secure_headers 3.6.6 → 3.6.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of secure_headers might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -1
- data/README.md +1 -0
- data/lib/secure_headers/headers/content_security_policy_config.rb +0 -1
- data/lib/secure_headers/headers/policy_management.rb +8 -16
- data/secure_headers.gemspec +2 -2
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +5 -6
- data/spec/lib/secure_headers/headers/policy_management_spec.rb +1 -0
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 9ba9d50d38ff5d5eb3770fd8e2d445ac0c8bf934
|
|
4
|
+
data.tar.gz: 0d0a0bd64c859ce0421effd4b1648de3df8acfa1
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d0c708c8b93bf64c601a0fe7c358a9d2270016a80931d786774e8180ca50b7c61207e4f9759fb085fde7703099a1be96c4b5210b642d17a0c13000a4cdc8c51f
|
|
7
|
+
data.tar.gz: 00fe77abc4a759ada4b509b899c48f0b0ee62d86b151b5c6a41f6bbde390c4dccc8ed1a33e02ed67a45fa8e2d61da0ebeeefa1c2a59566e587b583f53df98805
|
data/CHANGELOG.md
CHANGED
|
@@ -1,6 +1,10 @@
|
|
|
1
|
+
## 3.6.7
|
|
2
|
+
|
|
3
|
+
Actually set manifest-src when configured. https://github.com/twitter/secureheaders/pull/339 Thanks @carlosantoniodasilva!
|
|
4
|
+
|
|
1
5
|
## 3.6.6
|
|
2
6
|
|
|
3
|
-
|
|
7
|
+
wat?
|
|
4
8
|
|
|
5
9
|
## 3.6.5
|
|
6
10
|
|
data/README.md
CHANGED
|
@@ -91,6 +91,7 @@ SecureHeaders::Configuration.default do |config|
|
|
|
91
91
|
form_action: %w('self' github.com),
|
|
92
92
|
frame_ancestors: %w('none'),
|
|
93
93
|
img_src: %w(mycdn.com data:),
|
|
94
|
+
manifest_src: %w('self'),
|
|
94
95
|
media_src: %w(utoob.com),
|
|
95
96
|
object_src: %w('self'),
|
|
96
97
|
plugin_types: %w(application/x-shockwave-flash),
|
|
@@ -62,22 +62,15 @@ module SecureHeaders
|
|
|
62
62
|
|
|
63
63
|
# All the directives currently under consideration for CSP level 3.
|
|
64
64
|
# https://w3c.github.io/webappsec/specs/CSP2/
|
|
65
|
+
BLOCK_ALL_MIXED_CONTENT = :block_all_mixed_content
|
|
65
66
|
MANIFEST_SRC = :manifest_src
|
|
66
|
-
|
|
67
|
+
UPGRADE_INSECURE_REQUESTS = :upgrade_insecure_requests
|
|
67
68
|
DIRECTIVES_3_0 = [
|
|
68
69
|
DIRECTIVES_2_0,
|
|
69
|
-
MANIFEST_SRC,
|
|
70
|
-
REFLECTED_XSS
|
|
71
|
-
].flatten.freeze
|
|
72
|
-
|
|
73
|
-
# All the directives that are not currently in a formal spec, but have
|
|
74
|
-
# been implemented somewhere.
|
|
75
|
-
BLOCK_ALL_MIXED_CONTENT = :block_all_mixed_content
|
|
76
|
-
UPGRADE_INSECURE_REQUESTS = :upgrade_insecure_requests
|
|
77
|
-
DIRECTIVES_DRAFT = [
|
|
78
70
|
BLOCK_ALL_MIXED_CONTENT,
|
|
71
|
+
MANIFEST_SRC,
|
|
79
72
|
UPGRADE_INSECURE_REQUESTS
|
|
80
|
-
].freeze
|
|
73
|
+
].flatten.freeze
|
|
81
74
|
|
|
82
75
|
EDGE_DIRECTIVES = DIRECTIVES_1_0
|
|
83
76
|
SAFARI_DIRECTIVES = DIRECTIVES_1_0
|
|
@@ -99,18 +92,18 @@ module SecureHeaders
|
|
|
99
92
|
].freeze
|
|
100
93
|
|
|
101
94
|
FIREFOX_DIRECTIVES = (
|
|
102
|
-
|
|
95
|
+
DIRECTIVES_3_0 - FIREFOX_UNSUPPORTED_DIRECTIVES
|
|
103
96
|
).freeze
|
|
104
97
|
|
|
105
98
|
FIREFOX_46_DIRECTIVES = (
|
|
106
|
-
|
|
99
|
+
DIRECTIVES_3_0 - FIREFOX_46_UNSUPPORTED_DIRECTIVES - FIREFOX_46_DEPRECATED_DIRECTIVES
|
|
107
100
|
).freeze
|
|
108
101
|
|
|
109
102
|
CHROME_DIRECTIVES = (
|
|
110
|
-
|
|
103
|
+
DIRECTIVES_3_0
|
|
111
104
|
).freeze
|
|
112
105
|
|
|
113
|
-
ALL_DIRECTIVES = (DIRECTIVES_1_0 + DIRECTIVES_2_0 + DIRECTIVES_3_0
|
|
106
|
+
ALL_DIRECTIVES = (DIRECTIVES_1_0 + DIRECTIVES_2_0 + DIRECTIVES_3_0).uniq.sort
|
|
114
107
|
|
|
115
108
|
# Think of default-src and report-uri as the beginning and end respectively,
|
|
116
109
|
# everything else is in between.
|
|
@@ -156,7 +149,6 @@ module SecureHeaders
|
|
|
156
149
|
MEDIA_SRC => :source_list,
|
|
157
150
|
OBJECT_SRC => :source_list,
|
|
158
151
|
PLUGIN_TYPES => :source_list,
|
|
159
|
-
REFLECTED_XSS => :string,
|
|
160
152
|
REPORT_URI => :source_list,
|
|
161
153
|
SANDBOX => :source_list,
|
|
162
154
|
SCRIPT_SRC => :source_list,
|
data/secure_headers.gemspec
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# -*- encoding: utf-8 -*-
|
|
2
2
|
Gem::Specification.new do |gem|
|
|
3
3
|
gem.name = "secure_headers"
|
|
4
|
-
gem.version = "3.6.
|
|
4
|
+
gem.version = "3.6.7"
|
|
5
5
|
gem.authors = ["Neil Matatall"]
|
|
6
6
|
gem.email = ["neil.matatall@gmail.com"]
|
|
7
7
|
gem.description = 'Manages application of security headers with many safe defaults.'
|
|
@@ -15,5 +15,5 @@ Gem::Specification.new do |gem|
|
|
|
15
15
|
gem.test_files = gem.files.grep(%r{^(test|spec|features)/})
|
|
16
16
|
gem.require_paths = ["lib"]
|
|
17
17
|
gem.add_development_dependency "rake"
|
|
18
|
-
gem.add_dependency "useragent"
|
|
18
|
+
gem.add_dependency "useragent"
|
|
19
19
|
end
|
|
@@ -119,7 +119,6 @@ module SecureHeaders
|
|
|
119
119
|
end.merge({
|
|
120
120
|
block_all_mixed_content: true,
|
|
121
121
|
upgrade_insecure_requests: true,
|
|
122
|
-
reflected_xss: "block",
|
|
123
122
|
script_src: %w(script-src.com),
|
|
124
123
|
script_nonce: 123456
|
|
125
124
|
})
|
|
@@ -127,22 +126,22 @@ module SecureHeaders
|
|
|
127
126
|
|
|
128
127
|
it "does not filter any directives for Chrome" do
|
|
129
128
|
policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:chrome])
|
|
130
|
-
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
129
|
+
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
131
130
|
end
|
|
132
131
|
|
|
133
132
|
it "does not filter any directives for Opera" do
|
|
134
133
|
policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:opera])
|
|
135
|
-
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
134
|
+
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
136
135
|
end
|
|
137
136
|
|
|
138
137
|
it "filters blocked-all-mixed-content, child-src, and plugin-types for firefox" do
|
|
139
138
|
policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:firefox])
|
|
140
|
-
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
139
|
+
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
141
140
|
end
|
|
142
141
|
|
|
143
142
|
it "filters blocked-all-mixed-content, frame-src, and plugin-types for firefox 46 and higher" do
|
|
144
143
|
policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:firefox46])
|
|
145
|
-
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
144
|
+
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
146
145
|
end
|
|
147
146
|
|
|
148
147
|
it "child-src value is copied to frame-src, adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, upgrade-insecure-requests, child-src, form-action, frame-ancestors, nonce sources, hash sources, and plugin-types for Edge" do
|
|
@@ -164,7 +163,7 @@ module SecureHeaders
|
|
|
164
163
|
ua = USER_AGENTS[:firefox].dup
|
|
165
164
|
allow(ua).to receive(:version).and_return(nil)
|
|
166
165
|
policy = ContentSecurityPolicy.new(complex_opts, ua)
|
|
167
|
-
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
166
|
+
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
168
167
|
end
|
|
169
168
|
end
|
|
170
169
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.6.
|
|
4
|
+
version: 3.6.7
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-
|
|
11
|
+
date: 2017-07-14 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|
|
@@ -30,14 +30,14 @@ dependencies:
|
|
|
30
30
|
requirements:
|
|
31
31
|
- - ">="
|
|
32
32
|
- !ruby/object:Gem::Version
|
|
33
|
-
version: 0
|
|
33
|
+
version: '0'
|
|
34
34
|
type: :runtime
|
|
35
35
|
prerelease: false
|
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
|
37
37
|
requirements:
|
|
38
38
|
- - ">="
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
|
-
version: 0
|
|
40
|
+
version: '0'
|
|
41
41
|
description: Manages application of security headers with many safe defaults.
|
|
42
42
|
email:
|
|
43
43
|
- neil.matatall@gmail.com
|