secure_headers 3.6.0 → 3.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (35) hide show
  1. checksums.yaml +4 -4
  2. data/.rspec +1 -0
  3. data/.ruby-version +1 -1
  4. data/.travis.yml +2 -0
  5. data/CHANGELOG.md +34 -1
  6. data/CODE_OF_CONDUCT.md +46 -0
  7. data/CONTRIBUTING.md +41 -0
  8. data/LICENSE +4 -199
  9. data/README.md +12 -3
  10. data/docs/hashes.md +1 -1
  11. data/lib/secure_headers/configuration.rb +25 -5
  12. data/lib/secure_headers/headers/clear_site_data.rb +12 -9
  13. data/lib/secure_headers/headers/content_security_policy.rb +2 -2
  14. data/lib/secure_headers/headers/content_security_policy_config.rb +45 -12
  15. data/lib/secure_headers/headers/expect_certificate_transparency.rb +70 -0
  16. data/lib/secure_headers/headers/policy_management.rb +22 -22
  17. data/lib/secure_headers/headers/public_key_pins.rb +1 -1
  18. data/lib/secure_headers/headers/referrer_policy.rb +1 -1
  19. data/lib/secure_headers/headers/strict_transport_security.rb +1 -1
  20. data/lib/secure_headers/headers/x_content_type_options.rb +1 -1
  21. data/lib/secure_headers/headers/x_download_options.rb +1 -1
  22. data/lib/secure_headers/headers/x_frame_options.rb +1 -1
  23. data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +1 -1
  24. data/lib/secure_headers/headers/x_xss_protection.rb +1 -1
  25. data/lib/secure_headers/view_helper.rb +2 -2
  26. data/lib/secure_headers.rb +5 -2
  27. data/secure_headers.gemspec +2 -2
  28. data/spec/lib/secure_headers/headers/clear_site_data_spec.rb +9 -26
  29. data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +12 -8
  30. data/spec/lib/secure_headers/headers/expect_certificate_spec.rb +42 -0
  31. data/spec/lib/secure_headers/headers/policy_management_spec.rb +1 -0
  32. data/spec/lib/secure_headers/view_helpers_spec.rb +0 -1
  33. data/spec/lib/secure_headers_spec.rb +31 -4
  34. data/spec/spec_helper.rb +1 -0
  35. metadata +9 -4
@@ -105,7 +105,7 @@ module SecureHeaders
105
105
  end
106
106
 
107
107
  it "produces a UA-specific CSP when overriding (and busting the cache)" do
108
- config = Configuration.default do |config|
108
+ Configuration.default do |config|
109
109
  config.csp = {
110
110
  default_src: %w('self'),
111
111
  child_src: %w('self')
@@ -173,6 +173,33 @@ module SecureHeaders
173
173
  expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; script-src mycdn.com 'unsafe-inline' anothercdn.com")
174
174
  end
175
175
 
176
+ it "appends child-src to frame-src" do
177
+ Configuration.default do |config|
178
+ config.csp = {
179
+ default_src: %w('self'),
180
+ frame_src: %w(frame_src.com)
181
+ }
182
+ end
183
+
184
+ SecureHeaders.append_content_security_policy_directives(chrome_request, child_src: %w(child_src.com))
185
+ hash = SecureHeaders.header_hash_for(chrome_request)
186
+ expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; child-src frame_src.com child_src.com")
187
+ end
188
+
189
+ it "appends frame-src to child-src" do
190
+ Configuration.default do |config|
191
+ config.csp = {
192
+ default_src: %w('self'),
193
+ child_src: %w(child_src.com)
194
+ }
195
+ end
196
+
197
+ safari_request = Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:safari6]))
198
+ SecureHeaders.append_content_security_policy_directives(safari_request, frame_src: %w(frame_src.com))
199
+ hash = SecureHeaders.header_hash_for(safari_request)
200
+ expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; frame-src child_src.com frame_src.com")
201
+ end
202
+
176
203
  it "supports named appends" do
177
204
  Configuration.default do |config|
178
205
  config.csp = {
@@ -204,7 +231,7 @@ module SecureHeaders
204
231
 
205
232
  SecureHeaders.content_security_policy_script_nonce(request) # should add the value to the header
206
233
  hash = SecureHeaders.header_hash_for(chrome_request)
207
- expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to match /\Adefault-src 'self'; script-src 'self' 'nonce-.*'\z/
234
+ expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/\Adefault-src 'self'; script-src 'self' 'nonce-.*'\z/)
208
235
  end
209
236
 
210
237
  it "appends a hash to a missing script-src value" do
@@ -216,7 +243,7 @@ module SecureHeaders
216
243
 
217
244
  SecureHeaders.append_content_security_policy_directives(request, script_src: %w('sha256-abc123'))
218
245
  hash = SecureHeaders.header_hash_for(chrome_request)
219
- expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to match /\Adefault-src 'self'; script-src 'self' 'sha256-abc123'\z/
246
+ expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/\Adefault-src 'self'; script-src 'self' 'sha256-abc123'\z/)
220
247
  end
221
248
 
222
249
  it "overrides individual directives" do
@@ -252,7 +279,7 @@ module SecureHeaders
252
279
  end
253
280
 
254
281
  safari_request = Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:safari5]))
255
- nonce = SecureHeaders.content_security_policy_script_nonce(safari_request)
282
+ SecureHeaders.content_security_policy_script_nonce(safari_request)
256
283
  hash = SecureHeaders.header_hash_for(safari_request)
257
284
  expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; script-src mycdn.com 'unsafe-inline'; style-src 'self'")
258
285
  end
data/spec/spec_helper.rb CHANGED
@@ -34,6 +34,7 @@ def expect_default_values(hash)
34
34
  expect(hash[SecureHeaders::XContentTypeOptions::HEADER_NAME]).to eq(SecureHeaders::XContentTypeOptions::DEFAULT_VALUE)
35
35
  expect(hash[SecureHeaders::XPermittedCrossDomainPolicies::HEADER_NAME]).to eq(SecureHeaders::XPermittedCrossDomainPolicies::DEFAULT_VALUE)
36
36
  expect(hash[SecureHeaders::ReferrerPolicy::HEADER_NAME]).to be_nil
37
+ expect(hash[SecureHeaders::ExpectCertificateTransparency::HEADER_NAME]).to be_nil
37
38
  end
38
39
 
39
40
  module SecureHeaders
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.6.0
4
+ version: 3.7.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Neil Matatall
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-01-05 00:00:00.000000000 Z
11
+ date: 2017-08-25 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake
@@ -38,7 +38,7 @@ dependencies:
38
38
  - - ">="
39
39
  - !ruby/object:Gem::Version
40
40
  version: '0'
41
- description: Security related headers all in one gem.
41
+ description: Manages application of security headers with many safe defaults.
42
42
  email:
43
43
  - neil.matatall@gmail.com
44
44
  executables: []
@@ -53,6 +53,8 @@ files:
53
53
  - ".ruby-version"
54
54
  - ".travis.yml"
55
55
  - CHANGELOG.md
56
+ - CODE_OF_CONDUCT.md
57
+ - CONTRIBUTING.md
56
58
  - Gemfile
57
59
  - Guardfile
58
60
  - LICENSE
@@ -71,6 +73,7 @@ files:
71
73
  - lib/secure_headers/headers/content_security_policy.rb
72
74
  - lib/secure_headers/headers/content_security_policy_config.rb
73
75
  - lib/secure_headers/headers/cookie.rb
76
+ - lib/secure_headers/headers/expect_certificate_transparency.rb
74
77
  - lib/secure_headers/headers/policy_management.rb
75
78
  - lib/secure_headers/headers/public_key_pins.rb
76
79
  - lib/secure_headers/headers/referrer_policy.rb
@@ -90,6 +93,7 @@ files:
90
93
  - spec/lib/secure_headers/headers/clear_site_data_spec.rb
91
94
  - spec/lib/secure_headers/headers/content_security_policy_spec.rb
92
95
  - spec/lib/secure_headers/headers/cookie_spec.rb
96
+ - spec/lib/secure_headers/headers/expect_certificate_spec.rb
93
97
  - spec/lib/secure_headers/headers/policy_management_spec.rb
94
98
  - spec/lib/secure_headers/headers/public_key_pins_spec.rb
95
99
  - spec/lib/secure_headers/headers/referrer_policy_spec.rb
@@ -124,7 +128,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
124
128
  version: '0'
125
129
  requirements: []
126
130
  rubyforge_project:
127
- rubygems_version: 2.4.5.1
131
+ rubygems_version: 2.5.2
128
132
  signing_key:
129
133
  specification_version: 4
130
134
  summary: Add easily configured security headers to responses including content-security-policy,
@@ -134,6 +138,7 @@ test_files:
134
138
  - spec/lib/secure_headers/headers/clear_site_data_spec.rb
135
139
  - spec/lib/secure_headers/headers/content_security_policy_spec.rb
136
140
  - spec/lib/secure_headers/headers/cookie_spec.rb
141
+ - spec/lib/secure_headers/headers/expect_certificate_spec.rb
137
142
  - spec/lib/secure_headers/headers/policy_management_spec.rb
138
143
  - spec/lib/secure_headers/headers/public_key_pins_spec.rb
139
144
  - spec/lib/secure_headers/headers/referrer_policy_spec.rb