RubyGems - secure_headers - Versions diffs - 6.1.0 → 6.1.1 - Mend

secure_headers 6.1.0 → 6.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of secure_headers might be problematic. Click here for more details.

Files changed (9) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +6 -0
data/lib/secure_headers/headers/content_security_policy.rb +2 -1
data/lib/secure_headers/headers/content_security_policy_config.rb +1 -0
data/lib/secure_headers/headers/policy_management.rb +2 -1
data/lib/secure_headers/version.rb +3 -1
data/secure_headers.gemspec +2 -2
data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +5 -0
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 26a6b47b87ec772f94c264ef318bf4c20997b3a541898f80110a1bd26a471753
-  data.tar.gz: 73e40f805bafe030a82cbe37cdf499acea6c2613cce3c25964db89a9fde2f172
+  metadata.gz: 7de332e0980c748038f72b7775399f65556521cf37b4392665fdd11a5192df3b
+  data.tar.gz: a6bea34afe4962462f0a263fd7728fa659ec65c15f8cfbca94c4639bc6452d67
 SHA512:
-  metadata.gz: ed3eb3ba011292b668fd786a22a2c9d93a20067e4391881eafc555f978a7ae3c5da33741f82c908b7cfe4c66cb837f9fc1b2f7360be788d320dab0694fdaeb66
-  data.tar.gz: df5800647d9dc5462d51529461d85374831bdc1fe0755949d4ec9764f69810c7e5456be1095f25d4b34bb2ec2c3c0773243d2ce4ebaf4c11bace6ea035201947
+  metadata.gz: 1fcad5939d9cb914adf56965624b4620b9b7146fc0d5cc5ca9a1741f257c6884bd16c940805ac260e7cb3c7752411caae94b84c2bf8f7730d21c35ce3fa5702d
+  data.tar.gz: 505e0e2907f8eb9f452c3ae6d14a32bf224de7a2f73de41e8903679f586e4cc4e0fed7a6e6c240a7822cb04050ef30165f552363bc63edda6d258743341f3054

data/CHANGELOG.md CHANGED Viewed

@@ -1,7 +1,13 @@
+## 6.1.1
+Adds the ability to disable the automatically-appended `'unsafe-inline'` value when nonces are used #404 (@will)
 ## 6.1
 Adds support for navigate-to, prefetch-src, and require-sri-for #395
+NOTE: this version is a breaking change due to the removal of HPKP. Remove the HPKP config, the standard is dead. Apologies for not doing a proper deprecate/major rev cycle :pray:
 ## 6.0
 - See the [upgrading to 6.0](docs/upgrading-to-6-0.md) guide for the breaking changes.

data/lib/secure_headers/headers/content_security_policy.rb CHANGED Viewed

@@ -179,7 +179,8 @@ module SecureHeaders
     # unsafe-inline, this is more concise.
     def append_nonce(source_list, nonce)
       if nonce
-        source_list.push("'nonce-#{nonce}'", UNSAFE_INLINE)
+        source_list.push("'nonce-#{nonce}'")
+        source_list.push(UNSAFE_INLINE) unless @config[:disable_nonce_backwards_compatibility]
       end
       source_list

data/lib/secure_headers/headers/content_security_policy_config.rb CHANGED Viewed

@@ -42,6 +42,7 @@ module SecureHeaders
       @style_src = nil
       @worker_src = nil
       @upgrade_insecure_requests = nil
+      @disable_nonce_backwards_compatibility = nil
       from_hash(hash)
     end

data/lib/secure_headers/headers/policy_management.rb CHANGED Viewed

@@ -153,7 +153,8 @@ module SecureHeaders
     META_CONFIGS = [
       :report_only,
-      :preserve_schemes
+      :preserve_schemes,
+      :disable_nonce_backwards_compatibility
     ].freeze
     NONCES = [

data/lib/secure_headers/version.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module SecureHeaders
-  VERSION = "6.1.0"
+  VERSION = "6.1.1"
 end

data/secure_headers.gemspec CHANGED Viewed

@@ -1,9 +1,9 @@
+# frozen_string_literal: true
 lib = File.expand_path("../lib", __FILE__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require "secure_headers/version"
-# -*- encoding: utf-8 -*-
-# frozen_string_literal: true
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
   gem.version       = SecureHeaders::VERSION

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb CHANGED Viewed

@@ -145,6 +145,11 @@ module SecureHeaders
         csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456})
         expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456' 'unsafe-inline'")
       end
+      it "supports strict-dynamic and opting out of the appended 'unsafe-inline'" do
+        csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456, disable_nonce_backwards_compatibility: true })
+        expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456'")
+      end
     end
   end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 6.1.0
+  version: 6.1.1
 platform: ruby
 authors:
 - Neil Matatall
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-02-23 00:00:00.000000000 Z
+date: 2019-06-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake