secure_headers 6.0.0.alpha01 → 6.0.0.alpha02
- checksums.yaml +4 -4
- data/CHANGELOG.md +2 -2
- data/README.md +2 -2
- data/docs/upgrading-to-6-0.md +4 -0
- data/lib/secure_headers/view_helper.rb +9 -8
- data/secure_headers.gemspec +1 -1
- data/spec/lib/secure_headers/view_helpers_spec.rb +28 -0
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: b9072ed41af027bbc9628b2e58751bf765c6af1a
|
4
|
+
data.tar.gz: e5344d4ea5226225629bd7449ebcba94c15a27d8
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 920786c9cc2df0f8dfc2bae3911fa2ca99207e4d61605e7c1c942d76d678b0e0f83240263694adc1d556057120f17e2b73bd96bf260465a4222c768ab124ef5c
|
7
|
+
data.tar.gz: cb185bf133a9ea8c7e1cd50b6ae1d718e1455402c5f165224f04cefadfb6028136129f2261cf47ae404bddd08c6bf7fa08420be5a1056eb2d00fb06fd3227b23
|
data/CHANGELOG.md
CHANGED
@@ -1,10 +1,10 @@
|
|
1
1
|
## 6.0
|
2
2
|
|
3
3
|
- See the [upgrading to 6.0](docs/upgrading-to-6-0.md) guide for the breaking changes.
|
4
|
-
|
4
|
+
|
5
5
|
## 5.0.5
|
6
6
|
|
7
|
-
A release to deprecate `SecureHeaders::Configuration#get` in prep for 6.x
|
7
|
+
- A release to deprecate `SecureHeaders::Configuration#get` in prep for 6.x
|
8
8
|
|
9
9
|
## 5.0.4
|
10
10
|
|
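Review bot: the `## 6.0` entry still carries nothing but the link to the upgrade guide, while this release introduces a user-visible helper change (the `content_security_policy_nonce` view helper is renamed to `_content_security_policy_nonce`, with the old name kept as an alias, per the view_helper.rb hunks further down). Add a bullet under `## 6.0` along the lines of `- View helper content_security_policy_nonce renamed to _content_security_policy_nonce to avoid clashing with the Rails 5.2 helper of the same name`, so readers of the changelog rather than the upgrade doc see it. Turning the 5.0.5 line into a `-` bullet is fine and matches the 6.0 entry.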
data/README.md
CHANGED
@@ -1,6 +1,6 @@
|
|
1
1
|
# Secure Headers [![Build Status](https://travis-ci.org/twitter/secureheaders.svg?branch=master)](http://travis-ci.org/twitter/secureheaders) [![Code Climate](https://codeclimate.com/github/twitter/secureheaders.svg)](https://codeclimate.com/github/twitter/secureheaders) [![Coverage Status](https://coveralls.io/repos/twitter/secureheaders/badge.svg)](https://coveralls.io/r/twitter/secureheaders)
|
2
2
|
|
3
|
-
**master represents
|
3
|
+
**master represents 6.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md), [upgrading to 5.x doc](docs/upgrading-to-5-0.md), or [upgrading to 6.x doc](docs/upgrading-to-6-0.md) for instructions on how to upgrade. Bug fixes should go in the 5.x branch for now.
|
4
4
|
|
5
5
|
**The [3.x](https://github.com/twitter/secureheaders/tree/2.x) branch is moving into maintenance mode**. See the [upgrading to 3.x doc](docs/upgrading-to-3-0.md) for instructions on how to upgrade including the differences and benefits of using the 3.x branch.
|
6
6
|
|
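Review bot: the context line directly below the rewritten paragraph reads `**The [3.x](https://github.com/twitter/secureheaders/tree/2.x) branch is moving into maintenance mode**` and points at `upgrading-to-3-0.md`, so the link text says 3.x while the URL targets `tree/2.x`. Since this part of the README is being rewritten for the 6.x line anyway, fix the branch URL (or the label, if 2.x is what is meant) in the same change, otherwise the first README link a maintenance-branch user follows lands on the wrong branch.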
@@ -77,7 +77,7 @@ SecureHeaders::Configuration.default do |config|
|
|
77
77
|
preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
|
78
78
|
|
79
79
|
# directive values: these values will directly translate into source directives
|
80
|
-
default_src: %w(
|
80
|
+
default_src: %w('none'),
|
81
81
|
base_uri: %w('self'),
|
82
82
|
block_all_mixed_content: true, # see http://www.w3.org/TR/mixed-content/
|
83
83
|
child_src: %w('self'), # if child-src isn't supported, the value for frame-src will be set.
|
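Review bot: the example now opens with `default_src: %w('none')`, which is the right choice for a sample policy, but the only explanation nearby is `# directive values: these values will directly translate into source directives`, and nothing warns that with `'none'` as the fallback every fetch directive the application actually relies on (img-src, font-src, connect-src, and so on) must be listed explicitly or the browser blocks those resources, while form-action and frame-ancestors never inherit from default-src at all. A one-line comment on the `default_src` line, e.g. `# 'none': anything not covered by a directive below is blocked`, would spare readers who copy this block into a real app the blocked-resource surprise.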
data/docs/upgrading-to-6-0.md
CHANGED
@@ -35,6 +35,10 @@ These classes are typically not directly instantiated by users of SecureHeaders.
|
|
35
35
|
|
36
36
|
This method is not typically directly called by users of SecureHeaders. Given that named overrides are no longer statically stored, fetching them no longer makes sense.
|
37
37
|
|
38
|
+
## `content_security_policy_nonce` has been renamed
|
39
|
+
|
40
|
+
While tag helpers such as `nonced_javascript_tag` and `nonced_style_tag`, the value for the nonce was available via `content_security_policy_nonce`. Rails 5.2 has implemented a method with the same name but clashes with the number of arguments. It has been renamed to`_content_security_policy_nonce` and will likely be removed in future versions.
|
41
|
+
|
38
42
|
## Configuration headers are no longer cached
|
39
43
|
|
40
44
|
Prior to 6.0.0 SecureHeaders pre-built and cached the headers that corresponded to the default configuration. The same was also done for named overrides. However, now that named overrides are applied dynamically, those can no longer be cached. As a result, caching has been removed in the name of simplicity. Some micro-benchmarks indicate this shouldn't be a performance problem and will help to eliminate a class of bugs entirely.
|
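Review bot: the new section says the helper has been renamed, but the view_helper.rb hunk further down adds `alias_method :content_security_policy_nonce, :_content_security_policy_nonce`, so the gem still defines the old name and it can still collide with the Rails 5.2 helper; the doc should state that the old name remains as a deprecated alias, that the gem's own tag helpers no longer call it, and that application views should use `content_security_policy_script_nonce` / `content_security_policy_style_nonce` (or `_content_security_policy_nonce(:script)`) instead. Wording fixes in the same paragraph: `While tag helpers such as ... the value for the nonce was available via` has lost its verb (read: `When using tag helpers such as ..., the nonce value was available via`), `but clashes with the number of arguments` should say that the Rails method takes no argument whereas this one takes the `type` symbol, and a space is missing between `to` and `_content_security_policy_nonce`.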
@@ -19,7 +19,7 @@ module SecureHeaders
|
|
19
19
|
#
|
20
20
|
# Returns an html-safe link tag with the nonce attribute.
|
21
21
|
def nonced_stylesheet_link_tag(*args, &block)
|
22
|
-
opts = extract_options(args).merge(nonce:
|
22
|
+
opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:style))
|
23
23
|
|
24
24
|
stylesheet_link_tag(*args, opts, &block)
|
25
25
|
end
|
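Review bot: this one-line swap to `_content_security_policy_nonce(:style)` is repeated in the next three hunks with a hand-typed `:style` or `:script` symbol (`nonced_stylesheet_link_tag`, `nonced_javascript_include_tag`, `nonced_javascript_pack_tag`, `nonced_stylesheet_pack_tag`). Having these four call the zero-arity wrappers `content_security_policy_style_nonce` / `content_security_policy_script_nonce` defined further down would pick the symbol in one place per type, so a transposed symbol could not quietly request the nonce for the wrong directive; when that happens the tag's nonce never reaches the directive that governs it and the browser blocks the tag.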
@@ -37,7 +37,7 @@ module SecureHeaders
|
|
37
37
|
#
|
38
38
|
# Returns an html-safe script tag with the nonce attribute.
|
39
39
|
def nonced_javascript_include_tag(*args, &block)
|
40
|
-
opts = extract_options(args).merge(nonce:
|
40
|
+
opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:script))
|
41
41
|
|
42
42
|
javascript_include_tag(*args, opts, &block)
|
43
43
|
end
|
@@ -47,7 +47,7 @@ module SecureHeaders
|
|
47
47
|
#
|
48
48
|
# Returns an html-safe script tag with the nonce attribute.
|
49
49
|
def nonced_javascript_pack_tag(*args, &block)
|
50
|
-
opts = extract_options(args).merge(nonce:
|
50
|
+
opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:script))
|
51
51
|
|
52
52
|
javascript_pack_tag(*args, opts, &block)
|
53
53
|
end
|
@@ -57,7 +57,7 @@ module SecureHeaders
|
|
57
57
|
#
|
58
58
|
# Returns an html-safe link tag with the nonce attribute.
|
59
59
|
def nonced_stylesheet_pack_tag(*args, &block)
|
60
|
-
opts = extract_options(args).merge(nonce:
|
60
|
+
opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:style))
|
61
61
|
|
62
62
|
stylesheet_pack_tag(*args, opts, &block)
|
63
63
|
end
|
@@ -66,7 +66,7 @@ module SecureHeaders
|
|
66
66
|
# Instructs secure_headers to append a nonce to style/script-src directives.
|
67
67
|
#
|
68
68
|
# Returns a non-html-safe nonce value.
|
69
|
-
def
|
69
|
+
def _content_security_policy_nonce(type)
|
70
70
|
case type
|
71
71
|
when :script
|
72
72
|
SecureHeaders.content_security_policy_script_nonce(@_request)
|
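Review bot: the `case type` opened here handles only `:script` and, in the next hunk, `:style`, with no `else` before its `end`, so a mistyped or string-valued `type` falls through and the method returns nil; the caller then renders a tag without a nonce attribute, the browser blocks it under CSP, and nothing in the logs points at the cause. Add `else raise ArgumentError, "unknown nonce type #{type.inspect}"` so the mistake fails at render time instead. Now that the method is reachable under two names, the comment above it (`# Returns a non-html-safe nonce value.`) should also say which values `type` accepts.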
@@ -74,13 +74,14 @@ module SecureHeaders
|
|
74
74
|
SecureHeaders.content_security_policy_style_nonce(@_request)
|
75
75
|
end
|
76
76
|
end
|
77
|
+
alias_method :content_security_policy_nonce, :_content_security_policy_nonce
|
77
78
|
|
78
79
|
def content_security_policy_script_nonce
|
79
|
-
|
80
|
+
_content_security_policy_nonce(:script)
|
80
81
|
end
|
81
82
|
|
82
83
|
def content_security_policy_style_nonce
|
83
|
-
|
84
|
+
_content_security_policy_nonce(:style)
|
84
85
|
end
|
85
86
|
|
86
87
|
##
|
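Review bot: `alias_method :content_security_policy_nonce, :_content_security_policy_nonce` keeps a one-argument method under exactly the name Rails 5.2 defines with zero arguments, so the collision the rename is meant to remove still exists for application code: whichever definition sits later in the view's ancestor chain wins, and callers of the other one get an `ArgumentError`. The new spec only shows that the gem's own helpers no longer depend on the name. Since 6.0 is already a breaking release (see the CHANGELOG hunk), either drop the alias, or keep it but have it emit a deprecation warning pointing at `content_security_policy_script_nonce` / `content_security_policy_style_nonce`, which this hunk now routes through `_content_security_policy_nonce` and are the names safe to recommend.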
@@ -152,7 +153,7 @@ module SecureHeaders
|
|
152
153
|
else
|
153
154
|
content_or_options.html_safe # :'(
|
154
155
|
end
|
155
|
-
content_tag type, content, options.merge(nonce:
|
156
|
+
content_tag type, content, options.merge(nonce: _content_security_policy_nonce(type))
|
156
157
|
end
|
157
158
|
|
158
159
|
def extract_options(args)
|
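Review bot: `options.merge(nonce: _content_security_policy_nonce(type))` forwards the tag `type` unchanged as the nonce type, so this helper only works while the tag type symbols are exactly `:script` and `:style`; a comment or guard is warranted, because `_content_security_policy_nonce` returns nil for anything else and `content_tag` drops a nil attribute, leaving a nonce-less tag that CSP blocks. The `merge` also overrides any `nonce:` a caller passed in `options`, which is the right behaviour for a helper whose job is to emit the per-request nonce, but a short comment saying so saves the next reader from wondering whether `reverse_merge` was intended.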
data/secure_headers.gemspec
CHANGED
@@ -2,7 +2,7 @@
|
|
2
2
|
# frozen_string_literal: true
|
3
3
|
Gem::Specification.new do |gem|
|
4
4
|
gem.name = "secure_headers"
|
5
|
-
gem.version = "6.0.0.
|
5
|
+
gem.version = "6.0.0.alpha02"
|
6
6
|
gem.authors = ["Neil Matatall"]
|
7
7
|
gem.email = ["neil.matatall@gmail.com"]
|
8
8
|
gem.description = "Manages application of security headers with many safe defaults."
|
@@ -97,6 +97,12 @@ TEMPLATE
|
|
97
97
|
end
|
98
98
|
end
|
99
99
|
|
100
|
+
class MessageWithConflictingMethod < Message
|
101
|
+
def content_security_policy_nonce
|
102
|
+
"rails-nonce"
|
103
|
+
end
|
104
|
+
end
|
105
|
+
|
100
106
|
module SecureHeaders
|
101
107
|
describe ViewHelpers do
|
102
108
|
let(:app) { lambda { |env| [200, env, "app"] } }
|
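Review bot: `MessageWithConflictingMethod` stands in for the Rails 5.2 `content_security_policy_nonce` helper (zero arity, returning `"rails-nonce"`), but nothing in the class says so; a one-line comment above `class MessageWithConflictingMethod < Message` naming what it simulates will stop it being pruned as dead code later. Because the method is defined directly on the template subclass it always shadows whatever the view helper module provides, so this fixture covers the case where the app's method wins, not the case where the gem's alias wins and Rails' zero-argument callers break.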
@@ -159,5 +165,27 @@ module SecureHeaders
|
|
159
165
|
expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/style-src[^;]*'#{Regexp.escape(expected_style_hash)}'/)
|
160
166
|
end
|
161
167
|
end
|
168
|
+
|
169
|
+
it "avoids calling content_security_policy_nonce internally" do
|
170
|
+
begin
|
171
|
+
allow(SecureRandom).to receive(:base64).and_return("abc123")
|
172
|
+
|
173
|
+
expected_hash = "sha256-3/URElR9+3lvLIouavYD/vhoICSNKilh15CzI/nKqg8="
|
174
|
+
Configuration.instance_variable_set(:@script_hashes, filename => ["'#{expected_hash}'"])
|
175
|
+
expected_style_hash = "sha256-7oYK96jHg36D6BM042er4OfBnyUDTG3pH1L8Zso3aGc="
|
176
|
+
Configuration.instance_variable_set(:@style_hashes, filename => ["'#{expected_style_hash}'"])
|
177
|
+
|
178
|
+
# render erb that calls out to helpers.
|
179
|
+
MessageWithConflictingMethod.new(request).result
|
180
|
+
_, env = middleware.call request.env
|
181
|
+
|
182
|
+
expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/script-src[^;]*'#{Regexp.escape(expected_hash)}'/)
|
183
|
+
expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/script-src[^;]*'nonce-abc123'/)
|
184
|
+
expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/style-src[^;]*'nonce-abc123'/)
|
185
|
+
expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/style-src[^;]*'#{Regexp.escape(expected_style_hash)}'/)
|
186
|
+
|
187
|
+
expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).not_to match(/rails-nonce/)
|
188
|
+
end
|
189
|
+
end
|
162
190
|
end
|
163
191
|
end
|
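Review bot: `allow(SecureRandom).to receive(:base64).and_return("abc123")` gives the script and style paths the same nonce, and the rendered output of `MessageWithConflictingMethod.new(request).result` is discarded, so the `'nonce-abc123'` assertions on `script-src` and `style-src` would still pass if one of the tag helpers asked for the wrong type in `_content_security_policy_nonce(:style)` / `(:script)`, which is exactly the slip this refactor makes possible. A template that calls a single helper and asserts the nonce lands only in the matching directive (`not_to match` on the other one) would pin that down. Separately, the `begin` at the top of the example has no `rescue` or `ensure`, yet the example mutates global state via `Configuration.instance_variable_set(:@script_hashes, ...)` and `(:@style_hashes, ...)`; either drop the bare `begin`/`end` or give it an `ensure` that resets those ivars so they do not leak into later examples.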
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: secure_headers
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 6.0.0.
|
4
|
+
version: 6.0.0.alpha02
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Neil Matatall
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2018-
|
11
|
+
date: 2018-03-26 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rake
|
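Review bot: `cert_chain: []` in the context lines means this release, like the previous alpha, ships unsigned, so the SHA1/SHA512 values in checksums.yaml are the only integrity record and nothing ties them to the maintainer; for a gem whose purpose is security headers it is worth signing releases (`gem cert` plus `gem.cert_chain` and `gem.signing_key` in the gemspec) so consumers can install with `gem install -P HighSecurity`. The version and date bumps themselves look right and match the gemspec hunk.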