secure_headers 3.9.0 → 4.0.0.alpha01

data/spec/spec_helper.rb

@@ -1,12 +1,11 @@
-require 'rubygems'
-require 'rspec'
-require 'rack'
-require 'pry-nav'
-
-require 'coveralls'
+# frozen_string_literal: true
+require "rubygems"
+require "rspec"
+require "rack"
+require "coveralls"
 Coveralls.wear!
 
-require File.join(File.dirname(__FILE__), '..', 'lib', 'secure_headers')
+require File.join(File.dirname(__FILE__), "..", "lib", "secure_headers")
 
 
 
@@ -14,9 +13,9 @@ USER_AGENTS = {
   edge: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246",
   firefox: "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1",
   firefox46: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:46.0) Gecko/20100101 Firefox/46.0",
-  chrome: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5',
-  ie: 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)',
-  opera: 'Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00',
+  chrome: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5",
+  ie: "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)",
+  opera: "Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00",
   ios5: "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3",
   ios6: "Mozilla/5.0 (iPhone; CPU iPhone OS 614 like Mac OS X) AppleWebKit/536.26 (KHTML like Gecko) Version/6.0 Mobile/10B350 Safari/8536.25",
   safari5: "Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3",
@@ -34,7 +33,6 @@ def expect_default_values(hash)
   expect(hash[SecureHeaders::XContentTypeOptions::HEADER_NAME]).to eq(SecureHeaders::XContentTypeOptions::DEFAULT_VALUE)
   expect(hash[SecureHeaders::XPermittedCrossDomainPolicies::HEADER_NAME]).to eq(SecureHeaders::XPermittedCrossDomainPolicies::DEFAULT_VALUE)
   expect(hash[SecureHeaders::ReferrerPolicy::HEADER_NAME]).to be_nil
-  expect(hash[SecureHeaders::ExpectCertificateTransparency::HEADER_NAME]).to be_nil
 end
 
 module SecureHeaders
@@ -50,15 +48,3 @@ end
 def reset_config
   SecureHeaders::Configuration.clear_configurations
 end
-
-def capture_warning
-  begin
-    old_stderr = $stderr
-    $stderr = StringIO.new
-    yield
-    result = $stderr.string
-  ensure
-    $stderr = old_stderr
-  end
-  result
-end

data/upgrading-to-4-0.md

@@ -0,0 +1,49 @@
+### Breaking Changes
+
+The most likely change to break your app is the new cookie defaults. This is the first place to check. If you're using the default CSP, your policy will change but your app should not break. This should not break brand new projects using secure_headers either.
+
+## All cookies default to secure/httponly/SameSite=Lax
+
+By default, *all* cookies will be marked as `SameSite=lax`,`secure`, and `httponly`. To opt-out, supply `OPT_OUT` as the value for `SecureHeaders.cookies` or the individual configs. Setting these values to `false` will raise an error.
+
+```ruby
+# specific opt outs
+config.cookies = {
+  secure: OPT_OUT,
+  httponly: OPT_OUT,
+  samesite: OPT_OUT,
+}
+
+# nuclear option, just make things work again
+config.cookies = OPT_OUT
+```
+
+## Default Content Security Policy
+
+The default CSP has changed to be more universal without sacrificing too much security.
+
+* Flash/Java disabled by default
+* `img-src` allows data: images and favicons (among others)
+* `style-src` allows inline CSS by default (most find it impossible/impractical to remove inline content today)
+* `form-action` (not governed by `default-src`, practically treated as `*`) is set to `'self'`
+
+Previously, the default CSP was:
+
+`Content-Security-Policy: default-src 'self'`
+
+The new default policy is:
+
+`default-src https:; form-action 'self'; img-src https: data: 'self'; object-src 'none'; script-src https:; style-src 'self' 'unsafe-inline' https:`
+
+## CSP configuration
+
+* Setting `report_only: true` in a CSP config will raise an error. Instead, set `csp_report_only`.
+* Setting `frame_src` and `child_src` when values don't match will raise an error. Just use `frame_src`.
+
+## config.secure_cookies removed
+
+Use `config.cookies` instead.
+
+## Supported ruby versions
+
+We've dropped support for ruby versions <= 2.2. Sorry.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 3.9.0
+  version: 4.0.0.alpha01
 platform: ruby
 authors:
 - Neil Matatall
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-01-21 00:00:00.000000000 Z
+date: 2017-07-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.15.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.15.0
 description: Manages application of security headers with many safe defaults.
 email:
 - neil.matatall@gmail.com
@@ -49,6 +49,7 @@ files:
 - ".github/PULL_REQUEST_TEMPLATE.md"
 - ".gitignore"
 - ".rspec"
+- ".rubocop.yml"
 - ".ruby-gemset"
 - ".ruby-version"
 - ".travis.yml"
@@ -73,7 +74,6 @@ files:
 - lib/secure_headers/headers/content_security_policy.rb
 - lib/secure_headers/headers/content_security_policy_config.rb
 - lib/secure_headers/headers/cookie.rb
-- lib/secure_headers/headers/expect_certificate_transparency.rb
 - lib/secure_headers/headers/policy_management.rb
 - lib/secure_headers/headers/public_key_pins.rb
 - lib/secure_headers/headers/referrer_policy.rb
@@ -93,7 +93,6 @@ files:
 - spec/lib/secure_headers/headers/clear_site_data_spec.rb
 - spec/lib/secure_headers/headers/content_security_policy_spec.rb
 - spec/lib/secure_headers/headers/cookie_spec.rb
-- spec/lib/secure_headers/headers/expect_certificate_transparency_spec.rb
 - spec/lib/secure_headers/headers/policy_management_spec.rb
 - spec/lib/secure_headers/headers/public_key_pins_spec.rb
 - spec/lib/secure_headers/headers/referrer_policy_spec.rb
@@ -108,11 +107,17 @@ files:
 - spec/lib/secure_headers_spec.rb
 - spec/spec_helper.rb
 - upgrading-to-3-0.md
+- upgrading-to-4-0.md
 homepage: https://github.com/twitter/secureheaders
 licenses:
 - Apache Public License 2.0
 metadata: {}
-post_install_message: 
+post_install_message: |2+
+
+  **********
+  :wave: secure_headers 4.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/upgrading-to-4-0.md
+  **********
+
 rdoc_options: []
 require_paths:
 - lib
@@ -123,11 +128,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
-rubygems_version: 3.1.2
+rubyforge_project: 
+rubygems_version: 2.6.11
 signing_key: 
 specification_version: 4
 summary: Add easily configured security headers to responses including content-security-policy,
@@ -137,7 +143,6 @@ test_files:
 - spec/lib/secure_headers/headers/clear_site_data_spec.rb
 - spec/lib/secure_headers/headers/content_security_policy_spec.rb
 - spec/lib/secure_headers/headers/cookie_spec.rb
-- spec/lib/secure_headers/headers/expect_certificate_transparency_spec.rb
 - spec/lib/secure_headers/headers/policy_management_spec.rb
 - spec/lib/secure_headers/headers/public_key_pins_spec.rb
 - spec/lib/secure_headers/headers/referrer_policy_spec.rb

data/lib/secure_headers/headers/expect_certificate_transparency.rb

@@ -1,70 +0,0 @@
-# frozen_string_literal: true
-module SecureHeaders
-  class ExpectCertificateTransparencyConfigError < StandardError; end
-
-  class ExpectCertificateTransparency
-    HEADER_NAME = "Expect-CT".freeze
-    CONFIG_KEY  = :expect_certificate_transparency
-    INVALID_CONFIGURATION_ERROR = "config must be a hash.".freeze
-    INVALID_ENFORCE_VALUE_ERROR = "enforce must be a boolean".freeze
-    REQUIRED_MAX_AGE_ERROR      = "max-age is a required directive.".freeze
-    INVALID_MAX_AGE_ERROR       = "max-age must be a number.".freeze
-
-    class << self
-      # Public: Generate a Expect-CT header.
-      #
-      # Returns nil if not configured, returns header name and value if
-      # configured.
-      def make_header(config)
-        return if config.nil?
-
-        header = new(config)
-        [HEADER_NAME, header.value]
-      end
-
-      def validate_config!(config)
-        return if config.nil? || config == OPT_OUT
-        raise ExpectCertificateTransparencyConfigError.new(INVALID_CONFIGURATION_ERROR) unless config.is_a? Hash
-
-        unless [true, false, nil].include?(config[:enforce])
-          raise ExpectCertificateTransparencyConfigError.new(INVALID_ENFORCE_VALUE_ERROR)
-        end
-
-        if !config[:max_age]
-          raise ExpectCertificateTransparencyConfigError.new(REQUIRED_MAX_AGE_ERROR)
-        elsif config[:max_age].to_s !~ /\A\d+\z/
-          raise ExpectCertificateTransparencyConfigError.new(INVALID_MAX_AGE_ERROR)
-        end
-      end
-    end
-
-    def initialize(config)
-      @enforced   = config.fetch(:enforce, nil)
-      @max_age    = config.fetch(:max_age, nil)
-      @report_uri = config.fetch(:report_uri, nil)
-    end
-
-    def value
-      header_value = [
-        enforced_directive,
-        max_age_directive,
-        report_uri_directive
-      ].compact.join(", ").strip
-    end
-
-    def enforced_directive
-      # Unfortunately `if @enforced` isn't enough here in case someone
-      # passes in a random string so let's be specific with it to prevent
-      # accidental enforcement.
-      "enforce" if @enforced == true
-    end
-
-    def max_age_directive
-      "max-age=#{@max_age}" if @max_age
-    end
-
-    def report_uri_directive
-      "report-uri=\"#{@report_uri}\"" if @report_uri
-    end
-  end
-end

data/spec/lib/secure_headers/headers/expect_certificate_transparency_spec.rb

@@ -1,42 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-
-module SecureHeaders
-  describe ExpectCertificateTransparency do
-    specify { expect(ExpectCertificateTransparency.new(max_age: 1234, enforce: true).value).to eq("enforce, max-age=1234") }
-    specify { expect(ExpectCertificateTransparency.new(max_age: 1234, enforce: false).value).to eq("max-age=1234") }
-    specify { expect(ExpectCertificateTransparency.new(max_age: 1234, enforce: "yolocopter").value).to eq("max-age=1234") }
-    specify { expect(ExpectCertificateTransparency.new(max_age: 1234, report_uri: "https://report-uri.io/expect-ct").value).to eq("max-age=1234, report-uri=\"https://report-uri.io/expect-ct\"") }
-    specify do
-      config = { enforce: true, max_age: 1234, report_uri: "https://report-uri.io/expect-ct" }
-      header_value = "enforce, max-age=1234, report-uri=\"https://report-uri.io/expect-ct\""
-      expect(ExpectCertificateTransparency.new(config).value).to eq(header_value)
-    end
-
-    context "with an invalid configuration" do
-      it "raises an exception when configuration isn't a hash" do
-        expect do
-          ExpectCertificateTransparency.validate_config!(%w(a))
-        end.to raise_error(ExpectCertificateTransparencyConfigError)
-      end
-
-      it "raises an exception when max-age is not provided" do
-        expect do
-          ExpectCertificateTransparency.validate_config!(foo: "bar")
-        end.to raise_error(ExpectCertificateTransparencyConfigError)
-      end
-
-      it "raises an exception with an invalid max-age" do
-        expect do
-          ExpectCertificateTransparency.validate_config!(max_age: "abc123")
-        end.to raise_error(ExpectCertificateTransparencyConfigError)
-      end
-
-      it "raises an exception with an invalid enforce value" do
-        expect do
-          ExpectCertificateTransparency.validate_config!(enforce: "brokenstring")
-        end.to raise_error(ExpectCertificateTransparencyConfigError)
-      end
-    end
-  end
-end