secure_headers 6.1.0 → 6.1.1





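--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 26a6b47b87ec772f94c264ef318bf4c20997b3a541898f80110a1bd26a471753
- data.tar.gz: 73e40f805bafe030a82cbe37cdf499acea6c2613cce3c25964db89a9fde2f172
+ metadata.gz: 7de332e0980c748038f72b7775399f65556521cf37b4392665fdd11a5192df3b
+ data.tar.gz: a6bea34afe4962462f0a263fd7728fa659ec65c15f8cfbca94c4639bc6452d67
  SHA512:
- metadata.gz: ed3eb3ba011292b668fd786a22a2c9d93a20067e4391881eafc555f978a7ae3c5da33741f82c908b7cfe4c66cb837f9fc1b2f7360be788d320dab0694fdaeb66
- data.tar.gz: df5800647d9dc5462d51529461d85374831bdc1fe0755949d4ec9764f69810c7e5456be1095f25d4b34bb2ec2c3c0773243d2ce4ebaf4c11bace6ea035201947
+ metadata.gz: 1fcad5939d9cb914adf56965624b4620b9b7146fc0d5cc5ca9a1741f257c6884bd16c940805ac260e7cb3c7752411caae94b84c2bf8f7730d21c35ce3fa5702d
+ data.tar.gz: 505e0e2907f8eb9f452c3ae6d14a32bf224de7a2f73de41e8903679f586e4cc4e0fed7a6e6c240a7822cb04050ef30165f552363bc63edda6d258743341f3054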
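--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,7 +1,13 @@
+ ## 6.1.1
+
+ Adds the ability to disable the automatically-appended `'unsafe-inline'` value when nonces are used #404 (@will)
+
  ## 6.1
 
  Adds support for navigate-to, prefetch-src, and require-sri-for #395
 
+ NOTE: this version is a breaking change due to the removal of HPKP. Remove the HPKP config, the standard is dead. Apologies for not doing a proper deprecate/major rev cycle :pray:
+
  ## 6.0
 
  - See the [upgrading to 6.0](docs/upgrading-to-6-0.md) guide for the breaking changes.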
@@ -179,7 +179,8 @@ module SecureHeaders
179
179
  # unsafe-inline, this is more concise.
180
180
  def append_nonce(source_list, nonce)
181
181
  if nonce
182
- source_list.push("'nonce-#{nonce}'", UNSAFE_INLINE)
182
+ source_list.push("'nonce-#{nonce}'")
183
+ source_list.push(UNSAFE_INLINE) unless @config[:disable_nonce_backwards_compatibility]
183
184
  end
184
185
 
185
186
  source_list
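Review bot: The security trade-off of the new option lives entirely in `source_list.push(UNSAFE_INLINE) unless @config[:disable_nonce_backwards_compatibility]`, and nothing in this hunk, the initializer hunk (`@disable_nonce_backwards_compatibility = nil`) or the `META_CONFIGS` hunk explains it; the comment above `append_nonce` (it begins before the hunk) only says the nonce form is "more concise". I would extend that method comment to state that `'unsafe-inline'` is kept by default as a fallback for user agents that do not understand nonces, that nonce-aware user agents ignore `'unsafe-inline'` once a nonce is present in the same directive, and that setting `disable_nonce_backwards_compatibility` drops the fallback so inline scripts without a nonce are blocked everywhere. It is also worth stating that the option is read from `@config` rather than passed per call, so it presumably applies to every nonce-bearing directive this method builds; the method's closing `end` is outside the hunk.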
@@ -42,6 +42,7 @@ module SecureHeaders
42
42
  @style_src = nil
43
43
  @worker_src = nil
44
44
  @upgrade_insecure_requests = nil
45
+ @disable_nonce_backwards_compatibility = nil
45
46
 
46
47
  from_hash(hash)
47
48
  end
@@ -153,7 +153,8 @@ module SecureHeaders
153
153
 
154
154
  META_CONFIGS = [
155
155
  :report_only,
156
- :preserve_schemes
156
+ :preserve_schemes,
157
+ :disable_nonce_backwards_compatibility
157
158
  ].freeze
158
159
 
159
160
  NONCES = [
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  module SecureHeaders
2
- VERSION = "6.1.0"
4
+ VERSION = "6.1.1"
3
5
  end
@@ -1,9 +1,9 @@
1
+ # frozen_string_literal: true
2
+
1
3
  lib = File.expand_path("../lib", __FILE__)
2
4
  $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
3
5
  require "secure_headers/version"
4
6
 
5
- # -*- encoding: utf-8 -*-
6
- # frozen_string_literal: true
7
7
  Gem::Specification.new do |gem|
8
8
  gem.name = "secure_headers"
9
9
  gem.version = SecureHeaders::VERSION
@@ -145,6 +145,11 @@ module SecureHeaders
145
145
  csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456})
146
146
  expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456' 'unsafe-inline'")
147
147
  end
148
+
149
+ it "supports strict-dynamic and opting out of the appended 'unsafe-inline'" do
150
+ csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456, disable_nonce_backwards_compatibility: true })
151
+ expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456'")
152
+ end
148
153
  end
149
154
  end
150
155
  end
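Review bot: The new example pins the opt-out only for `script_nonce` combined with `'strict-dynamic'`; nothing checks that an explicit `disable_nonce_backwards_compatibility: false` still appends `'unsafe-inline'` like the default at the preceding example, and nothing covers the other nonce directive(s) the `NONCES` list in the config hunk implies (I assume `style_nonce` goes through the same `append_nonce` path — confirm). As a style point, `disable_nonce_backwards_compatibility: true }` carries a space before `}` that the sibling example on the previous hash literal does not. The enclosing `describe` blocks begin before the hunk. Two additional examples along these lines would close the gap (the style-src expectation assumes the nonce is appended after the listed sources, as it is for script-src above):
```ruby
it "keeps the appended 'unsafe-inline' when the opt-out is explicitly false" do
  csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456, disable_nonce_backwards_compatibility: false})
  expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456' 'unsafe-inline'")
end

it "supports opting out of the appended 'unsafe-inline' for style nonces" do
  csp = ContentSecurityPolicy.new({default_src: %w('self'), style_src: %w('self'), style_nonce: 123456, disable_nonce_backwards_compatibility: true})
  expect(csp.value).to eq("default-src 'self'; style-src 'self' 'nonce-123456'")
end
```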
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.1.0
4
+ version: 6.1.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Neil Matatall
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2019-02-23 00:00:00.000000000 Z
11
+ date: 2019-06-26 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake