secure_headers 6.3.1 → 6.3.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7b136a1c21b128826c37c798c9e20db99b1d5a5c035001ed8289692ed8f0096f
-  data.tar.gz: d93c60ba6357a9cd8f64c16b53c9f2843753101e1669fb1bbaea56e549d89466
+  metadata.gz: 5e68ad14ceec22ceeeabe2f49b47ad9325f43585cbb688f9f6ffe9c9f3536abc
+  data.tar.gz: ffab69d446b3935d4cf01ad21c660d8035ab8ecd4343d682841510509bb8b714
 SHA512:
-  metadata.gz: 13083c3da3a4f68d445be6012a1fa6e37c052e6ac6bdc457d379d725383142c8698f91c2d1a6fc75f13bfad52298e291131e9828bb6f6a1fc6b8cba9bc3d5892
-  data.tar.gz: 92214a6b589ba640e504e58f07b051351a7eea7bce87701730101a68a29045fe81c90d79600f00a36ee7bf3e4c5c7c4071ad74b01bab5e40c53751858bc198d7
+  metadata.gz: 02a79d8c96fd8d64eba216bd8785ae2deee7dceb7ef388f65e100f1597ed1f3005ecbeb069e823beef5fcdf89a6998ea296d954e3d80de0ba61456a13445b6e3
+  data.tar.gz: 645a0f3aac96761574b57e4464b08c83cbf6839fc4a0503e54dedd768aebdb503a080ee368753add3ab0c2a3eeb31bd4f866f0e39ed7691c17587ad7125299eb

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 6.3.2
+
+Add support for style-src-attr, style-src-elem, script-src-attr, and script-src-elem directives (@ggalmazor)
+
 ## 6.3.1
 
 Fixes deprecation warnings when running under ruby 2.7

data/README.md

@@ -75,7 +75,11 @@ SecureHeaders::Configuration.default do |config|
     sandbox: true, # true and [] will set a maximally restrictive setting
     plugin_types: %w(application/x-shockwave-flash),
     script_src: %w('self'),
+    script_src_elem: %w('self'),
+    script_src_attr: %w('self'),
     style_src: %w('unsafe-inline'),
+    style_src_elem: %w('unsafe-inline'),
+    style_src_attr: %w('unsafe-inline'),
     worker_src: %w('self'),
     upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
     report_uri: %w(https://report-uri.io/example-csp)
@@ -165,7 +169,6 @@ If you've made a contribution and see your name missing from the list, make a PR
 * Rack [rack-secure_headers](https://github.com/frodsan/rack-secure_headers)
 * Node.js (express) [helmet](https://github.com/helmetjs/helmet) and [hood](https://github.com/seanmonstar/hood)
 * Node.js (hapi) [blankie](https://github.com/nlf/blankie)
-* J2EE Servlet >= 3.0 [headlines](https://github.com/sourceclear/headlines)
 * ASP.NET - [NWebsec](https://github.com/NWebsec/NWebsec/wiki)
 * Python - [django-csp](https://github.com/mozilla/django-csp) + [commonware](https://github.com/jsocol/commonware/); [django-security](https://github.com/sdelements/django-security)
 * Go - [secureheader](https://github.com/kr/secureheader)

data/docs/upgrading-to-6-0.md

@@ -29,7 +29,7 @@ Prior to 6.0.0, the response would NOT include a `X-Frame-Options` header since
 
 ## `ContentSecurityPolicyConfig#merge` and `ContentSecurityPolicyReportOnlyConfig#merge` work more like `Hash#merge`
 
-These classes are typically not directly instantiated by users of SecureHeaders. But, if you access `config.csp` you end up accessing one of these objects. Prior to 6.0.0, `#merge` worked more like `#append` in that it would combine policies (i.e. if both policies contained the same key the values would be combined rather than overwritten). This was not consistent with `#merge!`, which worked more like ruby's `Hash#merge!` (overwriting duplicate keys). As of 6.0.0, `#merge` works the same as `#merge!`, but returns a new object instead of mutating `self`.
+These classes are typically not directly instantiated by users of SecureHeaders. But, if you access `config.csp` you end up accessing one of these objects. Prior to 6.0.0, `#merge` worked more like `#append` in that it would combine policies (i.e. if both policies contained the same key the values would be combined rather than overwritten). This was not consistent with `#merge!`, which worked more like Ruby's `Hash#merge!` (overwriting duplicate keys). As of 6.0.0, `#merge` works the same as `#merge!`, but returns a new object instead of mutating `self`.
 
 ## `Configuration#get` has been removed
 
@@ -39,7 +39,7 @@ This method is not typically directly called by users of SecureHeaders. Given th
 
 Prior to 6.0.0 SecureHeaders pre-built and cached the headers that corresponded to the default configuration. The same was also done for named overrides. However, now that named overrides are applied dynamically, those can no longer be cached. As a result, caching has been removed in the name of simplicity. Some micro-benchmarks indicate this shouldn't be a performance problem and will help to eliminate a class of bugs entirely.
 
-## Configuration the default configuration more than once will result in an Exception
+## Calling the default configuration more than once will result in an Exception
 
 Prior to 6.0.0 you could conceivably, though unlikely, have `Configure#default` called more than once. Because configurations are dynamic, configuring more than once could result in unexpected behavior. So, as of 6.0.0 we raise `AlreadyConfiguredError` if the default configuration is setup more than once.
 
@@ -47,4 +47,4 @@ Prior to 6.0.0 you could conceivably, though unlikely, have `Configure#default`
 
 The policy configured is the policy that is delivered in terms of which directives are sent. We still dedup, strip schemes, and look for other optimizations but we will not e.g. conditionally send `frame-src` / `child-src` or apply `nonce`s / `unsafe-inline`.
 
-The primary reason for these per-browser customization was to reduce console warnings. This has lead to many bugs and results inc confusing behavior. Also, console logs are incredibly noisy today and increasingly warn you about perfectly valid things (like sending `X-Frame-Options` and `frame-ancestors` together).
+The primary reason for these per-browser customization was to reduce console warnings. This has lead to many bugs and results in confusing behavior. Also, console logs are incredibly noisy today and increasingly warn you about perfectly valid things (like sending `X-Frame-Options` and `frame-ancestors` together).

data/lib/secure_headers/headers/content_security_policy_config.rb

@@ -38,8 +38,12 @@ module SecureHeaders
       @sandbox = nil
       @script_nonce = nil
       @script_src = nil
+      @script_src_elem = nil
+      @script_src_attr = nil
       @style_nonce = nil
       @style_src = nil
+      @style_src_elem = nil
+      @style_src_attr = nil
       @worker_src = nil
       @upgrade_insecure_requests = nil
       @disable_nonce_backwards_compatibility = nil

data/lib/secure_headers/headers/policy_management.rb

@@ -78,6 +78,10 @@ module SecureHeaders
     REQUIRE_SRI_FOR = :require_sri_for
     UPGRADE_INSECURE_REQUESTS = :upgrade_insecure_requests
     WORKER_SRC = :worker_src
+    SCRIPT_SRC_ELEM = :script_src_elem
+    SCRIPT_SRC_ATTR = :script_src_attr
+    STYLE_SRC_ELEM = :style_src_elem
+    STYLE_SRC_ATTR = :style_src_attr
 
     DIRECTIVES_3_0 = [
       DIRECTIVES_2_0,
@@ -87,7 +91,11 @@ module SecureHeaders
       PREFETCH_SRC,
       REQUIRE_SRI_FOR,
       WORKER_SRC,
-      UPGRADE_INSECURE_REQUESTS
+      UPGRADE_INSECURE_REQUESTS,
+      SCRIPT_SRC_ELEM,
+      SCRIPT_SRC_ATTR,
+      STYLE_SRC_ELEM,
+      STYLE_SRC_ATTR
     ].flatten.freeze
 
     ALL_DIRECTIVES = (DIRECTIVES_1_0 + DIRECTIVES_2_0 + DIRECTIVES_3_0).uniq.sort
@@ -117,7 +125,11 @@ module SecureHeaders
       PREFETCH_SRC              => :source_list,
       SANDBOX                   => :sandbox_list,
       SCRIPT_SRC                => :source_list,
+      SCRIPT_SRC_ELEM           => :source_list,
+      SCRIPT_SRC_ATTR           => :source_list,
       STYLE_SRC                 => :source_list,
+      STYLE_SRC_ELEM            => :source_list,
+      STYLE_SRC_ATTR            => :source_list,
       WORKER_SRC                => :source_list,
       UPGRADE_INSECURE_REQUESTS => :boolean,
     }.freeze

data/lib/secure_headers/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module SecureHeaders
-  VERSION = "6.3.1"
+  VERSION = "6.3.2"
 end

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -160,6 +160,26 @@ module SecureHeaders
         csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456, disable_nonce_backwards_compatibility: true })
         expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456'")
       end
+
+      it "supports script-src-elem directive" do
+        csp = ContentSecurityPolicy.new({script_src: %w('self'), script_src_elem: %w('self')})
+        expect(csp.value).to eq("script-src 'self'; script-src-elem 'self'")
+      end
+
+      it "supports script-src-attr directive" do
+        csp = ContentSecurityPolicy.new({script_src: %w('self'), script_src_attr: %w('self')})
+        expect(csp.value).to eq("script-src 'self'; script-src-attr 'self'")
+      end
+
+      it "supports style-src-elem directive" do
+        csp = ContentSecurityPolicy.new({style_src: %w('self'), style_src_elem: %w('self')})
+        expect(csp.value).to eq("style-src 'self'; style-src-elem 'self'")
+      end
+
+      it "supports style-src-attr directive" do
+        csp = ContentSecurityPolicy.new({style_src: %w('self'), style_src_attr: %w('self')})
+        expect(csp.value).to eq("style-src 'self'; style-src-attr 'self'")
+      end
     end
   end
 end

data/spec/lib/secure_headers/headers/policy_management_spec.rb

@@ -49,6 +49,10 @@ module SecureHeaders
           style_src: %w('unsafe-inline'),
           upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
           worker_src: %w(worker.com),
+          script_src_elem: %w(example.com),
+          script_src_attr: %w(example.com),
+          style_src_elem: %w(example.com),
+          style_src_attr: %w(example.com),
 
           report_uri: %w(https://example.com/uri-directive),
         }

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 6.3.1
+  version: 6.3.2
 platform: ruby
 authors:
 - Neil Matatall
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-06-26 00:00:00.000000000 Z
+date: 2021-02-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake