RubyGems - secure_headers - Versions diffs - 4.0.2 → 5.0.0.alpha01 - Mend

secure_headers 4.0.2 → 5.0.0.alpha01

Potentially problematic release.

This version of secure_headers might be problematic. Click here for more details.

Files changed (13) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +4 -4
data/README.md +4 -4
data/{upgrading-to-3-0.md → docs/upgrading-to-3-0.md} +0 -0
data/{upgrading-to-4-0.md → docs/upgrading-to-4-0.md} +1 -21
data/docs/upgrading-to-5-0.md +15 -0
data/lib/secure_headers/configuration.rb +1 -1
data/lib/secure_headers/headers/expect_certificate_transparency.rb +1 -1
data/lib/secure_headers/middleware.rb +1 -1
data/secure_headers.gemspec +2 -2
data/spec/lib/secure_headers/configuration_spec.rb +22 -0
data/spec/lib/secure_headers/headers/{expect_certificate_transparency_spec.rb → expect_certificate_spec.rb} +3 -3
metadata +10 -9

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: bf4c1585c657ad3812d124ed506030b900eb3778
-  data.tar.gz: afe30fa230c2e34ef8c9d253210e918dd8412f11
+  metadata.gz: 2e6ac6e6f7a69c5fef2f3a357feaff630fc394c0
+  data.tar.gz: 218e2ea09bc6a88370be9ad4930764cd94cc5f08
 SHA512:
-  metadata.gz: cc3230d801ffffbb1ddb892721b54aa54bba40c0785edaa399754f10d61e3870d385710ad722754dd604922807eb5fc8aece7abfc89a75c8f4f1c9dfb1467d04
-  data.tar.gz: 11736ff26de3b9a5ada127edc1a8e32c25a0f75269109de5d60d19dc5dc28932f2bdfc9a44c4f1c13f4a44eee4759bcc8dfe4e08a4a600bc78042767f139489b
+  metadata.gz: 0a2a38ec3dd215d754ea66cefeb96482fb0d2d35edf2fa13fbadd600a962b612b172b400425a7fb44304c200f9a79b7042893dfce82f48ea30734028773c205d
+  data.tar.gz: 5cff176050f3790236e65aec87c6f66e98adb473abcd608d3fe4eed0e587f1c7880dbc8c31735d2e3c39c766d8d4bf7a3b4df9e16673f66ab4970f4cb97e410a

data/CHANGELOG.md CHANGED Viewed

@@ -1,6 +1,6 @@
-## 4.0.2
+## 5.0.0
-- Updates `Expect-CT` header to use a comma separator between directives, as specified in the most current spec.
+Well this is a little embarassing. 4.0 was supposed to set the secure/httponly/samesite=lax attributes on cookies by default but it didn't. Now it does. - See the [upgrading to 5.0](docs/upgrading-to-5-0.md) guide.
 ## 4.0.1
@@ -8,7 +8,7 @@
 ## 4.0
-- See the [upgrading to 4.0](upgrading-to-4-0.md) guide. Lots of breaking changes.
+- See the [upgrading to 4.0](docs/upgrading-to-4-0.md) guide. Lots of breaking changes.
 ## 3.7.2
@@ -326,7 +326,7 @@ Adds `upgrade-insecure-requests` support for requests from Firefox and Chrome (a
 ## 3.0.0
-secure_headers 3.0.0 is a near-complete, not-entirely-backward-compatible rewrite. Please see the [upgrade guide](https://github.com/twitter/secureheaders/blob/master/upgrading-to-3-0.md) for an in-depth explanation of the changes and the suggested upgrade path.
+secure_headers 3.0.0 is a near-complete, not-entirely-backward-compatible rewrite. Please see the [upgrade guide](https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-3-0.md) for an in-depth explanation of the changes and the suggested upgrade path.
 ## 2.5.1 - 2016-02-16 18:11:11 UTC - Remove noisy deprecation warning

data/README.md CHANGED Viewed

@@ -1,8 +1,8 @@
 # Secure Headers [![Build Status](https://travis-ci.org/twitter/secureheaders.svg?branch=master)](http://travis-ci.org/twitter/secureheaders) [![Code Climate](https://codeclimate.com/github/twitter/secureheaders.svg)](https://codeclimate.com/github/twitter/secureheaders) [![Coverage Status](https://coveralls.io/repos/twitter/secureheaders/badge.svg)](https://coveralls.io/r/twitter/secureheaders)
-**master represents the unreleased 4.x line**. See the [upgrading to 4.x doc](upgrading-to-4-0.md) for instructions on how to upgrade. Bug fixes should go in the 3.x branch for now.
+**master represents 5.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md) and [upgrading to 5.x doc](docs/upgrading-to-5-0.md) for instructions on how to upgrade. Bug fixes should go in the 3.x branch for now.
-**The [3.x](https://github.com/twitter/secureheaders/tree/2.x) branch is moving into maintenance mode**. See the [upgrading to 3.x doc](upgrading-to-3-0.md) for instructions on how to upgrade including the differences and benefits of using the 3.x branch.
+**The [3.x](https://github.com/twitter/secureheaders/tree/2.x) branch is moving into maintenance mode**. See the [upgrading to 3.x doc](docs/upgrading-to-3-0.md) for instructions on how to upgrade including the differences and benefits of using the 3.x branch.
 **The [2.x branch](https://github.com/twitter/secureheaders/tree/2.x) will be not be maintained once 4.x is released**. The documentation below only applies to the 3.x branch. See the 2.x [README](https://github.com/twitter/secureheaders/blob/2.x/README.md) for the old way of doing things.
@@ -22,7 +22,7 @@ The gem will automatically apply several headers that are related to security.
 - Expect-CT - Only use certificates that are present in the certificate transparency logs. [Expect-CT draft specification](https://datatracker.ietf.org/doc/draft-stark-expect-ct/).
 - Clear-Site-Data - Clearing browser data for origin. [Clear-Site-Data specification](https://w3c.github.io/webappsec-clear-site-data/).
-It can also mark all http cookies with the Secure, HttpOnly and SameSite attributes (when configured to do so).
+It can also mark all http cookies with the Secure, HttpOnly and SameSite attributes. This is on default but can be turned off by using `config.cookies = SecureHeaders::OPT_OUT`.
 `secure_headers` is a library with a global config, per request overrides, and rack middleware that enables you customize your application settings.
@@ -55,7 +55,7 @@ If you do not supply a `default` configuration, exceptions will be raised. If yo
 All `nil` values will fallback to their default values. `SecureHeaders::OPT_OUT` will disable the header entirely.
-**Word of caution:**  The following is not a default configuration per se. It serves as a sample implementation of the configuration. You should read more about these headers and determine what is appropriate for your requirements.
+**Word of caution:**  The following is not a default configuration per se. It serves as a sample implementation of the configuration. You should read more about these headers and determine what is appropriate for your requirements.
 ```ruby
 SecureHeaders::Configuration.default do |config|

data/{upgrading-to-3-0.md → docs/upgrading-to-3-0.md} RENAMED Viewed

File without changes

data/{upgrading-to-4-0.md → docs/upgrading-to-4-0.md} RENAMED Viewed

@@ -1,26 +1,6 @@
-### Breaking Changes
-The most likely change to break your app is the new cookie defaults. This is the first place to check. If you're using the default CSP, your policy will change but your app should not break. This should not break brand new projects using secure_headers either.
-## All cookies default to secure/httponly/SameSite=Lax
-By default, *all* cookies will be marked as `SameSite=lax`,`secure`, and `httponly`. To opt-out, supply `SecureHeaders::OPT_OUT` as the value for `SecureHeaders.cookies` or the individual configs. Setting these values to `false` will raise an error.
-```ruby
-# specific opt outs
-config.cookies = {
-  secure: SecureHeaders::OPT_OUT,
-  httponly: SecureHeaders::OPT_OUT,
-  samesite: SecureHeaders::OPT_OUT,
-}
-# nuclear option, just make things work again
-config.cookies = SecureHeaders::OPT_OUT
-```
 ## script_src must be set
-Not setting a `script_src` value means your policy falls back to whatever `default_src` (also required) is set to. This can be very dangerous and indicates the policy is too loose.
+Not setting a `script_src` value means your policy falls back to whatever `default_src` (also required) is set to. This can be very dangerous and indicates the policy is too loose.
 However, sometimes you really don't need a `script-src` e.g. API responses (`default-src 'none'`) so you can set `script_src: SecureHeaders::OPT_OUT` to work around this.

data/docs/upgrading-to-5-0.md ADDED Viewed

@@ -0,0 +1,15 @@
+## All cookies default to secure/httponly/SameSite=Lax
+By default, *all* cookies will be marked as `SameSite=lax`,`secure`, and `httponly`. To opt-out, supply `SecureHeaders::OPT_OUT` as the value for `SecureHeaders.cookies` or the individual configs. Setting these values to `false` will raise an error.
+```ruby
+# specific opt outs
+config.cookies = {
+  secure: SecureHeaders::OPT_OUT,
+  httponly: SecureHeaders::OPT_OUT,
+  samesite: SecureHeaders::OPT_OUT,
+}
+# nuclear option, just make things work again
+config.cookies = SecureHeaders::OPT_OUT
+```

data/lib/secure_headers/configuration.rb CHANGED Viewed

@@ -132,7 +132,7 @@ module SecureHeaders
     end
     def initialize(&block)
-      @cookies = nil
+      @cookies = self.class.send(:deep_copy_if_hash, Cookie::COOKIE_DEFAULTS)
       @clear_site_data = nil
       @csp = nil
       @csp_report_only = nil

data/lib/secure_headers/headers/expect_certificate_transparency.rb CHANGED Viewed

@@ -49,7 +49,7 @@ module SecureHeaders
         enforced_directive,
         max_age_directive,
         report_uri_directive
-      ].compact.join(", ").strip
+      ].compact.join("; ").strip
     end
     def enforced_directive

data/lib/secure_headers/middleware.rb CHANGED Viewed

@@ -17,7 +17,7 @@ module SecureHeaders
         Kernel.warn(HPKP_SAME_HOST_WARNING)
       end
-      flag_cookies!(headers, override_secure(env, config.cookies)) if config.cookies
+      flag_cookies!(headers, override_secure(env, config.cookies)) unless config.cookies == OPT_OUT
       headers.merge!(SecureHeaders.header_hash_for(req))
       [status, headers, response]
     end

data/secure_headers.gemspec CHANGED Viewed

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "4.0.2"
+  gem.version       = "5.0.0.alpha01"
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
   gem.description   = "Manages application of security headers with many safe defaults."
@@ -22,7 +22,7 @@ Gem::Specification.new do |gem|
   gem.post_install_message = <<-POST_INSTALL
 **********
-:wave: secure_headers 4.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/upgrading-to-4-0.md
+:wave: secure_headers 5.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-4-0.md https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-4-0.md
 **********
   POST_INSTALL

data/spec/lib/secure_headers/configuration_spec.rb CHANGED Viewed

@@ -91,5 +91,27 @@ module SecureHeaders
         end
       }.to raise_error(ArgumentError)
     end
+    it "gives cookies a default config" do
+      expect(Configuration.default.cookies).to eq({httponly: true, secure: true, samesite: {lax: true}})
+    end
+    it "allows OPT_OUT" do
+      Configuration.default do |config|
+        config.cookies = OPT_OUT
+      end
+      config = Configuration.get
+      expect(config.cookies).to eq(OPT_OUT)
+    end
+    it "allows me to be explicit too" do
+      Configuration.default do |config|
+        config.cookies = {httponly: true, secure: true, samesite: {lax: false}}
+      end
+      config = Configuration.get
+      expect(config.cookies).to eq({httponly: true, secure: true, samesite: {lax: false}})
+    end
   end
 end

data/spec/lib/secure_headers/headers/{expect_certificate_transparency_spec.rb → expect_certificate_spec.rb} RENAMED Viewed

@@ -3,13 +3,13 @@ require "spec_helper"
 module SecureHeaders
   describe ExpectCertificateTransparency do
-    specify { expect(ExpectCertificateTransparency.new(max_age: 1234, enforce: true).value).to eq("enforce, max-age=1234") }
+    specify { expect(ExpectCertificateTransparency.new(max_age: 1234, enforce: true).value).to eq("enforce; max-age=1234") }
     specify { expect(ExpectCertificateTransparency.new(max_age: 1234, enforce: false).value).to eq("max-age=1234") }
     specify { expect(ExpectCertificateTransparency.new(max_age: 1234, enforce: "yolocopter").value).to eq("max-age=1234") }
-    specify { expect(ExpectCertificateTransparency.new(max_age: 1234, report_uri: "https://report-uri.io/expect-ct").value).to eq("max-age=1234, report-uri=\"https://report-uri.io/expect-ct\"") }
+    specify { expect(ExpectCertificateTransparency.new(max_age: 1234, report_uri: "https://report-uri.io/expect-ct").value).to eq("max-age=1234; report-uri=\"https://report-uri.io/expect-ct\"") }
     specify do
       config = { enforce: true, max_age: 1234, report_uri: "https://report-uri.io/expect-ct" }
-      header_value = "enforce, max-age=1234, report-uri=\"https://report-uri.io/expect-ct\""
+      header_value = "enforce; max-age=1234; report-uri=\"https://report-uri.io/expect-ct\""
       expect(ExpectCertificateTransparency.new(config).value).to eq(header_value)
     end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 4.0.2
+  version: 5.0.0.alpha01
 platform: ruby
 authors:
 - Neil Matatall
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-10-19 00:00:00.000000000 Z
+date: 2017-10-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -67,6 +67,9 @@ files:
 - docs/named_overrides_and_appends.md
 - docs/per_action_configuration.md
 - docs/sinatra.md
+- docs/upgrading-to-3-0.md
+- docs/upgrading-to-4-0.md
+- docs/upgrading-to-5-0.md
 - lib/secure_headers.rb
 - lib/secure_headers/configuration.rb
 - lib/secure_headers/hash_helper.rb
@@ -94,7 +97,7 @@ files:
 - spec/lib/secure_headers/headers/clear_site_data_spec.rb
 - spec/lib/secure_headers/headers/content_security_policy_spec.rb
 - spec/lib/secure_headers/headers/cookie_spec.rb
-- spec/lib/secure_headers/headers/expect_certificate_transparency_spec.rb
+- spec/lib/secure_headers/headers/expect_certificate_spec.rb
 - spec/lib/secure_headers/headers/policy_management_spec.rb
 - spec/lib/secure_headers/headers/public_key_pins_spec.rb
 - spec/lib/secure_headers/headers/referrer_policy_spec.rb
@@ -108,8 +111,6 @@ files:
 - spec/lib/secure_headers/view_helpers_spec.rb
 - spec/lib/secure_headers_spec.rb
 - spec/spec_helper.rb
-- upgrading-to-3-0.md
-- upgrading-to-4-0.md
 homepage: https://github.com/twitter/secureheaders
 licenses:
 - Apache Public License 2.0
@@ -117,7 +118,7 @@ metadata: {}
 post_install_message: |2+
   **********
-  :wave: secure_headers 4.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/upgrading-to-4-0.md
+  :wave: secure_headers 5.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-4-0.md https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-4-0.md
   **********
 rdoc_options: []
@@ -130,9 +131,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project:
 rubygems_version: 2.6.11
@@ -145,7 +146,7 @@ test_files:
 - spec/lib/secure_headers/headers/clear_site_data_spec.rb
 - spec/lib/secure_headers/headers/content_security_policy_spec.rb
 - spec/lib/secure_headers/headers/cookie_spec.rb
-- spec/lib/secure_headers/headers/expect_certificate_transparency_spec.rb
+- spec/lib/secure_headers/headers/expect_certificate_spec.rb
 - spec/lib/secure_headers/headers/policy_management_spec.rb
 - spec/lib/secure_headers/headers/public_key_pins_spec.rb
 - spec/lib/secure_headers/headers/referrer_policy_spec.rb