secure_headers 6.3.1 → 7.1.0

data/lib/secure_headers/headers/x_frame_options.rb

@@ -2,7 +2,7 @@
 module SecureHeaders
   class XFOConfigError < StandardError; end
   class XFrameOptions
-    HEADER_NAME = "X-Frame-Options".freeze
+    HEADER_NAME = "x-frame-options".freeze
     SAMEORIGIN = "sameorigin"
     DENY = "deny"
     ALLOW_FROM = "allow-from"

data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb

@@ -2,12 +2,12 @@
 module SecureHeaders
   class XPCDPConfigError < StandardError; end
   class XPermittedCrossDomainPolicies
-    HEADER_NAME = "X-Permitted-Cross-Domain-Policies".freeze
+    HEADER_NAME = "x-permitted-cross-domain-policies".freeze
     DEFAULT_VALUE = "none"
     VALID_POLICIES = %w(all none master-only by-content-type by-ftp-filename)
 
     class << self
-      # Public: generate an X-Permitted-Cross-Domain-Policies header.
+      # Public: generate an x-permitted-cross-domain-policies header.
       #
       # Returns a default header if no configuration is provided, or a
       # header name and value based on the config.

data/lib/secure_headers/headers/x_xss_protection.rb

@@ -2,8 +2,8 @@
 module SecureHeaders
   class XXssProtectionConfigError < StandardError; end
   class XXssProtection
-    HEADER_NAME = "X-XSS-Protection".freeze
-    DEFAULT_VALUE = "1; mode=block"
+    HEADER_NAME = "x-xss-protection".freeze
+    DEFAULT_VALUE = "0".freeze
     VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/
 
     class << self

data/lib/secure_headers/railtie.rb

@@ -4,11 +4,11 @@ if defined?(Rails::Railtie)
   module SecureHeaders
     class Railtie < Rails::Railtie
       isolate_namespace SecureHeaders if defined? isolate_namespace # rails 3.0
-      conflicting_headers = ["X-Frame-Options", "X-XSS-Protection",
-                             "X-Permitted-Cross-Domain-Policies", "X-Download-Options",
-                             "X-Content-Type-Options", "Strict-Transport-Security",
-                             "Content-Security-Policy", "Content-Security-Policy-Report-Only",
-                             "Public-Key-Pins", "Public-Key-Pins-Report-Only", "Referrer-Policy"]
+      conflicting_headers = ["x-frame-options", "x-xss-protection",
+                             "x-permitted-cross-domain-policies", "x-download-options",
+                             "x-content-type-options", "strict-transport-security",
+                             "content-security-policy", "content-security-policy-report-only",
+                             "public-key-pins", "public-key-pins-report-only", "referrer-policy"]
 
       initializer "secure_headers.middleware" do
         Rails.application.config.middleware.insert_before 0, SecureHeaders::Middleware

data/lib/secure_headers/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module SecureHeaders
-  VERSION = "6.3.1"
+  VERSION = "7.1.0"
 end

data/lib/secure_headers/view_helper.rb

@@ -147,12 +147,13 @@ module SecureHeaders
 
     def nonced_tag(type, content_or_options, block)
       options = {}
-      content = if block
-        options = content_or_options
-        capture(&block)
-      else
-        content_or_options.html_safe # :'(
-      end
+      content =
+        if block
+          options = content_or_options
+          capture(&block)
+        else
+          content_or_options.html_safe # :'(
+        end
       content_tag type, content, options.merge(nonce: _content_security_policy_nonce(type))
     end
 

data/lib/tasks/tasks.rake

@@ -20,10 +20,11 @@ namespace :secure_headers do
       (is_erb?(filename) && inline_script =~ /<%.*%>/)
   end
 
-  def find_inline_content(filename, regex, hashes)
+  def find_inline_content(filename, regex, hashes, strip_trailing_whitespace)
     file = File.read(filename)
     file.scan(regex) do # TODO don't use gsub
       inline_script = Regexp.last_match.captures.last
+      inline_script.gsub!(/(\r?\n)[\t ]+\z/, '\1') if strip_trailing_whitespace
       if dynamic_content?(filename, inline_script)
         puts "Looks like there's some dynamic content inside of a tag :-/"
         puts "That pretty much means the hash value will never match."
@@ -38,9 +39,8 @@ namespace :secure_headers do
   def generate_inline_script_hashes(filename)
     hashes = []
 
-    [INLINE_SCRIPT_REGEX, INLINE_HASH_SCRIPT_HELPER_REGEX].each do |regex|
-      find_inline_content(filename, regex, hashes)
-    end
+    find_inline_content(filename, INLINE_SCRIPT_REGEX, hashes, false)
+    find_inline_content(filename, INLINE_HASH_SCRIPT_HELPER_REGEX, hashes, true)
 
     hashes
   end
@@ -48,9 +48,8 @@ namespace :secure_headers do
   def generate_inline_style_hashes(filename)
     hashes = []
 
-    [INLINE_STYLE_REGEX, INLINE_HASH_STYLE_HELPER_REGEX].each do |regex|
-      find_inline_content(filename, regex, hashes)
-    end
+    find_inline_content(filename, INLINE_STYLE_REGEX, hashes, false)
+    find_inline_content(filename, INLINE_HASH_STYLE_HELPER_REGEX, hashes, true)
 
     hashes
   end

data/secure_headers.gemspec

@@ -9,15 +9,25 @@ Gem::Specification.new do |gem|
   gem.version       = SecureHeaders::VERSION
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
-  gem.description   = "Manages application of security headers with many safe defaults."
-  gem.summary       = 'Add easily configured security headers to responses
+  gem.summary       = "Manages application of security headers with many safe defaults."
+  gem.description   = 'Add easily configured security headers to responses
     including content-security-policy, x-frame-options,
     strict-transport-security, etc.'
-  gem.homepage      = "https://github.com/twitter/secureheaders"
-  gem.license       = "Apache Public License 2.0"
-  gem.files         = `git ls-files`.split($INPUT_RECORD_SEPARATOR)
-  gem.executables   = gem.files.grep(%r{^bin/}).map { |f| File.basename(f) }
-  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.homepage      = "https://github.com/github/secure_headers"
+  gem.metadata      = {
+    "bug_tracker_uri"   => "https://github.com/github/secure_headers/issues",
+    "changelog_uri"     => "https://github.com/github/secure_headers/blob/master/CHANGELOG.md",
+    "documentation_uri" => "https://rubydoc.info/gems/secure_headers",
+    "homepage_uri"      => gem.homepage,
+    "source_code_uri"   => "https://github.com/github/secure_headers",
+    "rubygems_mfa_required" => "true",
+  }
+  gem.license       = "MIT"
+
+  gem.files         = Dir["bin/**/*", "lib/**/*", "README.md", "CHANGELOG.md", "LICENSE", "Gemfile", "secure_headers.gemspec"]
   gem.require_paths = ["lib"]
+
+  gem.extra_rdoc_files = Dir["README.md", "CHANGELOG.md", "LICENSE"]
+
   gem.add_development_dependency "rake"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 6.3.1
+  version: 7.1.0
 platform: ruby
 authors:
 - Neil Matatall
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-06-26 00:00:00.000000000 Z
+date: 2024-12-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -24,39 +24,23 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: Manages application of security headers with many safe defaults.
+description: |-
+  Add easily configured security headers to responses
+      including content-security-policy, x-frame-options,
+      strict-transport-security, etc.
 email:
 - neil.matatall@gmail.com
 executables: []
 extensions: []
-extra_rdoc_files: []
+extra_rdoc_files:
+- README.md
+- CHANGELOG.md
+- LICENSE
 files:
-- ".github/ISSUE_TEMPLATE.md"
-- ".github/PULL_REQUEST_TEMPLATE.md"
-- ".github/workflows/build.yml"
-- ".github/workflows/sync.yml"
-- ".gitignore"
-- ".rspec"
-- ".rubocop.yml"
-- ".ruby-gemset"
-- ".ruby-version"
 - CHANGELOG.md
-- CODE_OF_CONDUCT.md
-- CONTRIBUTING.md
 - Gemfile
-- Guardfile
 - LICENSE
 - README.md
-- Rakefile
-- docs/cookies.md
-- docs/hashes.md
-- docs/named_overrides_and_appends.md
-- docs/per_action_configuration.md
-- docs/sinatra.md
-- docs/upgrading-to-3-0.md
-- docs/upgrading-to-4-0.md
-- docs/upgrading-to-5-0.md
-- docs/upgrading-to-6-0.md
 - lib/secure_headers.rb
 - lib/secure_headers/configuration.rb
 - lib/secure_headers/hash_helper.rb
@@ -80,27 +64,16 @@ files:
 - lib/secure_headers/view_helper.rb
 - lib/tasks/tasks.rake
 - secure_headers.gemspec
-- spec/lib/secure_headers/configuration_spec.rb
-- spec/lib/secure_headers/headers/clear_site_data_spec.rb
-- spec/lib/secure_headers/headers/content_security_policy_spec.rb
-- spec/lib/secure_headers/headers/cookie_spec.rb
-- spec/lib/secure_headers/headers/expect_certificate_transparency_spec.rb
-- spec/lib/secure_headers/headers/policy_management_spec.rb
-- spec/lib/secure_headers/headers/referrer_policy_spec.rb
-- spec/lib/secure_headers/headers/strict_transport_security_spec.rb
-- spec/lib/secure_headers/headers/x_content_type_options_spec.rb
-- spec/lib/secure_headers/headers/x_download_options_spec.rb
-- spec/lib/secure_headers/headers/x_frame_options_spec.rb
-- spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
-- spec/lib/secure_headers/headers/x_xss_protection_spec.rb
-- spec/lib/secure_headers/middleware_spec.rb
-- spec/lib/secure_headers/view_helpers_spec.rb
-- spec/lib/secure_headers_spec.rb
-- spec/spec_helper.rb
-homepage: https://github.com/twitter/secureheaders
+homepage: https://github.com/github/secure_headers
 licenses:
-- Apache Public License 2.0
-metadata: {}
+- MIT
+metadata:
+  bug_tracker_uri: https://github.com/github/secure_headers/issues
+  changelog_uri: https://github.com/github/secure_headers/blob/master/CHANGELOG.md
+  documentation_uri: https://rubydoc.info/gems/secure_headers
+  homepage_uri: https://github.com/github/secure_headers
+  source_code_uri: https://github.com/github/secure_headers
+  rubygems_mfa_required: 'true'
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -116,26 +89,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.0.3.1
 signing_key: 
 specification_version: 4
-summary: Add easily configured security headers to responses including content-security-policy,
-  x-frame-options, strict-transport-security, etc.
-test_files:
-- spec/lib/secure_headers/configuration_spec.rb
-- spec/lib/secure_headers/headers/clear_site_data_spec.rb
-- spec/lib/secure_headers/headers/content_security_policy_spec.rb
-- spec/lib/secure_headers/headers/cookie_spec.rb
-- spec/lib/secure_headers/headers/expect_certificate_transparency_spec.rb
-- spec/lib/secure_headers/headers/policy_management_spec.rb
-- spec/lib/secure_headers/headers/referrer_policy_spec.rb
-- spec/lib/secure_headers/headers/strict_transport_security_spec.rb
-- spec/lib/secure_headers/headers/x_content_type_options_spec.rb
-- spec/lib/secure_headers/headers/x_download_options_spec.rb
-- spec/lib/secure_headers/headers/x_frame_options_spec.rb
-- spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
-- spec/lib/secure_headers/headers/x_xss_protection_spec.rb
-- spec/lib/secure_headers/middleware_spec.rb
-- spec/lib/secure_headers/view_helpers_spec.rb
-- spec/lib/secure_headers_spec.rb
-- spec/spec_helper.rb
+summary: Manages application of security headers with many safe defaults.
+test_files: []

data/.github/ISSUE_TEMPLATE.md

@@ -1,41 +0,0 @@
-# Feature Requests
-
-## Adding a new header
-
-Generally, adding a new header is always OK. 
-
-* Is the header supported by any user agent? If so, which?
-* What does it do?
-* What are the valid values for the header?
-* Where does the specification live?
-
-## Adding a new CSP directive
-
-* Is the directive supported by any user agent? If so, which?
-* What does it do?
-* What are the valid values for the directive?
-
----
-
-# Bugs
-
-Console errors and deprecation warnings are considered bugs that should be addressed with more precise UA sniffing. Bugs caused by incorrect or invalid UA sniffing are also bugs.
-
-### Expected outcome
-
-Describe what you expected to happen 
-
-1. I configure CSP to do X
-1. When I inspect the response headers, the CSP should have included X
-
-### Actual outcome
-
-1. The generated policy did not include X
-
-### Config
-
-Please provide the configuration (`SecureHeaders::Configuration.default`) you are using including any overrides (`SecureHeaders::Configuration.override`).
-
-### Generated headers
-
-Provide a sample response containing the headers

data/.github/PULL_REQUEST_TEMPLATE.md

@@ -1,20 +0,0 @@
-## All PRs:
-
-* [ ] Has tests
-* [ ] Documentation updated
-
-## Adding a new header
-
-Generally, adding a new header is always OK.
-
-* Is the header supported by any user agent? If so, which?
-* What does it do?
-* What are the valid values for the header?
-* Where does the specification live?
-
-## Adding a new CSP directive
-
-* Is the directive supported by any user agent? If so, which?
-* What does it do?
-* What are the valid values for the directive?
-

data/.github/workflows/build.yml

@@ -1,24 +0,0 @@
-name: Build + Test
-on: [pull_request]
-
-jobs:
-  build:
-    name: Build + Test
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        ruby: [ '2.4', '2.5', '2.6', '2.7' ]
-
-    steps:
-    - uses: actions/checkout@v2
-    - name: Set up Ruby ${{ matrix.ruby }}
-      uses: actions/setup-ruby@v1
-      with:
-        ruby-version: ${{ matrix.ruby }}
-    - name: Build and test with Rake
-      run: |
-        gem install bundler
-        bundle install --jobs 4 --retry 3 --without guard
-        bundle exec rspec spec
-        bundle exec rubocop
-

data/.github/workflows/sync.yml

@@ -1,20 +0,0 @@
-# This workflow ensures the "master" branch is always up-to-date with the
-# "main" branch (our default one)
-name: sync_main_branch
-on:
-  push:
-    branches: [ main ]
-jobs:
-  catch_up:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out the repository
-        uses: actions/checkout@v2
-        with:
-         fetch-depth: 0
-      - name: Merge development into master, then push it
-        run: |
-          git pull
-          git checkout master
-          git merge main
-          git push

data/.gitignore

@@ -1,13 +0,0 @@
-*.gem
-*.DS_STORE
-*.rbc
-.bundle
-.config
-.yardoc
-*.log
-Gemfile.lock
-_yardoc
-coverage
-pkg
-rdoc
-spec/reports

data/.rspec

@@ -1,3 +0,0 @@
---order rand
---warnings
---format progress

data/.rubocop.yml

@@ -1,4 +0,0 @@
-inherit_gem:
-  rubocop-github:
-    - config/default.yml
-require: rubocop-performance

data/.ruby-gemset

@@ -1 +0,0 @@
-secureheaders

data/.ruby-version

@@ -1 +0,0 @@
-2.6.6

data/CODE_OF_CONDUCT.md

@@ -1,46 +0,0 @@
-# Contributor Covenant Code of Conduct
-
-## Our Pledge
-
-In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
-
-## Our Standards
-
-Examples of behavior that contributes to creating a positive environment include:
-
-* Using welcoming and inclusive language
-* Being respectful of differing viewpoints and experiences
-* Gracefully accepting constructive criticism
-* Focusing on what is best for the community
-* Showing empathy towards other community members
-
-Examples of unacceptable behavior by participants include:
-
-* The use of sexualized language or imagery and unwelcome sexual attention or advances
-* Trolling, insulting/derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or electronic address, without explicit permission
-* Other conduct which could reasonably be considered inappropriate in a professional setting
-
-## Our Responsibilities
-
-Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
-
-Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
-
-## Scope
-
-This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
-
-## Enforcement
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at neil.matatall@gmail.com. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
-
-Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
-
-## Attribution
-
-This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
-
-[homepage]: http://contributor-covenant.org
-[version]: http://contributor-covenant.org/version/1/4/

data/CONTRIBUTING.md

@@ -1,41 +0,0 @@
-## Contributing
-
-[fork]: https://github.com/twitter/secureheaders/fork
-[pr]: https://github.com/twitter/secureheaders/compare
-[style]: https://github.com/styleguide/ruby
-[code-of-conduct]: CODE_OF_CONDUCT.md
-
-Hi there! We're thrilled that you'd like to contribute to this project. Your help is essential for keeping it great.
-
-Please note that this project is released with a [Contributor Code of Conduct][code-of-conduct]. By participating in this project you agree to abide by its terms.
-
-## Submitting a pull request
-
-0. [Fork][fork] and clone the repository
-0. Configure and install the dependencies: `bundle install`
-0. Make sure the tests pass on your machine: `bundle exec rspec spec`
-0. Create a new branch: `git checkout -b my-branch-name`
-0. Make your change, add tests, and make sure the tests still pass and that no warnings are raised
-0. Push to your fork and [submit a pull request][pr]
-0. Pat your self on the back and wait for your pull request to be reviewed and merged.
-
-Here are a few things you can do that will increase the likelihood of your pull request being accepted:
-
-- Write tests.
-- Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate pull requests.
-- Write a [good commit message](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
-
-## Releasing
-
-0. Ensure CI is green
-0. Pull the latest code
-0. Increment the version
-0. Run `gem build secure_headers.gemspec`
-0. Bump the Gemfile and Gemfile.lock versions for an app which relies on this gem
-0. Test behavior locally, branch deploy, whatever needs to happen
-0. Run `bundle exec rake release`
-
-## Resources
-
-- [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)
-- [Using Pull Requests](https://help.github.com/articles/about-pull-requests/)

data/Guardfile

@@ -1,13 +0,0 @@
-# frozen_string_literal: true
-guard :rspec, cmd: "bundle exec rspec", all_on_start: true, all_after_pass: true do
-  require "guard/rspec/dsl"
-  dsl = Guard::RSpec::Dsl.new(self)
-
-  # RSpec files
-  rspec = dsl.rspec
-  watch(rspec.spec_helper) { rspec.spec_dir }
-  watch(rspec.spec_support) { rspec.spec_dir }
-  watch(rspec.spec_files)
-
-  watch(%r{^lib/(.+)\.rb$}) { |m| "spec/lib/#{m[1]}_spec.rb" }
-end

data/Rakefile

@@ -1,32 +0,0 @@
-#!/usr/bin/env rake
-# frozen_string_literal: true
-require "bundler/gem_tasks"
-require "rspec/core/rake_task"
-require "net/http"
-require "net/https"
-
-RSpec::Core::RakeTask.new
-
-begin
-  require "rdoc/task"
-rescue LoadError
-  require "rdoc/rdoc"
-  require "rake/rdoctask"
-  RDoc::Task = Rake::RDocTask
-end
-
-begin
-  require "rubocop/rake_task"
-  RuboCop::RakeTask.new
-rescue LoadError
-  task(:rubocop) { $stderr.puts "RuboCop is disabled" }
-end
-
-RDoc::Task.new(:rdoc) do |rdoc|
-  rdoc.rdoc_dir = "rdoc"
-  rdoc.title    = "SecureHeaders"
-  rdoc.options << "--line-numbers"
-  rdoc.rdoc_files.include("lib/**/*.rb")
-end
-
-task default: [:spec, :rubocop]

data/docs/cookies.md

@@ -1,65 +0,0 @@
-## Cookies
-
-SecureHeaders supports `Secure`, `HttpOnly` and [`SameSite`](https://tools.ietf.org/html/draft-west-first-party-cookies-07) cookies. These can be defined in the form of a boolean, or as a Hash for more refined configuration.
-
-__Note__: Regardless of the configuration specified, Secure cookies are only enabled for HTTPS requests.
-
-#### Defaults
-
-By default, all cookies will get both `Secure`, `HttpOnly`, and `SameSite=Lax`.
-
-```ruby
-config.cookies = {
-  secure: true, # defaults to true but will be a no op on non-HTTPS requests
-  httponly: true, # defaults to true
-  samesite: {  # defaults to set `SameSite=Lax`
-    lax: true
-  }
-}
-```
-
-#### Boolean-based configuration
-
-Boolean-based configuration is intended to globally enable or disable a specific cookie attribute. *Note: As of 4.0, you must use OPT_OUT rather than false to opt out of the defaults.*
-
-```ruby
-config.cookies = {
-  secure: true, # mark all cookies as Secure
-  httponly: SecureHeaders::OPT_OUT, # do not mark any cookies as HttpOnly
-}
-```
-
-#### Hash-based configuration
-
-Hash-based configuration allows for fine-grained control.
-
-```ruby
-config.cookies = {
-  secure: { except: ['_guest'] }, # mark all but the `_guest` cookie as Secure
-  httponly: { only: ['_rails_session'] }, # only mark the `_rails_session` cookie as HttpOnly
-}
-```
-
-#### SameSite cookie configuration
-
-SameSite cookies permit either `Strict` or `Lax` enforcement mode options.
-
-```ruby
-config.cookies = {
-  samesite: {
-    strict: true # mark all cookies as SameSite=Strict
-  }
-}
-```
-
-`Strict`, `Lax`, and `None` enforcement modes can also be specified using a Hash.
-
-```ruby
-config.cookies = {
-  samesite: {
-    strict: { only: ['session_id_duplicate'] },
-    lax: { only: ['_guest', '_rails_session', 'device_id'] },
-    none: { only: ['_tracking', 'saml_cookie', 'session_id'] },
-  }
-}
-```