secure_headers 3.6.0 → 3.7.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.rspec +1 -0
- data/.ruby-version +1 -1
- data/.travis.yml +2 -0
- data/CHANGELOG.md +34 -1
- data/CODE_OF_CONDUCT.md +46 -0
- data/CONTRIBUTING.md +41 -0
- data/LICENSE +4 -199
- data/README.md +12 -3
- data/docs/hashes.md +1 -1
- data/lib/secure_headers/configuration.rb +25 -5
- data/lib/secure_headers/headers/clear_site_data.rb +12 -9
- data/lib/secure_headers/headers/content_security_policy.rb +2 -2
- data/lib/secure_headers/headers/content_security_policy_config.rb +45 -12
- data/lib/secure_headers/headers/expect_certificate_transparency.rb +70 -0
- data/lib/secure_headers/headers/policy_management.rb +22 -22
- data/lib/secure_headers/headers/public_key_pins.rb +1 -1
- data/lib/secure_headers/headers/referrer_policy.rb +1 -1
- data/lib/secure_headers/headers/strict_transport_security.rb +1 -1
- data/lib/secure_headers/headers/x_content_type_options.rb +1 -1
- data/lib/secure_headers/headers/x_download_options.rb +1 -1
- data/lib/secure_headers/headers/x_frame_options.rb +1 -1
- data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +1 -1
- data/lib/secure_headers/headers/x_xss_protection.rb +1 -1
- data/lib/secure_headers/view_helper.rb +2 -2
- data/lib/secure_headers.rb +5 -2
- data/secure_headers.gemspec +2 -2
- data/spec/lib/secure_headers/headers/clear_site_data_spec.rb +9 -26
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +12 -8
- data/spec/lib/secure_headers/headers/expect_certificate_spec.rb +42 -0
- data/spec/lib/secure_headers/headers/policy_management_spec.rb +1 -0
- data/spec/lib/secure_headers/view_helpers_spec.rb +0 -1
- data/spec/lib/secure_headers_spec.rb +31 -4
- data/spec/spec_helper.rb +1 -0
- metadata +9 -4
|
@@ -105,7 +105,7 @@ module SecureHeaders
|
|
|
105
105
|
end
|
|
106
106
|
|
|
107
107
|
it "produces a UA-specific CSP when overriding (and busting the cache)" do
|
|
108
|
-
|
|
108
|
+
Configuration.default do |config|
|
|
109
109
|
config.csp = {
|
|
110
110
|
default_src: %w('self'),
|
|
111
111
|
child_src: %w('self')
|
|
@@ -173,6 +173,33 @@ module SecureHeaders
|
|
|
173
173
|
expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; script-src mycdn.com 'unsafe-inline' anothercdn.com")
|
|
174
174
|
end
|
|
175
175
|
|
|
176
|
+
it "appends child-src to frame-src" do
|
|
177
|
+
Configuration.default do |config|
|
|
178
|
+
config.csp = {
|
|
179
|
+
default_src: %w('self'),
|
|
180
|
+
frame_src: %w(frame_src.com)
|
|
181
|
+
}
|
|
182
|
+
end
|
|
183
|
+
|
|
184
|
+
SecureHeaders.append_content_security_policy_directives(chrome_request, child_src: %w(child_src.com))
|
|
185
|
+
hash = SecureHeaders.header_hash_for(chrome_request)
|
|
186
|
+
expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; child-src frame_src.com child_src.com")
|
|
187
|
+
end
|
|
188
|
+
|
|
189
|
+
it "appends frame-src to child-src" do
|
|
190
|
+
Configuration.default do |config|
|
|
191
|
+
config.csp = {
|
|
192
|
+
default_src: %w('self'),
|
|
193
|
+
child_src: %w(child_src.com)
|
|
194
|
+
}
|
|
195
|
+
end
|
|
196
|
+
|
|
197
|
+
safari_request = Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:safari6]))
|
|
198
|
+
SecureHeaders.append_content_security_policy_directives(safari_request, frame_src: %w(frame_src.com))
|
|
199
|
+
hash = SecureHeaders.header_hash_for(safari_request)
|
|
200
|
+
expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; frame-src child_src.com frame_src.com")
|
|
201
|
+
end
|
|
202
|
+
|
|
176
203
|
it "supports named appends" do
|
|
177
204
|
Configuration.default do |config|
|
|
178
205
|
config.csp = {
|
|
@@ -204,7 +231,7 @@ module SecureHeaders
|
|
|
204
231
|
|
|
205
232
|
SecureHeaders.content_security_policy_script_nonce(request) # should add the value to the header
|
|
206
233
|
hash = SecureHeaders.header_hash_for(chrome_request)
|
|
207
|
-
expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to match
|
|
234
|
+
expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/\Adefault-src 'self'; script-src 'self' 'nonce-.*'\z/)
|
|
208
235
|
end
|
|
209
236
|
|
|
210
237
|
it "appends a hash to a missing script-src value" do
|
|
@@ -216,7 +243,7 @@ module SecureHeaders
|
|
|
216
243
|
|
|
217
244
|
SecureHeaders.append_content_security_policy_directives(request, script_src: %w('sha256-abc123'))
|
|
218
245
|
hash = SecureHeaders.header_hash_for(chrome_request)
|
|
219
|
-
expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to match
|
|
246
|
+
expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/\Adefault-src 'self'; script-src 'self' 'sha256-abc123'\z/)
|
|
220
247
|
end
|
|
221
248
|
|
|
222
249
|
it "overrides individual directives" do
|
|
@@ -252,7 +279,7 @@ module SecureHeaders
|
|
|
252
279
|
end
|
|
253
280
|
|
|
254
281
|
safari_request = Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:safari5]))
|
|
255
|
-
|
|
282
|
+
SecureHeaders.content_security_policy_script_nonce(safari_request)
|
|
256
283
|
hash = SecureHeaders.header_hash_for(safari_request)
|
|
257
284
|
expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; script-src mycdn.com 'unsafe-inline'; style-src 'self'")
|
|
258
285
|
end
|
data/spec/spec_helper.rb
CHANGED
|
@@ -34,6 +34,7 @@ def expect_default_values(hash)
|
|
|
34
34
|
expect(hash[SecureHeaders::XContentTypeOptions::HEADER_NAME]).to eq(SecureHeaders::XContentTypeOptions::DEFAULT_VALUE)
|
|
35
35
|
expect(hash[SecureHeaders::XPermittedCrossDomainPolicies::HEADER_NAME]).to eq(SecureHeaders::XPermittedCrossDomainPolicies::DEFAULT_VALUE)
|
|
36
36
|
expect(hash[SecureHeaders::ReferrerPolicy::HEADER_NAME]).to be_nil
|
|
37
|
+
expect(hash[SecureHeaders::ExpectCertificateTransparency::HEADER_NAME]).to be_nil
|
|
37
38
|
end
|
|
38
39
|
|
|
39
40
|
module SecureHeaders
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.
|
|
4
|
+
version: 3.7.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-
|
|
11
|
+
date: 2017-08-25 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|
|
@@ -38,7 +38,7 @@ dependencies:
|
|
|
38
38
|
- - ">="
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
40
|
version: '0'
|
|
41
|
-
description:
|
|
41
|
+
description: Manages application of security headers with many safe defaults.
|
|
42
42
|
email:
|
|
43
43
|
- neil.matatall@gmail.com
|
|
44
44
|
executables: []
|
|
@@ -53,6 +53,8 @@ files:
|
|
|
53
53
|
- ".ruby-version"
|
|
54
54
|
- ".travis.yml"
|
|
55
55
|
- CHANGELOG.md
|
|
56
|
+
- CODE_OF_CONDUCT.md
|
|
57
|
+
- CONTRIBUTING.md
|
|
56
58
|
- Gemfile
|
|
57
59
|
- Guardfile
|
|
58
60
|
- LICENSE
|
|
@@ -71,6 +73,7 @@ files:
|
|
|
71
73
|
- lib/secure_headers/headers/content_security_policy.rb
|
|
72
74
|
- lib/secure_headers/headers/content_security_policy_config.rb
|
|
73
75
|
- lib/secure_headers/headers/cookie.rb
|
|
76
|
+
- lib/secure_headers/headers/expect_certificate_transparency.rb
|
|
74
77
|
- lib/secure_headers/headers/policy_management.rb
|
|
75
78
|
- lib/secure_headers/headers/public_key_pins.rb
|
|
76
79
|
- lib/secure_headers/headers/referrer_policy.rb
|
|
@@ -90,6 +93,7 @@ files:
|
|
|
90
93
|
- spec/lib/secure_headers/headers/clear_site_data_spec.rb
|
|
91
94
|
- spec/lib/secure_headers/headers/content_security_policy_spec.rb
|
|
92
95
|
- spec/lib/secure_headers/headers/cookie_spec.rb
|
|
96
|
+
- spec/lib/secure_headers/headers/expect_certificate_spec.rb
|
|
93
97
|
- spec/lib/secure_headers/headers/policy_management_spec.rb
|
|
94
98
|
- spec/lib/secure_headers/headers/public_key_pins_spec.rb
|
|
95
99
|
- spec/lib/secure_headers/headers/referrer_policy_spec.rb
|
|
@@ -124,7 +128,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
124
128
|
version: '0'
|
|
125
129
|
requirements: []
|
|
126
130
|
rubyforge_project:
|
|
127
|
-
rubygems_version: 2.
|
|
131
|
+
rubygems_version: 2.5.2
|
|
128
132
|
signing_key:
|
|
129
133
|
specification_version: 4
|
|
130
134
|
summary: Add easily configured security headers to responses including content-security-policy,
|
|
@@ -134,6 +138,7 @@ test_files:
|
|
|
134
138
|
- spec/lib/secure_headers/headers/clear_site_data_spec.rb
|
|
135
139
|
- spec/lib/secure_headers/headers/content_security_policy_spec.rb
|
|
136
140
|
- spec/lib/secure_headers/headers/cookie_spec.rb
|
|
141
|
+
- spec/lib/secure_headers/headers/expect_certificate_spec.rb
|
|
137
142
|
- spec/lib/secure_headers/headers/policy_management_spec.rb
|
|
138
143
|
- spec/lib/secure_headers/headers/public_key_pins_spec.rb
|
|
139
144
|
- spec/lib/secure_headers/headers/referrer_policy_spec.rb
|