secure_headers 0.4.1 → 0.4.2

data/HISTORY.md

@@ -1,3 +1,9 @@
+0.4.3
+======
+
+- Stupid bug where Fixnums couldn't be used for config values
+- Doc updates
+
 0.4.1
 ======
 

data/README.md

@@ -41,7 +41,7 @@ By default, it will set all of the headers listed in the options section below u
 
 Use the standard `skip_before_filter :filter_name, options` mechanism. e.g. `skip_before_filter :set_csp_header, :only => :tinymce_page`
 
-The following methods are going to be called, unles they are provided in a `skip_before_filter` block.
+The following methods are going to be called, unless they are provided in a `skip_before_filter` block.
 
 * `:set_csp_header`
 * `:set_hsts_header`
@@ -53,10 +53,10 @@ The following methods are going to be called, unles they are provided in a `skip
 
 This gem makes a few assumptions about how you will use some features.  For example:
 
-* It adds 'chrome-extension:' to your CSP directives by default.  This helps drastically reduce the amount of reports, but you can also disable this feature by supplying :disable_chrome_extension => true.
-* It fills any blank directives with the value in :default_src  Getting a default\-src report is pretty useless.  This way, you will always know what type of violation occurred. You can disable this feature by supplying :disable_fill_missing => true.
+* It adds 'chrome-extension:' to your CSP directives by default.  This helps drastically reduce the amount of reports, but you can also disable this feature by supplying `:disable_chrome_extension => true`.
+* It fills any blank directives with the value in `:default_src`  Getting a default\-src report is pretty useless.  This way, you will always know what type of violation occurred. You can disable this feature by supplying `:disable_fill_missing => true`.
 * It copies the connect\-src value to xhr\-src for AJAX requests when using Firefox.
-* Firefox does not support cross\-origin CSP reports.  If we are using Firefox, AND the value for :report_uri does not satisfy the same\-origin requirements, we will instead forward to an internal endpoint (`FF_CSP_ENDPOINT`).  This is also the case if :report_uri only contains a path, which we assume will be cross host. This endpoint will in turn forward the request to the value in :forward_endpoint without restriction. More information can be found in the "Note on Firefox handling of CSP" section.
+* Firefox does not support cross\-origin CSP reports.  If we are using Firefox, AND the value for `:report_uri` does not satisfy the same\-origin requirements, we will instead forward to an internal endpoint (`FF_CSP_ENDPOINT`).  This is also the case if `:report_uri` only contains a path, which we assume will be cross host. This endpoint will in turn forward the request to the value in `:forward_endpoint` without restriction. More information can be found in the "Note on Firefox handling of CSP" section.
 
 
 ## Configuration
@@ -159,6 +159,16 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
       :img_src => 'http://mycdn.example.com'
     }
   }
+  
+  # script-nonce is an experimental feature of CSP 1.1 available in Chrome. It allows
+  # you to whitelist inline script blocks. For more information, see
+  # https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-nonce
+  :script_nonce => { 'abc123' }
+  
+  # you can also use lambdas to use dynamically generated nonces
+  :script_nonce => lambda { @script_nonce] = 'something' } 
+  # which can be used to whitelist a script block:
+  # script_tag :nonce = @script_nonce { inline_script_call() }
 }
 ```
 

data/lib/secure_headers.rb

@@ -72,10 +72,10 @@ module SecureHeaders
       options = self.class.options_for :csp, options
       return if options == false
 
-      header = ContentSecurityPolicy.new(options, :request => request)
+      header = ContentSecurityPolicy.new(options, :request => request, :controller => self)
       set_header(header.name, header.value)
       if options && options[:experimental] && options[:enforce]
-        header = ContentSecurityPolicy.new(options, :experimental => true, :request => request)
+        header = ContentSecurityPolicy.new(options, :experimental => true, :request => request, :controller => self)
         set_header(header.name, header.value)
       end
     end

data/lib/secure_headers/headers/content_security_policy.rb

@@ -36,6 +36,7 @@ module SecureHeaders
     # :report used to determine what :ssl_request, :ua, and :request_uri are set to
     def initialize(config=nil, options={})
       @experimental = !!options.delete(:experimental)
+      @controller = options.delete(:controller)
       if options[:request]
         parse_request(options[:request])
       else
@@ -65,6 +66,7 @@ module SecureHeaders
       end
 
       @report_uri = @config.delete(:report_uri)
+      @script_nonce = @config.delete(:script_nonce)
 
       normalize_csp_options
       normalize_reporting_endpoint
@@ -103,7 +105,8 @@ module SecureHeaders
       header_value = [
         build_impl_specific_directives,
         generic_directives(@config),
-        report_uri_directive
+        report_uri_directive,
+        script_nonce_directive,
       ].join
 
       #store the value for next time
@@ -208,6 +211,18 @@ module SecureHeaders
       "report-uri #{@report_uri};"
     end
 
+    def script_nonce_directive
+      return '' if @script_nonce.nil?
+      nonce_value = if @script_nonce.is_a?(String)
+                      @script_nonce
+                    elsif @controller
+                      @controller.instance_exec(&@script_nonce)
+                    else
+                      @script_nonce.call
+                    end
+      "script-nonce #{nonce_value};"
+    end
+
     def generic_directives(config)
       header_value = ''
       if config[:img_src]

data/lib/secure_headers/headers/strict_transport_security.rb

@@ -29,7 +29,7 @@ module SecureHeaders
       end
 
       max_age = @config.fetch(:max_age, HSTS_MAX_AGE)
-      value = "max-age=" + max_age
+      value = "max-age=" + max_age.to_s
       value += "; includeSubdomains" if @config[:include_subdomains]
 
       value

data/lib/secure_headers/version.rb

@@ -1,3 +1,3 @@
 module SecureHeaders
-  VERSION = "0.4.1"
+  VERSION = "0.4.2"
 end

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -397,6 +397,38 @@ module SecureHeaders
           end
         end
       end
+
+      context "when supplying a script nonce callback" do
+        let(:options) {
+          default_opts.merge({
+            :script_nonce => "random",
+          })
+        }
+
+        it "uses the value in the X-Webkit-CSP" do
+          csp = ContentSecurityPolicy.new(options, :request => request_for(CHROME))
+          csp.value.should match "script-nonce random;"
+        end
+
+        it "uses the value in the X-Content-Security-Policy" do
+          csp = ContentSecurityPolicy.new(options, :request => request_for(FIREFOX))
+          csp.value.should match "script-nonce random;"
+        end
+
+        it "runs a dynamic nonce generator" do
+          options[:script_nonce] = lambda { 'something' }
+          csp = ContentSecurityPolicy.new(options, :request => request_for(CHROME))
+          csp.value.should match "script-nonce something;"
+        end
+
+        it "runs against the given controller context" do
+          fake_params = {}
+          options[:script_nonce] = lambda { params[:script_nonce] = 'something' }
+          csp = ContentSecurityPolicy.new(options, :request => request_for(CHROME), :controller => double(:params => fake_params))
+          csp.value.should match "script-nonce something;"
+          fake_params.should == {:script_nonce => 'something'}
+        end
+      end
     end
   end
 end

data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb

@@ -26,6 +26,12 @@ module SecureHeaders
         s.value.should == "max-age=#{age}"
       end
 
+      it "allows you to specify max-age as a Fixnum" do
+        age = 8675309
+        s = StrictTransportSecurity.new(:max_age => age)
+        s.value.should == "max-age=#{age}"
+      end
+
       context "with an invalid configuration" do
         context "with a hash argument" do
           it "should allow string values for max-age" do

metadata

@@ -1,55 +1,62 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification 
 name: secure_headers
-version: !ruby/object:Gem::Version
-  version: 0.4.1
+version: !ruby/object:Gem::Version 
+  hash: 11
   prerelease: 
+  segments: 
+  - 0
+  - 4
+  - 2
+  version: 0.4.2
 platform: ruby
-authors:
+authors: 
 - Neil Matatall
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-04-10 00:00:00.000000000 Z
-dependencies:
-- !ruby/object:Gem::Dependency
+
+date: 2013-05-05 00:00:00 Z
+dependencies: 
+- !ruby/object:Gem::Dependency 
   name: brwsr
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: 1.1.1
-  type: :runtime
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
+  requirement: &id001 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 17
+        segments: 
+        - 1
+        - 1
+        - 1
         version: 1.1.1
-- !ruby/object:Gem::Dependency
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
   name: rake
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
+  requirement: &id002 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id002
 description: Add easily configured browser headers to responses.
-email:
+email: 
 - neil.matatall@gmail.com
 executables: []
+
 extensions: []
+
 extra_rdoc_files: []
-files:
+
+files: 
 - .gitignore
 - .rvmrc
 - .travis.yml
@@ -170,32 +177,39 @@ files:
 - spec/spec_helper.rb
 - travis.sh
 homepage: https://github.com/twitter/secureheaders
-licenses:
+licenses: 
 - Apache Public License 2.0
 post_install_message: 
 rdoc_options: []
-require_paths:
+
+require_paths: 
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
+required_ruby_version: !ruby/object:Gem::Requirement 
   none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
-required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
   none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
 requirements: []
+
 rubyforge_project: 
 rubygems_version: 1.8.24
 signing_key: 
 specification_version: 3
-summary: Add easily configured browser headers to responses including content security
-  policy, x-frame-options, strict-transport-security and more.
-test_files:
+summary: Add easily configured browser headers to responses including content security policy, x-frame-options, strict-transport-security and more.
+test_files: 
 - spec/controllers/content_security_policy_controller_spec.rb
 - spec/lib/secure_headers/headers/content_security_policy_spec.rb
 - spec/lib/secure_headers/headers/strict_transport_security_spec.rb