secure_headers 6.6.0 → 7.0.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 2afd142dc54275ace387af0a964bba3918655513474a14f11959532616108d58
4
- data.tar.gz: f520ab4f191710af2d78bc662319b02ab7819bba57a091c921822984393f18e5
3
+ metadata.gz: df732bcf03768407849220aa164adc5b05c741d3ffcaea00d80758bd936d4e65
4
+ data.tar.gz: d979d4a8892a101b2efbeba1fc2fd3fbeffa154d9e429aaf7a5ff73d889bbdac
5
5
  SHA512:
6
- metadata.gz: 3fe9df12ae44cabd372f84e8eebd47946e6102d8c920cf48752e3f36bcd1db3e429cbc47e54dda8f8194b4ae2cb90c583eec38b0e7906bac8f0fb9337eb7ecad
7
- data.tar.gz: 56a30016b7f290693c89d8f8e2fd4e3d8425962a2dcb0fb75c96bd6b2fc8b85b890373a4ebd160e7cf2896e494697a563dd882f11f7527da9c29234d41bd2b17
6
+ metadata.gz: be8e613fe594063d0921ee9e971c43522cf4d434ef1ae958a15a20cb9cf07d74180803323c90cafe9ac1cb9c09377110d3757f4b4a0b91774401fe09dff1da40
7
+ data.tar.gz: 47471941c3192cfff7e3fc1d2442a2c5106334a192cede9e8aa432ce7c7906eeb369ad528989932e33e6fdae02853c37c90609be47ce1b256634af9d6455d379
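--- a/<PATH-NOT-SHOWN>
+++ b/<PATH-NOT-SHOWN>
@@ -1,6 +1,9 @@
 name: Build + Test
 on: [pull_request, push]
 
+permissions:
+contents: read
+
 jobs:
 build:
 name: Build + Test
@@ -10,15 +13,13 @@ jobs:
 ruby: [ '2.6', '2.7', '3.0', '3.1', '3.2' ]
 
 steps:
-- uses: actions/checkout@v3
+- uses: actions/checkout@v4
 - name: Set up Ruby ${{ matrix.ruby }}
-uses: ruby/setup-ruby@v1
+uses: ruby/setup-ruby@f26937343756480a8cb3ae1f623b9c8d89ed6984 #v1.190.0 tag
 with:
 ruby-version: ${{ matrix.ruby }}
+bundler-cache: true
 - name: Build and test with Rake
 run: |
-gem install bundler
-bundle install --jobs 4 --retry 3 --without guard
-bundle exec rspec spec
 bundle exec rubocop
-
+bundle exec rspec spec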
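Review bot: `actions/checkout@v4` at new line 16 is still a mutable tag while `ruby/setup-ruby` on line 18 is now pinned to a full commit SHA, so the two steps get different supply-chain guarantees; pin checkout the same way, `- uses: actions/checkout@<COMMIT-SHA> # v4.x.y tag`. Replacing the explicit `bundle install ... --without guard` with `bundler-cache: true` also means the `guard` group is now installed in CI, which is presumably intended but is not mentioned anywhere in the change.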
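--- a/data/Gemfile
+++ b/data/Gemfile
@@ -3,6 +3,8 @@ source "https://rubygems.org"
 
 gemspec
 
+gem "benchmark-ips"
+
 group :test do
 gem "coveralls"
 gem "json"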
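Review bot: `gem "benchmark-ips"` is added at the top level of the Gemfile, so it is installed in every bundle group, including the CI bundle that now uses `bundler-cache: true`; if it is only used for ad-hoc benchmarking, place it under `group :development do` so that test and CI bundles stay minimal.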
data/README.md CHANGED
@@ -105,7 +105,7 @@ X-Content-Type-Options: nosniff
105
105
  X-Download-Options: noopen
106
106
  X-Frame-Options: sameorigin
107
107
  X-Permitted-Cross-Domain-Policies: none
108
- X-Xss-Protection: 1; mode=block
108
+ X-Xss-Protection: 0
109
109
  ```
110
110
 
111
111
  ## API configurations
@@ -0,0 +1,12 @@
1
+ ## X-Xss-Protection is set to 0 by default
2
+
3
+ Version 6 and below of `secure_headers` set the `X-Xss-Protection` to `1; mode=block` by default. This was done to protect against reflected XSS attacks. However, this header is no longer recommended (see https://github.com/github/secure_headers/issues/439 for more information).
4
+
5
+ If any functionality in your app depended on this header being set to the previous value, you will need to set it explicitly in your configuration.
6
+
7
+ ```ruby
8
+ # config/initializers/secure_headers.rb
9
+ SecureHeaders::Configuration.default do |config|
10
+ config.x_xss_protection = "1; mode=block"
11
+ end
12
+ ```
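--- a/<PATH-NOT-SHOWN>
+++ b/<PATH-NOT-SHOWN>
@@ -83,14 +83,17 @@ module SecureHeaders
 # can lead to modifying parent objects.
 def deep_copy(config)
 return unless config
-config.each_with_object({}) do |(key, value), hash|
-hash[key] =
-if value.is_a?(Array)
+result = {}
+config.each_pair do |key, value|
+result[key] =
+case value
+when Array
 value.dup
 else
 value
 end
 end
+result
 end
 
 # Private: Returns the internal default configuration. This should only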
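Review bot: `deep_copy` still only dups top-level Array values (`when Array` at new line 90); a Hash or String value, and any object nested inside a duplicated array, remains shared with the source, so the name promises more than the body delivers given the comment above about modifying parent objects. If every config value is an Array or a scalar this is fine, otherwise extend the case with `when Hash then deep_copy(value)`. Stylistically, after the nil guard the whole body is `config.transform_values { |v| v.is_a?(Array) ? v.dup : v }`, which avoids the explicit accumulator.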
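--- a/<PATH-NOT-SHOWN>
+++ b/<PATH-NOT-SHOWN>
@@ -20,9 +20,9 @@ module SecureHeaders
 config
 end
 
-@preserve_schemes = @config.preserve_schemes
-@script_nonce = @config.script_nonce
-@style_nonce = @config.style_nonce
+@preserve_schemes = @config[:preserve_schemes]
+@script_nonce = @config[:script_nonce]
+@style_nonce = @config[:style_nonce]
 end
 
 ##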
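Review bot: `@config[:preserve_schemes]` at new line 23 requires `@config` to respond to `[]`, but the branch ending at line 20 appears to pass `config` through unchanged, and none of the DynamicConfig hunks in this diff define a `[]` method; if that branch can still receive a config object rather than a Hash, these three reads will raise where the old accessor calls worked. The enclosing `initialize` starts outside the hunk, so this should be confirmed against the lines above. If the object path is kept, `@config.directive_value(:preserve_schemes)` is the accessor the module does provide.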
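--- a/<PATH-NOT-SHOWN>
+++ b/<PATH-NOT-SHOWN>
@@ -1,65 +1,23 @@
 # frozen_string_literal: true
 module SecureHeaders
 module DynamicConfig
-def self.included(base)
-base.send(:attr_reader, *base.attrs)
-base.attrs.each do |attr|
-base.send(:define_method, "#{attr}=") do |value|
-if self.class.attrs.include?(attr)
-write_attribute(attr, value)
-else
-raise ContentSecurityPolicyConfigError, "Unknown config directive: #{attr}=#{value}"
-end
-end
-end
-end
-
 def initialize(hash)
-@base_uri = nil
-@child_src = nil
-@connect_src = nil
-@default_src = nil
-@font_src = nil
-@form_action = nil
-@frame_ancestors = nil
-@frame_src = nil
-@img_src = nil
-@manifest_src = nil
-@media_src = nil
-@navigate_to = nil
-@object_src = nil
-@plugin_types = nil
-@prefetch_src = nil
-@preserve_schemes = nil
-@report_only = nil
-@report_uri = nil
-@require_sri_for = nil
-@require_trusted_types_for = nil
-@sandbox = nil
-@script_nonce = nil
-@script_src = nil
-@script_src_elem = nil
-@script_src_attr = nil
-@style_nonce = nil
-@style_src = nil
-@style_src_elem = nil
-@style_src_attr = nil
-@trusted_types = nil
-@worker_src = nil
-@upgrade_insecure_requests = nil
-@disable_nonce_backwards_compatibility = nil
+@config = {}
 
 from_hash(hash)
 end
 
+def initialize_copy(hash)
+@config = hash.to_h
+end
+
 def update_directive(directive, value)
-self.send("#{directive}=", value)
+@config[directive] = value
 end
 
 def directive_value(directive)
-if self.class.attrs.include?(directive)
-self.send(directive)
-end
+# No need to check attrs, as we only assign valid keys
+@config[directive]
 end
 
 def merge(new_hash)
@@ -77,10 +35,7 @@ module SecureHeaders
 end
 
 def to_h
-self.class.attrs.each_with_object({}) do |key, hash|
-value = self.send(key)
-hash[key] = value unless value.nil?
-end
+@config.dup
 end
 
 def dup
@@ -113,8 +68,11 @@ module SecureHeaders
 
 def write_attribute(attr, value)
 value = value.dup if PolicyManagement::DIRECTIVE_VALUE_TYPES[attr] == :source_list
-attr_variable = "@#{attr}"
-self.instance_variable_set(attr_variable, value)
+if value.nil?
+@config.delete(attr)
+else
+@config[attr] = value
+end
 end
 end
 
@@ -122,7 +80,7 @@ module SecureHeaders
 class ContentSecurityPolicyConfig
 HEADER_NAME = "Content-Security-Policy".freeze
 
-ATTRS = PolicyManagement::ALL_DIRECTIVES + PolicyManagement::META_CONFIGS + PolicyManagement::NONCES
+ATTRS = Set.new(PolicyManagement::ALL_DIRECTIVES + PolicyManagement::META_CONFIGS + PolicyManagement::NONCES)
 def self.attrs
 ATTRS
 end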
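Review bot: `update_directive` (new line 15) assigns into `@config` directly instead of going through `write_attribute`, so it skips the `:source_list` dup and the nil-deletion added at lines 71–75 and it accepts keys outside `attrs`, which contradicts the new comment in `directive_value` that only valid keys are ever assigned; delegating with `write_attribute(directive, value)` keeps a single write path, with `raise ContentSecurityPolicyConfigError, "Unknown config directive: #{directive}=#{value}" unless self.class.attrs.include?(directive)` in front of it if the removed setters' rejection of unknown directives is meant to survive. `initialize_copy` receives the source object rather than a Hash, so naming its parameter `source` instead of `hash` would describe it accurately. In the last hunk `ATTRS = Set.new(...)` depends on `Set` already being loaded: the first hunk shows no `require "set"` at the top of this file, and the CI matrix includes Ruby 2.6–3.1 where `set` is not autoloaded, so confirm it is required elsewhere on the load path, and consider freezing the constant as `HEADER_NAME` is.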
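--- a/<PATH-NOT-SHOWN>
+++ b/<PATH-NOT-SHOWN>
@@ -3,7 +3,7 @@ module SecureHeaders
 class XXssProtectionConfigError < StandardError; end
 class XXssProtection
 HEADER_NAME = "X-XSS-Protection".freeze
-DEFAULT_VALUE = "1; mode=block"
+DEFAULT_VALUE = "0".freeze
 VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/
 
 class << self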
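Review bot: `DEFAULT_VALUE = "0".freeze` changes the header shipped to every response by default, but the rationale lives only in the docs; a one-line comment above it such as `# "0" disables the browser XSS auditor; this header is no longer recommended, see docs/upgrading-to-7-0.md` keeps the reason next to the value for the next person who sees a "weakened" default. The `.freeze` is redundant under the file's frozen-string-literal pragma, though it matches `HEADER_NAME`.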
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module SecureHeaders
4
- VERSION = "6.6.0"
4
+ VERSION = "7.0.0"
5
5
  end
@@ -13,7 +13,7 @@ Gem::Specification.new do |gem|
13
13
  gem.description = 'Add easily configured security headers to responses
14
14
  including content-security-policy, x-frame-options,
15
15
  strict-transport-security, etc.'
16
- gem.homepage = "https://github.com/twitter/secureheaders"
16
+ gem.homepage = "https://github.com/github/secure_headers"
17
17
  gem.license = "MIT"
18
18
  gem.files = `git ls-files`.split($INPUT_RECORD_SEPARATOR)
19
19
  gem.executables = gem.files.grep(%r{^bin/}).map { |f| File.basename(f) }
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.6.0
4
+ version: 7.0.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Neil Matatall
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-08-09 00:00:00.000000000 Z
11
+ date: 2024-10-16 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake
@@ -61,6 +61,7 @@ files:
61
61
  - docs/upgrading-to-4-0.md
62
62
  - docs/upgrading-to-5-0.md
63
63
  - docs/upgrading-to-6-0.md
64
+ - docs/upgrading-to-7-0.md
64
65
  - lib/secure_headers.rb
65
66
  - lib/secure_headers/configuration.rb
66
67
  - lib/secure_headers/hash_helper.rb
@@ -101,7 +102,7 @@ files:
101
102
  - spec/lib/secure_headers/view_helpers_spec.rb
102
103
  - spec/lib/secure_headers_spec.rb
103
104
  - spec/spec_helper.rb
104
- homepage: https://github.com/twitter/secureheaders
105
+ homepage: https://github.com/github/secure_headers
105
106
  licenses:
106
107
  - MIT
107
108
  metadata: {}