secure_headers 3.7.3 → 3.7.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of secure_headers might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/docs/cookies.md +3 -2
- data/lib/secure_headers/headers/cookie.rb +7 -1
- data/lib/secure_headers/utils/cookies_config.rb +6 -4
- data/secure_headers.gemspec +1 -1
- data/spec/lib/secure_headers/headers/cookie_spec.rb +22 -25
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a365e7f904bc5b4eba16131acbfa3dae889c6b5b
|
|
4
|
+
data.tar.gz: 750fb42f0641c07950c55082f946ea6ae6d8087f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ba3a0808f3f7f3136e265c687dd766bdc79598eac7eebc98b1ce8160f150716c4b085dfd83da1f4408abcb220eba8e681b29aaf07cb9d8bb196ac5b408c9d8af
|
|
7
|
+
data.tar.gz: 54a80c904e4f06b9888e6d42669a06ecc81b4eea2482f0cf44fdf626c74d1cc79543d07fb6034e43685031d19efe15845e49bfbec9ce94efc49f1ccf2f41456a
|
data/CHANGELOG.md
CHANGED
data/docs/cookies.md
CHANGED
|
@@ -38,13 +38,14 @@ config.cookies = {
|
|
|
38
38
|
}
|
|
39
39
|
```
|
|
40
40
|
|
|
41
|
-
`Strict` and `
|
|
41
|
+
`Strict`, `Lax`, and `None` enforcement modes can also be specified using a Hash.
|
|
42
42
|
|
|
43
43
|
```ruby
|
|
44
44
|
config.cookies = {
|
|
45
45
|
samesite: {
|
|
46
46
|
strict: { only: ['_rails_session'] },
|
|
47
|
-
lax: { only: ['_guest'] }
|
|
47
|
+
lax: { only: ['_guest'] },
|
|
48
|
+
none: { only: ['_tracking'] },
|
|
48
49
|
}
|
|
49
50
|
}
|
|
50
51
|
```
|
|
@@ -81,11 +81,13 @@ module SecureHeaders
|
|
|
81
81
|
"SameSite=Lax"
|
|
82
82
|
elsif flag_samesite_strict?
|
|
83
83
|
"SameSite=Strict"
|
|
84
|
+
elsif flag_samesite_none?
|
|
85
|
+
"SameSite=None"
|
|
84
86
|
end
|
|
85
87
|
end
|
|
86
88
|
|
|
87
89
|
def flag_samesite?
|
|
88
|
-
flag_samesite_lax? || flag_samesite_strict?
|
|
90
|
+
flag_samesite_lax? || flag_samesite_strict? || flag_samesite_none?
|
|
89
91
|
end
|
|
90
92
|
|
|
91
93
|
def flag_samesite_lax?
|
|
@@ -96,6 +98,10 @@ module SecureHeaders
|
|
|
96
98
|
flag_samesite_enforcement?(:strict)
|
|
97
99
|
end
|
|
98
100
|
|
|
101
|
+
def flag_samesite_none?
|
|
102
|
+
flag_samesite_enforcement?(:none)
|
|
103
|
+
end
|
|
104
|
+
|
|
99
105
|
def flag_samesite_enforcement?(mode)
|
|
100
106
|
return unless config[:samesite]
|
|
101
107
|
|
|
@@ -41,10 +41,12 @@ module SecureHeaders
|
|
|
41
41
|
|
|
42
42
|
# when configuring with booleans, only one enforcement is permitted
|
|
43
43
|
def validate_samesite_boolean_config!
|
|
44
|
-
if config[:samesite].key?(:lax) && config[:samesite][:lax].is_a?(TrueClass) && config[:samesite].key?(:strict)
|
|
45
|
-
raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax
|
|
46
|
-
elsif config[:samesite].key?(:strict) && config[:samesite][:strict].is_a?(TrueClass) && config[:samesite].key?(:lax)
|
|
47
|
-
raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax
|
|
44
|
+
if config[:samesite].key?(:lax) && config[:samesite][:lax].is_a?(TrueClass) && (config[:samesite].key?(:strict) || config[:samesite].key?(:none))
|
|
45
|
+
raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax with strict or no enforcement is not permitted.")
|
|
46
|
+
elsif config[:samesite].key?(:strict) && config[:samesite][:strict].is_a?(TrueClass) && (config[:samesite].key?(:lax) || config[:samesite].key?(:none))
|
|
47
|
+
raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure strict with lax or no enforcement is not permitted.")
|
|
48
|
+
elsif config[:samesite].key?(:none) && config[:samesite][:none].is_a?(TrueClass) && (config[:samesite].key?(:lax) || config[:samesite].key?(:strict))
|
|
49
|
+
raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure no enforcement with lax or strict is not permitted.")
|
|
48
50
|
end
|
|
49
51
|
end
|
|
50
52
|
|
data/secure_headers.gemspec
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# -*- encoding: utf-8 -*-
|
|
2
2
|
Gem::Specification.new do |gem|
|
|
3
3
|
gem.name = "secure_headers"
|
|
4
|
-
gem.version = "3.7.
|
|
4
|
+
gem.version = "3.7.4"
|
|
5
5
|
gem.authors = ["Neil Matatall"]
|
|
6
6
|
gem.email = ["neil.matatall@gmail.com"]
|
|
7
7
|
gem.description = 'Manages application of security headers with many safe defaults.'
|
|
@@ -62,29 +62,21 @@ module SecureHeaders
|
|
|
62
62
|
end
|
|
63
63
|
|
|
64
64
|
context "SameSite cookies" do
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
it "flags SameSite=Lax when configured with a boolean" do
|
|
71
|
-
cookie = Cookie.new(raw_cookie, samesite: { lax: true})
|
|
72
|
-
expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Lax")
|
|
73
|
-
end
|
|
74
|
-
|
|
75
|
-
it "does not flag cookies as SameSite=Lax when excluded" do
|
|
76
|
-
cookie = Cookie.new(raw_cookie, samesite: { lax: { except: ["_session"] } })
|
|
77
|
-
expect(cookie.to_s).to eq("_session=thisisatest")
|
|
78
|
-
end
|
|
65
|
+
%w(None Lax Strict).each do |flag|
|
|
66
|
+
it "flags SameSite=#{flag}" do
|
|
67
|
+
cookie = Cookie.new(raw_cookie, samesite: { flag.downcase.to_sym => { only: ["_session"] } })
|
|
68
|
+
expect(cookie.to_s).to eq("_session=thisisatest; SameSite=#{flag}")
|
|
69
|
+
end
|
|
79
70
|
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
71
|
+
it "flags SameSite=#{flag} when configured with a boolean" do
|
|
72
|
+
cookie = Cookie.new(raw_cookie, samesite: { flag.downcase.to_sym => true })
|
|
73
|
+
expect(cookie.to_s).to eq("_session=thisisatest; SameSite=#{flag}")
|
|
74
|
+
end
|
|
84
75
|
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
76
|
+
it "does not flag cookies as SameSite=#{flag} when excluded" do
|
|
77
|
+
cookie = Cookie.new(raw_cookie, samesite: { flag.downcase.to_sym => { except: ["_session"] } })
|
|
78
|
+
expect(cookie.to_s).to eq("_session=thisisatest")
|
|
79
|
+
end
|
|
88
80
|
end
|
|
89
81
|
|
|
90
82
|
it "flags SameSite=Strict when configured with a boolean" do
|
|
@@ -131,10 +123,15 @@ module SecureHeaders
|
|
|
131
123
|
end.to raise_error(CookiesConfigError)
|
|
132
124
|
end
|
|
133
125
|
|
|
134
|
-
|
|
135
|
-
|
|
136
|
-
|
|
137
|
-
|
|
126
|
+
cookie_options = %w(none lax strict).map(&:to_sym)
|
|
127
|
+
cookie_options.each do |flag|
|
|
128
|
+
(cookie_options - [flag]).each do |other_flag|
|
|
129
|
+
it "raises an exception when SameSite #{flag} and #{other_flag} enforcement modes are configured with booleans" do
|
|
130
|
+
expect do
|
|
131
|
+
Cookie.validate_config!(samesite: { flag => true, other_flag => true})
|
|
132
|
+
end.to raise_error(CookiesConfigError)
|
|
133
|
+
end
|
|
134
|
+
end
|
|
138
135
|
end
|
|
139
136
|
|
|
140
137
|
it "raises an exception when SameSite lax and strict enforcement modes are configured with booleans" do
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.7.
|
|
4
|
+
version: 3.7.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2020-01-14 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|