secure_headers 4.0.0.alpha04 → 4.0.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of secure_headers might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +12 -0
- data/README.md +2 -0
- data/docs/per_action_configuration.md +28 -0
- data/lib/secure_headers/headers/clear_site_data.rb +2 -2
- data/secure_headers.gemspec +1 -1
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: de4e0f18558ac4a65a9983f56e4dd65ca95e5f82
|
|
4
|
+
data.tar.gz: 3c16a5bdeec36aab812bcbfbbdba544b969c3a33
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 14f3bc42066b1b4bd6044b75a78818a6ce6edc60760e84af03d13623758a4d05b9397d0c4b4baa92c71d105e0334fa39ec56124c3014e8a63096236f9c6e6d51
|
|
7
|
+
data.tar.gz: f07cfc4d11b24a7d7ec1ad50b2fb756fd3a69c8558b922eb79daf35bbf5dc721c24ca27dfa8b5ca13865dc3345cb0162161f3c41fa04ffbff8c190908d8a7b32
|
data/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,18 @@
|
|
|
2
2
|
|
|
3
3
|
- See the [upgrading to 4.0](upgrading-to-4-0.md) guide. Lots of breaking changes.
|
|
4
4
|
|
|
5
|
+
## 3.7.1
|
|
6
|
+
|
|
7
|
+
Fix support for the sandbox attribute of CSP. `true` and `[]` represent the maximally restricted policy (`sandbox;`) and validate other values.
|
|
8
|
+
|
|
9
|
+
## 3.7.0
|
|
10
|
+
|
|
11
|
+
Adds support for the `Expect-CT` header (@jacobbednarz: https://github.com/twitter/secureheaders/pull/322)
|
|
12
|
+
|
|
13
|
+
## 3.6.7
|
|
14
|
+
|
|
15
|
+
Actually set manifest-src when configured. https://github.com/twitter/secureheaders/pull/339 Thanks @carlosantoniodasilva!
|
|
16
|
+
|
|
5
17
|
## 3.6.5
|
|
6
18
|
|
|
7
19
|
Update clear-site-data header to use current format specified by the specification.
|
data/README.md
CHANGED
|
@@ -55,6 +55,8 @@ If you do not supply a `default` configuration, exceptions will be raised. If yo
|
|
|
55
55
|
|
|
56
56
|
All `nil` values will fallback to their default values. `SecureHeaders::OPT_OUT` will disable the header entirely.
|
|
57
57
|
|
|
58
|
+
**Word of caution:** The following is not a default configuration per se. It serves as a sample implementation of the configuration. You should read more about these headers and determine what is appropriate for your requirements.
|
|
59
|
+
|
|
58
60
|
```ruby
|
|
59
61
|
SecureHeaders::Configuration.default do |config|
|
|
60
62
|
config.cookies = {
|
|
@@ -103,3 +103,31 @@ Content-Security-Policy: ...
|
|
|
103
103
|
console.log("won't execute, not whitelisted")
|
|
104
104
|
</script>
|
|
105
105
|
```
|
|
106
|
+
|
|
107
|
+
## Clearing browser cache
|
|
108
|
+
|
|
109
|
+
You can clear the browser cache after the logout request by using the following.
|
|
110
|
+
|
|
111
|
+
``` ruby
|
|
112
|
+
class ApplicationController < ActionController::Base
|
|
113
|
+
# Configuration override to send the Clear-Site-Data header.
|
|
114
|
+
SecureHeaders::Configuration.override(:clear_browser_cache) do |config|
|
|
115
|
+
config.clear_site_data = [
|
|
116
|
+
SecureHeaders::ClearSiteData::ALL_TYPES
|
|
117
|
+
]
|
|
118
|
+
end
|
|
119
|
+
|
|
120
|
+
|
|
121
|
+
# Clears the browser's cache for browsers supporting the Clear-Site-Data
|
|
122
|
+
# header.
|
|
123
|
+
#
|
|
124
|
+
# Returns nothing.
|
|
125
|
+
def clear_browser_cache
|
|
126
|
+
SecureHeaders.use_secure_headers_override(request, :clear_browser_cache)
|
|
127
|
+
end
|
|
128
|
+
end
|
|
129
|
+
|
|
130
|
+
class SessionsController < ApplicationController
|
|
131
|
+
after_action :clear_browser_cache, only: :destroy
|
|
132
|
+
end
|
|
133
|
+
```
|
|
@@ -8,8 +8,8 @@ module SecureHeaders
|
|
|
8
8
|
CACHE = "cache".freeze
|
|
9
9
|
COOKIES = "cookies".freeze
|
|
10
10
|
STORAGE = "storage".freeze
|
|
11
|
-
|
|
12
|
-
ALL_TYPES = [CACHE, COOKIES, STORAGE,
|
|
11
|
+
EXECUTION_CONTEXTS = "executionContexts".freeze
|
|
12
|
+
ALL_TYPES = [CACHE, COOKIES, STORAGE, EXECUTION_CONTEXTS]
|
|
13
13
|
|
|
14
14
|
CONFIG_KEY = :clear_site_data
|
|
15
15
|
|
data/secure_headers.gemspec
CHANGED
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
Gem::Specification.new do |gem|
|
|
4
4
|
gem.name = "secure_headers"
|
|
5
|
-
gem.version = "4.0.0
|
|
5
|
+
gem.version = "4.0.0"
|
|
6
6
|
gem.authors = ["Neil Matatall"]
|
|
7
7
|
gem.email = ["neil.matatall@gmail.com"]
|
|
8
8
|
gem.description = "Manages application of security headers with many safe defaults."
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.0.0
|
|
4
|
+
version: 4.0.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-09-
|
|
11
|
+
date: 2017-09-18 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|
|
@@ -130,9 +130,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
130
130
|
version: '0'
|
|
131
131
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
132
132
|
requirements:
|
|
133
|
-
- - "
|
|
133
|
+
- - ">="
|
|
134
134
|
- !ruby/object:Gem::Version
|
|
135
|
-
version:
|
|
135
|
+
version: '0'
|
|
136
136
|
requirements: []
|
|
137
137
|
rubyforge_project:
|
|
138
138
|
rubygems_version: 2.6.11
|