secure_headers 4.0.0 → 4.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of secure_headers might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +9 -1
- data/README.md +2 -22
- data/lib/secure_headers/headers/content_security_policy_config.rb +1 -0
- data/lib/secure_headers/headers/policy_management.rb +6 -0
- data/secure_headers.gemspec +1 -1
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +2 -2
- data/spec/lib/secure_headers/headers/policy_management_spec.rb +1 -0
- data/upgrading-to-4-0.md +5 -5
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: fe8e39e4a81e0429bcba0fde48a5bb670f4bfb21
|
|
4
|
+
data.tar.gz: fc5989c5886abaf9245b2e29c3a0fbdb77e03e40
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 373cbefd9bf90c0aa486de40aea8b14f45c9855a580048b25a1de9e7475cb597b7c4bda979f79c897fc988a9be38741477994ba295153ccb642846b767ab597d
|
|
7
|
+
data.tar.gz: 1911795207a61925df44c32d8ffb23908c909332eab7b579d84a5a008296be0e329fcc950e70885fd876b2c7feed2d4e2c12f65148303f90849757a050b32a04
|
data/CHANGELOG.md
CHANGED
|
@@ -1,7 +1,15 @@
|
|
|
1
|
-
## 4.
|
|
1
|
+
## 4.0.1
|
|
2
|
+
|
|
3
|
+
- Adds support for `worker-src` CSP directive to 4.x line (https://github.com/twitter/secureheaders/pull/364)
|
|
4
|
+
|
|
5
|
+
## 4.0
|
|
2
6
|
|
|
3
7
|
- See the [upgrading to 4.0](upgrading-to-4-0.md) guide. Lots of breaking changes.
|
|
4
8
|
|
|
9
|
+
## 3.7.2
|
|
10
|
+
|
|
11
|
+
- Adds support for `worker-src` CSP directive to 3.x line (https://github.com/twitter/secureheaders/pull/364)
|
|
12
|
+
|
|
5
13
|
## 3.7.1
|
|
6
14
|
|
|
7
15
|
Fix support for the sandbox attribute of CSP. `true` and `[]` represent the maximally restricted policy (`sandbox;`) and validate other values.
|
data/README.md
CHANGED
|
@@ -67,24 +67,13 @@ SecureHeaders::Configuration.default do |config|
|
|
|
67
67
|
}
|
|
68
68
|
}
|
|
69
69
|
# Add "; preload" and submit the site to hstspreload.org for best protection.
|
|
70
|
-
config.hsts = "max-age=#{20.years.to_i}
|
|
70
|
+
config.hsts = "max-age=#{20.years.to_i}"
|
|
71
71
|
config.x_frame_options = "DENY"
|
|
72
72
|
config.x_content_type_options = "nosniff"
|
|
73
73
|
config.x_xss_protection = "1; mode=block"
|
|
74
74
|
config.x_download_options = "noopen"
|
|
75
75
|
config.x_permitted_cross_domain_policies = "none"
|
|
76
76
|
config.referrer_policy = "origin-when-cross-origin"
|
|
77
|
-
config.clear_site_data = [
|
|
78
|
-
"cache",
|
|
79
|
-
"cookies",
|
|
80
|
-
"storage",
|
|
81
|
-
"executionContexts"
|
|
82
|
-
]
|
|
83
|
-
config.expect_certificate_transparency = {
|
|
84
|
-
enforce: false,
|
|
85
|
-
max_age: 1.day.to_i,
|
|
86
|
-
report_uri: "https://report-uri.io/example-ct"
|
|
87
|
-
}
|
|
88
77
|
config.csp = {
|
|
89
78
|
# "meta" values. these will shape the header, but the values are not included in the header.
|
|
90
79
|
preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
|
|
@@ -106,6 +95,7 @@ SecureHeaders::Configuration.default do |config|
|
|
|
106
95
|
plugin_types: %w(application/x-shockwave-flash),
|
|
107
96
|
script_src: %w('self'),
|
|
108
97
|
style_src: %w('unsafe-inline'),
|
|
98
|
+
worker_src: %w('self'),
|
|
109
99
|
upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
|
|
110
100
|
report_uri: %w(https://report-uri.io/example-csp)
|
|
111
101
|
}
|
|
@@ -114,16 +104,6 @@ SecureHeaders::Configuration.default do |config|
|
|
|
114
104
|
img_src: %w(somewhereelse.com),
|
|
115
105
|
report_uri: %w(https://report-uri.io/example-csp-report-only)
|
|
116
106
|
})
|
|
117
|
-
config.hpkp = {
|
|
118
|
-
report_only: false,
|
|
119
|
-
max_age: 60.days.to_i,
|
|
120
|
-
include_subdomains: true,
|
|
121
|
-
report_uri: "https://report-uri.io/example-hpkp",
|
|
122
|
-
pins: [
|
|
123
|
-
{sha256: "abc"},
|
|
124
|
-
{sha256: "123"}
|
|
125
|
-
]
|
|
126
|
-
}
|
|
127
107
|
end
|
|
128
108
|
```
|
|
129
109
|
|
|
@@ -72,10 +72,13 @@ module SecureHeaders
|
|
|
72
72
|
BLOCK_ALL_MIXED_CONTENT = :block_all_mixed_content
|
|
73
73
|
MANIFEST_SRC = :manifest_src
|
|
74
74
|
UPGRADE_INSECURE_REQUESTS = :upgrade_insecure_requests
|
|
75
|
+
WORKER_SRC = :worker_src
|
|
76
|
+
|
|
75
77
|
DIRECTIVES_3_0 = [
|
|
76
78
|
DIRECTIVES_2_0,
|
|
77
79
|
BLOCK_ALL_MIXED_CONTENT,
|
|
78
80
|
MANIFEST_SRC,
|
|
81
|
+
WORKER_SRC,
|
|
79
82
|
UPGRADE_INSECURE_REQUESTS
|
|
80
83
|
].flatten.freeze
|
|
81
84
|
|
|
@@ -86,6 +89,7 @@ module SecureHeaders
|
|
|
86
89
|
FIREFOX_UNSUPPORTED_DIRECTIVES = [
|
|
87
90
|
BLOCK_ALL_MIXED_CONTENT,
|
|
88
91
|
CHILD_SRC,
|
|
92
|
+
WORKER_SRC,
|
|
89
93
|
PLUGIN_TYPES
|
|
90
94
|
].freeze
|
|
91
95
|
|
|
@@ -95,6 +99,7 @@ module SecureHeaders
|
|
|
95
99
|
|
|
96
100
|
FIREFOX_46_UNSUPPORTED_DIRECTIVES = [
|
|
97
101
|
BLOCK_ALL_MIXED_CONTENT,
|
|
102
|
+
WORKER_SRC,
|
|
98
103
|
PLUGIN_TYPES
|
|
99
104
|
].freeze
|
|
100
105
|
|
|
@@ -148,6 +153,7 @@ module SecureHeaders
|
|
|
148
153
|
SANDBOX => :sandbox_list,
|
|
149
154
|
SCRIPT_SRC => :source_list,
|
|
150
155
|
STYLE_SRC => :source_list,
|
|
156
|
+
WORKER_SRC => :source_list,
|
|
151
157
|
UPGRADE_INSECURE_REQUESTS => :boolean
|
|
152
158
|
}.freeze
|
|
153
159
|
|
data/secure_headers.gemspec
CHANGED
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
Gem::Specification.new do |gem|
|
|
4
4
|
gem.name = "secure_headers"
|
|
5
|
-
gem.version = "4.0.
|
|
5
|
+
gem.version = "4.0.1"
|
|
6
6
|
gem.authors = ["Neil Matatall"]
|
|
7
7
|
gem.email = ["neil.matatall@gmail.com"]
|
|
8
8
|
gem.description = "Manages application of security headers with many safe defaults."
|
|
@@ -143,12 +143,12 @@ module SecureHeaders
|
|
|
143
143
|
|
|
144
144
|
it "does not filter any directives for Chrome" do
|
|
145
145
|
policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:chrome])
|
|
146
|
-
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
146
|
+
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; worker-src worker-src.com; report-uri report-uri.com")
|
|
147
147
|
end
|
|
148
148
|
|
|
149
149
|
it "does not filter any directives for Opera" do
|
|
150
150
|
policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:opera])
|
|
151
|
-
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
151
|
+
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; worker-src worker-src.com; report-uri report-uri.com")
|
|
152
152
|
end
|
|
153
153
|
|
|
154
154
|
it "filters blocked-all-mixed-content, child-src, and plugin-types for firefox" do
|
data/upgrading-to-4-0.md
CHANGED
|
@@ -4,18 +4,18 @@ The most likely change to break your app is the new cookie defaults. This is the
|
|
|
4
4
|
|
|
5
5
|
## All cookies default to secure/httponly/SameSite=Lax
|
|
6
6
|
|
|
7
|
-
By default, *all* cookies will be marked as `SameSite=lax`,`secure`, and `httponly`. To opt-out, supply `OPT_OUT` as the value for `SecureHeaders.cookies` or the individual configs. Setting these values to `false` will raise an error.
|
|
7
|
+
By default, *all* cookies will be marked as `SameSite=lax`,`secure`, and `httponly`. To opt-out, supply `SecureHeaders::OPT_OUT` as the value for `SecureHeaders.cookies` or the individual configs. Setting these values to `false` will raise an error.
|
|
8
8
|
|
|
9
9
|
```ruby
|
|
10
10
|
# specific opt outs
|
|
11
11
|
config.cookies = {
|
|
12
|
-
secure: OPT_OUT,
|
|
13
|
-
httponly: OPT_OUT,
|
|
14
|
-
samesite: OPT_OUT,
|
|
12
|
+
secure: SecureHeaders::OPT_OUT,
|
|
13
|
+
httponly: SecureHeaders::OPT_OUT,
|
|
14
|
+
samesite: SecureHeaders::OPT_OUT,
|
|
15
15
|
}
|
|
16
16
|
|
|
17
17
|
# nuclear option, just make things work again
|
|
18
|
-
config.cookies = OPT_OUT
|
|
18
|
+
config.cookies = SecureHeaders::OPT_OUT
|
|
19
19
|
```
|
|
20
20
|
|
|
21
21
|
## script_src must be set
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.0.
|
|
4
|
+
version: 4.0.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-
|
|
11
|
+
date: 2017-10-03 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|