secure_headers 4.0.0 → 4.0.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of secure_headers might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +9 -1
- data/README.md +2 -22
- data/lib/secure_headers/headers/content_security_policy_config.rb +1 -0
- data/lib/secure_headers/headers/policy_management.rb +6 -0
- data/secure_headers.gemspec +1 -1
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +2 -2
- data/spec/lib/secure_headers/headers/policy_management_spec.rb +1 -0
- data/upgrading-to-4-0.md +5 -5
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: fe8e39e4a81e0429bcba0fde48a5bb670f4bfb21
|
|
4
|
+
data.tar.gz: fc5989c5886abaf9245b2e29c3a0fbdb77e03e40
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 373cbefd9bf90c0aa486de40aea8b14f45c9855a580048b25a1de9e7475cb597b7c4bda979f79c897fc988a9be38741477994ba295153ccb642846b767ab597d
|
|
7
|
+
data.tar.gz: 1911795207a61925df44c32d8ffb23908c909332eab7b579d84a5a008296be0e329fcc950e70885fd876b2c7feed2d4e2c12f65148303f90849757a050b32a04
|
data/CHANGELOG.md
CHANGED
|
@@ -1,7 +1,15 @@
|
|
|
1
|
-
## 4.
|
|
1
|
+
## 4.0.1
|
|
2
|
+
|
|
3
|
+
- Adds support for `worker-src` CSP directive to 4.x line (https://github.com/twitter/secureheaders/pull/364)
|
|
4
|
+
|
|
5
|
+
## 4.0
|
|
2
6
|
|
|
3
7
|
- See the [upgrading to 4.0](upgrading-to-4-0.md) guide. Lots of breaking changes.
|
|
4
8
|
|
|
9
|
+
## 3.7.2
|
|
10
|
+
|
|
11
|
+
- Adds support for `worker-src` CSP directive to 3.x line (https://github.com/twitter/secureheaders/pull/364)
|
|
12
|
+
|
|
5
13
|
## 3.7.1
|
|
6
14
|
|
|
7
15
|
Fix support for the sandbox attribute of CSP. `true` and `[]` represent the maximally restricted policy (`sandbox;`) and validate other values.
|
data/README.md
CHANGED
|
@@ -67,24 +67,13 @@ SecureHeaders::Configuration.default do |config|
|
|
|
67
67
|
}
|
|
68
68
|
}
|
|
69
69
|
# Add "; preload" and submit the site to hstspreload.org for best protection.
|
|
70
|
-
config.hsts = "max-age=#{20.years.to_i}
|
|
70
|
+
config.hsts = "max-age=#{20.years.to_i}"
|
|
71
71
|
config.x_frame_options = "DENY"
|
|
72
72
|
config.x_content_type_options = "nosniff"
|
|
73
73
|
config.x_xss_protection = "1; mode=block"
|
|
74
74
|
config.x_download_options = "noopen"
|
|
75
75
|
config.x_permitted_cross_domain_policies = "none"
|
|
76
76
|
config.referrer_policy = "origin-when-cross-origin"
|
|
77
|
-
config.clear_site_data = [
|
|
78
|
-
"cache",
|
|
79
|
-
"cookies",
|
|
80
|
-
"storage",
|
|
81
|
-
"executionContexts"
|
|
82
|
-
]
|
|
83
|
-
config.expect_certificate_transparency = {
|
|
84
|
-
enforce: false,
|
|
85
|
-
max_age: 1.day.to_i,
|
|
86
|
-
report_uri: "https://report-uri.io/example-ct"
|
|
87
|
-
}
|
|
88
77
|
config.csp = {
|
|
89
78
|
# "meta" values. these will shape the header, but the values are not included in the header.
|
|
90
79
|
preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
|
|
@@ -106,6 +95,7 @@ SecureHeaders::Configuration.default do |config|
|
|
|
106
95
|
plugin_types: %w(application/x-shockwave-flash),
|
|
107
96
|
script_src: %w('self'),
|
|
108
97
|
style_src: %w('unsafe-inline'),
|
|
98
|
+
worker_src: %w('self'),
|
|
109
99
|
upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
|
|
110
100
|
report_uri: %w(https://report-uri.io/example-csp)
|
|
111
101
|
}
|
|
@@ -114,16 +104,6 @@ SecureHeaders::Configuration.default do |config|
|
|
|
114
104
|
img_src: %w(somewhereelse.com),
|
|
115
105
|
report_uri: %w(https://report-uri.io/example-csp-report-only)
|
|
116
106
|
})
|
|
117
|
-
config.hpkp = {
|
|
118
|
-
report_only: false,
|
|
119
|
-
max_age: 60.days.to_i,
|
|
120
|
-
include_subdomains: true,
|
|
121
|
-
report_uri: "https://report-uri.io/example-hpkp",
|
|
122
|
-
pins: [
|
|
123
|
-
{sha256: "abc"},
|
|
124
|
-
{sha256: "123"}
|
|
125
|
-
]
|
|
126
|
-
}
|
|
127
107
|
end
|
|
128
108
|
```
|
|
129
109
|
|
|
@@ -72,10 +72,13 @@ module SecureHeaders
|
|
|
72
72
|
BLOCK_ALL_MIXED_CONTENT = :block_all_mixed_content
|
|
73
73
|
MANIFEST_SRC = :manifest_src
|
|
74
74
|
UPGRADE_INSECURE_REQUESTS = :upgrade_insecure_requests
|
|
75
|
+
WORKER_SRC = :worker_src
|
|
76
|
+
|
|
75
77
|
DIRECTIVES_3_0 = [
|
|
76
78
|
DIRECTIVES_2_0,
|
|
77
79
|
BLOCK_ALL_MIXED_CONTENT,
|
|
78
80
|
MANIFEST_SRC,
|
|
81
|
+
WORKER_SRC,
|
|
79
82
|
UPGRADE_INSECURE_REQUESTS
|
|
80
83
|
].flatten.freeze
|
|
81
84
|
|
|
@@ -86,6 +89,7 @@ module SecureHeaders
|
|
|
86
89
|
FIREFOX_UNSUPPORTED_DIRECTIVES = [
|
|
87
90
|
BLOCK_ALL_MIXED_CONTENT,
|
|
88
91
|
CHILD_SRC,
|
|
92
|
+
WORKER_SRC,
|
|
89
93
|
PLUGIN_TYPES
|
|
90
94
|
].freeze
|
|
91
95
|
|
|
@@ -95,6 +99,7 @@ module SecureHeaders
|
|
|
95
99
|
|
|
96
100
|
FIREFOX_46_UNSUPPORTED_DIRECTIVES = [
|
|
97
101
|
BLOCK_ALL_MIXED_CONTENT,
|
|
102
|
+
WORKER_SRC,
|
|
98
103
|
PLUGIN_TYPES
|
|
99
104
|
].freeze
|
|
100
105
|
|
|
@@ -148,6 +153,7 @@ module SecureHeaders
|
|
|
148
153
|
SANDBOX => :sandbox_list,
|
|
149
154
|
SCRIPT_SRC => :source_list,
|
|
150
155
|
STYLE_SRC => :source_list,
|
|
156
|
+
WORKER_SRC => :source_list,
|
|
151
157
|
UPGRADE_INSECURE_REQUESTS => :boolean
|
|
152
158
|
}.freeze
|
|
153
159
|
|
data/secure_headers.gemspec
CHANGED
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
Gem::Specification.new do |gem|
|
|
4
4
|
gem.name = "secure_headers"
|
|
5
|
-
gem.version = "4.0.
|
|
5
|
+
gem.version = "4.0.1"
|
|
6
6
|
gem.authors = ["Neil Matatall"]
|
|
7
7
|
gem.email = ["neil.matatall@gmail.com"]
|
|
8
8
|
gem.description = "Manages application of security headers with many safe defaults."
|
|
@@ -143,12 +143,12 @@ module SecureHeaders
|
|
|
143
143
|
|
|
144
144
|
it "does not filter any directives for Chrome" do
|
|
145
145
|
policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:chrome])
|
|
146
|
-
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
146
|
+
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; worker-src worker-src.com; report-uri report-uri.com")
|
|
147
147
|
end
|
|
148
148
|
|
|
149
149
|
it "does not filter any directives for Opera" do
|
|
150
150
|
policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:opera])
|
|
151
|
-
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
151
|
+
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; worker-src worker-src.com; report-uri report-uri.com")
|
|
152
152
|
end
|
|
153
153
|
|
|
154
154
|
it "filters blocked-all-mixed-content, child-src, and plugin-types for firefox" do
|
data/upgrading-to-4-0.md
CHANGED
|
@@ -4,18 +4,18 @@ The most likely change to break your app is the new cookie defaults. This is the
|
|
|
4
4
|
|
|
5
5
|
## All cookies default to secure/httponly/SameSite=Lax
|
|
6
6
|
|
|
7
|
-
By default, *all* cookies will be marked as `SameSite=lax`,`secure`, and `httponly`. To opt-out, supply `OPT_OUT` as the value for `SecureHeaders.cookies` or the individual configs. Setting these values to `false` will raise an error.
|
|
7
|
+
By default, *all* cookies will be marked as `SameSite=lax`,`secure`, and `httponly`. To opt-out, supply `SecureHeaders::OPT_OUT` as the value for `SecureHeaders.cookies` or the individual configs. Setting these values to `false` will raise an error.
|
|
8
8
|
|
|
9
9
|
```ruby
|
|
10
10
|
# specific opt outs
|
|
11
11
|
config.cookies = {
|
|
12
|
-
secure: OPT_OUT,
|
|
13
|
-
httponly: OPT_OUT,
|
|
14
|
-
samesite: OPT_OUT,
|
|
12
|
+
secure: SecureHeaders::OPT_OUT,
|
|
13
|
+
httponly: SecureHeaders::OPT_OUT,
|
|
14
|
+
samesite: SecureHeaders::OPT_OUT,
|
|
15
15
|
}
|
|
16
16
|
|
|
17
17
|
# nuclear option, just make things work again
|
|
18
|
-
config.cookies = OPT_OUT
|
|
18
|
+
config.cookies = SecureHeaders::OPT_OUT
|
|
19
19
|
```
|
|
20
20
|
|
|
21
21
|
## script_src must be set
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.0.
|
|
4
|
+
version: 4.0.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-
|
|
11
|
+
date: 2017-10-03 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|