secure_headers 6.7.0 → 7.1.0

Files changed (59)
  1. checksums.yaml +4 -4
  2. data/README.md +13 -13
  3. data/lib/secure_headers/configuration.rb +1 -1
  4. data/lib/secure_headers/headers/clear_site_data.rb +4 -4
  5. data/lib/secure_headers/headers/content_security_policy.rb +2 -2
  6. data/lib/secure_headers/headers/content_security_policy_config.rb +2 -2
  7. data/lib/secure_headers/headers/expect_certificate_transparency.rb +2 -2
  8. data/lib/secure_headers/headers/policy_management.rb +2 -2
  9. data/lib/secure_headers/headers/referrer_policy.rb +1 -1
  10. data/lib/secure_headers/headers/strict_transport_security.rb +1 -1
  11. data/lib/secure_headers/headers/x_content_type_options.rb +1 -1
  12. data/lib/secure_headers/headers/x_download_options.rb +2 -2
  13. data/lib/secure_headers/headers/x_frame_options.rb +1 -1
  14. data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +2 -2
  15. data/lib/secure_headers/headers/x_xss_protection.rb +2 -2
  16. data/lib/secure_headers/railtie.rb +5 -5
  17. data/lib/secure_headers/version.rb +1 -1
  18. data/secure_headers.gemspec +14 -4
  19. metadata +15 -63
  20. data/.github/ISSUE_TEMPLATE.md +0 -41
  21. data/.github/PULL_REQUEST_TEMPLATE.md +0 -20
  22. data/.github/dependabot.yml +0 -6
  23. data/.github/workflows/build.yml +0 -24
  24. data/.github/workflows/github-release.yml +0 -28
  25. data/.gitignore +0 -13
  26. data/.rspec +0 -3
  27. data/.rubocop.yml +0 -4
  28. data/.ruby-gemset +0 -1
  29. data/.ruby-version +0 -1
  30. data/CODE_OF_CONDUCT.md +0 -46
  31. data/CONTRIBUTING.md +0 -41
  32. data/Guardfile +0 -13
  33. data/Rakefile +0 -32
  34. data/docs/cookies.md +0 -65
  35. data/docs/hashes.md +0 -64
  36. data/docs/named_overrides_and_appends.md +0 -104
  37. data/docs/per_action_configuration.md +0 -139
  38. data/docs/sinatra.md +0 -25
  39. data/docs/upgrading-to-3-0.md +0 -42
  40. data/docs/upgrading-to-4-0.md +0 -35
  41. data/docs/upgrading-to-5-0.md +0 -15
  42. data/docs/upgrading-to-6-0.md +0 -50
  43. data/spec/lib/secure_headers/configuration_spec.rb +0 -121
  44. data/spec/lib/secure_headers/headers/clear_site_data_spec.rb +0 -87
  45. data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +0 -215
  46. data/spec/lib/secure_headers/headers/cookie_spec.rb +0 -179
  47. data/spec/lib/secure_headers/headers/expect_certificate_transparency_spec.rb +0 -42
  48. data/spec/lib/secure_headers/headers/policy_management_spec.rb +0 -265
  49. data/spec/lib/secure_headers/headers/referrer_policy_spec.rb +0 -91
  50. data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +0 -33
  51. data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +0 -31
  52. data/spec/lib/secure_headers/headers/x_download_options_spec.rb +0 -29
  53. data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +0 -36
  54. data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb +0 -48
  55. data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +0 -47
  56. data/spec/lib/secure_headers/middleware_spec.rb +0 -117
  57. data/spec/lib/secure_headers/view_helpers_spec.rb +0 -192
  58. data/spec/lib/secure_headers_spec.rb +0 -516
  59. data/spec/spec_helper.rb +0 -64
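--- a/data/spec/lib/secure_headers/headers/policy_management_spec.rb
+++ b/data/spec/lib/secure_headers/headers/policy_management_spec.rb
@@ -1,265 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-
-module SecureHeaders
-describe PolicyManagement do
-before(:each) do
-reset_config
-Configuration.default
-end
-
-let (:default_opts) do
-{
-default_src: %w(https:),
-img_src: %w(https: data:),
-script_src: %w('unsafe-inline' 'unsafe-eval' https: data:),
-style_src: %w('unsafe-inline' https: about:),
-report_uri: %w(/csp_report)
-}
-end
-
-describe "#validate_config!" do
-it "accepts all keys" do
-# (pulled from README)
-config = {
-# "meta" values. these will shape the header, but the values are not included in the header.
-report_only: false,
-preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
-
-# directive values: these values will directly translate into source directives
-default_src: %w(https: 'self'),
-
-base_uri: %w('self'),
-connect_src: %w(wss:),
-child_src: %w('self' *.twimg.com itunes.apple.com),
-font_src: %w('self' data:),
-form_action: %w('self' github.com),
-frame_ancestors: %w('none'),
-frame_src: %w('self' *.twimg.com itunes.apple.com),
-img_src: %w(mycdn.com data:),
-manifest_src: %w(manifest.com),
-media_src: %w(utoob.com),
-navigate_to: %w(netscape.com),
-object_src: %w('self'),
-plugin_types: %w(application/x-shockwave-flash),
-prefetch_src: %w(fetch.com),
-require_sri_for: %w(script style),
-require_trusted_types_for: %w('script'),
-script_src: %w('self'),
-style_src: %w('unsafe-inline'),
-upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
-worker_src: %w(worker.com),
-script_src_elem: %w(example.com),
-script_src_attr: %w(example.com),
-style_src_elem: %w(example.com),
-style_src_attr: %w(example.com),
-trusted_types: %w(abcpolicy),
-
-report_uri: %w(https://example.com/uri-directive),
-}
-
-ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(config))
-end
-
-it "requires a :default_src value" do
-expect do
-ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(script_src: %w('self')))
-end.to raise_error(ContentSecurityPolicyConfigError)
-end
-
-it "requires a :script_src value" do
-expect do
-ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w('self')))
-end.to raise_error(ContentSecurityPolicyConfigError)
-end
-
-it "accepts OPT_OUT as a script-src value" do
-expect do
-ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w('self'), script_src: OPT_OUT))
-end.to_not raise_error
-end
-
-it "requires :report_only to be a truthy value" do
-expect do
-ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(report_only: "steve")))
-end.to raise_error(ContentSecurityPolicyConfigError)
-end
-
-it "requires :preserve_schemes to be a truthy value" do
-expect do
-ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(preserve_schemes: "steve")))
-end.to raise_error(ContentSecurityPolicyConfigError)
-end
-
-it "requires :upgrade_insecure_requests to be a boolean value" do
-expect do
-ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(upgrade_insecure_requests: "steve")))
-end.to raise_error(ContentSecurityPolicyConfigError)
-end
-
-it "requires all source lists to be an array of strings" do
-expect do
-ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: "steve"))
-end.to raise_error(ContentSecurityPolicyConfigError)
-end
-
-it "allows nil values" do
-expect do
-ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w('self'), script_src: ["https:", nil]))
-end.to_not raise_error
-end
-
-it "rejects unknown directives / config" do
-expect do
-ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w('self'), default_src_totally_mispelled: "steve"))
-end.to raise_error(ContentSecurityPolicyConfigError)
-end
-
-it "rejects style for trusted types" do
-expect do
-ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(style_src: %w('self'), require_trusted_types_for: %w(script style), trusted_types: %w(abcpolicy))))
-end
-end
-
-# this is mostly to ensure people don't use the antiquated shorthands common in other configs
-it "performs light validation on source lists" do
-expect do
-ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w(self none inline eval), script_src: %w('self')))
-end.to raise_error(ContentSecurityPolicyConfigError)
-end
-
-it "rejects anything not of the form allow-* as a sandbox value" do
-expect do
-ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(sandbox: ["steve"])))
-end.to raise_error(ContentSecurityPolicyConfigError)
-end
-
-it "accepts anything of the form allow-* as a sandbox value " do
-expect do
-ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(sandbox: ["allow-foo"])))
-end.to_not raise_error
-end
-
-it "accepts true as a sandbox policy" do
-expect do
-ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(sandbox: true)))
-end.to_not raise_error
-end
-
-it "rejects anything not of the form type/subtype as a plugin-type value" do
-expect do
-ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(plugin_types: ["steve"])))
-end.to raise_error(ContentSecurityPolicyConfigError)
-end
-
-it "accepts anything of the form type/subtype as a plugin-type value " do
-expect do
-ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(plugin_types: ["application/pdf"])))
-end.to_not raise_error
-end
-
-it "doesn't allow report_only to be set in a non-report-only config" do
-expect do
-ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(report_only: true)))
-end.to raise_error(ContentSecurityPolicyConfigError)
-end
-
-it "allows report_only to be set in a report-only config" do
-expect do
-ContentSecurityPolicy.validate_config!(ContentSecurityPolicyReportOnlyConfig.new(default_opts.merge(report_only: true)))
-end.to_not raise_error
-end
-end
-
-describe "#combine_policies" do
-before(:each) do
-reset_config
-end
-it "combines the default-src value with the override if the directive was unconfigured" do
-Configuration.default do |config|
-config.csp = {
-default_src: %w(https:),
-script_src: %w('self'),
-}
-end
-default_policy = Configuration.dup
-combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, style_src: %w(anothercdn.com))
-csp = ContentSecurityPolicy.new(combined_config)
-expect(csp.name).to eq(ContentSecurityPolicyConfig::HEADER_NAME)
-expect(csp.value).to eq("default-src https:; script-src 'self'; style-src https: anothercdn.com")
-end
-
-it "combines directives where the original value is nil and the hash is frozen" do
-Configuration.default do |config|
-config.csp = {
-default_src: %w('self'),
-script_src: %w('self'),
-report_only: false
-}.freeze
-end
-report_uri = "https://report-uri.io/asdf"
-default_policy = Configuration.dup
-combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, report_uri: [report_uri])
-csp = ContentSecurityPolicy.new(combined_config)
-expect(csp.value).to include("report-uri #{report_uri}")
-end
-
-it "does not combine the default-src value for directives that don't fall back to default sources" do
-Configuration.default do |config|
-config.csp = {
-default_src: %w('self'),
-script_src: %w('self'),
-report_only: false
-}.freeze
-end
-non_default_source_additions = ContentSecurityPolicy::NON_FETCH_SOURCES.each_with_object({}) do |directive, hash|
-hash[directive] = %w("http://example.org)
-end
-default_policy = Configuration.dup
-combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, non_default_source_additions)
-
-ContentSecurityPolicy::NON_FETCH_SOURCES.each do |directive|
-expect(combined_config[directive]).to eq(%w("http://example.org))
-end
-end
-
-it "overrides the report_only flag" do
-Configuration.default do |config|
-config.csp = {
-default_src: %w('self'),
-script_src: %w('self'),
-report_only: false
-}
-end
-default_policy = Configuration.dup
-combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, report_only: true)
-csp = ContentSecurityPolicy.new(combined_config)
-expect(csp.name).to eq(ContentSecurityPolicyReportOnlyConfig::HEADER_NAME)
-end
-
-it "overrides the :upgrade_insecure_requests flag" do
-Configuration.default do |config|
-config.csp = {
-default_src: %w(https:),
-script_src: %w('self'),
-upgrade_insecure_requests: false
-}
-end
-default_policy = Configuration.dup
-combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, upgrade_insecure_requests: true)
-csp = ContentSecurityPolicy.new(combined_config)
-expect(csp.value).to eq("default-src https:; script-src 'self'; upgrade-insecure-requests")
-end
-
-it "raises an error if appending to a OPT_OUT policy" do
-Configuration.default do |config|
-config.csp = OPT_OUT
-end
-default_policy = Configuration.dup
-expect do
-ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, script_src: %w(anothercdn.com))
-end.to raise_error(ContentSecurityPolicyConfigError)
-end
-end
-end
-end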
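--- a/data/spec/lib/secure_headers/headers/referrer_policy_spec.rb
+++ b/data/spec/lib/secure_headers/headers/referrer_policy_spec.rb
@@ -1,91 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-
-module SecureHeaders
-describe ReferrerPolicy do
-specify { expect(ReferrerPolicy.make_header).to eq([ReferrerPolicy::HEADER_NAME, "origin-when-cross-origin"]) }
-specify { expect(ReferrerPolicy.make_header("no-referrer")).to eq([ReferrerPolicy::HEADER_NAME, "no-referrer"]) }
-specify { expect(ReferrerPolicy.make_header(%w(origin-when-cross-origin strict-origin-when-cross-origin))).to eq([ReferrerPolicy::HEADER_NAME, "origin-when-cross-origin, strict-origin-when-cross-origin"]) }
-
-context "valid configuration values" do
-it "accepts 'no-referrer'" do
-expect do
-ReferrerPolicy.validate_config!("no-referrer")
-end.not_to raise_error
-end
-
-it "accepts 'no-referrer-when-downgrade'" do
-expect do
-ReferrerPolicy.validate_config!("no-referrer-when-downgrade")
-end.not_to raise_error
-end
-
-it "accepts 'same-origin'" do
-expect do
-ReferrerPolicy.validate_config!("same-origin")
-end.not_to raise_error
-end
-
-it "accepts 'strict-origin'" do
-expect do
-ReferrerPolicy.validate_config!("strict-origin")
-end.not_to raise_error
-end
-
-it "accepts 'strict-origin-when-cross-origin'" do
-expect do
-ReferrerPolicy.validate_config!("strict-origin-when-cross-origin")
-end.not_to raise_error
-end
-
-it "accepts 'origin'" do
-expect do
-ReferrerPolicy.validate_config!("origin")
-end.not_to raise_error
-end
-
-it "accepts 'origin-when-cross-origin'" do
-expect do
-ReferrerPolicy.validate_config!("origin-when-cross-origin")
-end.not_to raise_error
-end
-
-it "accepts 'unsafe-url'" do
-expect do
-ReferrerPolicy.validate_config!("unsafe-url")
-end.not_to raise_error
-end
-
-it "accepts nil" do
-expect do
-ReferrerPolicy.validate_config!(nil)
-end.not_to raise_error
-end
-
-it "accepts array of policy values" do
-expect do
-ReferrerPolicy.validate_config!(
-%w(
-origin-when-cross-origin
-strict-origin-when-cross-origin
-)
-)
-end.not_to raise_error
-end
-end
-
-context "invalid configuration values" do
-it "doesn't accept invalid values" do
-expect do
-ReferrerPolicy.validate_config!("open")
-end.to raise_error(ReferrerPolicyConfigError)
-end
-
-it "doesn't accept invalid types" do
-expect do
-ReferrerPolicy.validate_config!({})
-end.to raise_error(TypeError)
-end
-end
-end
-end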
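--- a/data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb
+++ b/data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb
@@ -1,33 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-
-module SecureHeaders
-describe StrictTransportSecurity do
-describe "#value" do
-specify { expect(StrictTransportSecurity.make_header).to eq([StrictTransportSecurity::HEADER_NAME, StrictTransportSecurity::DEFAULT_VALUE]) }
-specify { expect(StrictTransportSecurity.make_header("max-age=1234; includeSubdomains; preload")).to eq([StrictTransportSecurity::HEADER_NAME, "max-age=1234; includeSubdomains; preload"]) }
-
-context "with an invalid configuration" do
-context "with a string argument" do
-it "raises an exception with an invalid max-age" do
-expect do
-StrictTransportSecurity.validate_config!("max-age=abc123")
-end.to raise_error(STSConfigError)
-end
-
-it "raises an exception if max-age is not supplied" do
-expect do
-StrictTransportSecurity.validate_config!("includeSubdomains")
-end.to raise_error(STSConfigError)
-end
-
-it "raises an exception with an invalid format" do
-expect do
-StrictTransportSecurity.validate_config!("max-age=123includeSubdomains")
-end.to raise_error(STSConfigError)
-end
-end
-end
-end
-end
-end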
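--- a/data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb
+++ b/data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb
@@ -1,31 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-
-module SecureHeaders
-describe XContentTypeOptions do
-describe "#value" do
-specify { expect(XContentTypeOptions.make_header).to eq([XContentTypeOptions::HEADER_NAME, XContentTypeOptions::DEFAULT_VALUE]) }
-specify { expect(XContentTypeOptions.make_header("nosniff")).to eq([XContentTypeOptions::HEADER_NAME, "nosniff"]) }
-
-context "invalid configuration values" do
-it "accepts nosniff" do
-expect do
-XContentTypeOptions.validate_config!("nosniff")
-end.not_to raise_error
-end
-
-it "accepts nil" do
-expect do
-XContentTypeOptions.validate_config!(nil)
-end.not_to raise_error
-end
-
-it "doesn't accept anything besides no-sniff" do
-expect do
-XContentTypeOptions.validate_config!("donkey")
-end.to raise_error(XContentTypeOptionsConfigError)
-end
-end
-end
-end
-end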
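--- a/data/spec/lib/secure_headers/headers/x_download_options_spec.rb
+++ b/data/spec/lib/secure_headers/headers/x_download_options_spec.rb
@@ -1,29 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-
-module SecureHeaders
-describe XDownloadOptions do
-specify { expect(XDownloadOptions.make_header).to eq([XDownloadOptions::HEADER_NAME, XDownloadOptions::DEFAULT_VALUE]) }
-specify { expect(XDownloadOptions.make_header("noopen")).to eq([XDownloadOptions::HEADER_NAME, "noopen"]) }
-
-context "invalid configuration values" do
-it "accepts noopen" do
-expect do
-XDownloadOptions.validate_config!("noopen")
-end.not_to raise_error
-end
-
-it "accepts nil" do
-expect do
-XDownloadOptions.validate_config!(nil)
-end.not_to raise_error
-end
-
-it "doesn't accept anything besides noopen" do
-expect do
-XDownloadOptions.validate_config!("open")
-end.to raise_error(XDOConfigError)
-end
-end
-end
-end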
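--- a/data/spec/lib/secure_headers/headers/x_frame_options_spec.rb
+++ b/data/spec/lib/secure_headers/headers/x_frame_options_spec.rb
@@ -1,36 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-
-module SecureHeaders
-describe XFrameOptions do
-describe "#value" do
-specify { expect(XFrameOptions.make_header).to eq([XFrameOptions::HEADER_NAME, XFrameOptions::DEFAULT_VALUE]) }
-specify { expect(XFrameOptions.make_header("DENY")).to eq([XFrameOptions::HEADER_NAME, "DENY"]) }
-
-context "with invalid configuration" do
-it "allows SAMEORIGIN" do
-expect do
-XFrameOptions.validate_config!("SAMEORIGIN")
-end.not_to raise_error
-end
-
-it "allows DENY" do
-expect do
-XFrameOptions.validate_config!("DENY")
-end.not_to raise_error
-end
-
-it "allows ALLOW-FROM*" do
-expect do
-XFrameOptions.validate_config!("ALLOW-FROM: example.com")
-end.not_to raise_error
-end
-it "does not allow garbage" do
-expect do
-XFrameOptions.validate_config!("I like turtles")
-end.to raise_error(XFOConfigError)
-end
-end
-end
-end
-end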
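--- a/data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
+++ b/data/spec/lib/secure_headers/headers/x_permitted_cross_domain_policies_spec.rb
@@ -1,48 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-
-module SecureHeaders
-describe XPermittedCrossDomainPolicies do
-specify { expect(XPermittedCrossDomainPolicies.make_header).to eq([XPermittedCrossDomainPolicies::HEADER_NAME, "none"]) }
-specify { expect(XPermittedCrossDomainPolicies.make_header("master-only")).to eq([XPermittedCrossDomainPolicies::HEADER_NAME, "master-only"]) }
-
-context "valid configuration values" do
-it "accepts 'all'" do
-expect do
-XPermittedCrossDomainPolicies.validate_config!("all")
-end.not_to raise_error
-end
-
-it "accepts 'by-ftp-filename'" do
-expect do
-XPermittedCrossDomainPolicies.validate_config!("by-ftp-filename")
-end.not_to raise_error
-end
-
-it "accepts 'by-content-type'" do
-expect do
-XPermittedCrossDomainPolicies.validate_config!("by-content-type")
-end.not_to raise_error
-end
-it "accepts 'master-only'" do
-expect do
-XPermittedCrossDomainPolicies.validate_config!("master-only")
-end.not_to raise_error
-end
-
-it "accepts nil" do
-expect do
-XPermittedCrossDomainPolicies.validate_config!(nil)
-end.not_to raise_error
-end
-end
-
-context "invlaid configuration values" do
-it "doesn't accept invalid values" do
-expect do
-XPermittedCrossDomainPolicies.validate_config!("open")
-end.to raise_error(XPCDPConfigError)
-end
-end
-end
-end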
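--- a/data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb
+++ b/data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb
@@ -1,47 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-
-module SecureHeaders
-describe XXssProtection do
-specify { expect(XXssProtection.make_header).to eq([XXssProtection::HEADER_NAME, XXssProtection::DEFAULT_VALUE]) }
-specify { expect(XXssProtection.make_header("1; mode=block; report=https://www.secure.com/reports")).to eq([XXssProtection::HEADER_NAME, "1; mode=block; report=https://www.secure.com/reports"]) }
-
-context "with invalid configuration" do
-it "should raise an error when providing a string that is not valid" do
-expect do
-XXssProtection.validate_config!("asdf")
-end.to raise_error(XXssProtectionConfigError)
-
-expect do
-XXssProtection.validate_config!("asdf; mode=donkey")
-end.to raise_error(XXssProtectionConfigError)
-end
-
-context "when using a hash value" do
-it "should allow string values ('1' or '0' are the only valid strings)" do
-expect do
-XXssProtection.validate_config!("1")
-end.not_to raise_error
-end
-
-it "should raise an error if no value key is supplied" do
-expect do
-XXssProtection.validate_config!("mode=block")
-end.to raise_error(XXssProtectionConfigError)
-end
-
-it "should raise an error if an invalid key is supplied" do
-expect do
-XXssProtection.validate_config!("123")
-end.to raise_error(XXssProtectionConfigError)
-end
-
-it "should raise an error if mode != block" do
-expect do
-XXssProtection.validate_config!("1; mode=donkey")
-end.to raise_error(XXssProtectionConfigError)
-end
-end
-end
-end
-end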