secure_headers 1.3.1 → 1.3.2



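--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
 metadata.gz: !binary |-
-NjEwM2NiNzBhMjcxYjEzZjJjMjY2NzVjYzhiYTIwOWNlN2U4ZDYxNA==
+OGRkYjRlNDU4ZTZjMWViMTM0NTlkZDc1ZDNmNjJkMjNlMGIzMDY5OA==
 data.tar.gz: !binary |-
-YTI4M2IwZjI4MzJjZjk1YzI2ZmYwYWI2ZDU0NmM1YzBjMTQ2ZWRjYg==
+Y2Y0OGEwODAwNDZmMzNkNWYzYzJiNDAzZTdlZDE2YmYzNzQ5MDNhMA==
 SHA512:
 metadata.gz: !binary |-
-NDA0NDk3YmIyMGUzZDM1OWIyNGI2MTEzYjQyM2RhNWMwNmE2MmQzY2ZiNDhi
-NDkxNWJlNzQ5Y2E2MTliZjJkZDJlNzFkNjU5YWFlOTUwOTk0ODNkMTcwM2Ux
-NmQ2ODE1NzNlZDcyZjRlZWI4NjMwNTViOTI5Y2U3ZjBjY2Q5ZGE=
+NGZmODE5M2ViNWJkZTRhMjRjYzEwNTRkZDkzMzdmOWQzMzdiYWU0OGM3ZGZl
+Yjc0YjJmOTI4MWFiMTE2NGJlMDA4ZjA2YjY3YzAyMWU5ZDExMmEwZWM1ODVl
+ZDllOGFlYTdhNjU1YjRlZjc1MjM4MjM5MDlmY2EwNzljNjU4OTA=
 data.tar.gz: !binary |-
-NTFkNzc1Zjc3OTBlYWZiOWFhYzkxM2ExZjcwODFmOWY0NTQ1ZTcwNWVjNjIw
-NDY4ZThlN2QxODNlZWM0MTg4MWRjN2U2YzlkOTJlYmQ2MjQ3NjY0Y2ZmZDg5
-YmU1N2YxOGU4ZWU1MzAxYjE0Zjg4NjJhMDU1ZDdhZGY2ZGNmYmQ=
+Y2UzZDgxNWFlMGQ3YmMwODY2OTQyNmVhZDU3YWQ5ODk3MDRjNWQwZTJhODMy
+Njk2ODQyZjQ1MTA1YjZjMmMxZDM2YTcyOWE3ODIxN2Q1ZjQzNDQ3MmM3NGI2
+YWU4NzZkZmQ3NWM1ZTNlZWI4NzIzMDFhZDZjODQ1MzhkMjlkMDk=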
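--- a/data/HISTORY.md
+++ b/data/HISTORY.md
@@ -1,3 +1,19 @@
+1.3.2
+======
+
+Adds the ability to "tag" requests and a new config value: :app_name
+
+{
+:tag_report_uri => true,
+:enforce => true,
+:app_name => 'twitter',
+:report_uri => 'csp_reports'
+}
+
+Results in
+report-uri csp_reports?enforce=true&app_name=twitter
+
+
 1.3.1
 ======
 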
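--- a/data/README.md
+++ b/data/README.md
@@ -197,6 +197,24 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
 "default-src 'self'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com;"
 ```
 
+### Tagging Reuqests
+
+It's often valuable to send extra information in the report uri that is not available in the reports themselves. Namely, "was the policy enforced" and "where did the report come from"
+
+```ruby
+{
+:tag_report_uri => true,
+:enforce => true,
+:app_name => 'twitter',
+:report_uri => 'csp_reports'
+}
+```
+
+Results in
+```
+report-uri csp_reports?enforce=true&app_name=twitter
+```
+
 ### CSP Level 2 features
 
 script/style-nonce can be used to whitelist inline content. To do this, add "nonce" to your script/style-src configuration, then set the nonce attributes on the various tags.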
@@ -60,9 +60,9 @@ module SecureHeaders
60
60
  @config.merge!(experimental_config)
61
61
  end
62
62
 
63
- # http_additions will be the only field that still doesn't support
64
- # lambdas because it's an ugly api that's showing it's age.
63
+ # these values don't support lambdas because this needs to be rewritten
65
64
  @http_additions = @config.delete(:http_additions)
65
+ @app_name = @config.delete(:app_name)
66
66
 
67
67
  normalize_csp_options
68
68
 
@@ -70,7 +70,9 @@ module SecureHeaders
70
70
  self.send("#{meta}=", @config.delete(meta))
71
71
  end
72
72
 
73
- @enforce = @config.delete(:enforce)
73
+ @enforce = !!@config.delete(:enforce)
74
+ @tag_report_uri = @config.delete(:tag_report_uri)
75
+
74
76
  normalize_reporting_endpoint
75
77
  fill_directives unless disable_fill_missing?
76
78
  end
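Review bot: The new `@enforce = !!@config.delete(:enforce)` coercion has no comment explaining why it replaced the plain assignment, and the reason is not obvious from this hunk alone — it matters because the value is later interpolated into the report-uri, where a nil would produce `enforce=` instead of `enforce=false`. Suggest `# coerce to true/false: the value is interpolated into the tagged report-uri as enforce=true|false` above that line. `@tag_report_uri` on the next line is left uncoerced, which is fine as long as it is only ever used as a truthiness test. The initializer this hunk belongs to begins outside the hunk.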
@@ -172,6 +174,11 @@ module SecureHeaders
172
174
  @report_uri = FF_CSP_ENDPOINT
173
175
  end
174
176
  end
177
+
178
+ if @tag_report_uri
179
+ @report_uri = "#{@report_uri}?enforce=#{@enforce}"
180
+ @report_uri += "&app_name=#{@app_name}" if @app_name
181
+ end
175
182
  end
176
183
 
177
184
  def same_origin?
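Review bot: The tagging block assumes the configured endpoint carries no query string yet — `@report_uri = "#{@report_uri}?enforce=#{@enforce}"` appends a second `?` to a report_uri such as `/csp_report?v=1` — and interpolates `@app_name` verbatim, so a configured name containing a space, `&` or `;` reaches the header unescaped (a `;` would even end the report-uri directive and start a new one). Both values come from the application's own config rather than from the request, so the exposure is a malformed or truncated policy rather than injection by a remote party, but the header should be well-formed regardless: `sep = @report_uri.include?("?") ? "&" : "?"`, `@report_uri = "#{@report_uri}#{sep}enforce=#{@enforce}"`, `@report_uri += "&app_name=#{CGI.escape(@app_name.to_s)}" if @app_name` (CGI.escape needs `require 'cgi'` alongside the file's other requires if it is not already loaded). The spec file in this release accepts a proc for report_uri; whether it has already been resolved to a String when this block runs is not visible in the hunk, so the `include?` call should be checked against that path. The enclosing method starts outside the hunk.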
@@ -1,3 +1,3 @@
1
1
  module SecureHeaders
2
- VERSION = "1.3.1"
2
+ VERSION = "1.3.2"
3
3
  end
@@ -79,6 +79,18 @@ module SecureHeaders
79
79
  expect(csp.value).to include("script-src 'unsafe-inline' 'unsafe-eval' https://* data: 'self' 'none'")
80
80
  end
81
81
 
82
+ it "adds a @enforce and @app_name variables to the report uri" do
83
+ opts = @opts.merge(:tag_report_uri => true, :enforce => true, :app_name => 'twitter')
84
+ csp = ContentSecurityPolicy.new(opts, :request => request_for(CHROME))
85
+ expect(csp.value).to include("/csp_report?enforce=true&app_name=twitter")
86
+ end
87
+
88
+ it "does not add an empty @app_name variable to the report uri" do
89
+ opts = @opts.merge(:tag_report_uri => true, :enforce => true)
90
+ csp = ContentSecurityPolicy.new(opts, :request => request_for(CHROME))
91
+ expect(csp.value).to include("/csp_report?enforce=true")
92
+ end
93
+
82
94
  it "accepts procs for report-uris" do
83
95
  opts = {
84
96
  :default_src => 'self',
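Review bot: The two new examples exercise only the happy path of report-uri tagging; nothing pins the behaviour when `:report_uri` already contains a query string or when `:app_name` holds characters that are not URL-safe, which is exactly where string concatenation into a header is fragile. The example below (constructed values) would document that app_name is URL-encoded; it fails against the concatenation in this release until escaping is added, which is the point of adding it. The example title `"adds a @enforce and @app_name variables to the report uri"` also names instance variables rather than behaviour — `"adds enforce and app_name parameters to the report uri"` reads better. The enclosing describe block starts and ends outside the hunk.
```ruby
it "url-encodes the app_name it adds to the report uri" do
  opts = @opts.merge(:tag_report_uri => true, :enforce => true, :app_name => 'my app')
  csp = ContentSecurityPolicy.new(opts, :request => request_for(CHROME))
  expect(csp.value).to include("/csp_report?enforce=true&app_name=my+app")
end
# … unchanged: "accepts procs for report-uris" example …
```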
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.3.1
4
+ version: 1.3.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Neil Matatall
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2014-08-12 00:00:00.000000000 Z
11
+ date: 2014-08-13 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake