secure_headers 4.0.0.alpha04 → 4.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of secure_headers might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +12 -0
- data/README.md +2 -0
- data/docs/per_action_configuration.md +28 -0
- data/lib/secure_headers/headers/clear_site_data.rb +2 -2
- data/secure_headers.gemspec +1 -1
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: de4e0f18558ac4a65a9983f56e4dd65ca95e5f82
|
|
4
|
+
data.tar.gz: 3c16a5bdeec36aab812bcbfbbdba544b969c3a33
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 14f3bc42066b1b4bd6044b75a78818a6ce6edc60760e84af03d13623758a4d05b9397d0c4b4baa92c71d105e0334fa39ec56124c3014e8a63096236f9c6e6d51
|
|
7
|
+
data.tar.gz: f07cfc4d11b24a7d7ec1ad50b2fb756fd3a69c8558b922eb79daf35bbf5dc721c24ca27dfa8b5ca13865dc3345cb0162161f3c41fa04ffbff8c190908d8a7b32
|
data/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,18 @@
|
|
|
2
2
|
|
|
3
3
|
- See the [upgrading to 4.0](upgrading-to-4-0.md) guide. Lots of breaking changes.
|
|
4
4
|
|
|
5
|
+
## 3.7.1
|
|
6
|
+
|
|
7
|
+
Fix support for the sandbox attribute of CSP. `true` and `[]` represent the maximally restricted policy (`sandbox;`) and validate other values.
|
|
8
|
+
|
|
9
|
+
## 3.7.0
|
|
10
|
+
|
|
11
|
+
Adds support for the `Expect-CT` header (@jacobbednarz: https://github.com/twitter/secureheaders/pull/322)
|
|
12
|
+
|
|
13
|
+
## 3.6.7
|
|
14
|
+
|
|
15
|
+
Actually set manifest-src when configured. https://github.com/twitter/secureheaders/pull/339 Thanks @carlosantoniodasilva!
|
|
16
|
+
|
|
5
17
|
## 3.6.5
|
|
6
18
|
|
|
7
19
|
Update clear-site-data header to use current format specified by the specification.
|
data/README.md
CHANGED
|
@@ -55,6 +55,8 @@ If you do not supply a `default` configuration, exceptions will be raised. If yo
|
|
|
55
55
|
|
|
56
56
|
All `nil` values will fallback to their default values. `SecureHeaders::OPT_OUT` will disable the header entirely.
|
|
57
57
|
|
|
58
|
+
**Word of caution:** The following is not a default configuration per se. It serves as a sample implementation of the configuration. You should read more about these headers and determine what is appropriate for your requirements.
|
|
59
|
+
|
|
58
60
|
```ruby
|
|
59
61
|
SecureHeaders::Configuration.default do |config|
|
|
60
62
|
config.cookies = {
|
|
@@ -103,3 +103,31 @@ Content-Security-Policy: ...
|
|
|
103
103
|
console.log("won't execute, not whitelisted")
|
|
104
104
|
</script>
|
|
105
105
|
```
|
|
106
|
+
|
|
107
|
+
## Clearing browser cache
|
|
108
|
+
|
|
109
|
+
You can clear the browser cache after the logout request by using the following.
|
|
110
|
+
|
|
111
|
+
``` ruby
|
|
112
|
+
class ApplicationController < ActionController::Base
|
|
113
|
+
# Configuration override to send the Clear-Site-Data header.
|
|
114
|
+
SecureHeaders::Configuration.override(:clear_browser_cache) do |config|
|
|
115
|
+
config.clear_site_data = [
|
|
116
|
+
SecureHeaders::ClearSiteData::ALL_TYPES
|
|
117
|
+
]
|
|
118
|
+
end
|
|
119
|
+
|
|
120
|
+
|
|
121
|
+
# Clears the browser's cache for browsers supporting the Clear-Site-Data
|
|
122
|
+
# header.
|
|
123
|
+
#
|
|
124
|
+
# Returns nothing.
|
|
125
|
+
def clear_browser_cache
|
|
126
|
+
SecureHeaders.use_secure_headers_override(request, :clear_browser_cache)
|
|
127
|
+
end
|
|
128
|
+
end
|
|
129
|
+
|
|
130
|
+
class SessionsController < ApplicationController
|
|
131
|
+
after_action :clear_browser_cache, only: :destroy
|
|
132
|
+
end
|
|
133
|
+
```
|
|
@@ -8,8 +8,8 @@ module SecureHeaders
|
|
|
8
8
|
CACHE = "cache".freeze
|
|
9
9
|
COOKIES = "cookies".freeze
|
|
10
10
|
STORAGE = "storage".freeze
|
|
11
|
-
|
|
12
|
-
ALL_TYPES = [CACHE, COOKIES, STORAGE,
|
|
11
|
+
EXECUTION_CONTEXTS = "executionContexts".freeze
|
|
12
|
+
ALL_TYPES = [CACHE, COOKIES, STORAGE, EXECUTION_CONTEXTS]
|
|
13
13
|
|
|
14
14
|
CONFIG_KEY = :clear_site_data
|
|
15
15
|
|
data/secure_headers.gemspec
CHANGED
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
Gem::Specification.new do |gem|
|
|
4
4
|
gem.name = "secure_headers"
|
|
5
|
-
gem.version = "4.0.0
|
|
5
|
+
gem.version = "4.0.0"
|
|
6
6
|
gem.authors = ["Neil Matatall"]
|
|
7
7
|
gem.email = ["neil.matatall@gmail.com"]
|
|
8
8
|
gem.description = "Manages application of security headers with many safe defaults."
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.0.0
|
|
4
|
+
version: 4.0.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-09-
|
|
11
|
+
date: 2017-09-18 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|
|
@@ -130,9 +130,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
130
130
|
version: '0'
|
|
131
131
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
132
132
|
requirements:
|
|
133
|
-
- - "
|
|
133
|
+
- - ">="
|
|
134
134
|
- !ruby/object:Gem::Version
|
|
135
|
-
version:
|
|
135
|
+
version: '0'
|
|
136
136
|
requirements: []
|
|
137
137
|
rubyforge_project:
|
|
138
138
|
rubygems_version: 2.6.11
|