secure_headers 6.1.1 → 6.1.2
- checksums.yaml +4 -4
- data/.ruby-version +1 -1
- data/.travis.yml +3 -3
- data/CHANGELOG.md +4 -0
- data/Gemfile +2 -2
- data/README.md +2 -1
- data/docs/cookies.md +3 -2
- data/docs/named_overrides_and_appends.md +0 -5
- data/lib/secure_headers/headers/cookie.rb +7 -1
- data/lib/secure_headers/utils/cookies_config.rb +6 -4
- data/lib/secure_headers/version.rb +1 -1
- data/spec/lib/secure_headers/headers/cookie_spec.rb +22 -25
- metadata +3 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 5656a8f0d18034c233413d98058f641e71161f35e2ce73052fb93e219b7ba270
|
4
|
+
data.tar.gz: b4b9bf8b7aa33386090ba4f965ea215a1512132192c407e45c0595af6649488c
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 9c17adff27589d67d7c4d873600cac3eaa267ea91d8c12621493f0e58121ab71af6a5c0e4b6e9eb3fa23c624918577dd23c436746dd9426c430c31bcb3a78745
|
7
|
+
data.tar.gz: 3db4059a3798a985707575abfe50b8a6d16ecb0b3962d7ed1c52473098150979448c147109ea504533ef2737df47dd141753908200c566d31b95917c73151ab9
|
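--- a/data/.ruby-version
+++ b/data/.ruby-version
@@ -1 +1 @@
-2.6.
+2.6.5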
data/.travis.yml
CHANGED
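--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 6.1.2
+
+Adds the ability to specify `SameSite=none` with the same configurability as `Strict`/`Lax` in order to disable Chrome's soon-to-be-lax-by-default state.
+
 ## 6.1.1
 
 Adds the ability to disable the automatically-appended `'unsafe-inline'` value when nonces are used #404 (@will)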
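--- a/data/Gemfile
+++ b/data/Gemfile
@@ -9,7 +9,7 @@ group :test do
 gem "pry-nav"
 gem "rack"
 gem "rspec"
-gem "rubocop"
+gem "rubocop", "< 0.68"
 gem "rubocop-github"
 gem "term-ansicolor"
 gem "tins"
@@ -17,7 +17,7 @@ end
 
 group :guard do
 gem "growl"
-gem "guard-rspec", platforms: [:
+gem "guard-rspec", platforms: [:ruby]
 gem "rb-fsevent"
 gem "terminal-notifier-guard"
 end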
data/README.md
CHANGED
@@ -1,4 +1,4 @@
|
|
1
|
-
# Secure Headers [](http://travis-ci.org/twitter/secure_headers) [](https://codeclimate.com/github/twitter/secureheaders) [](https://coveralls.io/r/twitter/secureheaders)
|
2
2
|
|
3
3
|
**master represents 6.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md), [upgrading to 5.x doc](docs/upgrading-to-5-0.md), or [upgrading to 6.x doc](docs/upgrading-to-6-0.md) for instructions on how to upgrade. Bug fixes should go in the 5.x branch for now.
|
4
4
|
|
@@ -57,6 +57,7 @@ SecureHeaders::Configuration.default do |config|
|
|
57
57
|
config.csp = {
|
58
58
|
# "meta" values. these will shape the header, but the values are not included in the header.
|
59
59
|
preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
|
60
|
+
disable_nonce_backwards_compatibility: true, # default: false. If false, `unsafe-inline` will be added automatically when using nonces. If true, it won't. See #403 for why you'd want this.
|
60
61
|
|
61
62
|
# directive values: these values will directly translate into source directives
|
62
63
|
default_src: %w('none'),
|
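--- a/data/docs/cookies.md
+++ b/data/docs/cookies.md
@@ -52,13 +52,14 @@ config.cookies = {
 }
 ```
 
-`Strict` and `
+`Strict`, `Lax`, and `None` enforcement modes can also be specified using a Hash.
 
 ```ruby
 config.cookies = {
 samesite: {
 strict: { only: ['_rails_session'] },
-lax: { only: ['_guest'] }
+lax: { only: ['_guest'] },
+none: { only: ['_tracking'] },
 }
 }
 ```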
@@ -76,11 +76,6 @@ class ApplicationController < ActionController::Base
|
|
76
76
|
SecureHeaders::Configuration.override(:script_from_otherdomain_com) do |config|
|
77
77
|
config.csp[:script_src] << "otherdomain.com"
|
78
78
|
end
|
79
|
-
|
80
|
-
# overrides the :script_from_otherdomain_com configuration
|
81
|
-
SecureHeaders::Configuration.override(:another_config, :script_from_otherdomain_com) do |config|
|
82
|
-
config.csp[:script_src] << "evenanotherdomain.com"
|
83
|
-
end
|
84
79
|
end
|
85
80
|
|
86
81
|
class MyController < ApplicationController
|
@@ -94,12 +94,14 @@ module SecureHeaders
|
|
94
94
|
"SameSite=Lax"
|
95
95
|
elsif flag_samesite_strict?
|
96
96
|
"SameSite=Strict"
|
97
|
+
elsif flag_samesite_none?
|
98
|
+
"SameSite=None"
|
97
99
|
end
|
98
100
|
end
|
99
101
|
|
100
102
|
def flag_samesite?
|
101
103
|
return false if config == OPT_OUT || config[:samesite] == OPT_OUT
|
102
|
-
flag_samesite_lax? || flag_samesite_strict?
|
104
|
+
flag_samesite_lax? || flag_samesite_strict? || flag_samesite_none?
|
103
105
|
end
|
104
106
|
|
105
107
|
def flag_samesite_lax?
|
@@ -110,6 +112,10 @@ module SecureHeaders
|
|
110
112
|
flag_samesite_enforcement?(:strict)
|
111
113
|
end
|
112
114
|
|
115
|
+
def flag_samesite_none?
|
116
|
+
flag_samesite_enforcement?(:none)
|
117
|
+
end
|
118
|
+
|
113
119
|
def flag_samesite_enforcement?(mode)
|
114
120
|
return unless config[:samesite]
|
115
121
|
|
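Review bot: The new `elsif flag_samesite_none?` branch in the first hunk (new lines 97–98) emits `SameSite=None` without regard to the cookie's `secure` setting, yet Chromium-based browsers drop a `SameSite=None` cookie that is not also marked `Secure`, so a `none` configuration paired with `secure: OPT_OUT` (exactly what the new spec examples construct) produces a header the browser silently discards. Consider rejecting that combination during config validation, e.g. `raise CookiesConfigError.new("samesite none requires the cookie to be Secure") if config[:samesite].is_a?(Hash) && config[:samesite].key?(:none) && config[:secure] == OPT_OUT`, or at minimum documenting the requirement in docs/cookies.md next to the new `none:` example. The `config[:secure]` key is inferred from the spec's `secure:` option rather than visible in this hunk, so confirm the name against the existing `secure` handling. The method holding the `elsif` chain begins outside the hunk; the new `flag_samesite_none?` predicate in the second hunk mirrors `flag_samesite_lax?`/`flag_samesite_strict?` and needs no change.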
@@ -43,10 +43,12 @@ module SecureHeaders
|
|
43
43
|
|
44
44
|
# when configuring with booleans, only one enforcement is permitted
|
45
45
|
def validate_samesite_boolean_config!
|
46
|
-
if config[:samesite].key?(:lax) && config[:samesite][:lax].is_a?(TrueClass) && config[:samesite].key?(:strict)
|
47
|
-
raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax
|
48
|
-
elsif config[:samesite].key?(:strict) && config[:samesite][:strict].is_a?(TrueClass) && config[:samesite].key?(:lax)
|
49
|
-
raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax
|
46
|
+
if config[:samesite].key?(:lax) && config[:samesite][:lax].is_a?(TrueClass) && (config[:samesite].key?(:strict) || config[:samesite].key?(:none))
|
47
|
+
raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax with strict or no enforcement is not permitted.")
|
48
|
+
elsif config[:samesite].key?(:strict) && config[:samesite][:strict].is_a?(TrueClass) && (config[:samesite].key?(:lax) || config[:samesite].key?(:none))
|
49
|
+
raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure strict with lax or no enforcement is not permitted.")
|
50
|
+
elsif config[:samesite].key?(:none) && config[:samesite][:none].is_a?(TrueClass) && (config[:samesite].key?(:lax) || config[:samesite].key?(:strict))
|
51
|
+
raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure no enforcement with lax or strict is not permitted.")
|
50
52
|
end
|
51
53
|
end
|
52
54
|
|
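Review bot: The three `if`/`elsif` arms of `validate_samesite_boolean_config!` are the same check instantiated for `lax`, `strict` and `none`, and adding `none` has doubled the surface for a typo in one arm (the three error messages already drift: "no enforcement" is used for the `none` mode in the first two but not the third). A loop over the mode list keeps the pairwise rule in one place and derives the message from the mode names; the raised class and the first-match order are preserved, only the message wording changes.
```ruby
      # when configuring with booleans, only one enforcement is permitted
      def validate_samesite_boolean_config!
        modes = %i(lax strict none)
        modes.each do |mode|
          next unless config[:samesite].key?(mode) && config[:samesite][mode].is_a?(TrueClass)

          others = modes - [mode]
          next unless others.any? { |other| config[:samesite].key?(other) }

          raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure #{mode} with #{others.join(' or ')} is not permitted.")
        end
      end
```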
@@ -68,29 +68,21 @@ module SecureHeaders
|
|
68
68
|
end
|
69
69
|
|
70
70
|
context "SameSite cookies" do
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
it "flags SameSite=Lax when configured with a boolean" do
|
77
|
-
cookie = Cookie.new(raw_cookie, samesite: { lax: true}, secure: OPT_OUT, httponly: OPT_OUT)
|
78
|
-
expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Lax")
|
79
|
-
end
|
80
|
-
|
81
|
-
it "does not flag cookies as SameSite=Lax when excluded" do
|
82
|
-
cookie = Cookie.new(raw_cookie, samesite: { lax: { except: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
|
83
|
-
expect(cookie.to_s).to eq("_session=thisisatest")
|
84
|
-
end
|
71
|
+
%w(None Lax Strict).each do |flag|
|
72
|
+
it "flags SameSite=#{flag}" do
|
73
|
+
cookie = Cookie.new(raw_cookie, samesite: { flag.downcase.to_sym => { only: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
|
74
|
+
expect(cookie.to_s).to eq("_session=thisisatest; SameSite=#{flag}")
|
75
|
+
end
|
85
76
|
|
86
|
-
|
87
|
-
|
88
|
-
|
89
|
-
|
77
|
+
it "flags SameSite=#{flag} when configured with a boolean" do
|
78
|
+
cookie = Cookie.new(raw_cookie, samesite: { flag.downcase.to_sym => true}, secure: OPT_OUT, httponly: OPT_OUT)
|
79
|
+
expect(cookie.to_s).to eq("_session=thisisatest; SameSite=#{flag}")
|
80
|
+
end
|
90
81
|
|
91
|
-
|
92
|
-
|
93
|
-
|
82
|
+
it "does not flag cookies as SameSite=#{flag} when excluded" do
|
83
|
+
cookie = Cookie.new(raw_cookie, samesite: { flag.downcase.to_sym => { except: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
|
84
|
+
expect(cookie.to_s).to eq("_session=thisisatest")
|
85
|
+
end
|
94
86
|
end
|
95
87
|
|
96
88
|
it "flags SameSite=Strict when configured with a boolean" do
|
@@ -149,10 +141,15 @@ module SecureHeaders
|
|
149
141
|
end.to raise_error(CookiesConfigError)
|
150
142
|
end
|
151
143
|
|
152
|
-
|
153
|
-
|
154
|
-
|
155
|
-
|
144
|
+
cookie_options = %i(none lax strict)
|
145
|
+
cookie_options.each do |flag|
|
146
|
+
(cookie_options - [flag]).each do |other_flag|
|
147
|
+
it "raises an exception when SameSite #{flag} and #{other_flag} enforcement modes are configured with booleans" do
|
148
|
+
expect do
|
149
|
+
Cookie.validate_config!(samesite: { flag => true, other_flag => true})
|
150
|
+
end.to raise_error(CookiesConfigError)
|
151
|
+
end
|
152
|
+
end
|
156
153
|
end
|
157
154
|
|
158
155
|
it "raises an exception when SameSite lax and strict enforcement modes are configured with booleans" do
|
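Review bot: The `%w(None Lax Strict).each` loop in the first hunk now generates "flags SameSite=#{flag} when configured with a boolean" for every mode, so the standalone `it "flags SameSite=Strict when configured with a boolean"` retained as context right after it is a duplicate; likewise the nested `cookie_options` loop in the last hunk generates the lax/strict boolean-conflict example in both orders, making the retained `it "raises an exception when SameSite lax and strict enforcement modes are configured with booleans"` redundant. Dropping both keeps each assertion in exactly one place. Separately, the generated `None` examples pass `secure: OPT_OUT` and assert `"_session=thisisatest; SameSite=None"`, which pins a cookie that browsers reject without `Secure`; if validation is tightened to require `Secure` for `none`, these examples should instead expect a `CookiesConfigError`, and the passing case should set a secure configuration. `raw_cookie` and `OPT_OUT` come from outside the hunks.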
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: secure_headers
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 6.1.
|
4
|
+
version: 6.1.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Neil Matatall
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2020-01-08 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rake
|
@@ -115,7 +115,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
115
115
|
- !ruby/object:Gem::Version
|
116
116
|
version: '0'
|
117
117
|
requirements: []
|
118
|
-
rubygems_version: 3.0.
|
118
|
+
rubygems_version: 3.0.3
|
119
119
|
signing_key:
|
120
120
|
specification_version: 4
|
121
121
|
summary: Add easily configured security headers to responses including content-security-policy,
|