secure_headers 6.6.0 → 7.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.github/workflows/build.yml +7 -6
- data/Gemfile +2 -0
- data/README.md +1 -1
- data/docs/upgrading-to-7-0.md +12 -0
- data/lib/secure_headers/configuration.rb +6 -3
- data/lib/secure_headers/headers/content_security_policy.rb +3 -3
- data/lib/secure_headers/headers/content_security_policy_config.rb +15 -57
- data/lib/secure_headers/headers/x_xss_protection.rb +1 -1
- data/lib/secure_headers/version.rb +1 -1
- data/secure_headers.gemspec +1 -1
- metadata +4 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: df732bcf03768407849220aa164adc5b05c741d3ffcaea00d80758bd936d4e65
|
4
|
+
data.tar.gz: d979d4a8892a101b2efbeba1fc2fd3fbeffa154d9e429aaf7a5ff73d889bbdac
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: be8e613fe594063d0921ee9e971c43522cf4d434ef1ae958a15a20cb9cf07d74180803323c90cafe9ac1cb9c09377110d3757f4b4a0b91774401fe09dff1da40
|
7
|
+
data.tar.gz: 47471941c3192cfff7e3fc1d2442a2c5106334a192cede9e8aa432ce7c7906eeb369ad528989932e33e6fdae02853c37c90609be47ce1b256634af9d6455d379
|
data/.github/workflows/build.yml
CHANGED
@@ -1,6 +1,9 @@
|
|
1
1
|
name: Build + Test
|
2
2
|
on: [pull_request, push]
|
3
3
|
|
4
|
+
permissions:
|
5
|
+
contents: read
|
6
|
+
|
4
7
|
jobs:
|
5
8
|
build:
|
6
9
|
name: Build + Test
|
@@ -10,15 +13,13 @@ jobs:
|
|
10
13
|
ruby: [ '2.6', '2.7', '3.0', '3.1', '3.2' ]
|
11
14
|
|
12
15
|
steps:
|
13
|
-
- uses: actions/checkout@
|
16
|
+
- uses: actions/checkout@v4
|
14
17
|
- name: Set up Ruby ${{ matrix.ruby }}
|
15
|
-
uses: ruby/setup-ruby@v1
|
18
|
+
uses: ruby/setup-ruby@f26937343756480a8cb3ae1f623b9c8d89ed6984 #v1.190.0 tag
|
16
19
|
with:
|
17
20
|
ruby-version: ${{ matrix.ruby }}
|
21
|
+
bundler-cache: true
|
18
22
|
- name: Build and test with Rake
|
19
23
|
run: |
|
20
|
-
gem install bundler
|
21
|
-
bundle install --jobs 4 --retry 3 --without guard
|
22
|
-
bundle exec rspec spec
|
23
24
|
bundle exec rubocop
|
24
|
-
|
25
|
+
bundle exec rspec spec
|
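Review bot: `- uses: actions/checkout@v4` on the new side stays pinned to a mutable tag while the setup-ruby step a few lines below is pinned to a full commit SHA with a `#v1.190.0 tag` comment, so the supply-chain hardening this hunk introduces covers only one of the two actions. A tag can be moved to different content after the fact; pinning both to a SHA gives the job the same guarantee throughout, e.g. `- uses: actions/checkout@<checkout-v4-commit-sha> # v4 tag`. The `permissions:` / `contents: read` block added in the first hunk of this file is a good complement to that.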
data/Gemfile
CHANGED
data/README.md
CHANGED
@@ -0,0 +1,12 @@
|
|
1
|
+
## X-Xss-Protection is set to 0 by default
|
2
|
+
|
3
|
+
Version 6 and below of `secure_headers` set the `X-Xss-Protection` to `1; mode=block` by default. This was done to protect against reflected XSS attacks. However, this header is no longer recommended (see https://github.com/github/secure_headers/issues/439 for more information).
|
4
|
+
|
5
|
+
If any functionality in your app depended on this header being set to the previous value, you will need to set it explicitly in your configuration.
|
6
|
+
|
7
|
+
```ruby
|
8
|
+
# config/initializers/secure_headers.rb
|
9
|
+
SecureHeaders::Configuration.default do |config|
|
10
|
+
config.x_xss_protection = "1; mode=block"
|
11
|
+
end
|
12
|
+
```
|
@@ -83,14 +83,17 @@ module SecureHeaders
|
|
83
83
|
# can lead to modifying parent objects.
|
84
84
|
def deep_copy(config)
|
85
85
|
return unless config
|
86
|
-
|
87
|
-
|
88
|
-
|
86
|
+
result = {}
|
87
|
+
config.each_pair do |key, value|
|
88
|
+
result[key] =
|
89
|
+
case value
|
90
|
+
when Array
|
89
91
|
value.dup
|
90
92
|
else
|
91
93
|
value
|
92
94
|
end
|
93
95
|
end
|
96
|
+
result
|
94
97
|
end
|
95
98
|
|
96
99
|
# Private: Returns the internal default configuration. This should only
|
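Review bot: The rebuilt body of deep_copy copies exactly one level: Array values are `dup`'d (their elements stay shared) and every other value, including any nested Hash, is assigned through unchanged, which is less than the method's name suggests and worth stating above `result = {}`: `# One level only: Array values are dup'd (elements shared); all other values are shared as-is.`. If `config` is always a Hash, the explicit accumulator could also be written as `config.transform_values { |value| value.is_a?(Array) ? value.dup : value }`, which keeps the same behaviour (`when Array` performs the same `===` test) in a single expression. The comment that begins `# can lead to modifying parent objects.` starts before the hunk.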
@@ -20,9 +20,9 @@ module SecureHeaders
|
|
20
20
|
config
|
21
21
|
end
|
22
22
|
|
23
|
-
@preserve_schemes = @config
|
24
|
-
@script_nonce = @config
|
25
|
-
@style_nonce = @config
|
23
|
+
@preserve_schemes = @config[:preserve_schemes]
|
24
|
+
@script_nonce = @config[:script_nonce]
|
25
|
+
@style_nonce = @config[:style_nonce]
|
26
26
|
end
|
27
27
|
|
28
28
|
##
|
@@ -1,65 +1,23 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
module SecureHeaders
|
3
3
|
module DynamicConfig
|
4
|
-
def self.included(base)
|
5
|
-
base.send(:attr_reader, *base.attrs)
|
6
|
-
base.attrs.each do |attr|
|
7
|
-
base.send(:define_method, "#{attr}=") do |value|
|
8
|
-
if self.class.attrs.include?(attr)
|
9
|
-
write_attribute(attr, value)
|
10
|
-
else
|
11
|
-
raise ContentSecurityPolicyConfigError, "Unknown config directive: #{attr}=#{value}"
|
12
|
-
end
|
13
|
-
end
|
14
|
-
end
|
15
|
-
end
|
16
|
-
|
17
4
|
def initialize(hash)
|
18
|
-
@
|
19
|
-
@child_src = nil
|
20
|
-
@connect_src = nil
|
21
|
-
@default_src = nil
|
22
|
-
@font_src = nil
|
23
|
-
@form_action = nil
|
24
|
-
@frame_ancestors = nil
|
25
|
-
@frame_src = nil
|
26
|
-
@img_src = nil
|
27
|
-
@manifest_src = nil
|
28
|
-
@media_src = nil
|
29
|
-
@navigate_to = nil
|
30
|
-
@object_src = nil
|
31
|
-
@plugin_types = nil
|
32
|
-
@prefetch_src = nil
|
33
|
-
@preserve_schemes = nil
|
34
|
-
@report_only = nil
|
35
|
-
@report_uri = nil
|
36
|
-
@require_sri_for = nil
|
37
|
-
@require_trusted_types_for = nil
|
38
|
-
@sandbox = nil
|
39
|
-
@script_nonce = nil
|
40
|
-
@script_src = nil
|
41
|
-
@script_src_elem = nil
|
42
|
-
@script_src_attr = nil
|
43
|
-
@style_nonce = nil
|
44
|
-
@style_src = nil
|
45
|
-
@style_src_elem = nil
|
46
|
-
@style_src_attr = nil
|
47
|
-
@trusted_types = nil
|
48
|
-
@worker_src = nil
|
49
|
-
@upgrade_insecure_requests = nil
|
50
|
-
@disable_nonce_backwards_compatibility = nil
|
5
|
+
@config = {}
|
51
6
|
|
52
7
|
from_hash(hash)
|
53
8
|
end
|
54
9
|
|
10
|
+
def initialize_copy(hash)
|
11
|
+
@config = hash.to_h
|
12
|
+
end
|
13
|
+
|
55
14
|
def update_directive(directive, value)
|
56
|
-
|
15
|
+
@config[directive] = value
|
57
16
|
end
|
58
17
|
|
59
18
|
def directive_value(directive)
|
60
|
-
|
61
|
-
|
62
|
-
end
|
19
|
+
# No need to check attrs, as we only assign valid keys
|
20
|
+
@config[directive]
|
63
21
|
end
|
64
22
|
|
65
23
|
def merge(new_hash)
|
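Review bot: update_directive's new body `@config[directive] = value` stores whatever key and value it is given, so the comment added in directive_value (`# No need to check attrs, as we only assign valid keys`) holds only if every caller validates first, and a `nil` value is kept under its key here while write_attribute (in the `@@ -113,8 +68,11 @@` hunk below) deletes the key on nil — after `update_directive(:script_src, nil)`, `to_h` still contains `script_src: nil`, which surfaces in anything that compares or serializes configs through to_h. Routing it through the same path, `def update_directive(directive, value)` / `write_attribute(directive, value)` / `end`, keeps nil handling in one place; whether unknown directive names are rejected before either path is reached depends on from_hash, which lies outside this hunk. In initialize_copy the parameter receives the object being copied (the hook is invoked by clone, and by dup unless the `dup` override below bypasses it), so naming it `hash` misleads, and `hash.to_h` is a shallow copy whose source-list arrays are shared with the original; `def initialize_copy(source)` plus a comment `# clone/dup hook: copies the backing hash (Array values remain shared)` would make both explicit.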
@@ -77,10 +35,7 @@ module SecureHeaders
|
|
77
35
|
end
|
78
36
|
|
79
37
|
def to_h
|
80
|
-
|
81
|
-
value = self.send(key)
|
82
|
-
hash[key] = value unless value.nil?
|
83
|
-
end
|
38
|
+
@config.dup
|
84
39
|
end
|
85
40
|
|
86
41
|
def dup
|
@@ -113,8 +68,11 @@ module SecureHeaders
|
|
113
68
|
|
114
69
|
def write_attribute(attr, value)
|
115
70
|
value = value.dup if PolicyManagement::DIRECTIVE_VALUE_TYPES[attr] == :source_list
|
116
|
-
|
117
|
-
|
71
|
+
if value.nil?
|
72
|
+
@config.delete(attr)
|
73
|
+
else
|
74
|
+
@config[attr] = value
|
75
|
+
end
|
118
76
|
end
|
119
77
|
end
|
120
78
|
|
@@ -122,7 +80,7 @@ module SecureHeaders
|
|
122
80
|
class ContentSecurityPolicyConfig
|
123
81
|
HEADER_NAME = "Content-Security-Policy".freeze
|
124
82
|
|
125
|
-
ATTRS = PolicyManagement::ALL_DIRECTIVES + PolicyManagement::META_CONFIGS + PolicyManagement::NONCES
|
83
|
+
ATTRS = Set.new(PolicyManagement::ALL_DIRECTIVES + PolicyManagement::META_CONFIGS + PolicyManagement::NONCES)
|
126
84
|
def self.attrs
|
127
85
|
ATTRS
|
128
86
|
end
|
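Review bot: `ATTRS = Set.new(...)` needs `Set` to be loaded on every Ruby in the CI matrix; `Set` is autoloaded only from Ruby 3.2, and the matrix still lists 2.6 through 3.1, so unless a `require "set"` exists elsewhere in the gem (none is visible in this diff) evaluating the constant may raise NameError on those versions depending on what was loaded before it. The constant is also left mutable although the neighbouring `HEADER_NAME` is frozen; `ATTRS = Set.new(PolicyManagement::ALL_DIRECTIVES + PolicyManagement::META_CONFIGS + PolicyManagement::NONCES).freeze` closes that gap, since the set is only read through `self.attrs`.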
@@ -3,7 +3,7 @@ module SecureHeaders
|
|
3
3
|
class XXssProtectionConfigError < StandardError; end
|
4
4
|
class XXssProtection
|
5
5
|
HEADER_NAME = "X-XSS-Protection".freeze
|
6
|
-
DEFAULT_VALUE = "
|
6
|
+
DEFAULT_VALUE = "0".freeze
|
7
7
|
VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/
|
8
8
|
|
9
9
|
class << self
|
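Review bot: `DEFAULT_VALUE = "0".freeze` is a behaviour change that the constant itself does not explain; the rationale lives only in the new upgrade document. A short comment on that line, e.g. `DEFAULT_VALUE = "0".freeze # disables the legacy browser XSS auditor; "1; mode=block" is no longer recommended (see docs/upgrading-to-7-0.md)`, keeps the reason next to the value for readers who never open the docs. `VALID_X_XSS_HEADER` on the following context line still accepts the old value, so apps that depend on `1; mode=block` can set it explicitly as the upgrade note describes.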
data/secure_headers.gemspec
CHANGED
@@ -13,7 +13,7 @@ Gem::Specification.new do |gem|
|
|
13
13
|
gem.description = 'Add easily configured security headers to responses
|
14
14
|
including content-security-policy, x-frame-options,
|
15
15
|
strict-transport-security, etc.'
|
16
|
-
gem.homepage = "https://github.com/
|
16
|
+
gem.homepage = "https://github.com/github/secure_headers"
|
17
17
|
gem.license = "MIT"
|
18
18
|
gem.files = `git ls-files`.split($INPUT_RECORD_SEPARATOR)
|
19
19
|
gem.executables = gem.files.grep(%r{^bin/}).map { |f| File.basename(f) }
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: secure_headers
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version:
|
4
|
+
version: 7.0.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Neil Matatall
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2024-
|
11
|
+
date: 2024-10-16 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rake
|
@@ -61,6 +61,7 @@ files:
|
|
61
61
|
- docs/upgrading-to-4-0.md
|
62
62
|
- docs/upgrading-to-5-0.md
|
63
63
|
- docs/upgrading-to-6-0.md
|
64
|
+
- docs/upgrading-to-7-0.md
|
64
65
|
- lib/secure_headers.rb
|
65
66
|
- lib/secure_headers/configuration.rb
|
66
67
|
- lib/secure_headers/hash_helper.rb
|
@@ -101,7 +102,7 @@ files:
|
|
101
102
|
- spec/lib/secure_headers/view_helpers_spec.rb
|
102
103
|
- spec/lib/secure_headers_spec.rb
|
103
104
|
- spec/spec_helper.rb
|
104
|
-
homepage: https://github.com/
|
105
|
+
homepage: https://github.com/github/secure_headers
|
105
106
|
licenses:
|
106
107
|
- MIT
|
107
108
|
metadata: {}
|