secure_headers 6.3.3 → 6.3.4

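--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 19914a6c5043c42b398c52760c39a22b8246815d0dd4d2e7ec2feeec703da6c0
-data.tar.gz: f52cf84fe9b6a798fd167be5158c32df83aef8db0887d6c94f8f8a3b53d4427f
+metadata.gz: 3953b8d0c4ce0a01012d4d6475ad94c60ce4b06b9d93994ef14cc2474ced6177
+data.tar.gz: 3aa96804cacf26d4a275b19e870755313a3afd055b598014749d0338e4f0f4af
 SHA512:
-metadata.gz: 043f1bc47f10e8d306debedc2081c9962e5ce5f4768fd75d4af0e092cc5d80947eb128d1f847216ed83124a495dc83df20fafb2ae28a243dd5f6ea23453bcb69
-data.tar.gz: a88e51c0a14725479a9746be98495d2fac931e6cc2824fc3f5601d00ef63a292917850a57856d5dc89a654fe9de05230712e1945e1ada4ed50d8561e6f891002
+metadata.gz: b04fd60ff28519273f29d335b81b44ebfe938d4e97d82d31b69d8596dc84e38c812573248e7b70bb142fecebab357c7f34f9f10934edaf354e3174915220580f
+data.tar.gz: 10748a3ff12365fffe42828fe324e0bfbb3f146635b095a9e8a13b5a57b5bdfe17a5463df3b5009d8591dbc88494c45036a12dd061fc6b8e921c4c99a0d523ef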
@@ -0,0 +1,28 @@
1
+ name: GitHub Release
2
+
3
+ on:
4
+ push:
5
+ tags:
6
+ - v*
7
+
8
+ jobs:
9
+ Publish:
10
+ permissions:
11
+ contents: write
12
+ runs-on: ubuntu-latest
13
+ if: startsWith(github.ref, 'refs/tags/v')
14
+ steps:
15
+ - name: Calculate release name
16
+ run: |
17
+ GITHUB_REF=${{ github.ref }}
18
+ RELEASE_NAME=${GITHUB_REF#"refs/tags/"}
19
+ echo "RELEASE_NAME=${RELEASE_NAME}" >> $GITHUB_ENV
20
+ - name: Publish release
21
+ uses: actions/create-release@v1
22
+ env:
23
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
24
+ with:
25
+ tag_name: ${{ github.ref }}
26
+ release_name: ${{ env.RELEASE_NAME }}
27
+ draft: false
28
+ prerelease: false
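Review bot: `GITHUB_REF=${{ github.ref }}` in the `run:` step interpolates a workflow expression straight into the shell, which is the script-injection pattern GitHub documents; the runner already exports `GITHUB_REF` as an environment variable, so that assignment can be dropped and `RELEASE_NAME=${GITHUB_REF#refs/tags/}` used as-is (or pass `${{ github.ref_name }}` through `env:`). Only someone who can push a `v*` tag reaches this step, so the exposure is bounded by the job's `contents: write` token, but the safe form costs nothing. `uses: actions/create-release@v1` pins a mutable tag; for a job that mints releases, pin the action to a full commit SHA (`uses: actions/create-release@<sha> # v1`), and as far as I know that action is archived upstream, so `gh release create "$RELEASE_NAME"` with the runner's `GITHUB_TOKEN` would be the maintained route. The job-level `if: startsWith(github.ref, 'refs/tags/v')` repeats the `tags: v*` trigger filter and is harmless but redundant.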
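--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 6.3.4
+
+- CSP: Do not deduplicate alternate schema source expressions (@keithamus): https://github.com/github/secure_headers/pull/478
+
 ## 6.3.3
 
 Fix hash generation for indented helper methods (@rahearn)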
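--- a/data/Gemfile
+++ b/data/Gemfile
@@ -9,7 +9,7 @@ group :test do
 gem "pry-nav"
 gem "rack"
 gem "rspec"
-gem "rubocop", "< 0.68"
+gem "rubocop"
 gem "rubocop-github"
 gem "rubocop-performance"
 gem "term-ansicolor"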
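--- a/data/README.md
+++ b/data/README.md
@@ -3,7 +3,7 @@
 **main branch represents 6.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md), [upgrading to 5.x doc](docs/upgrading-to-5-0.md), or [upgrading to 6.x doc](docs/upgrading-to-6-0.md) for instructions on how to upgrade. Bug fixes should go in the 5.x branch for now.
 
 The gem will automatically apply several headers that are related to security. This includes:
-- Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack. [CSP 2 Specification](http://www.w3.org/TR/CSP2/)
+- Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack. [CSP 2 Specification](https://www.w3.org/TR/CSP2/)
 - https://csp.withgoogle.com
 - https://csp.withgoogle.com/docs/strict-csp.html
 - https://csp-evaluator.withgoogle.com
@@ -62,7 +62,7 @@ SecureHeaders::Configuration.default do |config|
 # directive values: these values will directly translate into source directives
 default_src: %w('none'),
 base_uri: %w('self'),
-block_all_mixed_content: true, # see http://www.w3.org/TR/mixed-content/
+block_all_mixed_content: true, # see https://www.w3.org/TR/mixed-content/
 child_src: %w('self'), # if child-src isn't supported, the value for frame-src will be set.
 connect_src: %w(wss:),
 font_src: %w('self' data:),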
@@ -155,9 +155,10 @@ module SecureHeaders
155
155
  wild_sources = sources.select { |source| source =~ STAR_REGEXP }
156
156
 
157
157
  if wild_sources.any?
158
+ schemes = sources.map { |source| [source, URI(source).scheme] }.to_h
158
159
  sources.reject do |source|
159
160
  !wild_sources.include?(source) &&
160
- wild_sources.any? { |pattern| File.fnmatch(pattern, source) }
161
+ wild_sources.any? { |pattern| schemes[pattern] == schemes[source] && File.fnmatch(pattern, source) }
161
162
  end
162
163
  else
163
164
  sources
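Review bot: `URI(source).scheme` on the added `schemes = …` line will raise `URI::InvalidURIError` for source expressions that are valid CSP but not RFC 3986 URIs — as far as I can tell Ruby's parser rejects a scheme-less wildcard host with a port such as `*.example.org:443` (a `:` is not permitted in a leading path segment) and reads `example.org:443` as a URI with scheme `example.org` — and because `schemes` is built for every source, one such entry aborts header generation for the whole directive rather than just skipping a dedupe. The CSP grammar only carries a scheme when the expression starts with `scheme:` followed by `//` or by nothing (`https://…`, `wss:`, `data:`), so an anchored match is safer: `schemes = sources.map { |source| [source, source[%r{\A([a-z][a-z0-9+.\-]*):(?://|\z)}i, 1]&.downcase] }.to_h`. A one-line comment above it would help the next reader, e.g. `# a scheme-less host source only matches the page's own scheme, so *.example.org must not swallow wss://x.example.org`. The enclosing method begins before and ends after this hunk.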
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module SecureHeaders
4
- VERSION = "6.3.3"
4
+ VERSION = "6.3.4"
5
5
  end
@@ -106,6 +106,11 @@ module SecureHeaders
106
106
  expect(csp.value).to eq("default-src example.org")
107
107
  end
108
108
 
109
+ it "does not deduplicate non-matching schema source expressions" do
110
+ csp = ContentSecurityPolicy.new(default_src: %w(*.example.org wss://example.example.org))
111
+ expect(csp.value).to eq("default-src *.example.org wss://example.example.org")
112
+ end
113
+
109
114
  it "creates maximally strict sandbox policy when passed no sandbox token values" do
110
115
  csp = ContentSecurityPolicy.new(default_src: %w(example.org), sandbox: [])
111
116
  expect(csp.value).to eq("default-src example.org; sandbox")
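Review bot: The new example only pins the negative case (a scheme-less wildcard must not absorb `wss://…`); nothing checks that deduplication still happens when both expressions carry the same explicit scheme, which is the path this change is most likely to regress. Something like `csp = ContentSecurityPolicy.new(default_src: %w(https://*.example.org https://cdn.example.org))` with `expect(csp.value).to eq("default-src https://*.example.org")` would cover it, and a scheme-less wildcard with a port (`%w(*.example.org:443 cdn.example.org:443)`) would exercise scheme detection on an expression that is not a parseable URI. As a wording nit, the CSP term is "scheme", so the example name could read `does not deduplicate non-matching scheme source expressions`.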
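--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-version: 6.3.3
+version: 6.3.4
 platform: ruby
 authors:
 - Neil Matatall
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-09-07 00:00:00.000000000 Z
+date: 2022-06-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rake
@@ -34,6 +34,7 @@ files:
 - ".github/ISSUE_TEMPLATE.md"
 - ".github/PULL_REQUEST_TEMPLATE.md"
 - ".github/workflows/build.yml"
+- ".github/workflows/github-release.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
@@ -115,7 +116,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.0.3.1
 signing_key:
 specification_version: 4
 summary: Add easily configured security headers to responses including content-security-policy,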