secure_headers 0.4.3 → 0.5.0

data/HISTORY.md

@@ -1,3 +1,8 @@
+0.5.0
+======
+
+X-Content-Type-Options also applied to Chrome requests
+
 0.4.3
 ======
 

data/README.md

@@ -3,7 +3,7 @@
 The gem will automatically apply several headers that are related to security.  This includes:
 - Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack.  [CSP 1.1 Specification](https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html)
 - HTTP Strict Transport Security (HSTS) - Ensures the browser never visits the http version of a website. Protects from SSLStrip/Firesheep attacks.  [HSTS Specification](https://tools.ietf.org/html/rfc6797)
-- X-Frame-Options (XFO) - Prevents your content from being framed and potentially clickjacked. [X-Frame-Options draft](https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-00)
+- X-Frame-Options (XFO) - Prevents your content from being framed and potentially clickjacked. [X-Frame-Options draft](https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02)
 - X-XSS-Protection - [Cross site scripting heuristic filter for IE/Chrome](http://msdn.microsoft.com/en-us/library/dd565647\(v=vs.85\).aspx)
 - X-Content-Type-Options - [Prevent content type sniffing](http://msdn.microsoft.com/en-us/library/ie/gg622941\(v=vs.85\).aspx)
 
@@ -101,7 +101,7 @@ header will be constructed using the supplied options.
 ### Widely supported
 
 ```ruby
-:hsts             => {:max_age => 631138519, :include_subdomain => true}
+:hsts             => {:max_age => 631138519, :include_subdomains => true}
 :x_frame_options  => {:value => 'SAMEORIGIN'}
 :x_xss_protection => {:value => 1, :mode => false}  # set the :mode option to 'block' to enforce the browser's xss filter
 ```

data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb

@@ -2,7 +2,7 @@
   config.hsts = { :max_age => 10.years.to_i.to_s, :include_subdomains => false }
   config.x_frame_options = 'SAMEORIGIN'
   config.x_content_type_options = "nosniff"
-  config.x_xss_protection = {:value => 1, :mode => 'BLOCK'}
+  config.x_xss_protection = {:value => 1, :mode => 'block'}
   csp = {
     :default_src => "self",
     :disable_chrome_extension => true,
@@ -12,4 +12,4 @@
   }
 
   config.csp = csp
-end
+end

data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb

@@ -7,14 +7,14 @@ describe OtherThingsController do
       request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
     end
 
-    it "sets the X-XSS-PROTECTION header" do
+    it "sets the X-XSS-Protection header" do
       get :index
-      response.headers['X-XSS-Protection'].should == '1; mode=BLOCK'
+      response.headers['X-XSS-Protection'].should == '1; mode=block'
     end
 
-    it "sets the X-FRAME-OPTIONS header" do
+    it "sets the X-Frame-Options header" do
       get :index
-      response.headers['X-FRAME-OPTIONS'].should == 'SAMEORIGIN'
+      response.headers['X-Frame-Options'].should == 'SAMEORIGIN'
     end
 
     it "sets the X-WebKit-CSP header" do
@@ -23,14 +23,19 @@ describe OtherThingsController do
     end
 
     #mock ssl
-    it "sets the STRICT-TRANSPORT-SECURITY header" do
+    it "sets the Strict-Transport-Security header" do
       request.env['HTTPS'] = 'on'
       get :index
       response.headers['Strict-Transport-Security'].should == "max-age=315576000"
     end
 
+    it "sets the X-Content-Type-Options header" do
+      get :index
+      response.headers['X-Content-Type-Options'].should == "nosniff"
+    end
+
     context "using IE" do
-      it "sets the X-CONTENT-TYPE-OPTIONS header" do
+      it "sets the X-Content-Type-Options header" do
         request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
         get :index
         response.headers['X-Content-Type-Options'].should == "nosniff"

data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb

@@ -11,14 +11,14 @@ describe ThingsController do
         request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
     end
 
-    it "sets the X-XSS-PROTECTION header" do
+    it "sets the X-XSS-Protection header" do
       get :index
-      response.headers['X-XSS-Protection'].should == '1; mode=BLOCK'
+      response.headers['X-XSS-Protection'].should == '1; mode=block'
     end
 
-    it "sets the X-FRAME-OPTIONS header" do
+    it "sets the X-Frame-Options header" do
       get :index
-      response.headers['X-FRAME-OPTIONS'].should == 'SAMEORIGIN'
+      response.headers['X-Frame-Options'].should == 'SAMEORIGIN'
     end
 
     it "sets the X-WebKit-CSP header" do
@@ -27,14 +27,19 @@ describe ThingsController do
     end
 
     #mock ssl
-    it "sets the STRICT-TRANSPORT-SECURITY header" do
+    it "sets the Strict-Transport-Security header" do
       request.env['HTTPS'] = 'on'
       get :index
       response.headers['Strict-Transport-Security'].should == "max-age=315576000"
     end
 
+    it "sets the X-Content-Type-Options header" do
+      get :index
+      response.headers['X-Content-Type-Options'].should == "nosniff"
+    end
+
     context "using IE" do
-      it "sets the X-CONTENT-TYPE-OPTIONS header" do
+      it "sets the X-Content-Type-Options header" do
         request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
         get :index
         response.headers['X-Content-Type-Options'].should == "nosniff"
@@ -44,4 +49,4 @@ describe ThingsController do
 end
 
 
-# response.headers['X-WebKit-CSP-Report-Only'].should == "default-src 'self'; report-uri somewhere"
+# response.headers['X-WebKit-CSP-Report-Only'].should == "default-src 'self'; report-uri somewhere"

data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb

@@ -7,14 +7,14 @@ describe OtherThingsController do
       request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
     end
 
-    it "sets the X-XSS-PROTECTION header" do
+    it "sets the X-XSS-Protection header" do
       get :index
       response.headers['X-XSS-Protection'].should == SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE
     end
 
-    it "sets the X-FRAME-OPTIONS header" do
+    it "sets the X-Frame-Options header" do
       get :index
-      response.headers['X-FRAME-OPTIONS'].should == SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE
+      response.headers['X-Frame-Options'].should == SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE
     end
 
     it "sets the X-WebKit-CSP header" do
@@ -23,17 +23,22 @@ describe OtherThingsController do
     end
 
     #mock ssl
-    it "sets the STRICT-TRANSPORT-SECURITY header" do
+    it "sets the Strict-Transport-Security header" do
       request.env['HTTPS'] = 'on'
       get :index
       response.headers['Strict-Transport-Security'].should == SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE
     end
 
+    it "sets the X-Content-Type-Options header" do
+      get :index
+      response.headers['X-Content-Type-Options'].should == SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE
+    end
+
     context "using IE" do
-      it "sets the X-CONTENT-TYPE-OPTIONS header" do
+      it "sets the X-Content-Type-Options header" do
         request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
         get :index
-        response.headers['X-Content-Type-Options'].should == "nosniff"
+        response.headers['X-Content-Type-Options'].should == SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE
       end
     end
   end

data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb

@@ -11,14 +11,14 @@ describe ThingsController do
         request.env['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5'
     end
 
-    it "sets the X-XSS-PROTECTION header" do
+    it "sets the X-XSS-Protection header" do
       get :index
       response.headers['X-XSS-Protection'].should == SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE
     end
 
-    it "sets the X-FRAME-OPTIONS header" do
+    it "sets the X-Frame-Options header" do
       get :index
-      response.headers['X-FRAME-OPTIONS'].should == SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE
+      response.headers['X-Frame-Options'].should == SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE
     end
 
     it "sets the X-WebKit-CSP header" do
@@ -27,17 +27,22 @@ describe ThingsController do
     end
 
     #mock ssl
-    it "sets the STRICT-TRANSPORT-SECURITY header" do
+    it "sets the Strict-Transport-Security header" do
       request.env['HTTPS'] = 'on'
       get :index
       response.headers['Strict-Transport-Security'].should == SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE
     end
 
+    it "sets the X-Content-Type-Options header" do
+      get :index
+      response.headers['X-Content-Type-Options'].should == SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE
+    end
+
     context "using IE" do
-      it "sets the X-CONTENT-TYPE-OPTIONS header" do
+      it "sets the X-Content-Type-Options header" do
         request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
         get :index
-        response.headers['X-Content-Type-Options'].should == "nosniff"
+        response.headers['X-Content-Type-Options'].should == SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE
       end
     end
   end

data/lib/secure_headers.rb

@@ -85,7 +85,7 @@ module SecureHeaders
     end
 
     def set_x_content_type_options_header(options=self.class.secure_headers_options[:x_content_type_options])
-      return unless brwsr.ie?
+      return unless brwsr.ie? || brwsr.chrome?
       set_a_header(:x_content_type_options, XContentTypeOptions, options)
     end
 
@@ -113,7 +113,6 @@ module SecureHeaders
     end
 
     def broken_implementation?(browser)
-      #IOS 5 sometimes refuses to load external resources even when whitelisted with CSP
       return browser.ios5? || (browser.safari? && browser.version == 5)
     end
   end

data/lib/secure_headers/headers/x_frame_options.rb

@@ -2,9 +2,9 @@ module SecureHeaders
   class XFOBuildError < StandardError; end
   class XFrameOptions
     module Constants
-      XFO_HEADER_NAME = "X-FRAME-OPTIONS"
+      XFO_HEADER_NAME = "X-Frame-Options"
       DEFAULT_VALUE = 'SAMEORIGIN'
-      VALID_XFO_HEADER = /\A(SAMEORIGIN\z|DENY\z|ALLOW-FROM:)/i
+      VALID_XFO_HEADER = /\A(SAMEORIGIN\z|DENY\z|ALLOW-FROM[:\s])/i
     end
     include Constants
 
@@ -37,4 +37,4 @@ module SecureHeaders
       end
     end
   end
-end
+end

data/lib/secure_headers/headers/x_xss_protection.rb

@@ -1,6 +1,5 @@
 module SecureHeaders
   class XXssProtectionBuildError < StandardError; end
-  # IE only
   class XXssProtection
     module Constants
       X_XSS_PROTECTION_HEADER_NAME = 'X-XSS-Protection'
@@ -51,4 +50,4 @@ module SecureHeaders
       end
     end
   end
-end
+end

data/lib/secure_headers/version.rb

@@ -1,3 +1,3 @@
 module SecureHeaders
-  VERSION = "0.4.3"
+  VERSION = "0.5.0"
 end

data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb

@@ -5,32 +5,11 @@ module SecureHeaders
     specify{ StrictTransportSecurity.new.name.should == "Strict-Transport-Security" }
 
     describe "#value" do
-      it "sets Strict Transport Security headers" do
-        s = StrictTransportSecurity.new
-        s.value.should == StrictTransportSecurity::Constants::DEFAULT_VALUE
-      end
-
-      it "allows you to specify includeSubdomains" do
-        s = StrictTransportSecurity.new(:max_age => HSTS_MAX_AGE, :include_subdomains => true)
-        s.value.should == "max-age=#{HSTS_MAX_AGE}; includeSubdomains"
-      end
-
-      it "accepts a string value and returns verbatim" do
-        s = StrictTransportSecurity.new('max-age=1234')
-        s.value.should == "max-age=1234"
-      end
-
-      it "allows you to specify max-age" do
-        age = '8675309'
-        s = StrictTransportSecurity.new(:max_age => age)
-        s.value.should == "max-age=#{age}"
-      end
-
-      it "allows you to specify max-age as a Fixnum" do
-        age = 8675309
-        s = StrictTransportSecurity.new(:max_age => age)
-        s.value.should == "max-age=#{age}"
-      end
+      specify { StrictTransportSecurity.new.value.should == StrictTransportSecurity::Constants::DEFAULT_VALUE}
+      specify { StrictTransportSecurity.new("max-age=1234").value.should == "max-age=1234"}
+      specify { StrictTransportSecurity.new(:max_age => '1234').value.should == "max-age=1234"}
+      specify { StrictTransportSecurity.new(:max_age => 1234).value.should == "max-age=1234"}
+      specify { StrictTransportSecurity.new(:max_age => HSTS_MAX_AGE, :include_subdomains => true).value.should == "max-age=#{HSTS_MAX_AGE}; includeSubdomains"}
 
       context "with an invalid configuration" do
         context "with a hash argument" do

data/spec/lib/secure_headers/headers/x_frame_options_spec.rb

@@ -2,7 +2,7 @@ require 'spec_helper'
 
 module SecureHeaders
   describe XFrameOptions do
-    specify{ XFrameOptions.new.name.should == "X-FRAME-OPTIONS" }
+    specify{ XFrameOptions.new.name.should == "X-Frame-Options" }
 
     describe "#value" do
       specify { XFrameOptions.new.value.should == XFrameOptions::Constants::DEFAULT_VALUE}

data/spec/lib/secure_headers_spec.rb

@@ -80,10 +80,8 @@ describe SecureHeaders do
       it "sets all default headers for #{name} (smoke test)" do
         stub_user_agent(useragent)
         number_of_headers = case name
-        when :ie
+        when :ie, :chrome
           5
-        when :opera
-          4
         when :ios5, :safari5
           3 # csp breaks these browsers
         else
@@ -99,29 +97,28 @@ describe SecureHeaders do
       end
     end
 
-    it "does not set the X-Content-Type-Options when disabled" do
+    it "does not set the X-Content-Type-Options header if disabled" do
       stub_user_agent(USER_AGENTS[:ie])
       should_not_assign_header(X_CONTENT_TYPE_OPTIONS_HEADER_NAME)
       subject.set_x_content_type_options_header(false)
     end
 
-    it "does not set the X-XSS-PROTECTION when disabled" do
-      stub_user_agent(USER_AGENTS[:ie])
+    it "does not set the X-XSS-Protection header if disabled" do
       should_not_assign_header(X_XSS_PROTECTION_HEADER_NAME)
       subject.set_x_xss_protection_header(false)
     end
 
-    it "does not set the X-FRAME-OPTIONS header if disabled" do
+    it "does not set the X-Frame-Options header if disabled" do
       should_not_assign_header(XFO_HEADER_NAME)
       subject.set_x_frame_options_header(false)
     end
 
-    it "does not set the hsts header if disabled" do
+    it "does not set the HSTS header if disabled" do
       should_not_assign_header(HSTS_HEADER_NAME)
       subject.set_hsts_header(false)
     end
 
-    it "does not set the hsts header the request is over HTTP" do
+    it "does not set the HSTS header if request is over HTTP" do
       subject.stub_chain(:request, :ssl?).and_return(false)
       should_not_assign_header(HSTS_HEADER_NAME)
       subject.set_hsts_header({:include_subdomains => true})
@@ -142,7 +139,7 @@ describe SecureHeaders do
     end
 
     context "when disabled by configuration settings" do
-      it "does not set the X-Content-Type-Options when disabled" do
+      it "does not set any headers when disabled" do
         ::SecureHeaders::Configuration.configure do |config|
           config.hsts = false
           config.x_frame_options = false
@@ -158,48 +155,67 @@ describe SecureHeaders do
   end
 
   describe "#set_x_frame_options_header" do
-    it "sets the X-FRAME-OPTIONS header" do
+    it "sets the X-Frame-Options header" do
       should_assign_header(XFO_HEADER_NAME, SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
       subject.set_x_frame_options_header
     end
 
-    it "allows a custom X-FRAME-OPTIONS header" do
+    it "allows a custom X-Frame-Options header" do
       should_assign_header(XFO_HEADER_NAME, "DENY")
       subject.set_x_frame_options_header(:value => 'DENY')
     end
   end
 
-  context "when using IE" do
-    before(:each) do
-      stub_user_agent(USER_AGENTS[:ie])
+  describe "#set_strict_transport_security" do
+    it "sets the Strict-Transport-Security header" do
+      should_assign_header(HSTS_HEADER_NAME, SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
+      subject.set_hsts_header
     end
 
-    describe "#set_x_xss_protection" do
-      it "sets the XSS protection header" do
-        should_assign_header(X_XSS_PROTECTION_HEADER_NAME, '1')
-        subject.set_x_xss_protection_header
-      end
+    it "allows you to specific a custom max-age value" do
+      should_assign_header(HSTS_HEADER_NAME, 'max-age=1234')
+      subject.set_hsts_header(:max_age => 1234)
+    end
 
-      it "sets a custom X-XSS-PROTECTION header" do
-        should_assign_header(X_XSS_PROTECTION_HEADER_NAME, '0')
-        subject.set_x_xss_protection_header("0")
-      end
+    it "allows you to specify includeSubdomains" do
+      should_assign_header(HSTS_HEADER_NAME, "max-age=#{HSTS_MAX_AGE}; includeSubdomains")
+      subject.set_hsts_header(:max_age => HSTS_MAX_AGE, :include_subdomains => true)
+    end
+  end
 
-      it "sets the block flag" do
-        should_assign_header(X_XSS_PROTECTION_HEADER_NAME, '1; mode=block')
-        subject.set_x_xss_protection_header(:mode => 'block', :value => 1)
-      end
+  describe "#set_x_xss_protection" do
+    it "sets the X-XSS-Protection header" do
+      should_assign_header(X_XSS_PROTECTION_HEADER_NAME, SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE)
+      subject.set_x_xss_protection_header
     end
 
-    describe "#set_x_content_type_options" do
-      it "sets the X-Content-Type-Options" do
-        should_assign_header(X_CONTENT_TYPE_OPTIONS_HEADER_NAME, 'nosniff')
-        subject.set_x_content_type_options_header
-      end
+    it "sets a custom X-XSS-Protection header" do
+      should_assign_header(X_XSS_PROTECTION_HEADER_NAME, '0')
+      subject.set_x_xss_protection_header("0")
+    end
+
+    it "sets the block flag" do
+      should_assign_header(X_XSS_PROTECTION_HEADER_NAME, '1; mode=block')
+      subject.set_x_xss_protection_header(:mode => 'block', :value => 1)
+    end
+  end
 
-      it "lets you override X-Content-Type-Options" do
-        should_assign_header(X_CONTENT_TYPE_OPTIONS_HEADER_NAME, 'nosniff')
-        subject.set_x_content_type_options_header(:value => 'nosniff')
+  describe "#set_x_content_type_options" do
+    [:ie, :chrome].each do |useragent|
+      context "when using #{useragent}" do
+        before(:each) do
+          stub_user_agent(USER_AGENTS[useragent])
+        end
+
+        it "sets the X-Content-Type-Options header" do
+          should_assign_header(X_CONTENT_TYPE_OPTIONS_HEADER_NAME, SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
+          subject.set_x_content_type_options_header
+        end
+
+        it "lets you override X-Content-Type-Options" do
+          should_assign_header(X_CONTENT_TYPE_OPTIONS_HEADER_NAME, 'nosniff')
+          subject.set_x_content_type_options_header(:value => 'nosniff')
+        end
       end
     end
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 0.4.3
+  version: 0.5.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-05-07 00:00:00.000000000 Z
+date: 2013-05-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: brwsr
@@ -190,7 +190,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.24
+rubygems_version: 1.8.25
 signing_key: 
 specification_version: 3
 summary: Add easily configured browser headers to responses including content security