secure_headers 1.3.1 → 1.3.2
checksums.yaml
CHANGED
@@ -1,15 +1,15 @@
|
|
1
1
|
---
|
2
2
|
!binary "U0hBMQ==":
|
3
3
|
metadata.gz: !binary |-
|
4
|
-
|
4
|
+
OGRkYjRlNDU4ZTZjMWViMTM0NTlkZDc1ZDNmNjJkMjNlMGIzMDY5OA==
|
5
5
|
data.tar.gz: !binary |-
|
6
|
-
|
6
|
+
Y2Y0OGEwODAwNDZmMzNkNWYzYzJiNDAzZTdlZDE2YmYzNzQ5MDNhMA==
|
7
7
|
SHA512:
|
8
8
|
metadata.gz: !binary |-
|
9
|
-
|
10
|
-
|
11
|
-
|
9
|
+
NGZmODE5M2ViNWJkZTRhMjRjYzEwNTRkZDkzMzdmOWQzMzdiYWU0OGM3ZGZl
|
10
|
+
Yjc0YjJmOTI4MWFiMTE2NGJlMDA4ZjA2YjY3YzAyMWU5ZDExMmEwZWM1ODVl
|
11
|
+
ZDllOGFlYTdhNjU1YjRlZjc1MjM4MjM5MDlmY2EwNzljNjU4OTA=
|
12
12
|
data.tar.gz: !binary |-
|
13
|
-
|
14
|
-
|
15
|
-
|
13
|
+
Y2UzZDgxNWFlMGQ3YmMwODY2OTQyNmVhZDU3YWQ5ODk3MDRjNWQwZTJhODMy
|
14
|
+
Njk2ODQyZjQ1MTA1YjZjMmMxZDM2YTcyOWE3ODIxN2Q1ZjQzNDQ3MmM3NGI2
|
15
|
+
YWU4NzZkZmQ3NWM1ZTNlZWI4NzIzMDFhZDZjODQ1MzhkMjlkMDk=
|
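--- a/data/HISTORY.md
+++ b/data/HISTORY.md
@@ -1,3 +1,19 @@
+1.3.2
+======
+
+Adds the ability to "tag" requests and a new config value: :app_name
+
+{
+:tag_report_uri => true,
+:enforce => true,
+:app_name => 'twitter',
+:report_uri => 'csp_reports'
+}
+
+Results in
+report-uri csp_reports?enforce=true&app_name=twitter
+
+
 1.3.1
 ======
 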
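--- a/data/README.md
+++ b/data/README.md
@@ -197,6 +197,24 @@ and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
 "default-src 'self'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com;"
 ```
 
+### Tagging Reuqests
+
+It's often valuable to send extra information in the report uri that is not available in the reports themselves. Namely, "was the policy enforced" and "where did the report come from"
+
+```ruby
+{
+:tag_report_uri => true,
+:enforce => true,
+:app_name => 'twitter',
+:report_uri => 'csp_reports'
+}
+```
+
+Results in
+```
+report-uri csp_reports?enforce=true&app_name=twitter
+```
+
 ### CSP Level 2 features
 
 script/style-nonce can be used to whitelist inline content. To do this, add "nonce" to your script/style-src configuration, then set the nonce attributes on the various tags.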
@@ -60,9 +60,9 @@ module SecureHeaders
|
|
60
60
|
@config.merge!(experimental_config)
|
61
61
|
end
|
62
62
|
|
63
|
-
#
|
64
|
-
# lambdas because it's an ugly api that's showing it's age.
|
63
|
+
# these values don't support lambdas because this needs to be rewritten
|
65
64
|
@http_additions = @config.delete(:http_additions)
|
65
|
+
@app_name = @config.delete(:app_name)
|
66
66
|
|
67
67
|
normalize_csp_options
|
68
68
|
|
@@ -70,7 +70,9 @@ module SecureHeaders
|
|
70
70
|
self.send("#{meta}=", @config.delete(meta))
|
71
71
|
end
|
72
72
|
|
73
|
-
@enforce =
|
73
|
+
@enforce = !!@config.delete(:enforce)
|
74
|
+
@tag_report_uri = @config.delete(:tag_report_uri)
|
75
|
+
|
74
76
|
normalize_reporting_endpoint
|
75
77
|
fill_directives unless disable_fill_missing?
|
76
78
|
end
|
@@ -172,6 +174,11 @@ module SecureHeaders
|
|
172
174
|
@report_uri = FF_CSP_ENDPOINT
|
173
175
|
end
|
174
176
|
end
|
177
|
+
|
178
|
+
if @tag_report_uri
|
179
|
+
@report_uri = "#{@report_uri}?enforce=#{@enforce}"
|
180
|
+
@report_uri += "&app_name=#{@app_name}" if @app_name
|
181
|
+
end
|
175
182
|
end
|
176
183
|
|
177
184
|
def same_origin?
|
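Review bot: In the `@@ -172,6 +174,11 @@` hunk the new `if @tag_report_uri` block interpolates `@app_name` into the report-uri directive without any encoding and always opens the query with `?`; the CSP header value uses whitespace and `;` as delimiters, so an `:app_name` containing either would corrupt the whole policy, and a `:report_uri` that already carries a query string ends up with a second `?`. `@app_name` is read straight from config (`@app_name = @config.delete(:app_name)` in the first hunk), so percent-encoding it with `URI.encode_www_form_component` and picking the separator from the existing URI is enough, assuming `@report_uri` is already a String at this point as the interpolation the hunk adds requires. `@report_uri` may presumably be nil when no endpoint is configured, in which case tagging should be skipped rather than emitting a bare `?enforce=true`. The method containing this block starts outside the hunk, and `uri` must be required at the top of the file if it is not already.
```ruby
# … unchanged: FF_CSP_ENDPOINT fallback above …
if @tag_report_uri && @report_uri
  separator = @report_uri.include?("?") ? "&" : "?"
  @report_uri = "#{@report_uri}#{separator}enforce=#{@enforce}"
  @report_uri += "&app_name=#{URI.encode_www_form_component(@app_name)}" if @app_name
end
# … unchanged: rest of method …
```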
@@ -79,6 +79,18 @@ module SecureHeaders
|
|
79
79
|
expect(csp.value).to include("script-src 'unsafe-inline' 'unsafe-eval' https://* data: 'self' 'none'")
|
80
80
|
end
|
81
81
|
|
82
|
+
it "adds a @enforce and @app_name variables to the report uri" do
|
83
|
+
opts = @opts.merge(:tag_report_uri => true, :enforce => true, :app_name => 'twitter')
|
84
|
+
csp = ContentSecurityPolicy.new(opts, :request => request_for(CHROME))
|
85
|
+
expect(csp.value).to include("/csp_report?enforce=true&app_name=twitter")
|
86
|
+
end
|
87
|
+
|
88
|
+
it "does not add an empty @app_name variable to the report uri" do
|
89
|
+
opts = @opts.merge(:tag_report_uri => true, :enforce => true)
|
90
|
+
csp = ContentSecurityPolicy.new(opts, :request => request_for(CHROME))
|
91
|
+
expect(csp.value).to include("/csp_report?enforce=true")
|
92
|
+
end
|
93
|
+
|
82
94
|
it "accepts procs for report-uris" do
|
83
95
|
opts = {
|
84
96
|
:default_src => 'self',
|
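Review bot: The second added example, `it "does not add an empty @app_name variable to the report uri"`, asserts only `include("/csp_report?enforce=true")`, which still passes if `&app_name=` is appended, so it does not verify the absence its description promises. A negative assertion pins the behaviour: `expect(csp.value).not_to include("app_name")`. The enclosing describe block starts outside the hunk.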
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: secure_headers
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.3.
|
4
|
+
version: 1.3.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Neil Matatall
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2014-08-
|
11
|
+
date: 2014-08-13 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rake
|