report_only` config that defaults to false | `enforce: false` | `report_only: false` |
16
+ | schemes in source expressions | Schemes were not stripped | Schemes are stripped by default to discourage mixed content. Setting `preserve_schemes: true` will revert to previous behavior |
16
17
 
17
18
  Migrating to 3.x from <= 2.x
18
19
  ==
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.3.0
4
+ version: 3.3.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Neil Matatall
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2016-04-29 00:00:00.000000000 Z
11
+ date: 2016-05-09 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake