secure_headers 4.0.0.alpha01 → 4.0.0.alpha02

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1cfa800eacf250583e379d13a9149d585bc2f48d
-  data.tar.gz: 3de8c81b1308ec9d1d53f822cff8eeb7e20b5af0
+  metadata.gz: c3e3971d0169ad3db917dbf0d64e26425c9e8252
+  data.tar.gz: 6fa1f1c7b0d36063a4be0a19549ced444d6f07b7
 SHA512:
-  metadata.gz: 4c25ae5372ac00f74b0cae3b7de0a767a15b45f275bed64994c2cd7d078a2f0b52bdce562d14280984ad494fd008445d5d5448a3ac94694cd1f9778da3deeacc
-  data.tar.gz: 6fab2c382ed56f9a63dd118a34b617fb82b4ee4e9ef55f37d78e134ec9068c9ee1022ba0a94991d0b7b82ea756d78132d3c0dfc909e66d4068acde4f6d2673ff
+  metadata.gz: d7f430815d9b49f0fdaf5c16854aab22d89f09721975a332769c9e0a2b055522a271a610fc8e8ec89614be286f4d4292e5b2105af61181a2670089f9fb42e58d
+  data.tar.gz: 044e9282dfc9c0a7b01c3ae4420c44781ffe460819e58d46b2eb7a9f08ba02a91937afed977c9ed13d4f9aad168e2d7b308108e9f977e5c515b6285b74a8f2b6

data/lib/secure_headers/headers/content_security_policy.rb

@@ -101,9 +101,11 @@ module SecureHeaders
       else
         @config.directive_value(directive)
       end
-      return unless source_list && source_list.any?
-      normalized_source_list = minify_source_list(directive, source_list)
-      [symbol_to_hyphen_case(directive), normalized_source_list].join(" ")
+
+      if source_list != OPT_OUT && source_list && source_list.any?
+        normalized_source_list = minify_source_list(directive, source_list)
+        [symbol_to_hyphen_case(directive), normalized_source_list].join(" ")
+      end
     end
 
     # If a directive contains *, all other values are omitted.

data/lib/secure_headers/headers/policy_management.rb

@@ -202,7 +202,10 @@ module SecureHeaders
       def validate_config!(config)
         return if config.nil? || config.opt_out?
         raise ContentSecurityPolicyConfigError.new(":default_src is required") unless config.directive_value(:default_src)
-        raise ContentSecurityPolicyConfigError.new(":script_src is required, falling back to default-src is too dangerous") unless config.directive_value(:script_src)
+        if config.directive_value(:script_src).nil?
+          raise ContentSecurityPolicyConfigError.new(":script_src is required, falling back to default-src is too dangerous. Use `script_src: OPT_OUT` to override")
+        end
+
         ContentSecurityPolicyConfig.attrs.each do |key|
           value = config.directive_value(key)
           next unless value
@@ -342,12 +345,13 @@ module SecureHeaders
       end
 
       def ensure_array_of_strings!(directive, source_expression)
-        unless source_expression.is_a?(Array) && source_expression.compact.all? { |v| v.is_a?(String) }
+        if (!source_expression.is_a?(Array) || !source_expression.compact.all? { |v| v.is_a?(String) }) && source_expression != OPT_OUT
           raise ContentSecurityPolicyConfigError.new("#{directive} must be an array of strings")
         end
       end
 
       def ensure_valid_sources!(directive, source_expression)
+        return if source_expression == OPT_OUT
         source_expression.each do |expression|
           if ContentSecurityPolicy::DEPRECATED_SOURCE_VALUES.include?(expression)
             raise ContentSecurityPolicyConfigError.new("#{directive} contains an invalid keyword source (#{expression}). This value must be single quoted.")

data/secure_headers.gemspec

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "4.0.0.alpha01"
+  gem.version       = "4.0.0.alpha02"
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
   gem.description   = "Manages application of security headers with many safe defaults."

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -51,6 +51,11 @@ module SecureHeaders
         expect(csp.value).to eq("default-src example.org")
       end
 
+      it "does not build directives with a value of OPT_OUT (and bypasses directive requirements)" do
+        csp = ContentSecurityPolicy.new(default_src: %w(https://example.org), script_src: OPT_OUT)
+        expect(csp.value).to eq("default-src example.org")
+      end
+
       it "does not remove schemes from report-uri values" do
         csp = ContentSecurityPolicy.new(default_src: %w(https:), report_uri: %w(https://example.org))
         expect(csp.value).to eq("default-src https:; report-uri https://example.org")

data/spec/lib/secure_headers/headers/policy_management_spec.rb

@@ -57,6 +57,12 @@ module SecureHeaders
         end.to raise_error(ContentSecurityPolicyConfigError)
       end
 
+      it "accepts OPT_OUT as a script-src value" do
+        expect do
+          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w('self'), script_src: OPT_OUT))
+        end.to_not raise_error
+      end
+
       it "requires :report_only to be a truthy value" do
         expect do
           ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(report_only: "steve")))

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 4.0.0.alpha01
+  version: 4.0.0.alpha02
 platform: ruby
 authors:
 - Neil Matatall
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-07-24 00:00:00.000000000 Z
+date: 2017-07-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake