RubyGems - secure_headers - Versions diffs - 6.1.1 → 6.1.2 - Mend

secure_headers 6.1.1 → 6.1.2

Potentially problematic release.

This version of secure_headers might be problematic. Click here for more details.

Files changed (13) hide show

checksums.yaml +4 -4
data/.ruby-version +1 -1
data/.travis.yml +3 -3
data/CHANGELOG.md +4 -0
data/Gemfile +2 -2
data/README.md +2 -1
data/docs/cookies.md +3 -2
data/docs/named_overrides_and_appends.md +0 -5
data/lib/secure_headers/headers/cookie.rb +7 -1
data/lib/secure_headers/utils/cookies_config.rb +6 -4
data/lib/secure_headers/version.rb +1 -1
data/spec/lib/secure_headers/headers/cookie_spec.rb +22 -25
metadata +3 -3

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7de332e0980c748038f72b7775399f65556521cf37b4392665fdd11a5192df3b
-  data.tar.gz: a6bea34afe4962462f0a263fd7728fa659ec65c15f8cfbca94c4639bc6452d67
+  metadata.gz: 5656a8f0d18034c233413d98058f641e71161f35e2ce73052fb93e219b7ba270
+  data.tar.gz: b4b9bf8b7aa33386090ba4f965ea215a1512132192c407e45c0595af6649488c
 SHA512:
-  metadata.gz: 1fcad5939d9cb914adf56965624b4620b9b7146fc0d5cc5ca9a1741f257c6884bd16c940805ac260e7cb3c7752411caae94b84c2bf8f7730d21c35ce3fa5702d
-  data.tar.gz: 505e0e2907f8eb9f452c3ae6d14a32bf224de7a2f73de41e8903679f586e4cc4e0fed7a6e6c240a7822cb04050ef30165f552363bc63edda6d258743341f3054
+  metadata.gz: 9c17adff27589d67d7c4d873600cac3eaa267ea91d8c12621493f0e58121ab71af6a5c0e4b6e9eb3fa23c624918577dd23c436746dd9426c430c31bcb3a78745
+  data.tar.gz: 3db4059a3798a985707575abfe50b8a6d16ecb0b3962d7ed1c52473098150979448c147109ea504533ef2737df47dd141753908200c566d31b95917c73151ab9

data/.ruby-version CHANGED

	@@ -1 +1 @@
1	- 2.6.1
1	+ 2.6.5

data/.travis.yml CHANGED

@@ -2,9 +2,9 @@ language: ruby
 rvm:
   - ruby-head
-  - 2.6.1
-  - 2.5.0
-  - 2.4.3
+  - 2.5
+  - 2.6
+  - 2.7
   - jruby-head
 env:

data/CHANGELOG.md CHANGED

@@ -1,3 +1,7 @@
+## 6.1.2
+Adds the ability to specify `SameSite=none` with the same configurability as `Strict`/`Lax` in order to disable Chrome's soon-to-be-lax-by-default state.
 ## 6.1.1
 Adds the ability to disable the automatically-appended `'unsafe-inline'` value when nonces are used #404 (@will)

data/Gemfile CHANGED

@@ -9,7 +9,7 @@ group :test do
   gem "pry-nav"
   gem "rack"
   gem "rspec"
-  gem "rubocop"
+  gem "rubocop", "< 0.68"
   gem "rubocop-github"
   gem "term-ansicolor"
   gem "tins"
@@ -17,7 +17,7 @@ end
 group :guard do
   gem "growl"
-  gem "guard-rspec", platforms: [:ruby_19, :ruby_20, :ruby_21, :ruby_22, :ruby_23, :ruby_24]
+  gem "guard-rspec", platforms: [:ruby]
   gem "rb-fsevent"
   gem "terminal-notifier-guard"
 end

data/README.md CHANGED

@@ -1,4 +1,4 @@
-# Secure Headers [![Build Status](https://travis-ci.org/twitter/secureheaders.svg?branch=master)](http://travis-ci.org/twitter/secureheaders) [![Code Climate](https://codeclimate.com/github/twitter/secureheaders.svg)](https://codeclimate.com/github/twitter/secureheaders) [![Coverage Status](https://coveralls.io/repos/twitter/secureheaders/badge.svg)](https://coveralls.io/r/twitter/secureheaders)
+# Secure Headers [![Build Status](https://travis-ci.org/twitter/secure_headers.svg?branch=master)](http://travis-ci.org/twitter/secure_headers) [![Code Climate](https://codeclimate.com/github/twitter/secureheaders.svg)](https://codeclimate.com/github/twitter/secureheaders) [![Coverage Status](https://coveralls.io/repos/twitter/secureheaders/badge.svg)](https://coveralls.io/r/twitter/secureheaders)
 **master represents 6.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md), [upgrading to 5.x doc](docs/upgrading-to-5-0.md), or [upgrading to 6.x doc](docs/upgrading-to-6-0.md) for instructions on how to upgrade. Bug fixes should go in the 5.x branch for now.
@@ -57,6 +57,7 @@ SecureHeaders::Configuration.default do |config|
   config.csp = {
     # "meta" values. these will shape the header, but the values are not included in the header.
     preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
+    disable_nonce_backwards_compatibility: true, # default: false. If false, `unsafe-inline` will be added automatically when using nonces. If true, it won't. See #403 for why you'd want this.
     # directive values: these values will directly translate into source directives
     default_src: %w('none'),

data/docs/cookies.md CHANGED

@@ -52,13 +52,14 @@ config.cookies = {
 }
 ```
-`Strict` and `Lax` enforcement modes can also be specified using a Hash.
+`Strict`, `Lax`, and `None` enforcement modes can also be specified using a Hash.
 ```ruby
 config.cookies = {
   samesite: {
     strict: { only: ['_rails_session'] },
-    lax: { only: ['_guest'] }
+    lax: { only: ['_guest'] },
+    none: { only: ['_tracking'] },
   }
 }
 ```

data/docs/named_overrides_and_appends.md CHANGED

@@ -76,11 +76,6 @@ class ApplicationController < ActionController::Base
   SecureHeaders::Configuration.override(:script_from_otherdomain_com) do |config|
     config.csp[:script_src] << "otherdomain.com"
   end
-  # overrides the :script_from_otherdomain_com configuration
-  SecureHeaders::Configuration.override(:another_config, :script_from_otherdomain_com) do |config|
-    config.csp[:script_src] << "evenanotherdomain.com"
-  end
 end
 class MyController < ApplicationController

data/lib/secure_headers/headers/cookie.rb CHANGED

@@ -94,12 +94,14 @@ module SecureHeaders
         "SameSite=Lax"
       elsif flag_samesite_strict?
         "SameSite=Strict"
+      elsif flag_samesite_none?
+        "SameSite=None"
       end
     end
     def flag_samesite?
       return false if config == OPT_OUT || config[:samesite] == OPT_OUT
-      flag_samesite_lax? || flag_samesite_strict?
+      flag_samesite_lax? || flag_samesite_strict? || flag_samesite_none?
     end
     def flag_samesite_lax?
@@ -110,6 +112,10 @@ module SecureHeaders
       flag_samesite_enforcement?(:strict)
     end
+    def flag_samesite_none?
+      flag_samesite_enforcement?(:none)
+    end
     def flag_samesite_enforcement?(mode)
       return unless config[:samesite]

data/lib/secure_headers/utils/cookies_config.rb CHANGED

@@ -43,10 +43,12 @@ module SecureHeaders
     # when configuring with booleans, only one enforcement is permitted
     def validate_samesite_boolean_config!
-      if config[:samesite].key?(:lax) && config[:samesite][:lax].is_a?(TrueClass) && config[:samesite].key?(:strict)
-        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax and strict enforcement is not permitted.")
-      elsif config[:samesite].key?(:strict) && config[:samesite][:strict].is_a?(TrueClass) && config[:samesite].key?(:lax)
-        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax and strict enforcement is not permitted.")
+      if config[:samesite].key?(:lax) && config[:samesite][:lax].is_a?(TrueClass) && (config[:samesite].key?(:strict) || config[:samesite].key?(:none))
+        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax with strict or no enforcement is not permitted.")
+      elsif config[:samesite].key?(:strict) && config[:samesite][:strict].is_a?(TrueClass) && (config[:samesite].key?(:lax) || config[:samesite].key?(:none))
+        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure strict with lax or no enforcement is not permitted.")
+      elsif config[:samesite].key?(:none) && config[:samesite][:none].is_a?(TrueClass) && (config[:samesite].key?(:lax) || config[:samesite].key?(:strict))
+        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure no enforcement with lax or strict is not permitted.")
       end
     end

data/lib/secure_headers/version.rb CHANGED

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module SecureHeaders
-  VERSION = "6.1.1"
+  VERSION = "6.1.2"
 end

data/spec/lib/secure_headers/headers/cookie_spec.rb CHANGED

@@ -68,29 +68,21 @@ module SecureHeaders
     end
     context "SameSite cookies" do
-      it "flags SameSite=Lax" do
-        cookie = Cookie.new(raw_cookie, samesite: { lax: { only: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
-        expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Lax")
-      end
-      it "flags SameSite=Lax when configured with a boolean" do
-        cookie = Cookie.new(raw_cookie, samesite: { lax: true}, secure: OPT_OUT, httponly: OPT_OUT)
-        expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Lax")
-      end
-      it "does not flag cookies as SameSite=Lax when excluded" do
-        cookie = Cookie.new(raw_cookie, samesite: { lax: { except: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
-        expect(cookie.to_s).to eq("_session=thisisatest")
-      end
+      %w(None Lax Strict).each do |flag|
+        it "flags SameSite=#{flag}" do
+          cookie = Cookie.new(raw_cookie, samesite: { flag.downcase.to_sym => { only: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
+          expect(cookie.to_s).to eq("_session=thisisatest; SameSite=#{flag}")
+        end
-      it "flags SameSite=Strict" do
-        cookie = Cookie.new(raw_cookie, samesite: { strict: { only: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
-        expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Strict")
-      end
+        it "flags SameSite=#{flag} when configured with a boolean" do
+          cookie = Cookie.new(raw_cookie, samesite: { flag.downcase.to_sym => true}, secure: OPT_OUT, httponly: OPT_OUT)
+          expect(cookie.to_s).to eq("_session=thisisatest; SameSite=#{flag}")
+        end
-      it "does not flag cookies as SameSite=Strict when excluded" do
-        cookie = Cookie.new(raw_cookie, samesite: { strict: { except: ["_session"] }}, secure: OPT_OUT, httponly: OPT_OUT)
-        expect(cookie.to_s).to eq("_session=thisisatest")
+        it "does not flag cookies as SameSite=#{flag} when excluded" do
+          cookie = Cookie.new(raw_cookie, samesite: { flag.downcase.to_sym => { except: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
+          expect(cookie.to_s).to eq("_session=thisisatest")
+        end
       end
       it "flags SameSite=Strict when configured with a boolean" do
@@ -149,10 +141,15 @@ module SecureHeaders
       end.to raise_error(CookiesConfigError)
     end
-    it "raises an exception when SameSite lax and strict enforcement modes are configured with booleans" do
-      expect do
-        Cookie.validate_config!(samesite: { lax: true, strict: true})
-      end.to raise_error(CookiesConfigError)
+    cookie_options = %i(none lax strict)
+    cookie_options.each do |flag|
+      (cookie_options - [flag]).each do |other_flag|
+        it "raises an exception when SameSite #{flag} and #{other_flag} enforcement modes are configured with booleans" do
+          expect do
+            Cookie.validate_config!(samesite: { flag => true, other_flag => true})
+          end.to raise_error(CookiesConfigError)
+        end
+      end
     end
     it "raises an exception when SameSite lax and strict enforcement modes are configured with booleans" do

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 6.1.1
+  version: 6.1.2
 platform: ruby
 authors:
 - Neil Matatall
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-06-26 00:00:00.000000000 Z
+date: 2020-01-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -115,7 +115,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.1
+rubygems_version: 3.0.3
 signing_key:
 specification_version: 4
 summary: Add easily configured security headers to responses including content-security-policy,