secure_headers 3.7.0 → 4.0.0.alpha01
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.rspec +1 -0
- data/.rubocop.yml +3 -0
- data/.ruby-version +1 -1
- data/.travis.yml +8 -6
- data/CHANGELOG.md +2 -10
- data/CONTRIBUTING.md +1 -1
- data/Gemfile +7 -4
- data/Guardfile +1 -0
- data/README.md +4 -24
- data/Rakefile +22 -18
- data/docs/cookies.md +16 -2
- data/lib/secure_headers/configuration.rb +6 -16
- data/lib/secure_headers/hash_helper.rb +2 -1
- data/lib/secure_headers/headers/clear_site_data.rb +2 -1
- data/lib/secure_headers/headers/content_security_policy.rb +7 -12
- data/lib/secure_headers/headers/content_security_policy_config.rb +1 -0
- data/lib/secure_headers/headers/cookie.rb +21 -3
- data/lib/secure_headers/headers/policy_management.rb +10 -2
- data/lib/secure_headers/headers/public_key_pins.rb +4 -3
- data/lib/secure_headers/headers/referrer_policy.rb +1 -0
- data/lib/secure_headers/headers/strict_transport_security.rb +2 -1
- data/lib/secure_headers/headers/x_content_type_options.rb +1 -0
- data/lib/secure_headers/headers/x_download_options.rb +2 -1
- data/lib/secure_headers/headers/x_frame_options.rb +1 -0
- data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +2 -1
- data/lib/secure_headers/headers/x_xss_protection.rb +2 -1
- data/lib/secure_headers/middleware.rb +10 -9
- data/lib/secure_headers/railtie.rb +7 -6
- data/lib/secure_headers/utils/cookies_config.rb +13 -12
- data/lib/secure_headers/view_helper.rb +2 -1
- data/lib/secure_headers.rb +1 -2
- data/lib/tasks/tasks.rake +2 -1
- data/secure_headers.gemspec +13 -3
- data/spec/lib/secure_headers/configuration_spec.rb +9 -8
- data/spec/lib/secure_headers/headers/clear_site_data_spec.rb +2 -1
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +11 -16
- data/spec/lib/secure_headers/headers/cookie_spec.rb +38 -20
- data/spec/lib/secure_headers/headers/policy_management_spec.rb +20 -10
- data/spec/lib/secure_headers/headers/public_key_pins_spec.rb +7 -6
- data/spec/lib/secure_headers/headers/referrer_policy_spec.rb +4 -3
- data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +5 -4
- data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +2 -1
- data/spec/lib/secure_headers/headers/x_download_options_spec.rb +3 -2
- data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +2 -1
- data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb +4 -3
- data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +4 -3
- data/spec/lib/secure_headers/middleware_spec.rb +18 -21
- data/spec/lib/secure_headers/view_helpers_spec.rb +5 -4
- data/spec/lib/secure_headers_spec.rb +92 -120
- data/spec/spec_helper.rb +9 -23
- data/upgrading-to-4-0.md +49 -0
- metadata +15 -11
- data/lib/secure_headers/headers/expect_certificate_transparency.rb +0 -70
- data/spec/lib/secure_headers/headers/expect_certificate_spec.rb +0 -42
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 1cfa800eacf250583e379d13a9149d585bc2f48d
|
|
4
|
+
data.tar.gz: 3de8c81b1308ec9d1d53f822cff8eeb7e20b5af0
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 4c25ae5372ac00f74b0cae3b7de0a767a15b45f275bed64994c2cd7d078a2f0b52bdce562d14280984ad494fd008445d5d5448a3ac94694cd1f9778da3deeacc
|
|
7
|
+
data.tar.gz: 6fab2c382ed56f9a63dd118a34b617fb82b4ee4e9ef55f37d78e134ec9068c9ee1022ba0a94991d0b7b82ea756d78132d3c0dfc909e66d4068acde4f6d2673ff
|
data/.rspec
CHANGED
data/.rubocop.yml
ADDED
data/.ruby-version
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
2.
|
|
1
|
+
2.4.1
|
data/.travis.yml
CHANGED
|
@@ -2,15 +2,17 @@ language: ruby
|
|
|
2
2
|
|
|
3
3
|
rvm:
|
|
4
4
|
- ruby-head
|
|
5
|
-
- 2.4.
|
|
6
|
-
- 2.3.
|
|
5
|
+
- 2.4.1
|
|
6
|
+
- 2.3.4
|
|
7
7
|
- 2.2
|
|
8
|
-
- 2.1
|
|
9
|
-
- 2.0.0
|
|
10
|
-
- 1.9.3
|
|
11
|
-
- jruby-19mode
|
|
12
8
|
- jruby-head
|
|
13
9
|
|
|
10
|
+
env:
|
|
11
|
+
- SUITE=rspec spec
|
|
12
|
+
- SUITE=rubocop
|
|
13
|
+
|
|
14
|
+
script: bundle exec $SUITE
|
|
15
|
+
|
|
14
16
|
matrix:
|
|
15
17
|
allow_failures:
|
|
16
18
|
- rvm: jruby-head
|
data/CHANGELOG.md
CHANGED
|
@@ -1,14 +1,6 @@
|
|
|
1
|
-
##
|
|
1
|
+
## 4.x
|
|
2
2
|
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
## 3.6.7
|
|
6
|
-
|
|
7
|
-
Actually set manifest-src when configured. https://github.com/twitter/secureheaders/pull/339 Thanks @carlosantoniodasilva!
|
|
8
|
-
|
|
9
|
-
## 3.6.6
|
|
10
|
-
|
|
11
|
-
wat?
|
|
3
|
+
- See the [upgrading to 4.0](upgrading-to-4.0.md) guide. Lots of breaking changes.
|
|
12
4
|
|
|
13
5
|
## 3.6.5
|
|
14
6
|
|
data/CONTRIBUTING.md
CHANGED
|
@@ -30,7 +30,7 @@ Here are a few things you can do that will increase the likelihood of your pull
|
|
|
30
30
|
0. Ensure CI is green
|
|
31
31
|
0. Pull the latest code
|
|
32
32
|
0. Increment the version
|
|
33
|
-
0. Run `gem build
|
|
33
|
+
0. Run `gem build secure_headers.gemspec`
|
|
34
34
|
0. Bump the Gemfile and Gemfile.lock versions for an app which relies on this gem
|
|
35
35
|
0. Test behavior locally, branch deploy, whatever needs to happen
|
|
36
36
|
0. Run `bundle exec rake release`
|
data/Gemfile
CHANGED
|
@@ -1,19 +1,22 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
source "https://rubygems.org"
|
|
2
3
|
|
|
3
4
|
gemspec
|
|
4
5
|
|
|
5
6
|
group :test do
|
|
6
|
-
gem "
|
|
7
|
-
gem "pry-nav"
|
|
7
|
+
gem "coveralls"
|
|
8
8
|
gem "json", "~> 1"
|
|
9
|
+
gem "pry-nav"
|
|
9
10
|
gem "rack", "~> 1"
|
|
10
11
|
gem "rspec"
|
|
11
|
-
gem "
|
|
12
|
+
gem "rubocop", "~> 0.47.0"
|
|
13
|
+
gem "rubocop-github"
|
|
12
14
|
gem "term-ansicolor", "< 1.4"
|
|
15
|
+
gem "tins", "~> 1.6.0" # 1.7 requires ruby 2.0
|
|
13
16
|
end
|
|
14
17
|
|
|
15
18
|
group :guard do
|
|
16
|
-
gem "guard-rspec", platforms: [:ruby_19, :ruby_20, :ruby_21, :ruby_22]
|
|
17
19
|
gem "growl"
|
|
20
|
+
gem "guard-rspec", platforms: [:ruby_19, :ruby_20, :ruby_21, :ruby_22, :ruby_23, :ruby_24]
|
|
18
21
|
gem "rb-fsevent"
|
|
19
22
|
end
|
data/Guardfile
CHANGED
data/README.md
CHANGED
|
@@ -1,9 +1,10 @@
|
|
|
1
1
|
# Secure Headers [](http://travis-ci.org/twitter/secureheaders) [](https://codeclimate.com/github/twitter/secureheaders) [](https://coveralls.io/r/twitter/secureheaders)
|
|
2
2
|
|
|
3
|
+
**master represents the unreleased 4.x line**. See the [upgrading to 4.x doc](upgrading-to-4-0.md) for instructions on how to upgrade. Bug fixes should go in the 3.x branch for now.
|
|
3
4
|
|
|
4
|
-
**The 3.x branch
|
|
5
|
+
**The [3.x](https://github.com/twitter/secureheaders/tree/2.x) branch is moving into maintenance mode**. See the [upgrading to 3.x doc](upgrading-to-3-0.md) for instructions on how to upgrade including the differences and benefits of using the 3.x branch.
|
|
5
6
|
|
|
6
|
-
**The [2.x branch](https://github.com/twitter/secureheaders/tree/2.x) will be maintained**. The documentation below only applies to the 3.x branch. See the 2.x [README](https://github.com/twitter/secureheaders/blob/2.x/README.md) for the old way of doing things.
|
|
7
|
+
**The [2.x branch](https://github.com/twitter/secureheaders/tree/2.x) will be not be maintained once 4.x is released**. The documentation below only applies to the 3.x branch. See the 2.x [README](https://github.com/twitter/secureheaders/blob/2.x/README.md) for the old way of doing things.
|
|
7
8
|
|
|
8
9
|
The gem will automatically apply several headers that are related to security. This includes:
|
|
9
10
|
- Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack. [CSP 2 Specification](http://www.w3.org/TR/CSP2/)
|
|
@@ -18,7 +19,6 @@ The gem will automatically apply several headers that are related to security.
|
|
|
18
19
|
- X-Permitted-Cross-Domain-Policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
|
|
19
20
|
- Referrer-Policy - [Referrer Policy draft](https://w3c.github.io/webappsec-referrer-policy/)
|
|
20
21
|
- Public Key Pinning - Pin certificate fingerprints in the browser to prevent man-in-the-middle attacks due to compromised Certificate Authorities. [Public Key Pinning Specification](https://tools.ietf.org/html/rfc7469)
|
|
21
|
-
- Expect-CT - Only use certificates that are present in the certificate transparency logs. [Expect-CT draft specification](https://datatracker.ietf.org/doc/draft-stark-expect-ct/).
|
|
22
22
|
- Clear-Site-Data - Clearing browser data for origin. [Clear-Site-Data specification](https://w3c.github.io/webappsec-clear-site-data/).
|
|
23
23
|
|
|
24
24
|
It can also mark all http cookies with the Secure, HttpOnly and SameSite attributes (when configured to do so).
|
|
@@ -77,14 +77,8 @@ SecureHeaders::Configuration.default do |config|
|
|
|
77
77
|
"storage",
|
|
78
78
|
"executionContexts"
|
|
79
79
|
]
|
|
80
|
-
config.expect_certificate_transparency = {
|
|
81
|
-
enforce: false,
|
|
82
|
-
max_age: 1.day.to_i,
|
|
83
|
-
report_uri: "https://report-uri.io/example-ct"
|
|
84
|
-
}
|
|
85
80
|
config.csp = {
|
|
86
|
-
# "meta" values. these will
|
|
87
|
-
# report_only: true, # default: false [DEPRECATED from 3.5.0: instead, configure csp_report_only]
|
|
81
|
+
# "meta" values. these will shape the header, but the values are not included in the header.
|
|
88
82
|
preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
|
|
89
83
|
|
|
90
84
|
# directive values: these values will directly translate into source directives
|
|
@@ -138,20 +132,6 @@ X-Permitted-Cross-Domain-Policies: none
|
|
|
138
132
|
X-Xss-Protection: 1; mode=block
|
|
139
133
|
```
|
|
140
134
|
|
|
141
|
-
### Default CSP
|
|
142
|
-
|
|
143
|
-
By default, the above CSP will be applied to all requests. If you **only** want to set a Report-Only header, opt-out of the default enforced header for clarity. The configuration will assume that if you only supply `csp_report_only` that you intended to opt-out of `csp` but that's for the sake of backwards compatibility and it will be removed in the future.
|
|
144
|
-
|
|
145
|
-
```ruby
|
|
146
|
-
Configuration.default do |config|
|
|
147
|
-
config.csp = SecureHeaders::OPT_OUT # If this line is omitted, we will assume you meant to opt out.
|
|
148
|
-
config.csp_report_only = {
|
|
149
|
-
default_src: %w('self')
|
|
150
|
-
}
|
|
151
|
-
end
|
|
152
|
-
```
|
|
153
|
-
|
|
154
|
-
|
|
155
135
|
## Similar libraries
|
|
156
136
|
|
|
157
137
|
* Rack [rack-secure_headers](https://github.com/frodsan/rack-secure_headers)
|
data/Rakefile
CHANGED
|
@@ -1,28 +1,32 @@
|
|
|
1
1
|
#!/usr/bin/env rake
|
|
2
|
-
|
|
3
|
-
require
|
|
4
|
-
require
|
|
5
|
-
require
|
|
2
|
+
# frozen_string_literal: true
|
|
3
|
+
require "bundler/gem_tasks"
|
|
4
|
+
require "rspec/core/rake_task"
|
|
5
|
+
require "net/http"
|
|
6
|
+
require "net/https"
|
|
6
7
|
|
|
7
|
-
|
|
8
|
-
RSpec::Core::RakeTask.new do |t|
|
|
9
|
-
t.verbose = false
|
|
10
|
-
t.rspec_opts = "--format progress"
|
|
11
|
-
end
|
|
12
|
-
|
|
13
|
-
task default: :spec
|
|
8
|
+
RSpec::Core::RakeTask.new
|
|
14
9
|
|
|
15
10
|
begin
|
|
16
|
-
require
|
|
11
|
+
require "rdoc/task"
|
|
17
12
|
rescue LoadError
|
|
18
|
-
require
|
|
19
|
-
require
|
|
13
|
+
require "rdoc/rdoc"
|
|
14
|
+
require "rake/rdoctask"
|
|
20
15
|
RDoc::Task = Rake::RDocTask
|
|
21
16
|
end
|
|
22
17
|
|
|
18
|
+
begin
|
|
19
|
+
require "rubocop/rake_task"
|
|
20
|
+
RuboCop::RakeTask.new
|
|
21
|
+
rescue LoadError
|
|
22
|
+
task(:rubocop) { $stderr.puts "RuboCop is disabled" }
|
|
23
|
+
end
|
|
24
|
+
|
|
23
25
|
RDoc::Task.new(:rdoc) do |rdoc|
|
|
24
|
-
rdoc.rdoc_dir =
|
|
25
|
-
rdoc.title =
|
|
26
|
-
rdoc.options <<
|
|
27
|
-
rdoc.rdoc_files.include(
|
|
26
|
+
rdoc.rdoc_dir = "rdoc"
|
|
27
|
+
rdoc.title = "SecureHeaders"
|
|
28
|
+
rdoc.options << "--line-numbers"
|
|
29
|
+
rdoc.rdoc_files.include("lib/**/*.rb")
|
|
28
30
|
end
|
|
31
|
+
|
|
32
|
+
task default: [:spec, :rubocop]
|
data/docs/cookies.md
CHANGED
|
@@ -4,14 +4,28 @@ SecureHeaders supports `Secure`, `HttpOnly` and [`SameSite`](https://tools.ietf.
|
|
|
4
4
|
|
|
5
5
|
__Note__: Regardless of the configuration specified, Secure cookies are only enabled for HTTPS requests.
|
|
6
6
|
|
|
7
|
+
#### Defaults
|
|
8
|
+
|
|
9
|
+
By default, all cookies will get both `Secure`, `HttpOnly`, and `SameSite=Lax`.
|
|
10
|
+
|
|
11
|
+
```ruby
|
|
12
|
+
config.cookies = {
|
|
13
|
+
secure: true, # defaults to true but will be a no op on non-HTTPS requests
|
|
14
|
+
httponly: true, # defaults to true
|
|
15
|
+
samesite: { # defaults to set `SameSite=Lax`
|
|
16
|
+
lax: true
|
|
17
|
+
}
|
|
18
|
+
}
|
|
19
|
+
```
|
|
20
|
+
|
|
7
21
|
#### Boolean-based configuration
|
|
8
22
|
|
|
9
|
-
Boolean-based configuration is intended to globally enable or disable a specific cookie attribute.
|
|
23
|
+
Boolean-based configuration is intended to globally enable or disable a specific cookie attribute. *Note: As of 4.0, you must use OPT_OUT rather than false to opt out of the defaults.*
|
|
10
24
|
|
|
11
25
|
```ruby
|
|
12
26
|
config.cookies = {
|
|
13
27
|
secure: true, # mark all cookies as Secure
|
|
14
|
-
httponly:
|
|
28
|
+
httponly: OPT_OUT, # do not mark any cookies as HttpOnly
|
|
15
29
|
}
|
|
16
30
|
```
|
|
17
31
|
|
|
@@ -1,4 +1,5 @@
|
|
|
1
|
-
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
require "yaml"
|
|
2
3
|
|
|
3
4
|
module SecureHeaders
|
|
4
5
|
class Configuration
|
|
@@ -116,7 +117,7 @@ module SecureHeaders
|
|
|
116
117
|
|
|
117
118
|
attr_writer :hsts, :x_frame_options, :x_content_type_options,
|
|
118
119
|
:x_xss_protection, :x_download_options, :x_permitted_cross_domain_policies,
|
|
119
|
-
:referrer_policy, :clear_site_data
|
|
120
|
+
:referrer_policy, :clear_site_data
|
|
120
121
|
|
|
121
122
|
attr_reader :cached_headers, :csp, :cookies, :csp_report_only, :hpkp, :hpkp_report_host
|
|
122
123
|
|
|
@@ -143,7 +144,6 @@ module SecureHeaders
|
|
|
143
144
|
@x_frame_options = nil
|
|
144
145
|
@x_permitted_cross_domain_policies = nil
|
|
145
146
|
@x_xss_protection = nil
|
|
146
|
-
@expect_certificate_transparency = nil
|
|
147
147
|
|
|
148
148
|
self.hpkp = OPT_OUT
|
|
149
149
|
self.referrer_policy = OPT_OUT
|
|
@@ -169,7 +169,6 @@ module SecureHeaders
|
|
|
169
169
|
copy.x_download_options = @x_download_options
|
|
170
170
|
copy.x_permitted_cross_domain_policies = @x_permitted_cross_domain_policies
|
|
171
171
|
copy.clear_site_data = @clear_site_data
|
|
172
|
-
copy.expect_certificate_transparency = @expect_certificate_transparency
|
|
173
172
|
copy.referrer_policy = @referrer_policy
|
|
174
173
|
copy.hpkp = @hpkp
|
|
175
174
|
copy.hpkp_report_host = @hpkp_report_host
|
|
@@ -202,14 +201,12 @@ module SecureHeaders
|
|
|
202
201
|
XDownloadOptions.validate_config!(@x_download_options)
|
|
203
202
|
XPermittedCrossDomainPolicies.validate_config!(@x_permitted_cross_domain_policies)
|
|
204
203
|
ClearSiteData.validate_config!(@clear_site_data)
|
|
205
|
-
ExpectCertificateTransparency.validate_config!(@expect_certificate_transparency)
|
|
206
204
|
PublicKeyPins.validate_config!(@hpkp)
|
|
207
205
|
Cookie.validate_config!(@cookies)
|
|
208
206
|
end
|
|
209
207
|
|
|
210
208
|
def secure_cookies=(secure_cookies)
|
|
211
|
-
|
|
212
|
-
@cookies = (@cookies || {}).merge(secure: secure_cookies)
|
|
209
|
+
raise ArgumentError, "#{Kernel.caller.first}: `#secure_cookies=` is no longer supported. Please use `#cookies=` to configure secure cookies instead."
|
|
213
210
|
end
|
|
214
211
|
|
|
215
212
|
def csp=(new_csp)
|
|
@@ -217,10 +214,8 @@ module SecureHeaders
|
|
|
217
214
|
@csp = new_csp.dup
|
|
218
215
|
else
|
|
219
216
|
if new_csp[:report_only]
|
|
220
|
-
#
|
|
221
|
-
|
|
222
|
-
@csp = OPT_OUT
|
|
223
|
-
self.csp_report_only = new_csp
|
|
217
|
+
# invalid configuration implies that CSPRO should be set, CSP should not - so opt out
|
|
218
|
+
raise ArgumentError, "#{Kernel.caller.first}: `#csp=` was supplied a config with report_only: true. Use #csp_report_only="
|
|
224
219
|
else
|
|
225
220
|
@csp = ContentSecurityPolicyConfig.new(new_csp)
|
|
226
221
|
end
|
|
@@ -247,11 +242,6 @@ module SecureHeaders
|
|
|
247
242
|
end
|
|
248
243
|
end
|
|
249
244
|
end
|
|
250
|
-
|
|
251
|
-
if !@csp_report_only.opt_out? && @csp.to_h == ContentSecurityPolicyConfig::DEFAULT
|
|
252
|
-
Kernel.warn "#{Kernel.caller.first}: [DEPRECATION] `#csp_report_only=` was configured before `#csp=`. It is assumed you intended to opt out of `#csp=` so be sure to add `config.csp = SecureHeaders::OPT_OUT` to your config. Ensure that #csp_report_only is configured after #csp="
|
|
253
|
-
@csp = OPT_OUT
|
|
254
|
-
end
|
|
255
245
|
end
|
|
256
246
|
|
|
257
247
|
protected
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
module SecureHeaders
|
|
2
3
|
class ClearSiteDataConfigError < StandardError; end
|
|
3
4
|
class ClearSiteData
|
|
@@ -16,7 +17,7 @@ module SecureHeaders
|
|
|
16
17
|
# Public: make an Clear-Site-Data header name, value pair
|
|
17
18
|
#
|
|
18
19
|
# Returns nil if not configured, returns header name and value if configured.
|
|
19
|
-
def make_header(config=nil)
|
|
20
|
+
def make_header(config = nil)
|
|
20
21
|
case config
|
|
21
22
|
when nil, OPT_OUT, []
|
|
22
23
|
# noop
|
|
@@ -1,6 +1,7 @@
|
|
|
1
|
-
|
|
2
|
-
require_relative
|
|
3
|
-
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
require_relative "policy_management"
|
|
3
|
+
require_relative "content_security_policy_config"
|
|
4
|
+
require "useragent"
|
|
4
5
|
|
|
5
6
|
module SecureHeaders
|
|
6
7
|
class ContentSecurityPolicy
|
|
@@ -54,18 +55,12 @@ module SecureHeaders
|
|
|
54
55
|
|
|
55
56
|
private
|
|
56
57
|
|
|
57
|
-
# frame-src is deprecated, child-src is being implemented. They are
|
|
58
|
-
# very similar and in most cases, the same value can be used for both.
|
|
59
58
|
def normalize_child_frame_src
|
|
60
59
|
if @config.frame_src && @config.child_src && @config.frame_src != @config.child_src
|
|
61
|
-
|
|
60
|
+
raise ArgumentError, "#{Kernel.caller.first}: both :child_src and :frame_src supplied and do not match. This can lead to inconsistent behavior across browsers."
|
|
62
61
|
end
|
|
63
62
|
|
|
64
|
-
|
|
65
|
-
@config.child_src || @config.frame_src
|
|
66
|
-
else
|
|
67
|
-
@config.frame_src || @config.child_src
|
|
68
|
-
end
|
|
63
|
+
@config.frame_src || @config.child_src
|
|
69
64
|
end
|
|
70
65
|
|
|
71
66
|
# Private: converts the config object into a string representing a policy.
|
|
@@ -229,7 +224,7 @@ module SecureHeaders
|
|
|
229
224
|
end
|
|
230
225
|
|
|
231
226
|
def symbol_to_hyphen_case(sym)
|
|
232
|
-
sym.to_s.tr(
|
|
227
|
+
sym.to_s.tr("_", "-")
|
|
233
228
|
end
|
|
234
229
|
end
|
|
235
230
|
end
|
|
@@ -1,5 +1,7 @@
|
|
|
1
|
-
|
|
2
|
-
require
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
require "cgi"
|
|
3
|
+
require "secure_headers/utils/cookies_config"
|
|
4
|
+
|
|
3
5
|
|
|
4
6
|
module SecureHeaders
|
|
5
7
|
class CookiesConfigError < StandardError; end
|
|
@@ -13,8 +15,18 @@ module SecureHeaders
|
|
|
13
15
|
|
|
14
16
|
attr_reader :raw_cookie, :config
|
|
15
17
|
|
|
18
|
+
COOKIE_DEFAULTS = {
|
|
19
|
+
httponly: true,
|
|
20
|
+
secure: true,
|
|
21
|
+
samesite: { lax: true },
|
|
22
|
+
}.freeze
|
|
23
|
+
|
|
16
24
|
def initialize(cookie, config)
|
|
17
25
|
@raw_cookie = cookie
|
|
26
|
+
unless config == OPT_OUT
|
|
27
|
+
config ||= {}
|
|
28
|
+
config = COOKIE_DEFAULTS.merge(config)
|
|
29
|
+
end
|
|
18
30
|
@config = config
|
|
19
31
|
@attributes = {
|
|
20
32
|
httponly: nil,
|
|
@@ -56,6 +68,7 @@ module SecureHeaders
|
|
|
56
68
|
end
|
|
57
69
|
|
|
58
70
|
def flag_cookie?(attribute)
|
|
71
|
+
return false if config == OPT_OUT
|
|
59
72
|
case config[attribute]
|
|
60
73
|
when TrueClass
|
|
61
74
|
true
|
|
@@ -85,6 +98,7 @@ module SecureHeaders
|
|
|
85
98
|
end
|
|
86
99
|
|
|
87
100
|
def flag_samesite?
|
|
101
|
+
return false if config == OPT_OUT || config[:samesite] == OPT_OUT
|
|
88
102
|
flag_samesite_lax? || flag_samesite_strict?
|
|
89
103
|
end
|
|
90
104
|
|
|
@@ -99,6 +113,10 @@ module SecureHeaders
|
|
|
99
113
|
def flag_samesite_enforcement?(mode)
|
|
100
114
|
return unless config[:samesite]
|
|
101
115
|
|
|
116
|
+
if config[:samesite].is_a?(TrueClass) && mode == :lax
|
|
117
|
+
return true
|
|
118
|
+
end
|
|
119
|
+
|
|
102
120
|
case config[:samesite][mode]
|
|
103
121
|
when Hash
|
|
104
122
|
conditionally_flag?(config[:samesite][mode])
|
|
@@ -113,7 +131,7 @@ module SecureHeaders
|
|
|
113
131
|
return unless cookie
|
|
114
132
|
|
|
115
133
|
cookie.split(/[;,]\s?/).each do |pairs|
|
|
116
|
-
name, values = pairs.split(
|
|
134
|
+
name, values = pairs.split("=", 2)
|
|
117
135
|
name = CGI.unescape(name)
|
|
118
136
|
|
|
119
137
|
attribute = name.downcase.to_sym
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
module SecureHeaders
|
|
2
3
|
module PolicyManagement
|
|
3
4
|
def self.included(base)
|
|
@@ -5,8 +6,14 @@ module SecureHeaders
|
|
|
5
6
|
end
|
|
6
7
|
|
|
7
8
|
MODERN_BROWSERS = %w(Chrome Opera Firefox)
|
|
8
|
-
|
|
9
|
-
|
|
9
|
+
DEFAULT_CONFIG = {
|
|
10
|
+
default_src: %w(https:),
|
|
11
|
+
img_src: %w(https: data: 'self'),
|
|
12
|
+
object_src: %w('none'),
|
|
13
|
+
script_src: %w(https:),
|
|
14
|
+
style_src: %w('self' 'unsafe-inline' https:),
|
|
15
|
+
form_action: %w('self')
|
|
16
|
+
}.freeze
|
|
10
17
|
DATA_PROTOCOL = "data:".freeze
|
|
11
18
|
BLOB_PROTOCOL = "blob:".freeze
|
|
12
19
|
SELF = "'self'".freeze
|
|
@@ -195,6 +202,7 @@ module SecureHeaders
|
|
|
195
202
|
def validate_config!(config)
|
|
196
203
|
return if config.nil? || config.opt_out?
|
|
197
204
|
raise ContentSecurityPolicyConfigError.new(":default_src is required") unless config.directive_value(:default_src)
|
|
205
|
+
raise ContentSecurityPolicyConfigError.new(":script_src is required, falling back to default-src is too dangerous") unless config.directive_value(:script_src)
|
|
198
206
|
ContentSecurityPolicyConfig.attrs.each do |key|
|
|
199
207
|
value = config.directive_value(key)
|
|
200
208
|
next unless value
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
module SecureHeaders
|
|
2
3
|
class PublicKeyPinsConfigError < StandardError; end
|
|
3
4
|
class PublicKeyPins
|
|
@@ -54,7 +55,7 @@ module SecureHeaders
|
|
|
54
55
|
pin_directives,
|
|
55
56
|
report_uri_directive,
|
|
56
57
|
subdomain_directive
|
|
57
|
-
].compact.join(
|
|
58
|
+
].compact.join("; ").strip
|
|
58
59
|
end
|
|
59
60
|
|
|
60
61
|
def pin_directives
|
|
@@ -63,7 +64,7 @@ module SecureHeaders
|
|
|
63
64
|
pin.map do |token, hash|
|
|
64
65
|
"pin-#{token}=\"#{hash}\"" if HASH_ALGORITHMS.include?(token)
|
|
65
66
|
end
|
|
66
|
-
end.join(
|
|
67
|
+
end.join("; ")
|
|
67
68
|
end
|
|
68
69
|
|
|
69
70
|
def max_age_directive
|
|
@@ -75,7 +76,7 @@ module SecureHeaders
|
|
|
75
76
|
end
|
|
76
77
|
|
|
77
78
|
def subdomain_directive
|
|
78
|
-
@include_subdomains ?
|
|
79
|
+
@include_subdomains ? "includeSubDomains" : nil
|
|
79
80
|
end
|
|
80
81
|
end
|
|
81
82
|
end
|
|
@@ -1,8 +1,9 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
module SecureHeaders
|
|
2
3
|
class STSConfigError < StandardError; end
|
|
3
4
|
|
|
4
5
|
class StrictTransportSecurity
|
|
5
|
-
HEADER_NAME =
|
|
6
|
+
HEADER_NAME = "Strict-Transport-Security".freeze
|
|
6
7
|
HSTS_MAX_AGE = "631138519"
|
|
7
8
|
DEFAULT_VALUE = "max-age=" + HSTS_MAX_AGE
|
|
8
9
|
VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?(; preload)?\z/i
|
|
@@ -1,8 +1,9 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
module SecureHeaders
|
|
2
3
|
class XDOConfigError < StandardError; end
|
|
3
4
|
class XDownloadOptions
|
|
4
5
|
HEADER_NAME = "X-Download-Options".freeze
|
|
5
|
-
DEFAULT_VALUE =
|
|
6
|
+
DEFAULT_VALUE = "noopen"
|
|
6
7
|
CONFIG_KEY = :x_download_options
|
|
7
8
|
|
|
8
9
|
class << self
|
|
@@ -1,8 +1,9 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
module SecureHeaders
|
|
2
3
|
class XPCDPConfigError < StandardError; end
|
|
3
4
|
class XPermittedCrossDomainPolicies
|
|
4
5
|
HEADER_NAME = "X-Permitted-Cross-Domain-Policies".freeze
|
|
5
|
-
DEFAULT_VALUE =
|
|
6
|
+
DEFAULT_VALUE = "none"
|
|
6
7
|
VALID_POLICIES = %w(all none master-only by-content-type by-ftp-filename)
|
|
7
8
|
CONFIG_KEY = :x_permitted_cross_domain_policies
|
|
8
9
|
|
|
@@ -1,7 +1,8 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
module SecureHeaders
|
|
2
3
|
class XXssProtectionConfigError < StandardError; end
|
|
3
4
|
class XXssProtection
|
|
4
|
-
HEADER_NAME =
|
|
5
|
+
HEADER_NAME = "X-XSS-Protection".freeze
|
|
5
6
|
DEFAULT_VALUE = "1; mode=block"
|
|
6
7
|
VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/i
|
|
7
8
|
CONFIG_KEY = :x_xss_protection
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
module SecureHeaders
|
|
2
3
|
class Middleware
|
|
3
4
|
HPKP_SAME_HOST_WARNING = "[WARNING] HPKP report host should not be the same as the request host. See https://github.com/twitter/secureheaders/issues/166"
|
|
@@ -25,11 +26,11 @@ module SecureHeaders
|
|
|
25
26
|
|
|
26
27
|
# inspired by https://github.com/tobmatth/rack-ssl-enforcer/blob/6c014/lib/rack/ssl-enforcer.rb#L183-L194
|
|
27
28
|
def flag_cookies!(headers, config)
|
|
28
|
-
if cookies = headers[
|
|
29
|
+
if cookies = headers["Set-Cookie"]
|
|
29
30
|
# Support Rails 2.3 / Rack 1.1 arrays as headers
|
|
30
31
|
cookies = cookies.split("\n") unless cookies.is_a?(Array)
|
|
31
32
|
|
|
32
|
-
headers[
|
|
33
|
+
headers["Set-Cookie"] = cookies.map do |cookie|
|
|
33
34
|
SecureHeaders::Cookie.new(cookie, config).to_s
|
|
34
35
|
end.join("\n")
|
|
35
36
|
end
|
|
@@ -37,8 +38,8 @@ module SecureHeaders
|
|
|
37
38
|
|
|
38
39
|
# disable Secure cookies for non-https requests
|
|
39
40
|
def override_secure(env, config = {})
|
|
40
|
-
if scheme(env) !=
|
|
41
|
-
config
|
|
41
|
+
if scheme(env) != "https"
|
|
42
|
+
config[:secure] = OPT_OUT
|
|
42
43
|
end
|
|
43
44
|
|
|
44
45
|
config
|
|
@@ -46,12 +47,12 @@ module SecureHeaders
|
|
|
46
47
|
|
|
47
48
|
# derived from https://github.com/tobmatth/rack-ssl-enforcer/blob/6c014/lib/rack/ssl-enforcer.rb#L119
|
|
48
49
|
def scheme(env)
|
|
49
|
-
if env[
|
|
50
|
-
|
|
51
|
-
elsif env[
|
|
52
|
-
env[
|
|
50
|
+
if env["HTTPS"] == "on" || env["HTTP_X_SSL_REQUEST"] == "on"
|
|
51
|
+
"https"
|
|
52
|
+
elsif env["HTTP_X_FORWARDED_PROTO"]
|
|
53
|
+
env["HTTP_X_FORWARDED_PROTO"].split(",")[0]
|
|
53
54
|
else
|
|
54
|
-
env[
|
|
55
|
+
env["rack.url_scheme"]
|
|
55
56
|
end
|
|
56
57
|
end
|
|
57
58
|
end
|