secure_headers 5.0.1 → 5.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 36d743dc370dce07a032c6e5154eef9081e5d258
-  data.tar.gz: 89c7965e04093df147c7543f9b3cd4cc3e347e41
+  metadata.gz: e421f2b5968b737c264d985109c40f477a84c44c
+  data.tar.gz: 7839fcc26e1db7ddda587f063a6f2f0db052ffa2
 SHA512:
-  metadata.gz: 11985973764bd80715c68e232e977074f084557deea8b2b96962d5c74f79af81601df30d6dda3150d5b278c75ee7f45c95e93bac26d62265fd5dabd99a39e024
-  data.tar.gz: 9cf62ba5f6ebaad74cec79c2201faf1521aad2a65627d5a64c74c9ff668b535664c1c49b285578713ce2bc2472b704e6b972c51074d2574ff2ad574cf6b87870
+  metadata.gz: cd41e5df0da65b0f5304d58f73eec970315dd316598d7049fc59de87b16b97e281032c55df7b96490423e93bf24457e30b87196f2a000d127194a1c1878d4032
+  data.tar.gz: 4465312cd5cc22f2f74f77a4572c3585a9ecd1461ea2cfcbb3fd9dc1f506c06e22aff4efdd92b2eb8f90cd8c88b9eeacf34126c86444398f6d2ecfba04903e72

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 5.0.2
+
+- Updates `Referrer-Policy` header to support multiple policy values
+
 ## 5.0.1
 
 - Updates `Expect-CT` header to use a comma separator between directives, as specified in the most current spec.

data/README.md

@@ -18,7 +18,6 @@ The gem will automatically apply several headers that are related to security.
 - X-Download-Options - [Prevent file downloads opening](https://msdn.microsoft.com/library/jj542450(v=vs.85).aspx)
 - X-Permitted-Cross-Domain-Policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
 - Referrer-Policy - [Referrer Policy draft](https://w3c.github.io/webappsec-referrer-policy/)
-- Public Key Pinning - Pin certificate fingerprints in the browser to prevent man-in-the-middle attacks due to compromised Certificate Authorities. [Public Key Pinning Specification](https://tools.ietf.org/html/rfc7469)
 - Expect-CT - Only use certificates that are present in the certificate transparency logs. [Expect-CT draft specification](https://datatracker.ietf.org/doc/draft-stark-expect-ct/).
 - Clear-Site-Data - Clearing browser data for origin. [Clear-Site-Data specification](https://w3c.github.io/webappsec-clear-site-data/).
 
@@ -31,7 +30,6 @@ It can also mark all http cookies with the Secure, HttpOnly and SameSite attribu
 - [Named overrides and appends](docs/named_overrides_and_appends.md)
 - [Per action configuration](docs/per_action_configuration.md)
 - [Cookies](docs/cookies.md)
-- [HPKP](docs/HPKP.md)
 - [Hashes](docs/hashes.md)
 - [Sinatra Config](docs/sinatra.md)
 
@@ -67,13 +65,13 @@ SecureHeaders::Configuration.default do |config|
     }
   }
   # Add "; preload" and submit the site to hstspreload.org for best protection.
-  config.hsts = "max-age=#{20.years.to_i}"
+  config.hsts = "max-age=#{1.week.to_i}"
   config.x_frame_options = "DENY"
   config.x_content_type_options = "nosniff"
   config.x_xss_protection = "1; mode=block"
   config.x_download_options = "noopen"
   config.x_permitted_cross_domain_policies = "none"
-  config.referrer_policy = "origin-when-cross-origin"
+  config.referrer_policy = %w(origin-when-cross-origin strict-origin-when-cross-origin)
   config.csp = {
     # "meta" values. these will shape the header, but the values are not included in the header.
     preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.

data/lib/secure_headers/headers/referrer_policy.rb

@@ -22,14 +22,21 @@ module SecureHeaders
       # Returns a default header if no configuration is provided, or a
       # header name and value based on the config.
       def make_header(config = nil)
-        [HEADER_NAME, config || DEFAULT_VALUE]
+        config ||= DEFAULT_VALUE
+        [HEADER_NAME, Array(config).join(", ")]
       end
 
       def validate_config!(config)
-        return if config.nil? || config == OPT_OUT
-        raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
-        unless VALID_POLICIES.include?(config.downcase)
-          raise ReferrerPolicyConfigError.new("Value can only be one of #{VALID_POLICIES.join(', ')}")
+        case config
+        when nil, OPT_OUT
+          # valid
+        when String, Array
+          config = Array(config)
+          unless config.all? { |t| t.is_a?(String) && VALID_POLICIES.include?(t.downcase) }
+            raise ReferrerPolicyConfigError.new("Value can only be one or more of #{VALID_POLICIES.join(", ")}")
+          end
+        else
+          raise TypeError.new("Must be a string or array of strings. Found #{config.class}: #{config}")
         end
       end
     end

data/secure_headers.gemspec

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "5.0.1"
+  gem.version       = "5.0.2"
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
   gem.description   = "Manages application of security headers with many safe defaults."

data/spec/lib/secure_headers/headers/referrer_policy_spec.rb

@@ -5,6 +5,7 @@ module SecureHeaders
   describe ReferrerPolicy do
     specify { expect(ReferrerPolicy.make_header).to eq([ReferrerPolicy::HEADER_NAME, "origin-when-cross-origin"]) }
     specify { expect(ReferrerPolicy.make_header("no-referrer")).to eq([ReferrerPolicy::HEADER_NAME, "no-referrer"]) }
+    specify { expect(ReferrerPolicy.make_header(%w(origin-when-cross-origin strict-origin-when-cross-origin))).to eq([ReferrerPolicy::HEADER_NAME, "origin-when-cross-origin, strict-origin-when-cross-origin"]) }
 
     context "valid configuration values" do
       it "accepts 'no-referrer'" do
@@ -60,14 +61,31 @@ module SecureHeaders
           ReferrerPolicy.validate_config!(nil)
         end.not_to raise_error
       end
+
+      it "accepts array of policy values" do
+        expect do
+          ReferrerPolicy.validate_config!(
+            %w(
+              origin-when-cross-origin
+              strict-origin-when-cross-origin
+            )
+          )
+        end.not_to raise_error
+      end
     end
 
-    context "invlaid configuration values" do
+    context "invalid configuration values" do
       it "doesn't accept invalid values" do
         expect do
           ReferrerPolicy.validate_config!("open")
         end.to raise_error(ReferrerPolicyConfigError)
       end
+
+      it "doesn't accept invalid types" do
+        expect do
+          ReferrerPolicy.validate_config!({})
+        end.to raise_error(TypeError)
+      end
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 5.0.1
+  version: 5.0.2
 platform: ruby
 authors:
 - Neil Matatall
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-10-19 00:00:00.000000000 Z
+date: 2017-11-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -61,7 +61,6 @@ files:
 - LICENSE
 - README.md
 - Rakefile
-- docs/HPKP.md
 - docs/cookies.md
 - docs/hashes.md
 - docs/named_overrides_and_appends.md

data/docs/HPKP.md

@@ -1,17 +0,0 @@
-## HTTP Public Key Pins
-
-Be aware that pinning error reporting is governed by the same rules as everything else. If you have a pinning failure that tries to report back to the same origin, by definition this will not work.
-
-```ruby
-config.hpkp = {
-  max_age: 60.days.to_i,    # max_age is a required parameter
-  include_subdomains: true, # whether or not to apply pins to subdomains
-  # Per the spec, SHA256 hashes are the only currently supported format.
-  pins: [
-    {sha256: 'b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c'},
-    {sha256: '73a2c64f9545172c1195efb6616ca5f7afd1df6f245407cafb90de3998a1c97f'}
-  ],
-  report_only: true,        # defaults to false (report-only mode)
-  report_uri: 'https://report-uri.io/example-hpkp'
-}
-```