secure_headers 3.5.0 → 3.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -107,6 +107,11 @@ module SecureHeaders
107
107
  expect(firefox_transitional).not_to match(/frame-src/)
108
108
  end
109
109
 
110
+ it "supports strict-dynamic" do
111
+ csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456}, USER_AGENTS[:chrome])
112
+ expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456'")
113
+ end
114
+
110
115
  context "browser sniffing" do
111
116
  let (:complex_opts) do
112
117
  (ContentSecurityPolicy::ALL_DIRECTIVES - [:frame_src]).each_with_object({}) do |directive, hash|
@@ -149,6 +154,18 @@ module SecureHeaders
149
154
  policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:safari6])
150
155
  expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
151
156
  end
157
+
158
+ it "adds 'unsafe-inline', filters blocked-all-mixed-content, upgrade-insecure-requests, nonce sources, and hash sources for safari 10 and higher" do
159
+ policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:safari10])
160
+ expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; report-uri report-uri.com")
161
+ end
162
+
163
+ it "falls back to standard Firefox defaults when the useragent version is not present" do
164
+ ua = USER_AGENTS[:firefox].dup
165
+ allow(ua).to receive(:version).and_return(nil)
166
+ policy = ContentSecurityPolicy.new(complex_opts, ua)
167
+ expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
168
+ end
152
169
  end
153
170
  end
154
171
  end
@@ -18,6 +18,24 @@ module SecureHeaders
18
18
  end.not_to raise_error
19
19
  end
20
20
 
21
+ it "accepts 'same-origin'" do
22
+ expect do
23
+ ReferrerPolicy.validate_config!("same-origin")
24
+ end.not_to raise_error
25
+ end
26
+
27
+ it "accepts 'strict-origin'" do
28
+ expect do
29
+ ReferrerPolicy.validate_config!("strict-origin")
30
+ end.not_to raise_error
31
+ end
32
+
33
+ it "accepts 'strict-origin-when-cross-origin'" do
34
+ expect do
35
+ ReferrerPolicy.validate_config!("strict-origin-when-cross-origin")
36
+ end.not_to raise_error
37
+ end
38
+
21
39
  it "accepts 'origin'" do
22
40
  expect do
23
41
  ReferrerPolicy.validate_config!("origin")
@@ -530,6 +530,14 @@ module SecureHeaders
530
530
  end.to raise_error(XContentTypeOptionsConfigError)
531
531
  end
532
532
 
533
+ it "validates your clear site data config upon configuration" do
534
+ expect do
535
+ Configuration.default do |config|
536
+ config.clear_site_data = 1
537
+ end
538
+ end.to raise_error(ClearSiteDataConfigError)
539
+ end
540
+
533
541
  it "validates your x_xss config upon configuration" do
534
542
  expect do
535
543
  Configuration.default do |config|
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.5.0
4
+ version: 3.6.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Neil Matatall
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2016-10-12 00:00:00.000000000 Z
11
+ date: 2017-03-03 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake
@@ -58,9 +58,16 @@ files:
58
58
  - LICENSE
59
59
  - README.md
60
60
  - Rakefile
61
+ - docs/HPKP.md
62
+ - docs/cookies.md
63
+ - docs/hashes.md
64
+ - docs/named_overrides_and_appends.md
65
+ - docs/per_action_configuration.md
66
+ - docs/sinatra.md
61
67
  - lib/secure_headers.rb
62
68
  - lib/secure_headers/configuration.rb
63
69
  - lib/secure_headers/hash_helper.rb
70
+ - lib/secure_headers/headers/clear_site_data.rb
64
71
  - lib/secure_headers/headers/content_security_policy.rb
65
72
  - lib/secure_headers/headers/content_security_policy_config.rb
66
73
  - lib/secure_headers/headers/cookie.rb
@@ -80,6 +87,7 @@ files:
80
87
  - lib/tasks/tasks.rake
81
88
  - secure_headers.gemspec
82
89
  - spec/lib/secure_headers/configuration_spec.rb
90
+ - spec/lib/secure_headers/headers/clear_site_data_spec.rb
83
91
  - spec/lib/secure_headers/headers/content_security_policy_spec.rb
84
92
  - spec/lib/secure_headers/headers/cookie_spec.rb
85
93
  - spec/lib/secure_headers/headers/policy_management_spec.rb
@@ -116,13 +124,14 @@ required_rubygems_version: !ruby/object:Gem::Requirement
116
124
  version: '0'
117
125
  requirements: []
118
126
  rubyforge_project:
119
- rubygems_version: 2.4.5.1
127
+ rubygems_version: 2.5.2
120
128
  signing_key:
121
129
  specification_version: 4
122
130
  summary: Add easily configured security headers to responses including content-security-policy,
123
131
  x-frame-options, strict-transport-security, etc.
124
132
  test_files:
125
133
  - spec/lib/secure_headers/configuration_spec.rb
134
+ - spec/lib/secure_headers/headers/clear_site_data_spec.rb
126
135
  - spec/lib/secure_headers/headers/content_security_policy_spec.rb
127
136
  - spec/lib/secure_headers/headers/cookie_spec.rb
128
137
  - spec/lib/secure_headers/headers/policy_management_spec.rb