secure_headers 4.0.0.alpha01 → 4.0.0.alpha02
- checksums.yaml +4 -4
- data/lib/secure_headers/headers/content_security_policy.rb +5 -3
- data/lib/secure_headers/headers/policy_management.rb +6 -2
- data/secure_headers.gemspec +1 -1
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +5 -0
- data/spec/lib/secure_headers/headers/policy_management_spec.rb +6 -0
- metadata +2 -2
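--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: c3e3971d0169ad3db917dbf0d64e26425c9e8252
+data.tar.gz: 6fa1f1c7b0d36063a4be0a19549ced444d6f07b7
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: d7f430815d9b49f0fdaf5c16854aab22d89f09721975a332769c9e0a2b055522a271a610fc8e8ec89614be286f4d4292e5b2105af61181a2670089f9fb42e58d
+data.tar.gz: 044e9282dfc9c0a7b01c3ae4420c44781ffe460819e58d46b2eb7a9f08ba02a91937afed977c9ed13d4f9aad168e2d7b308108e9f977e5c515b6285b74a8f2b6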
@@ -101,9 +101,11 @@ module SecureHeaders
|
|
101
101
|
else
|
102
102
|
@config.directive_value(directive)
|
103
103
|
end
|
104
|
-
|
105
|
-
|
106
|
-
|
104
|
+
|
105
|
+
if source_list != OPT_OUT && source_list && source_list.any?
|
106
|
+
normalized_source_list = minify_source_list(directive, source_list)
|
107
|
+
[symbol_to_hyphen_case(directive), normalized_source_list].join(" ")
|
108
|
+
end
|
107
109
|
end
|
108
110
|
|
109
111
|
# If a directive contains *, all other values are omitted.
|
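Review bot: The new `if` at new line 105 silently drops the directive when `source_list` is `OPT_OUT`, and for a fetch directive such as `script-src` that means the browser applies `default-src` to it — the very fallback the new `validate_config!` message calls too dangerous — yet nothing at the call site records that trade-off. A why-comment above the condition would make the contract explicit for the next maintainer: `# OPT_OUT omits the directive entirely; browsers then fall back to default-src for it, so opting script-src out hands script policy to default-src.` The three-way test also reads more naturally as a guard, `return if source_list.nil? || source_list == OPT_OUT || !source_list.any?`, keeping `any?` rather than `empty?` so an all-`nil` list is still dropped as it is today. The enclosing method starts before this hunk.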
@@ -202,7 +202,10 @@ module SecureHeaders
|
|
202
202
|
def validate_config!(config)
|
203
203
|
return if config.nil? || config.opt_out?
|
204
204
|
raise ContentSecurityPolicyConfigError.new(":default_src is required") unless config.directive_value(:default_src)
|
205
|
-
|
205
|
+
if config.directive_value(:script_src).nil?
|
206
|
+
raise ContentSecurityPolicyConfigError.new(":script_src is required, falling back to default-src is too dangerous. Use `script_src: OPT_OUT` to override")
|
207
|
+
end
|
208
|
+
|
206
209
|
ContentSecurityPolicyConfig.attrs.each do |key|
|
207
210
|
value = config.directive_value(key)
|
208
211
|
next unless value
|
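Review bot: The new `:script_src` check at new line 205 tests `.nil?` while the `:default_src` check directly above tests truthiness, so a config carrying `script_src: false` passes the new guard, is then skipped by `next unless value` in the loop below (so it is never type-checked either), and ends up omitted from the emitted policy — the same outcome as `OPT_OUT` but without the explicit opt-in the error message demands. Mirroring the `default_src` line closes that gap: replace `if config.directive_value(:script_src).nil?` with `unless config.directive_value(:script_src)` (modifier form on the `raise`, dropping the `if`/`end`). Whether a `false` value can actually reach here depends on how `ContentSecurityPolicyConfig` stores directives, which is outside this hunk. `validate_config!` continues past the end of the hunk.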
@@ -342,12 +345,13 @@ module SecureHeaders
|
|
342
345
|
end
|
343
346
|
|
344
347
|
def ensure_array_of_strings!(directive, source_expression)
|
345
|
-
|
348
|
+
if (!source_expression.is_a?(Array) || !source_expression.compact.all? { |v| v.is_a?(String) }) && source_expression != OPT_OUT
|
346
349
|
raise ContentSecurityPolicyConfigError.new("#{directive} must be an array of strings")
|
347
350
|
end
|
348
351
|
end
|
349
352
|
|
350
353
|
def ensure_valid_sources!(directive, source_expression)
|
354
|
+
return if source_expression == OPT_OUT
|
351
355
|
source_expression.each do |expression|
|
352
356
|
if ContentSecurityPolicy::DEPRECATED_SOURCE_VALUES.include?(expression)
|
353
357
|
raise ContentSecurityPolicyConfigError.new("#{directive} contains an invalid keyword source (#{expression}). This value must be single quoted.")
|
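Review bot: `ensure_array_of_strings!` at new line 348 bolts the `OPT_OUT` escape onto the tail of a compound condition, so a reader has to run `!is_a?(Array)` and `compact.all?` through the sentinel before discovering it is excluded, whereas `ensure_valid_sources!` directly below uses a plain guard for the same thing. The guard is both clearer and consistent here: `return if source_expression == OPT_OUT` followed by `raise ContentSecurityPolicyConfigError.new("#{directive} must be an array of strings") unless source_expression.is_a?(Array) && source_expression.compact.all? { |v| v.is_a?(String) }`. Note that the new guard in `ensure_valid_sources!` is the only thing keeping a non-Array `OPT_OUT` value away from `.each`, so the two methods must keep agreeing on the sentinel; a one-line comment on the guard saying so would help. `ensure_valid_sources!` continues past the end of the hunk.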
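--- a/data/secure_headers.gemspec
+++ b/data/secure_headers.gemspec
@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 Gem::Specification.new do |gem|
 gem.name = "secure_headers"
-gem.version = "4.0.0.
+gem.version = "4.0.0.alpha02"
 gem.authors = ["Neil Matatall"]
 gem.email = ["neil.matatall@gmail.com"]
 gem.description = "Manages application of security headers with many safe defaults."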
@@ -51,6 +51,11 @@ module SecureHeaders
|
|
51
51
|
expect(csp.value).to eq("default-src example.org")
|
52
52
|
end
|
53
53
|
|
54
|
+
it "does not build directives with a value of OPT_OUT (and bypasses directive requirements)" do
|
55
|
+
csp = ContentSecurityPolicy.new(default_src: %w(https://example.org), script_src: OPT_OUT)
|
56
|
+
expect(csp.value).to eq("default-src example.org")
|
57
|
+
end
|
58
|
+
|
54
59
|
it "does not remove schemes from report-uri values" do
|
55
60
|
csp = ContentSecurityPolicy.new(default_src: %w(https:), report_uri: %w(https://example.org))
|
56
61
|
expect(csp.value).to eq("default-src https:; report-uri https://example.org")
|
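Review bot: The example name at new line 54 claims `OPT_OUT` "bypasses directive requirements", but the body only inspects `csp.value`; if `ContentSecurityPolicy.new` does not invoke `validate_config!` (not visible from this hunk) the parenthetical is not exercised here and belongs with the validation spec. Either drop the parenthetical or state the behaviour the example does demonstrate, e.g. add `expect(csp.value).not_to include("script-src")` with the comment `# script-src is omitted, so browsers apply default-src to scripts` so the security consequence of opting out is spelled out next to the assertion.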
@@ -57,6 +57,12 @@ module SecureHeaders
|
|
57
57
|
end.to raise_error(ContentSecurityPolicyConfigError)
|
58
58
|
end
|
59
59
|
|
60
|
+
it "accepts OPT_OUT as a script-src value" do
|
61
|
+
expect do
|
62
|
+
ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w('self'), script_src: OPT_OUT))
|
63
|
+
end.to_not raise_error
|
64
|
+
end
|
65
|
+
|
60
66
|
it "requires :report_only to be a truthy value" do
|
61
67
|
expect do
|
62
68
|
ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(report_only: "steve")))
|
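Review bot: This example at new line 60 covers only the escape hatch; nothing in the hunk pins the new requirement itself — that a config with `default_src` but no `script_src` raises `ContentSecurityPolicyConfigError` with the `:script_src is required` message — so a regression that drops the guard would still pass this file unless such an example exists outside the hunk. A paired negative example keeps the security-relevant default under test. The `default_opts` helper used at line 68 may already include `script_src`, so build the config explicitly as below.
```ruby
it "requires :script_src unless it is explicitly opted out" do
  expect do
    ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w('self')))
  end.to raise_error(ContentSecurityPolicyConfigError, /script_src is required/)
end
```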
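--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-version: 4.0.0.
+version: 4.0.0.alpha02
 platform: ruby
 authors:
 - Neil Matatall
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-07-
+date: 2017-07-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rake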