secure_headers 3.7.3 → 3.7.4





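--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 5cd934820f1415f10f72f50e9c2b7fa1e28e0c42
- data.tar.gz: 44ab45585f8c160e2c584322a134481762b3d19b
+ metadata.gz: a365e7f904bc5b4eba16131acbfa3dae889c6b5b
+ data.tar.gz: 750fb42f0641c07950c55082f946ea6ae6d8087f
  SHA512:
- metadata.gz: c89380d4d42e28edb2ddd461b2efc14c81591a69b9a7b3c9f95614d103c358565da9e707a6cca3c74d13feec04fb9696a70260129103e92b411b675ab0f73ccd
- data.tar.gz: 40bc10998d062ae8103256061d989db50c3b3a9908905cca2b106c313a0f2e417fcc50e3b89c4dd9b4602b2b49a6d3080cd28e761d9f23c56cfff426bd7cac55
+ metadata.gz: ba3a0808f3f7f3136e265c687dd766bdc79598eac7eebc98b1ce8160f150716c4b085dfd83da1f4408abcb220eba8e681b29aaf07cb9d8bb196ac5b408c9d8af
+ data.tar.gz: 54a80c904e4f06b9888e6d42669a06ecc81b4eea2482f0cf44fdf626c74d1cc79543d07fb6034e43685031d19efe15845e49bfbec9ce94efc49f1ccf2f41456a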
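--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,7 @@
+ ## 3.7.4
+
+ Backport SameSite=None functionality into 3.x line
+
  ## 3.7.3
 
  - Updates `Expect-CT` header to use a comma separator between directives, as specified in the most current spec.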
data/docs/cookies.md CHANGED
@@ -38,13 +38,14 @@ config.cookies = {
38
38
  }
39
39
  ```
40
40
 
41
- `Strict` and `Lax` enforcement modes can also be specified using a Hash.
41
+ `Strict`, `Lax`, and `None` enforcement modes can also be specified using a Hash.
42
42
 
43
43
  ```ruby
44
44
  config.cookies = {
45
45
  samesite: {
46
46
  strict: { only: ['_rails_session'] },
47
- lax: { only: ['_guest'] }
47
+ lax: { only: ['_guest'] },
48
+ none: { only: ['_tracking'] },
48
49
  }
49
50
  }
50
51
  ```
@@ -81,11 +81,13 @@ module SecureHeaders
81
81
  "SameSite=Lax"
82
82
  elsif flag_samesite_strict?
83
83
  "SameSite=Strict"
84
+ elsif flag_samesite_none?
85
+ "SameSite=None"
84
86
  end
85
87
  end
86
88
 
87
89
  def flag_samesite?
88
- flag_samesite_lax? || flag_samesite_strict?
90
+ flag_samesite_lax? || flag_samesite_strict? || flag_samesite_none?
89
91
  end
90
92
 
91
93
  def flag_samesite_lax?
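Review bot: The added `elsif flag_samesite_none?` branch emits `SameSite=None` on its own, and the spec changes in this release expect exactly `_session=thisisatest; SameSite=None`, so a cookie configured with `none` but without the gem's `secure` option is serialized without the `Secure` attribute; the SameSite=None semantics require Secure, and browsers that implement them discard such a cookie, so the setting can silently stop the cookie from being sent at all. Consider pairing the mode with the secure flag, either by raising from config validation when `none` is configured without `secure` (that validation lives in `validate_samesite_boolean_config!`, in a later hunk) or at least by documenting it next to the `none` option in docs/cookies.md with a line such as `SameSite=None is only honoured when the cookie is also Secure; enable the secure option for any cookie in the none list`. `flag_samesite_none?` itself is defined in the following hunk, and the method containing this branch starts before this hunk.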
@@ -96,6 +98,10 @@ module SecureHeaders
96
98
  flag_samesite_enforcement?(:strict)
97
99
  end
98
100
 
101
+ def flag_samesite_none?
102
+ flag_samesite_enforcement?(:none)
103
+ end
104
+
99
105
  def flag_samesite_enforcement?(mode)
100
106
  return unless config[:samesite]
101
107
 
@@ -41,10 +41,12 @@ module SecureHeaders
41
41
 
42
42
  # when configuring with booleans, only one enforcement is permitted
43
43
  def validate_samesite_boolean_config!
44
- if config[:samesite].key?(:lax) && config[:samesite][:lax].is_a?(TrueClass) && config[:samesite].key?(:strict)
45
- raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax and strict enforcement is not permitted.")
46
- elsif config[:samesite].key?(:strict) && config[:samesite][:strict].is_a?(TrueClass) && config[:samesite].key?(:lax)
47
- raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax and strict enforcement is not permitted.")
44
+ if config[:samesite].key?(:lax) && config[:samesite][:lax].is_a?(TrueClass) && (config[:samesite].key?(:strict) || config[:samesite].key?(:none))
45
+ raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax with strict or no enforcement is not permitted.")
46
+ elsif config[:samesite].key?(:strict) && config[:samesite][:strict].is_a?(TrueClass) && (config[:samesite].key?(:lax) || config[:samesite].key?(:none))
47
+ raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure strict with lax or no enforcement is not permitted.")
48
+ elsif config[:samesite].key?(:none) && config[:samesite][:none].is_a?(TrueClass) && (config[:samesite].key?(:lax) || config[:samesite].key?(:strict))
49
+ raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure no enforcement with lax or strict is not permitted.")
48
50
  end
49
51
  end
50
52
 
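Review bot: The three `elsif` branches at new lines 44-49 are the same check repeated per mode, and the new messages describe the `none` mode as "no enforcement", which reads as "no SameSite enforcement configured" rather than as the `None` value being sent; a single loop over `%i[lax strict none]` with the mode name interpolated keeps the messages accurate and means a fourth mode cannot be added with some of its combinations missing. The `.key?(mode)` guards are redundant with `.is_a?(TrueClass)`, which is false for the `nil` a missing key yields, so the loop below drops them. This validation only rejects boolean-with-anything combinations; it does not check that `none` is paired with the `secure` option, which SameSite=None requires, and this method is where such a check would belong if the project wants to enforce it.

```ruby
def validate_samesite_boolean_config!
  modes = %i[lax strict none]
  modes.each do |mode|
    next unless config[:samesite][mode].is_a?(TrueClass)
    others = modes - [mode]
    next if others.none? { |other| config[:samesite].key?(other) }
    raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure #{mode} with #{others.join(' or ')} enforcement is not permitted.")
  end
end
```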
@@ -1,7 +1,7 @@
1
1
  # -*- encoding: utf-8 -*-
2
2
  Gem::Specification.new do |gem|
3
3
  gem.name = "secure_headers"
4
- gem.version = "3.7.3"
4
+ gem.version = "3.7.4"
5
5
  gem.authors = ["Neil Matatall"]
6
6
  gem.email = ["neil.matatall@gmail.com"]
7
7
  gem.description = 'Manages application of security headers with many safe defaults.'
@@ -62,29 +62,21 @@ module SecureHeaders
62
62
  end
63
63
 
64
64
  context "SameSite cookies" do
65
- it "flags SameSite=Lax" do
66
- cookie = Cookie.new(raw_cookie, samesite: { lax: { only: ["_session"] } })
67
- expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Lax")
68
- end
69
-
70
- it "flags SameSite=Lax when configured with a boolean" do
71
- cookie = Cookie.new(raw_cookie, samesite: { lax: true})
72
- expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Lax")
73
- end
74
-
75
- it "does not flag cookies as SameSite=Lax when excluded" do
76
- cookie = Cookie.new(raw_cookie, samesite: { lax: { except: ["_session"] } })
77
- expect(cookie.to_s).to eq("_session=thisisatest")
78
- end
65
+ %w(None Lax Strict).each do |flag|
66
+ it "flags SameSite=#{flag}" do
67
+ cookie = Cookie.new(raw_cookie, samesite: { flag.downcase.to_sym => { only: ["_session"] } })
68
+ expect(cookie.to_s).to eq("_session=thisisatest; SameSite=#{flag}")
69
+ end
79
70
 
80
- it "flags SameSite=Strict" do
81
- cookie = Cookie.new(raw_cookie, samesite: { strict: { only: ["_session"] } })
82
- expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Strict")
83
- end
71
+ it "flags SameSite=#{flag} when configured with a boolean" do
72
+ cookie = Cookie.new(raw_cookie, samesite: { flag.downcase.to_sym => true })
73
+ expect(cookie.to_s).to eq("_session=thisisatest; SameSite=#{flag}")
74
+ end
84
75
 
85
- it "does not flag cookies as SameSite=Strict when excluded" do
86
- cookie = Cookie.new(raw_cookie, samesite: { strict: { except: ["_session"] } })
87
- expect(cookie.to_s).to eq("_session=thisisatest")
76
+ it "does not flag cookies as SameSite=#{flag} when excluded" do
77
+ cookie = Cookie.new(raw_cookie, samesite: { flag.downcase.to_sym => { except: ["_session"] } })
78
+ expect(cookie.to_s).to eq("_session=thisisatest")
79
+ end
88
80
  end
89
81
 
90
82
  it "flags SameSite=Strict when configured with a boolean" do
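Review bot: The context example `it "flags SameSite=Strict when configured with a boolean"` that follows the new loop (new line 82) now carries the same description as the `flags SameSite=#{flag} when configured with a boolean` example the loop generates for Strict; its body runs past the hunk, so if it asserts the same output it is a leftover that should go with the other per-mode examples, and if it asserts something different it needs a distinct description. Separately, the generated expectation `_session=thisisatest; SameSite=#{flag}` pins `SameSite=None` with no `Secure` attribute, which documents that the library does not enforce the Secure pairing SameSite=None requires; if that pairing is added, this is the expectation that will need updating.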
@@ -131,10 +123,15 @@ module SecureHeaders
131
123
  end.to raise_error(CookiesConfigError)
132
124
  end
133
125
 
134
- it "raises an exception when SameSite lax and strict enforcement modes are configured with booleans" do
135
- expect do
136
- Cookie.validate_config!(samesite: { lax: true, strict: true})
137
- end.to raise_error(CookiesConfigError)
126
+ cookie_options = %w(none lax strict).map(&:to_sym)
127
+ cookie_options.each do |flag|
128
+ (cookie_options - [flag]).each do |other_flag|
129
+ it "raises an exception when SameSite #{flag} and #{other_flag} enforcement modes are configured with booleans" do
130
+ expect do
131
+ Cookie.validate_config!(samesite: { flag => true, other_flag => true})
132
+ end.to raise_error(CookiesConfigError)
133
+ end
134
+ end
138
135
  end
139
136
 
140
137
  it "raises an exception when SameSite lax and strict enforcement modes are configured with booleans" do
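Review bot: `cookie_options = %w(none lax strict).map(&:to_sym)` is just `%i[none lax strict]`, and the nested `each` over `cookie_options - [flag]` generates ordered pairs, so every boolean combination is asserted twice (lax/strict and strict/lax) against a validation that only checks key presence; `cookie_options.combination(2).each do |flag, other_flag|` covers each pair once with one `end` fewer. The context example at new line 137 keeps the description `raises an exception when SameSite lax and strict enforcement modes are configured with booleans` that the removed example also had; its body is outside the hunk, so if it covers a different case it should carry a description that says which one.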
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.7.3
4
+ version: 3.7.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - Neil Matatall
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-10-19 00:00:00.000000000 Z
11
+ date: 2020-01-14 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake