RubyGems - secure_headers - Versions diffs - 0.1.0 → 0.1.1 - Mend

secure_headers 0.1.0 → 0.1.1

Potentially problematic release.

This version of secure_headers might be problematic. Click here for more details.

Files changed (5) hide show

data/HISTORY.md +7 -2
data/README.md +10 -12
data/lib/secure_headers/headers/content_security_policy.rb +1 -1
data/lib/secure_headers/version.rb +1 -1
metadata +1 -1

data/HISTORY.md CHANGED Viewed

@@ -1,3 +1,8 @@
+0.1.1
+=======
+Bug fix. Firefox doesn't seem to like the default-src directive, reverting back to 'allow'
 0.1.0
 =======
@@ -9,7 +14,7 @@ Notes:
 Features:
 ------
-- ability to apply two headers, one in enforce mode, on in "experimental" mode https://github.com/twitter/secureheaders/pull/11
+- ability to apply two headers, one in enforce mode, one in "experimental" mode https://github.com/twitter/secureheaders/pull/11
 - Rails 3.0 support https://github.com/twitter/secureheaders/pull/28
 Bug fixes, misc:
@@ -19,4 +24,4 @@ Bug fixes, misc:
 - Better support for other frameworks, including docs from @achui, @bmaland
 - Rails 4 routes support from @jviney https://github.com/twitter/secureheaders/pull/13
 - data: automatically whitelisted for img-src
-- Doc updates from @ming13, @theverything, @dcollazo
+- Doc updates from @ming13, @theverything, @dcollazo

data/README.md CHANGED Viewed

@@ -44,7 +44,7 @@ This gem makes a few assumptions about how you will use some features.  For exam
 * It adds 'chrome-extension:' to your CSP directives by default.  This helps drastically reduce the amount of reports, but you can also disable this feature by supplying :disable_chrome_extension => true.
 * It fills any blank directives with the value in :default_src  Getting a default\-src report is pretty useless.  This way, you will always know what type of violation occurred. You can disable this feature by supplying :disable_fill_missing => true.
 * It copies the connect\-src value to xhr\-src for AJAX requests.
-* Mozilla does not support cross\-origin CSP reports.  If we are using Mozilla, AND the value for :report_uri does not satisfy the same\-origin requirements, we will instead forward to an internal endpoint (`FF_CSP_ENDPOINT`).  This is also the case if :report_uri only contains a path, which we assume will be cross host. This endpoint will in turn forward the request to the value in :report_uri without restriction. More information can be found in the "Note on Mozilla handling of CSP" section.
+* Firefox does not support cross\-origin CSP reports.  If we are using Firefox, AND the value for :report_uri does not satisfy the same\-origin requirements, we will instead forward to an internal endpoint (`FF_CSP_ENDPOINT`).  This is also the case if :report_uri only contains a path, which we assume will be cross host. This endpoint will in turn forward the request to the value in :report_uri without restriction. More information can be found in the "Note on Firefox handling of CSP" section.
 ## Configuration
@@ -97,7 +97,7 @@ header will be constructed using the supplied options.
 ### Content Security Policy (CSP)
-All browsers will receive the webkit csp header except Mozilla, which gets its own header.
+All browsers will receive the webkit csp header except Firefox, which gets its own header.
 See [WebKit specification](http://www.w3.org/TR/CSP/)
 and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specification)
@@ -169,7 +169,7 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
 }
 # Chrome
 > "default-src 'unsafe-inline' 'unsafe-eval' https://* chrome-extension:; report-uri /uri-directive;"
-# Mozilla
+# Firefox
 > "options inline-script eval-script; allow https://*; report-uri /uri-directive;"
 # turn off inline scripting/eval
@@ -179,7 +179,7 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
 }
 # Chrome
 > "default-src  https://*; report-uri /uri-directive;"
-# Mozilla
+# Firefox
 > "allow https://*; report-uri /uri-directive;"
 # Auction site wants to allow images from anywhere, plugin content from a list of trusted media providers (including a content distribution network), and scripts only from its server hosting sanitized JavaScript
@@ -192,21 +192,19 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
 }
 # Chrome
 "default-src  'self'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com;"
-# Mozilla
+# Firefox
 "allow 'self'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com;"
 ```
-## Note on Mozilla handling of CSP
+## Note on Firefox handling of CSP
-Currently, Mozilla does not support the w3c draft standard.  So there are a few steps taken to make the two interchangeable.
+Currently, Firefox does not support the w3c draft standard.  So there are a few steps taken to make the two interchangeable.
-Mozilla > 18 partially supports the standard via using the default\-src directive over allow/options, but the following inconsistencies remain.
-* inline\-script or eval\-script values in default/style/script\-src directives are moved to the options directive. Note: the style\-src directive is not fully supported in Mozilla \- see https://bugzilla.mozilla.org/show_bug.cgi?id=763879.
+* inline\-script or eval\-script values in default/style/script\-src directives are moved to the options directive. Note: the style\-src directive is not fully supported in Firefox \- see https://bugzilla.mozilla.org/show_bug.cgi?id=763879.
 * CSP reports will not POST cross\-origin.  This sets up an internal endpoint in the application that will forward the request. Set the `forward_endpoint` value in the CSP section if you need to post cross origin for firefox. The internal endpoint that receives the initial request will forward the request to `forward_endpoint`
-* Mozilla adds port numbers to each /https?/ value which can make local development tricky with mocked services. Add environment specific code to configure this.
+* Ffirefox adds port numbers to each /https?/ value which can make local development tricky with mocked services. Add environment specific code to configure this.
-### Adding the Mozilla report forwarding endpoint
+### Adding the Firefox report forwarding endpoint
 **You need to add the following line to the TOP of confib/routes.rb**
 **This is an unauthenticated, unauthorized endpoint. Only do this if your report\-uri is not on the same origin as your application!!!**

data/lib/secure_headers/headers/content_security_policy.rb CHANGED Viewed

@@ -192,7 +192,7 @@ module SecureHeaders
     end
     def supports_standard?
-      !browser.firefox? || (browser.firefox? && browser.version.to_i >= 18)
+      !browser.firefox?
     end
     def build_impl_specific_directives

data/lib/secure_headers/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module SecureHeaders
-  VERSION = "0.1.0"
+  VERSION = "0.1.1"
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.1
   prerelease:
 platform: ruby
 authors: