secure_headers 6.6.0 → 7.0.0

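--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 2afd142dc54275ace387af0a964bba3918655513474a14f11959532616108d58
- data.tar.gz: f520ab4f191710af2d78bc662319b02ab7819bba57a091c921822984393f18e5
+ metadata.gz: df732bcf03768407849220aa164adc5b05c741d3ffcaea00d80758bd936d4e65
+ data.tar.gz: d979d4a8892a101b2efbeba1fc2fd3fbeffa154d9e429aaf7a5ff73d889bbdac
  SHA512:
- metadata.gz: 3fe9df12ae44cabd372f84e8eebd47946e6102d8c920cf48752e3f36bcd1db3e429cbc47e54dda8f8194b4ae2cb90c583eec38b0e7906bac8f0fb9337eb7ecad
- data.tar.gz: 56a30016b7f290693c89d8f8e2fd4e3d8425962a2dcb0fb75c96bd6b2fc8b85b890373a4ebd160e7cf2896e494697a563dd882f11f7527da9c29234d41bd2b17
+ metadata.gz: be8e613fe594063d0921ee9e971c43522cf4d434ef1ae958a15a20cb9cf07d74180803323c90cafe9ac1cb9c09377110d3757f4b4a0b91774401fe09dff1da40
+ data.tar.gz: 47471941c3192cfff7e3fc1d2442a2c5106334a192cede9e8aa432ce7c7906eeb369ad528989932e33e6fdae02853c37c90609be47ce1b256634af9d6455d379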
@@ -1,6 +1,9 @@
1
1
  name: Build + Test
2
2
  on: [pull_request, push]
3
3
 
4
+ permissions:
5
+ contents: read
6
+
4
7
  jobs:
5
8
  build:
6
9
  name: Build + Test
@@ -10,15 +13,13 @@ jobs:
10
13
  ruby: [ '2.6', '2.7', '3.0', '3.1', '3.2' ]
11
14
 
12
15
  steps:
13
- - uses: actions/checkout@v3
16
+ - uses: actions/checkout@v4
14
17
  - name: Set up Ruby ${{ matrix.ruby }}
15
- uses: ruby/setup-ruby@v1
18
+ uses: ruby/setup-ruby@f26937343756480a8cb3ae1f623b9c8d89ed6984 #v1.190.0 tag
16
19
  with:
17
20
  ruby-version: ${{ matrix.ruby }}
21
+ bundler-cache: true
18
22
  - name: Build and test with Rake
19
23
  run: |
20
- gem install bundler
21
- bundle install --jobs 4 --retry 3 --without guard
22
- bundle exec rspec spec
23
24
  bundle exec rubocop
24
-
25
+ bundle exec rspec spec
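Review bot: actions/checkout on the line `+ - uses: actions/checkout@v4` is still referenced through a mutable tag, while ruby/setup-ruby two changed lines below is pinned to a full commit SHA with a version comment, so the two steps now follow different supply-chain policies. Pinning checkout the same way, `- uses: actions/checkout@<checkout-commit-sha> # v4.x.y` (placeholder to be filled from the upstream release), keeps the workflow's exposure to tag re-pointing consistent. Replacing the explicit `bundle install --jobs 4 --retry 3 --without guard` with `bundler-cache: true` also drops the `--without guard` exclusion; if that is intended, a short comment on the `bundler-cache: true` line saying the guard group is now installed would save the next reader a search. The `permissions: contents: read` block added at the top of the file is the right default-deny token scope for this job.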
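--- a/data/Gemfile
+++ b/data/Gemfile
@@ -3,6 +3,8 @@ source "https://rubygems.org"
 
  gemspec
 
+ gem "benchmark-ips"
+
  group :test do
  gem "coveralls"
  gem "json"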
data/README.md CHANGED
@@ -105,7 +105,7 @@ X-Content-Type-Options: nosniff
105
105
  X-Download-Options: noopen
106
106
  X-Frame-Options: sameorigin
107
107
  X-Permitted-Cross-Domain-Policies: none
108
- X-Xss-Protection: 1; mode=block
108
+ X-Xss-Protection: 0
109
109
  ```
110
110
 
111
111
  ## API configurations
@@ -0,0 +1,12 @@
1
+ ## X-Xss-Protection is set to 0 by default
2
+
3
+ Version 6 and below of `secure_headers` set the `X-Xss-Protection` to `1; mode=block` by default. This was done to protect against reflected XSS attacks. However, this header is no longer recommended (see https://github.com/github/secure_headers/issues/439 for more information).
4
+
5
+ If any functionality in your app depended on this header being set to the previous value, you will need to set it explicitly in your configuration.
6
+
7
+ ```ruby
8
+ # config/initializers/secure_headers.rb
9
+ SecureHeaders::Configuration.default do |config|
10
+ config.x_xss_protection = "1; mode=block"
11
+ end
12
+ ```
@@ -83,14 +83,17 @@ module SecureHeaders
83
83
  # can lead to modifying parent objects.
84
84
  def deep_copy(config)
85
85
  return unless config
86
- config.each_with_object({}) do |(key, value), hash|
87
- hash[key] =
88
- if value.is_a?(Array)
86
+ result = {}
87
+ config.each_pair do |key, value|
88
+ result[key] =
89
+ case value
90
+ when Array
89
91
  value.dup
90
92
  else
91
93
  value
92
94
  end
93
95
  end
96
+ result
94
97
  end
95
98
 
96
99
  # Private: Returns the internal default configuration. This should only
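Review bot: `deep_copy` still copies only one level: `when Array` dups the array, but nested arrays inside it and any Hash value fall through `else value` and remain shared with the source config, so the parent-modification problem the comment above the method warns about persists for those cases. Either extend the `case` with `when Hash then deep_copy(value)` so hashes are copied recursively, or, if only top-level arrays are meant to be isolated, say so in the method comment: `# Note: only top-level Array values are duplicated; Hash and scalar values are shared with the source.`. The comment block preceding `def deep_copy` begins outside this hunk.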
@@ -20,9 +20,9 @@ module SecureHeaders
20
20
  config
21
21
  end
22
22
 
23
- @preserve_schemes = @config.preserve_schemes
24
- @script_nonce = @config.script_nonce
25
- @style_nonce = @config.style_nonce
23
+ @preserve_schemes = @config[:preserve_schemes]
24
+ @script_nonce = @config[:script_nonce]
25
+ @style_nonce = @config[:style_nonce]
26
26
  end
27
27
 
28
28
  ##
@@ -1,65 +1,23 @@
1
1
  # frozen_string_literal: true
2
2
  module SecureHeaders
3
3
  module DynamicConfig
4
- def self.included(base)
5
- base.send(:attr_reader, *base.attrs)
6
- base.attrs.each do |attr|
7
- base.send(:define_method, "#{attr}=") do |value|
8
- if self.class.attrs.include?(attr)
9
- write_attribute(attr, value)
10
- else
11
- raise ContentSecurityPolicyConfigError, "Unknown config directive: #{attr}=#{value}"
12
- end
13
- end
14
- end
15
- end
16
-
17
4
  def initialize(hash)
18
- @base_uri = nil
19
- @child_src = nil
20
- @connect_src = nil
21
- @default_src = nil
22
- @font_src = nil
23
- @form_action = nil
24
- @frame_ancestors = nil
25
- @frame_src = nil
26
- @img_src = nil
27
- @manifest_src = nil
28
- @media_src = nil
29
- @navigate_to = nil
30
- @object_src = nil
31
- @plugin_types = nil
32
- @prefetch_src = nil
33
- @preserve_schemes = nil
34
- @report_only = nil
35
- @report_uri = nil
36
- @require_sri_for = nil
37
- @require_trusted_types_for = nil
38
- @sandbox = nil
39
- @script_nonce = nil
40
- @script_src = nil
41
- @script_src_elem = nil
42
- @script_src_attr = nil
43
- @style_nonce = nil
44
- @style_src = nil
45
- @style_src_elem = nil
46
- @style_src_attr = nil
47
- @trusted_types = nil
48
- @worker_src = nil
49
- @upgrade_insecure_requests = nil
50
- @disable_nonce_backwards_compatibility = nil
5
+ @config = {}
51
6
 
52
7
  from_hash(hash)
53
8
  end
54
9
 
10
+ def initialize_copy(hash)
11
+ @config = hash.to_h
12
+ end
13
+
55
14
  def update_directive(directive, value)
56
- self.send("#{directive}=", value)
15
+ @config[directive] = value
57
16
  end
58
17
 
59
18
  def directive_value(directive)
60
- if self.class.attrs.include?(directive)
61
- self.send(directive)
62
- end
19
+ # No need to check attrs, as we only assign valid keys
20
+ @config[directive]
63
21
  end
64
22
 
65
23
  def merge(new_hash)
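Review bot: `update_directive` now writes `@config[directive] = value` unconditionally, so the `Unknown config directive` check that the removed `included` hook performed through the generated `#{attr}=` writer is gone and a misspelled directive is stored silently instead of raising ContentSecurityPolicyConfigError; the comment added in `directive_value` (`# No need to check attrs, as we only assign valid keys`) is therefore not true for this path. The direct write also bypasses `write_attribute`, so a `:source_list` value is stored without the defensive `dup` and a `nil` value is kept as a key rather than deleted, which then surfaces in `to_h` (`@config.dup`, in the following hunk). Routing it through the existing helper restores both: `raise ContentSecurityPolicyConfigError, "Unknown config directive: #{directive}=#{value}" unless self.class.attrs.include?(directive)` followed by `write_attribute(directive, value)`. Separately, `initialize_copy` is invoked by `dup`/`clone` with the source object rather than a Hash, so its parameter reads better as `source` with a comment noting that `to_h` already hands back a fresh copy; `merge` at the end of the hunk continues outside it.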
@@ -77,10 +35,7 @@ module SecureHeaders
77
35
  end
78
36
 
79
37
  def to_h
80
- self.class.attrs.each_with_object({}) do |key, hash|
81
- value = self.send(key)
82
- hash[key] = value unless value.nil?
83
- end
38
+ @config.dup
84
39
  end
85
40
 
86
41
  def dup
@@ -113,8 +68,11 @@ module SecureHeaders
113
68
 
114
69
  def write_attribute(attr, value)
115
70
  value = value.dup if PolicyManagement::DIRECTIVE_VALUE_TYPES[attr] == :source_list
116
- attr_variable = "@#{attr}"
117
- self.instance_variable_set(attr_variable, value)
71
+ if value.nil?
72
+ @config.delete(attr)
73
+ else
74
+ @config[attr] = value
75
+ end
118
76
  end
119
77
  end
120
78
 
@@ -122,7 +80,7 @@ module SecureHeaders
122
80
  class ContentSecurityPolicyConfig
123
81
  HEADER_NAME = "Content-Security-Policy".freeze
124
82
 
125
- ATTRS = PolicyManagement::ALL_DIRECTIVES + PolicyManagement::META_CONFIGS + PolicyManagement::NONCES
83
+ ATTRS = Set.new(PolicyManagement::ALL_DIRECTIVES + PolicyManagement::META_CONFIGS + PolicyManagement::NONCES)
126
84
  def self.attrs
127
85
  ATTRS
128
86
  end
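Review bot: `ATTRS = Set.new(...)` relies on `Set` being loaded; it is autoloaded only from Ruby 3.2, and the CI matrix on this page still runs 2.6 through 3.1, so unless `require "set"` already appears elsewhere on the load path a `require "set"` at the top of this file is needed. The constant is also left mutable, unlike the frozen `HEADER_NAME` two lines above; `ATTRS = Set.new(...).freeze` prevents an accidental `<<` at runtime from widening the set of accepted directive names.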
@@ -3,7 +3,7 @@ module SecureHeaders
3
3
  class XXssProtectionConfigError < StandardError; end
4
4
  class XXssProtection
5
5
  HEADER_NAME = "X-XSS-Protection".freeze
6
- DEFAULT_VALUE = "1; mode=block"
6
+ DEFAULT_VALUE = "0".freeze
7
7
  VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/
8
8
 
9
9
  class << self
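Review bot: the new `DEFAULT_VALUE = "0".freeze` carries no comment explaining the reversal from `1; mode=block`, and the upgrade note elsewhere on this page is the only place the reasoning lives; a one-line comment keeps it next to the value: `# "0" disables the legacy XSS auditor; "1; mode=block" is no longer recommended (see issue #439).`. `VALID_X_XSS_HEADER` on the following line still accepts the `mode=block` and `report=` forms, so users who opt back in per the upgrade guide continue to validate.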
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module SecureHeaders
4
- VERSION = "6.6.0"
4
+ VERSION = "7.0.0"
5
5
  end
@@ -13,7 +13,7 @@ Gem::Specification.new do |gem|
13
13
  gem.description = 'Add easily configured security headers to responses
14
14
  including content-security-policy, x-frame-options,
15
15
  strict-transport-security, etc.'
16
- gem.homepage = "https://github.com/twitter/secureheaders"
16
+ gem.homepage = "https://github.com/github/secure_headers"
17
17
  gem.license = "MIT"
18
18
  gem.files = `git ls-files`.split($INPUT_RECORD_SEPARATOR)
19
19
  gem.executables = gem.files.grep(%r{^bin/}).map { |f| File.basename(f) }
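--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: secure_headers
  version: !ruby/object:Gem::Version
- version: 6.6.0
+ version: 7.0.0
  platform: ruby
  authors:
  - Neil Matatall
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2024-08-09 00:00:00.000000000 Z
+ date: 2024-10-16 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: rake
@@ -61,6 +61,7 @@ files:
  - docs/upgrading-to-4-0.md
  - docs/upgrading-to-5-0.md
  - docs/upgrading-to-6-0.md
+ - docs/upgrading-to-7-0.md
  - lib/secure_headers.rb
  - lib/secure_headers/configuration.rb
  - lib/secure_headers/hash_helper.rb
@@ -101,7 +102,7 @@ files:
  - spec/lib/secure_headers/view_helpers_spec.rb
  - spec/lib/secure_headers_spec.rb
  - spec/spec_helper.rb
- homepage: https://github.com/twitter/secureheaders
+ homepage: https://github.com/github/secure_headers
  licenses:
  - MIT
  metadata: {}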