secure_headers 0.1.0 → 0.1.1
- data/HISTORY.md +7 -2
- data/README.md +10 -12
- data/lib/secure_headers/headers/content_security_policy.rb +1 -1
- data/lib/secure_headers/version.rb +1 -1
- metadata +1 -1
data/HISTORY.md
CHANGED
@@ -1,3 +1,8 @@
|
|
1
|
+
0.1.1
|
2
|
+
=======
|
3
|
+
|
4
|
+
Bug fix. Firefox doesn't seem to like the default-src directive, reverting back to 'allow'
|
5
|
+
|
1
6
|
0.1.0
|
2
7
|
=======
|
3
8
|
|
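Review bot: the 0.1.1 entry should state what the bug was instead of "Firefox doesn't seem to like the default-src directive". The README in this same release shows that Firefox takes the older Mozilla syntax, where the fallback directive is `allow` (the examples pair `allow https://*` for Firefox with `default-src https://*` for Chrome), so emitting `default-src` in the Firefox header produced an invalid policy; the fix is a syntax correction, not a preference. Several other entries in this file link to the PR or issue; this one should as well so the regression can be traced.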
@@ -9,7 +14,7 @@ Notes:
|
|
9
14
|
Features:
|
10
15
|
------
|
11
16
|
|
12
|
-
- ability to apply two headers, one in enforce mode,
|
17
|
+
- ability to apply two headers, one in enforce mode, one in "experimental" mode https://github.com/twitter/secureheaders/pull/11
|
13
18
|
- Rails 3.0 support https://github.com/twitter/secureheaders/pull/28
|
14
19
|
|
15
20
|
Bug fixes, misc:
|
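Review bot: good to see the truncated 0.1.0 line completed, but "experimental" mode is put in quotes and never defined in the changelog, so a reader cannot tell whether the second header enforces, reports only, or does something else. One clause naming the header it emits and what it does with violations would make the entry self-contained rather than requiring a trip to pull/11.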
@@ -19,4 +24,4 @@ Bug fixes, misc:
|
|
19
24
|
- Better support for other frameworks, including docs from @achui, @bmaland
|
20
25
|
- Rails 4 routes support from @jviney https://github.com/twitter/secureheaders/pull/13
|
21
26
|
- data: automatically whitelisted for img-src
|
22
|
-
- Doc updates from @ming13, @theverything, @dcollazo
|
27
|
+
- Doc updates from @ming13, @theverything, @dcollazo
|
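Review bot: the removed and added "Doc updates" lines are textually identical, so this is a whitespace or end-of-file newline change; fine, but say so in the commit so reviewers do not hunt for a content difference. On the unchanged context "data: automatically whitelisted for img-src": that is a reasonable default because a data: image cannot execute script, but the entry should state that the whitelisting is limited to img-src, since data: in script-src or object-src would reopen script injection.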
data/README.md
CHANGED
@@ -44,7 +44,7 @@ This gem makes a few assumptions about how you will use some features. For exam
|
|
44
44
|
* It adds 'chrome-extension:' to your CSP directives by default. This helps drastically reduce the amount of reports, but you can also disable this feature by supplying :disable_chrome_extension => true.
|
45
45
|
* It fills any blank directives with the value in :default_src Getting a default\-src report is pretty useless. This way, you will always know what type of violation occurred. You can disable this feature by supplying :disable_fill_missing => true.
|
46
46
|
* It copies the connect\-src value to xhr\-src for AJAX requests.
|
47
|
-
*
|
47
|
+
* Firefox does not support cross\-origin CSP reports. If we are using Firefox, AND the value for :report_uri does not satisfy the same\-origin requirements, we will instead forward to an internal endpoint (`FF_CSP_ENDPOINT`). This is also the case if :report_uri only contains a path, which we assume will be cross host. This endpoint will in turn forward the request to the value in :report_uri without restriction. More information can be found in the "Note on Firefox handling of CSP" section.
|
48
48
|
|
49
49
|
|
50
50
|
## Configuration
|
@@ -97,7 +97,7 @@ header will be constructed using the supplied options.
|
|
97
97
|
|
98
98
|
### Content Security Policy (CSP)
|
99
99
|
|
100
|
-
All browsers will receive the webkit csp header except
|
100
|
+
All browsers will receive the webkit csp header except Firefox, which gets its own header.
|
101
101
|
See [WebKit specification](http://www.w3.org/TR/CSP/)
|
102
102
|
and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specification)
|
103
103
|
|
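Review bot: "the webkit csp header" and "its own header" never name the header fields, so a reader cannot verify what the gem sends or configure a proxy or WAF rule for it; put the exact header names on this line. The link text below also calls http://www.w3.org/TR/CSP/ a "WebKit specification"; that URL is the W3C CSP draft, which WebKit implements under its prefixed header, so label it "W3C CSP specification" to keep it distinct from the Mozilla wiki spec linked on the next line.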
@@ -169,7 +169,7 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
|
|
169
169
|
}
|
170
170
|
# Chrome
|
171
171
|
> "default-src 'unsafe-inline' 'unsafe-eval' https://* chrome-extension:; report-uri /uri-directive;"
|
172
|
-
#
|
172
|
+
# Firefox
|
173
173
|
> "options inline-script eval-script; allow https://*; report-uri /uri-directive;"
|
174
174
|
|
175
175
|
# turn off inline scripting/eval
|
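Review bot: the "# Firefox" label fixes a confusing blank comment, but the example itself needs a caveat: `default-src 'unsafe-inline' 'unsafe-eval' https://* chrome-extension:` (and the Firefox form `options inline-script eval-script; allow https://*`) permits inline script, eval and any https host, so it gives no protection against injected script. Say in the comment above the config that this is a report-only starting point, since the following example ("# turn off inline scripting/eval") is the first one that actually restricts anything.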
@@ -179,7 +179,7 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
|
|
179
179
|
}
|
180
180
|
# Chrome
|
181
181
|
> "default-src https://*; report-uri /uri-directive;"
|
182
|
-
#
|
182
|
+
# Firefox
|
183
183
|
> "allow https://*; report-uri /uri-directive;"
|
184
184
|
|
185
185
|
# Auction site wants to allow images from anywhere, plugin content from a list of trusted media providers (including a content distribution network), and scripts only from its server hosting sanitized JavaScript
|
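Review bot: minor, but with inline and eval turned off the remaining weakness in `default-src https://*` / `allow https://*` is that any https origin may still serve script to the page. A short comment pointing readers at the auction-site example below, which lists specific hosts per directive, would keep them from copying this policy as a finished one.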
@@ -192,21 +192,19 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
|
|
192
192
|
}
|
193
193
|
# Chrome
|
194
194
|
"default-src 'self'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com;"
|
195
|
-
#
|
195
|
+
# Firefox
|
196
196
|
"allow 'self'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com;"
|
197
197
|
```
|
198
198
|
|
199
|
-
## Note on
|
199
|
+
## Note on Firefox handling of CSP
|
200
200
|
|
201
|
-
Currently,
|
201
|
+
Currently, Firefox does not support the w3c draft standard. So there are a few steps taken to make the two interchangeable.
|
202
202
|
|
203
|
-
|
204
|
-
|
205
|
-
* inline\-script or eval\-script values in default/style/script\-src directives are moved to the options directive. Note: the style\-src directive is not fully supported in Mozilla \- see https://bugzilla.mozilla.org/show_bug.cgi?id=763879.
|
203
|
+
* inline\-script or eval\-script values in default/style/script\-src directives are moved to the options directive. Note: the style\-src directive is not fully supported in Firefox \- see https://bugzilla.mozilla.org/show_bug.cgi?id=763879.
|
206
204
|
* CSP reports will not POST cross\-origin. This sets up an internal endpoint in the application that will forward the request. Set the `forward_endpoint` value in the CSP section if you need to post cross origin for firefox. The internal endpoint that receives the initial request will forward the request to `forward_endpoint`
|
207
|
-
*
|
205
|
+
* Ffirefox adds port numbers to each /https?/ value which can make local development tricky with mocked services. Add environment specific code to configure this.
|
208
206
|
|
209
|
-
### Adding the
|
207
|
+
### Adding the Firefox report forwarding endpoint
|
210
208
|
|
211
209
|
**You need to add the following line to the TOP of confib/routes.rb**
|
212
210
|
**This is an unauthenticated, unauthorized endpoint. Only do this if your report\-uri is not on the same origin as your application!!!**
|