secure_headers 6.4.0 → 6.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.github/workflows/build.yml +2 -2
- data/.ruby-version +1 -1
- data/CHANGELOG.md +4 -0
- data/lib/secure_headers/headers/content_security_policy.rb +1 -19
- data/lib/secure_headers/headers/policy_management.rb +2 -2
- data/lib/secure_headers/version.rb +1 -1
- data/secure_headers.gemspec +3 -3
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +11 -6
- data/spec/lib/secure_headers/headers/policy_management_spec.rb +1 -1
- metadata +12 -10
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: bafd5e6390db0f1975599ab34f1293986a5c0a1ced14f6cfeca47fd114ce87d4
|
|
4
|
+
data.tar.gz: 177dc27fa8238fe1a8baa238f6baa244b2c03393f61269e9b417e5ea3a4a4bba
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 7a24f853958892e2780dec3cfd8f631d394c959cda6d3f8be5d701792fc1ce57d4141ca88e7b0980fcac979cc855a0c5bc9165a05b314fe281ce092a438f1fe1
|
|
7
|
+
data.tar.gz: c082a3ee192452712f8e9c7ed18d5c21b5b3eb1712c3d9a4df44220093cf1be09a8e5384f5c8a8909820f1e0048c6d3b6915cc29081288bcf13361bf8cf7dbed
|
data/.github/workflows/build.yml
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
name: Build + Test
|
|
2
|
-
on: [pull_request]
|
|
2
|
+
on: [pull_request, push]
|
|
3
3
|
|
|
4
4
|
jobs:
|
|
5
5
|
build:
|
|
@@ -7,7 +7,7 @@ jobs:
|
|
|
7
7
|
runs-on: ubuntu-latest
|
|
8
8
|
strategy:
|
|
9
9
|
matrix:
|
|
10
|
-
ruby: [ '2.
|
|
10
|
+
ruby: [ '2.6', '2.7', '3.0', '3.1' ]
|
|
11
11
|
|
|
12
12
|
steps:
|
|
13
13
|
- uses: actions/checkout@v2
|
data/.ruby-version
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
|
|
1
|
+
3.1.1
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,7 @@
|
|
|
1
|
+
## 6.5.0
|
|
2
|
+
|
|
3
|
+
- CSP: Remove source expression deduplication. (@lgarron) https://github.com/github/secure_headers/pull/499
|
|
4
|
+
|
|
1
5
|
## 6.4.0
|
|
2
6
|
|
|
3
7
|
- CSP: Add support for trusted-types, require-trusted-types-for directive (@JackMc): https://github.com/github/secure_headers/pull/486
|
|
@@ -133,7 +133,7 @@ module SecureHeaders
|
|
|
133
133
|
unless directive == REPORT_URI || @preserve_schemes
|
|
134
134
|
source_list = strip_source_schemes(source_list)
|
|
135
135
|
end
|
|
136
|
-
|
|
136
|
+
source_list.uniq
|
|
137
137
|
end
|
|
138
138
|
end
|
|
139
139
|
|
|
@@ -151,24 +151,6 @@ module SecureHeaders
|
|
|
151
151
|
end
|
|
152
152
|
end
|
|
153
153
|
|
|
154
|
-
# Removes duplicates and sources that already match an existing wild card.
|
|
155
|
-
#
|
|
156
|
-
# e.g. *.github.com asdf.github.com becomes *.github.com
|
|
157
|
-
def dedup_source_list(sources)
|
|
158
|
-
sources = sources.uniq
|
|
159
|
-
wild_sources = sources.select { |source| source =~ STAR_REGEXP }
|
|
160
|
-
|
|
161
|
-
if wild_sources.any?
|
|
162
|
-
schemes = sources.map { |source| [source, URI(source).scheme] }.to_h
|
|
163
|
-
sources.reject do |source|
|
|
164
|
-
!wild_sources.include?(source) &&
|
|
165
|
-
wild_sources.any? { |pattern| schemes[pattern] == schemes[source] && File.fnmatch(pattern, source) }
|
|
166
|
-
end
|
|
167
|
-
else
|
|
168
|
-
sources
|
|
169
|
-
end
|
|
170
|
-
end
|
|
171
|
-
|
|
172
154
|
# Private: append a nonce to the script/style directories if script_nonce
|
|
173
155
|
# or style_nonce are provided.
|
|
174
156
|
def populate_nonces(directive, source_list)
|
|
@@ -189,7 +189,7 @@ module SecureHeaders
|
|
|
189
189
|
].freeze
|
|
190
190
|
|
|
191
191
|
REQUIRE_SRI_FOR_VALUES = Set.new(%w(script style))
|
|
192
|
-
REQUIRE_TRUSTED_TYPES_FOR_VALUES = Set.new(%w(script))
|
|
192
|
+
REQUIRE_TRUSTED_TYPES_FOR_VALUES = Set.new(%w('script'))
|
|
193
193
|
|
|
194
194
|
module ClassMethods
|
|
195
195
|
# Public: generate a header name, value array that is user-agent-aware.
|
|
@@ -393,7 +393,7 @@ module SecureHeaders
|
|
|
393
393
|
|
|
394
394
|
# Private: validates that a require trusted types for expression:
|
|
395
395
|
# 1. is an array of strings
|
|
396
|
-
# 2. is a subset of ["script"]
|
|
396
|
+
# 2. is a subset of ["'script'"]
|
|
397
397
|
def validate_require_trusted_types_for_source_expression!(directive, require_trusted_types_for_expression)
|
|
398
398
|
ensure_array_of_strings!(directive, require_trusted_types_for_expression)
|
|
399
399
|
unless require_trusted_types_for_expression.to_set.subset?(REQUIRE_TRUSTED_TYPES_FOR_VALUES)
|
data/secure_headers.gemspec
CHANGED
|
@@ -9,12 +9,12 @@ Gem::Specification.new do |gem|
|
|
|
9
9
|
gem.version = SecureHeaders::VERSION
|
|
10
10
|
gem.authors = ["Neil Matatall"]
|
|
11
11
|
gem.email = ["neil.matatall@gmail.com"]
|
|
12
|
-
gem.
|
|
13
|
-
gem.
|
|
12
|
+
gem.summary = "Manages application of security headers with many safe defaults."
|
|
13
|
+
gem.description = 'Add easily configured security headers to responses
|
|
14
14
|
including content-security-policy, x-frame-options,
|
|
15
15
|
strict-transport-security, etc.'
|
|
16
16
|
gem.homepage = "https://github.com/twitter/secureheaders"
|
|
17
|
-
gem.license = "
|
|
17
|
+
gem.license = "MIT"
|
|
18
18
|
gem.files = `git ls-files`.split($INPUT_RECORD_SEPARATOR)
|
|
19
19
|
gem.executables = gem.files.grep(%r{^bin/}).map { |f| File.basename(f) }
|
|
20
20
|
gem.test_files = gem.files.grep(%r{^(test|spec|features)/})
|
|
@@ -48,12 +48,12 @@ module SecureHeaders
|
|
|
48
48
|
expect(csp.value).to eq("default-src * 'unsafe-inline' 'unsafe-eval' data: blob:")
|
|
49
49
|
end
|
|
50
50
|
|
|
51
|
-
it "
|
|
51
|
+
it "does not minify source expressions based on overlapping wildcards" do
|
|
52
52
|
config = {
|
|
53
53
|
default_src: %w(a.example.org b.example.org *.example.org https://*.example.org)
|
|
54
54
|
}
|
|
55
55
|
csp = ContentSecurityPolicy.new(config)
|
|
56
|
-
expect(csp.value).to eq("default-src *.example.org")
|
|
56
|
+
expect(csp.value).to eq("default-src a.example.org b.example.org *.example.org")
|
|
57
57
|
end
|
|
58
58
|
|
|
59
59
|
it "removes http/s schemes from hosts" do
|
|
@@ -101,8 +101,13 @@ module SecureHeaders
|
|
|
101
101
|
expect(csp.value).to eq("default-src example.org; block-all-mixed-content")
|
|
102
102
|
end
|
|
103
103
|
|
|
104
|
-
it "
|
|
105
|
-
csp = ContentSecurityPolicy.new(default_src: %w(example.org
|
|
104
|
+
it "handles wildcard subdomain with wildcard port" do
|
|
105
|
+
csp = ContentSecurityPolicy.new(default_src: %w(https://*.example.org:*))
|
|
106
|
+
expect(csp.value).to eq("default-src *.example.org:*")
|
|
107
|
+
end
|
|
108
|
+
|
|
109
|
+
it "deduplicates source expressions that match exactly (after scheme stripping)" do
|
|
110
|
+
csp = ContentSecurityPolicy.new(default_src: %w(example.org https://example.org example.org))
|
|
106
111
|
expect(csp.value).to eq("default-src example.org")
|
|
107
112
|
end
|
|
108
113
|
|
|
@@ -197,8 +202,8 @@ module SecureHeaders
|
|
|
197
202
|
end
|
|
198
203
|
|
|
199
204
|
it "supports trusted-types directive with 'none'" do
|
|
200
|
-
csp = ContentSecurityPolicy.new({trusted_types: %w(none)})
|
|
201
|
-
expect(csp.value).to eq("trusted-types none")
|
|
205
|
+
csp = ContentSecurityPolicy.new({trusted_types: %w('none')})
|
|
206
|
+
expect(csp.value).to eq("trusted-types 'none'")
|
|
202
207
|
end
|
|
203
208
|
|
|
204
209
|
it "allows duplicate policy names in trusted-types directive" do
|
|
@@ -45,7 +45,7 @@ module SecureHeaders
|
|
|
45
45
|
plugin_types: %w(application/x-shockwave-flash),
|
|
46
46
|
prefetch_src: %w(fetch.com),
|
|
47
47
|
require_sri_for: %w(script style),
|
|
48
|
-
require_trusted_types_for: %w(script),
|
|
48
|
+
require_trusted_types_for: %w('script'),
|
|
49
49
|
script_src: %w('self'),
|
|
50
50
|
style_src: %w('unsafe-inline'),
|
|
51
51
|
upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 6.
|
|
4
|
+
version: 6.5.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
|
-
autorequire:
|
|
8
|
+
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-
|
|
11
|
+
date: 2022-10-25 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|
|
@@ -24,7 +24,10 @@ dependencies:
|
|
|
24
24
|
- - ">="
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
26
|
version: '0'
|
|
27
|
-
description:
|
|
27
|
+
description: |-
|
|
28
|
+
Add easily configured security headers to responses
|
|
29
|
+
including content-security-policy, x-frame-options,
|
|
30
|
+
strict-transport-security, etc.
|
|
28
31
|
email:
|
|
29
32
|
- neil.matatall@gmail.com
|
|
30
33
|
executables: []
|
|
@@ -99,9 +102,9 @@ files:
|
|
|
99
102
|
- spec/spec_helper.rb
|
|
100
103
|
homepage: https://github.com/twitter/secureheaders
|
|
101
104
|
licenses:
|
|
102
|
-
-
|
|
105
|
+
- MIT
|
|
103
106
|
metadata: {}
|
|
104
|
-
post_install_message:
|
|
107
|
+
post_install_message:
|
|
105
108
|
rdoc_options: []
|
|
106
109
|
require_paths:
|
|
107
110
|
- lib
|
|
@@ -116,11 +119,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
116
119
|
- !ruby/object:Gem::Version
|
|
117
120
|
version: '0'
|
|
118
121
|
requirements: []
|
|
119
|
-
rubygems_version: 3.
|
|
120
|
-
signing_key:
|
|
122
|
+
rubygems_version: 3.3.7
|
|
123
|
+
signing_key:
|
|
121
124
|
specification_version: 4
|
|
122
|
-
summary:
|
|
123
|
-
x-frame-options, strict-transport-security, etc.
|
|
125
|
+
summary: Manages application of security headers with many safe defaults.
|
|
124
126
|
test_files:
|
|
125
127
|
- spec/lib/secure_headers/configuration_spec.rb
|
|
126
128
|
- spec/lib/secure_headers/headers/clear_site_data_spec.rb
|