secure_headers 3.5.0 → 3.6.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.ruby-version +1 -1
- data/.travis.yml +2 -0
- data/CHANGELOG.md +18 -0
- data/LICENSE +4 -199
- data/README.md +38 -384
- data/docs/HPKP.md +17 -0
- data/docs/cookies.md +50 -0
- data/docs/hashes.md +64 -0
- data/docs/named_overrides_and_appends.md +107 -0
- data/docs/per_action_configuration.md +105 -0
- data/docs/sinatra.md +25 -0
- data/lib/secure_headers/configuration.rb +4 -2
- data/lib/secure_headers/headers/clear_site_data.rb +51 -0
- data/lib/secure_headers/headers/content_security_policy.rb +4 -1
- data/lib/secure_headers/headers/content_security_policy_config.rb +21 -12
- data/lib/secure_headers/headers/policy_management.rb +6 -3
- data/lib/secure_headers/headers/referrer_policy.rb +4 -1
- data/lib/secure_headers/headers/strict_transport_security.rb +1 -1
- data/lib/secure_headers/headers/x_content_type_options.rb +1 -1
- data/lib/secure_headers/headers/x_download_options.rb +1 -1
- data/lib/secure_headers/headers/x_frame_options.rb +1 -1
- data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +1 -1
- data/lib/secure_headers/headers/x_xss_protection.rb +1 -1
- data/lib/secure_headers.rb +3 -1
- data/secure_headers.gemspec +1 -1
- data/spec/lib/secure_headers/headers/clear_site_data_spec.rb +103 -0
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +17 -0
- data/spec/lib/secure_headers/headers/referrer_policy_spec.rb +18 -0
- data/spec/lib/secure_headers_spec.rb +8 -0
- metadata +12 -3
|
@@ -107,6 +107,11 @@ module SecureHeaders
|
|
|
107
107
|
expect(firefox_transitional).not_to match(/frame-src/)
|
|
108
108
|
end
|
|
109
109
|
|
|
110
|
+
it "supports strict-dynamic" do
|
|
111
|
+
csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456}, USER_AGENTS[:chrome])
|
|
112
|
+
expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456'")
|
|
113
|
+
end
|
|
114
|
+
|
|
110
115
|
context "browser sniffing" do
|
|
111
116
|
let (:complex_opts) do
|
|
112
117
|
(ContentSecurityPolicy::ALL_DIRECTIVES - [:frame_src]).each_with_object({}) do |directive, hash|
|
|
@@ -149,6 +154,18 @@ module SecureHeaders
|
|
|
149
154
|
policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:safari6])
|
|
150
155
|
expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
|
|
151
156
|
end
|
|
157
|
+
|
|
158
|
+
it "adds 'unsafe-inline', filters blocked-all-mixed-content, upgrade-insecure-requests, nonce sources, and hash sources for safari 10 and higher" do
|
|
159
|
+
policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:safari10])
|
|
160
|
+
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; report-uri report-uri.com")
|
|
161
|
+
end
|
|
162
|
+
|
|
163
|
+
it "falls back to standard Firefox defaults when the useragent version is not present" do
|
|
164
|
+
ua = USER_AGENTS[:firefox].dup
|
|
165
|
+
allow(ua).to receive(:version).and_return(nil)
|
|
166
|
+
policy = ContentSecurityPolicy.new(complex_opts, ua)
|
|
167
|
+
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
168
|
+
end
|
|
152
169
|
end
|
|
153
170
|
end
|
|
154
171
|
end
|
|
@@ -18,6 +18,24 @@ module SecureHeaders
|
|
|
18
18
|
end.not_to raise_error
|
|
19
19
|
end
|
|
20
20
|
|
|
21
|
+
it "accepts 'same-origin'" do
|
|
22
|
+
expect do
|
|
23
|
+
ReferrerPolicy.validate_config!("same-origin")
|
|
24
|
+
end.not_to raise_error
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
it "accepts 'strict-origin'" do
|
|
28
|
+
expect do
|
|
29
|
+
ReferrerPolicy.validate_config!("strict-origin")
|
|
30
|
+
end.not_to raise_error
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
it "accepts 'strict-origin-when-cross-origin'" do
|
|
34
|
+
expect do
|
|
35
|
+
ReferrerPolicy.validate_config!("strict-origin-when-cross-origin")
|
|
36
|
+
end.not_to raise_error
|
|
37
|
+
end
|
|
38
|
+
|
|
21
39
|
it "accepts 'origin'" do
|
|
22
40
|
expect do
|
|
23
41
|
ReferrerPolicy.validate_config!("origin")
|
|
@@ -530,6 +530,14 @@ module SecureHeaders
|
|
|
530
530
|
end.to raise_error(XContentTypeOptionsConfigError)
|
|
531
531
|
end
|
|
532
532
|
|
|
533
|
+
it "validates your clear site data config upon configuration" do
|
|
534
|
+
expect do
|
|
535
|
+
Configuration.default do |config|
|
|
536
|
+
config.clear_site_data = 1
|
|
537
|
+
end
|
|
538
|
+
end.to raise_error(ClearSiteDataConfigError)
|
|
539
|
+
end
|
|
540
|
+
|
|
533
541
|
it "validates your x_xss config upon configuration" do
|
|
534
542
|
expect do
|
|
535
543
|
Configuration.default do |config|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.
|
|
4
|
+
version: 3.6.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2017-03-03 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|
|
@@ -58,9 +58,16 @@ files:
|
|
|
58
58
|
- LICENSE
|
|
59
59
|
- README.md
|
|
60
60
|
- Rakefile
|
|
61
|
+
- docs/HPKP.md
|
|
62
|
+
- docs/cookies.md
|
|
63
|
+
- docs/hashes.md
|
|
64
|
+
- docs/named_overrides_and_appends.md
|
|
65
|
+
- docs/per_action_configuration.md
|
|
66
|
+
- docs/sinatra.md
|
|
61
67
|
- lib/secure_headers.rb
|
|
62
68
|
- lib/secure_headers/configuration.rb
|
|
63
69
|
- lib/secure_headers/hash_helper.rb
|
|
70
|
+
- lib/secure_headers/headers/clear_site_data.rb
|
|
64
71
|
- lib/secure_headers/headers/content_security_policy.rb
|
|
65
72
|
- lib/secure_headers/headers/content_security_policy_config.rb
|
|
66
73
|
- lib/secure_headers/headers/cookie.rb
|
|
@@ -80,6 +87,7 @@ files:
|
|
|
80
87
|
- lib/tasks/tasks.rake
|
|
81
88
|
- secure_headers.gemspec
|
|
82
89
|
- spec/lib/secure_headers/configuration_spec.rb
|
|
90
|
+
- spec/lib/secure_headers/headers/clear_site_data_spec.rb
|
|
83
91
|
- spec/lib/secure_headers/headers/content_security_policy_spec.rb
|
|
84
92
|
- spec/lib/secure_headers/headers/cookie_spec.rb
|
|
85
93
|
- spec/lib/secure_headers/headers/policy_management_spec.rb
|
|
@@ -116,13 +124,14 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
116
124
|
version: '0'
|
|
117
125
|
requirements: []
|
|
118
126
|
rubyforge_project:
|
|
119
|
-
rubygems_version: 2.
|
|
127
|
+
rubygems_version: 2.5.2
|
|
120
128
|
signing_key:
|
|
121
129
|
specification_version: 4
|
|
122
130
|
summary: Add easily configured security headers to responses including content-security-policy,
|
|
123
131
|
x-frame-options, strict-transport-security, etc.
|
|
124
132
|
test_files:
|
|
125
133
|
- spec/lib/secure_headers/configuration_spec.rb
|
|
134
|
+
- spec/lib/secure_headers/headers/clear_site_data_spec.rb
|
|
126
135
|
- spec/lib/secure_headers/headers/content_security_policy_spec.rb
|
|
127
136
|
- spec/lib/secure_headers/headers/cookie_spec.rb
|
|
128
137
|
- spec/lib/secure_headers/headers/policy_management_spec.rb
|