secure_headers 1.3.3 → 1.3.4
- checksums.yaml +15 -0
- data/HISTORY.md +7 -0
- data/fixtures/rails_3_2_12/Gemfile +0 -1
- data/fixtures/rails_3_2_12/app/views/things/index.html.erb +1 -21
- data/fixtures/rails_3_2_12/config/application.rb +4 -4
- data/fixtures/rails_3_2_12/config/environments/development.rb +3 -3
- data/fixtures/rails_3_2_12/config/environments/test.rb +2 -2
- data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +5 -0
- data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +5 -0
- data/fixtures/rails_3_2_12_no_init/Gemfile +0 -1
- data/fixtures/rails_3_2_12_no_init/config/application.rb +1 -4
- data/fixtures/rails_3_2_12_no_init/config/environments/development.rb +3 -3
- data/fixtures/rails_3_2_12_no_init/config/environments/test.rb +2 -2
- data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +5 -0
- data/fixtures/rails_3_2_12_no_init/spec/controllers/things_controller_spec.rb +5 -0
- data/lib/secure_headers/headers/x_download_options.rb +39 -0
- data/lib/secure_headers/headers/x_xss_protection.rb +2 -1
- data/lib/secure_headers/railtie.rb +6 -2
- data/lib/secure_headers/version.rb +1 -1
- data/lib/secure_headers.rb +8 -1
- data/spec/lib/secure_headers/headers/x_download_options_spec.rb +32 -0
- data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +2 -1
- data/spec/lib/secure_headers_spec.rb +23 -2
- data/spec/spec_helper.rb +1 -0
- metadata +8 -17
- data/fixtures/rails_3_2_12/app/models/thing.rb +0 -3
- data/fixtures/rails_3_2_12/config/database.yml +0 -25
- data/fixtures/rails_3_2_12/db/schema.rb +0 -16
- data/fixtures/rails_3_2_12/db/seeds.rb +0 -7
- data/fixtures/rails_3_2_12_no_init/app/models/thing.rb +0 -3
- data/fixtures/rails_3_2_12_no_init/config/database.yml +0 -25
- data/fixtures/rails_3_2_12_no_init/db/schema.rb +0 -16
- data/fixtures/rails_3_2_12_no_init/db/seeds.rb +0 -7
checksums.yaml
ADDED
@@ -0,0 +1,15 @@
|
|
1
|
+
---
|
2
|
+
!binary "U0hBMQ==":
|
3
|
+
metadata.gz: !binary |-
|
4
|
+
NzcxMzdhM2IwMTAxN2IyNTc5OTg5OGY1MmJlZGFlNWJmNjBjM2MzMw==
|
5
|
+
data.tar.gz: !binary |-
|
6
|
+
ODNmNjA1YmY1ODEzMWIxYTU2YWYzYmY3NGFjM2Y1ZDU4MDQ0ODkwMQ==
|
7
|
+
SHA512:
|
8
|
+
metadata.gz: !binary |-
|
9
|
+
NGEwNTVlZjBmMTcwN2QxYjI5YjVkZGJhZmJiYTJlY2M3YzEyM2JiN2Q3MzY0
|
10
|
+
NzdmNWNhMDIzMmVhNzNkZWRmZTZiYmQ1OWE5MjMwYTY2MDE1NGVhMWU3Mjg4
|
11
|
+
OTdmZTZiOGI0N2NhNGYzZThkMjc3ZWYxMjU5YzhiYTNjNmFmZjE=
|
12
|
+
data.tar.gz: !binary |-
|
13
|
+
MTI1NTNhYzExYjVmYjMwNjNjMGUzMDlmYmVmZTk1YjJiN2UwODM4MzYwNzhj
|
14
|
+
Y2ZhMzYxNTNkM2Y0MWY1YTQ1ZWMyYmQ4NDA3NjJhOGViNTU0MmEwYWY4MTNm
|
15
|
+
MTczMzNjOTliYWYzODFiY2RiNDZmOGQ2ZWU4ZjdiNWJhMTZlMzA=
|
data/HISTORY.md
CHANGED
@@ -1,21 +1 @@
|
|
1
|
-
|
2
|
-
|
3
|
-
<table>
|
4
|
-
<tr>
|
5
|
-
<th></th>
|
6
|
-
<th></th>
|
7
|
-
<th></th>
|
8
|
-
</tr>
|
9
|
-
|
10
|
-
<% @things.each do |thing| %>
|
11
|
-
<tr>
|
12
|
-
<td><%= link_to 'Show', thing %></td>
|
13
|
-
<td><%= link_to 'Edit', edit_thing_path(thing) %></td>
|
14
|
-
<td><%= link_to 'Destroy', thing, method: :delete, data: { confirm: 'Are you sure?' } %></td>
|
15
|
-
</tr>
|
16
|
-
<% end %>
|
17
|
-
</table>
|
18
|
-
|
19
|
-
<br />
|
20
|
-
|
21
|
-
<%= link_to 'New Thing', new_thing_path %>
|
1
|
+
things
|
@@ -1,10 +1,10 @@
|
|
1
1
|
require File.expand_path('../boot', __FILE__)
|
2
2
|
|
3
3
|
# Pick the frameworks you want:
|
4
|
-
require "active_record/railtie"
|
4
|
+
# require "active_record/railtie"
|
5
5
|
require "action_controller/railtie"
|
6
|
-
require "action_mailer/railtie"
|
7
|
-
require "active_resource/railtie"
|
6
|
+
# require "action_mailer/railtie"
|
7
|
+
# require "active_resource/railtie"
|
8
8
|
require "sprockets/railtie"
|
9
9
|
# require "rails/test_unit/railtie"
|
10
10
|
|
@@ -57,7 +57,7 @@ module Rails3212
|
|
57
57
|
# This will create an empty whitelist of attributes available for mass-assignment for all models
|
58
58
|
# in your app. As such, your models will need to explicitly whitelist or blacklist accessible
|
59
59
|
# parameters by using an attr_accessible or attr_protected declaration.
|
60
|
-
config.active_record.whitelist_attributes = true
|
60
|
+
# config.active_record.whitelist_attributes = true
|
61
61
|
|
62
62
|
# Enable the asset pipeline
|
63
63
|
config.assets.enabled = true
|
@@ -14,7 +14,7 @@ Rails3212::Application.configure do
|
|
14
14
|
config.action_controller.perform_caching = false
|
15
15
|
|
16
16
|
# Don't care if the mailer can't send
|
17
|
-
config.action_mailer.raise_delivery_errors = false
|
17
|
+
# config.action_mailer.raise_delivery_errors = false
|
18
18
|
|
19
19
|
# Print deprecation notices to the Rails logger
|
20
20
|
config.active_support.deprecation = :log
|
@@ -23,11 +23,11 @@ Rails3212::Application.configure do
|
|
23
23
|
config.action_dispatch.best_standards_support = :builtin
|
24
24
|
|
25
25
|
# Raise exception on mass assignment protection for Active Record models
|
26
|
-
config.active_record.mass_assignment_sanitizer = :strict
|
26
|
+
# config.active_record.mass_assignment_sanitizer = :strict
|
27
27
|
|
28
28
|
# Log the query plan for queries taking more than this (works
|
29
29
|
# with SQLite, MySQL, and PostgreSQL)
|
30
|
-
config.active_record.auto_explain_threshold_in_seconds = 0.5
|
30
|
+
# config.active_record.auto_explain_threshold_in_seconds = 0.5
|
31
31
|
|
32
32
|
# Do not compress assets
|
33
33
|
config.assets.compress = false
|
@@ -27,10 +27,10 @@ Rails3212::Application.configure do
|
|
27
27
|
# Tell Action Mailer not to deliver emails to the real world.
|
28
28
|
# The :test delivery method accumulates sent emails in the
|
29
29
|
# ActionMailer::Base.deliveries array.
|
30
|
-
config.action_mailer.delivery_method = :test
|
30
|
+
# config.action_mailer.delivery_method = :test
|
31
31
|
|
32
32
|
# Raise exception on mass assignment protection for Active Record models
|
33
|
-
config.active_record.mass_assignment_sanitizer = :strict
|
33
|
+
# config.active_record.mass_assignment_sanitizer = :strict
|
34
34
|
|
35
35
|
# Print deprecation notices to the stderr
|
36
36
|
config.active_support.deprecation = :stderr
|
@@ -25,6 +25,11 @@ describe OtherThingsController, :type => :controller do
|
|
25
25
|
expect(response.headers['Strict-Transport-Security']).to eq("max-age=315576000")
|
26
26
|
end
|
27
27
|
|
28
|
+
it "sets the X-Download-Options header" do
|
29
|
+
get :index
|
30
|
+
expect(response.headers['X-Download-Options']).to eq('noopen')
|
31
|
+
end
|
32
|
+
|
28
33
|
it "sets the X-Content-Type-Options header" do
|
29
34
|
get :index
|
30
35
|
expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
|
@@ -28,6 +28,11 @@ describe ThingsController, :type => :controller do
|
|
28
28
|
expect(response.headers['Strict-Transport-Security']).to eq("max-age=315576000")
|
29
29
|
end
|
30
30
|
|
31
|
+
it "sets the X-Download-Options header" do
|
32
|
+
get :index
|
33
|
+
expect(response.headers['X-Download-Options']).to eq('noopen')
|
34
|
+
end
|
35
|
+
|
31
36
|
it "sets the X-Content-Type-Options header" do
|
32
37
|
get :index
|
33
38
|
expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
|
@@ -1,10 +1,7 @@
|
|
1
1
|
require File.expand_path('../boot', __FILE__)
|
2
2
|
|
3
3
|
# Pick the frameworks you want:
|
4
|
-
require "active_record/railtie"
|
5
4
|
require "action_controller/railtie"
|
6
|
-
require "action_mailer/railtie"
|
7
|
-
require "active_resource/railtie"
|
8
5
|
require "sprockets/railtie"
|
9
6
|
# require "rails/test_unit/railtie"
|
10
7
|
|
@@ -57,7 +54,7 @@ module Rails3212
|
|
57
54
|
# This will create an empty whitelist of attributes available for mass-assignment for all models
|
58
55
|
# in your app. As such, your models will need to explicitly whitelist or blacklist accessible
|
59
56
|
# parameters by using an attr_accessible or attr_protected declaration.
|
60
|
-
config.active_record.whitelist_attributes = true
|
57
|
+
# config.active_record.whitelist_attributes = true
|
61
58
|
|
62
59
|
# Enable the asset pipeline
|
63
60
|
config.assets.enabled = true
|
@@ -14,7 +14,7 @@ Rails3212::Application.configure do
|
|
14
14
|
config.action_controller.perform_caching = false
|
15
15
|
|
16
16
|
# Don't care if the mailer can't send
|
17
|
-
config.action_mailer.raise_delivery_errors = false
|
17
|
+
# config.action_mailer.raise_delivery_errors = false
|
18
18
|
|
19
19
|
# Print deprecation notices to the Rails logger
|
20
20
|
config.active_support.deprecation = :log
|
@@ -23,11 +23,11 @@ Rails3212::Application.configure do
|
|
23
23
|
config.action_dispatch.best_standards_support = :builtin
|
24
24
|
|
25
25
|
# Raise exception on mass assignment protection for Active Record models
|
26
|
-
config.active_record.mass_assignment_sanitizer = :strict
|
26
|
+
# config.active_record.mass_assignment_sanitizer = :strict
|
27
27
|
|
28
28
|
# Log the query plan for queries taking more than this (works
|
29
29
|
# with SQLite, MySQL, and PostgreSQL)
|
30
|
-
config.active_record.auto_explain_threshold_in_seconds = 0.5
|
30
|
+
# config.active_record.auto_explain_threshold_in_seconds = 0.5
|
31
31
|
|
32
32
|
# Do not compress assets
|
33
33
|
config.assets.compress = false
|
@@ -27,10 +27,10 @@ Rails3212::Application.configure do
|
|
27
27
|
# Tell Action Mailer not to deliver emails to the real world.
|
28
28
|
# The :test delivery method accumulates sent emails in the
|
29
29
|
# ActionMailer::Base.deliveries array.
|
30
|
-
config.action_mailer.delivery_method = :test
|
30
|
+
# config.action_mailer.delivery_method = :test
|
31
31
|
|
32
32
|
# Raise exception on mass assignment protection for Active Record models
|
33
|
-
config.active_record.mass_assignment_sanitizer = :strict
|
33
|
+
# config.active_record.mass_assignment_sanitizer = :strict
|
34
34
|
|
35
35
|
# Print deprecation notices to the stderr
|
36
36
|
config.active_support.deprecation = :stderr
|
@@ -24,6 +24,11 @@ describe OtherThingsController, :type => :controller do
|
|
24
24
|
expect(response.headers['Strict-Transport-Security']).to eq(SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
|
25
25
|
end
|
26
26
|
|
27
|
+
it "sets the X-Download-Options header" do
|
28
|
+
get :index
|
29
|
+
expect(response.headers['X-Download-Options']).to eq(SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
|
30
|
+
end
|
31
|
+
|
27
32
|
it "sets the X-Content-Type-Options header" do
|
28
33
|
get :index
|
29
34
|
expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
|
@@ -28,6 +28,11 @@ describe ThingsController, :type => :controller do
|
|
28
28
|
expect(response.headers['Strict-Transport-Security']).to eq(SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
|
29
29
|
end
|
30
30
|
|
31
|
+
it "sets the X-Download-Options header" do
|
32
|
+
get :index
|
33
|
+
expect(response.headers['X-Download-Options']).to eq(SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
|
34
|
+
end
|
35
|
+
|
31
36
|
it "sets the X-Content-Type-Options header" do
|
32
37
|
get :index
|
33
38
|
expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
|
@@ -0,0 +1,39 @@
|
|
1
|
+
module SecureHeaders
|
2
|
+
class XDOBuildError < StandardError; end
|
3
|
+
class XDownloadOptions < Header
|
4
|
+
module Constants
|
5
|
+
XDO_HEADER_NAME = "X-Download-Options"
|
6
|
+
DEFAULT_VALUE = 'noopen'
|
7
|
+
end
|
8
|
+
include Constants
|
9
|
+
|
10
|
+
def initialize(config = nil)
|
11
|
+
@config = config
|
12
|
+
validate_config unless @config.nil?
|
13
|
+
end
|
14
|
+
|
15
|
+
def name
|
16
|
+
XDO_HEADER_NAME
|
17
|
+
end
|
18
|
+
|
19
|
+
def value
|
20
|
+
case @config
|
21
|
+
when NilClass
|
22
|
+
DEFAULT_VALUE
|
23
|
+
when String
|
24
|
+
@config
|
25
|
+
else
|
26
|
+
@config[:value]
|
27
|
+
end
|
28
|
+
end
|
29
|
+
|
30
|
+
private
|
31
|
+
|
32
|
+
def validate_config
|
33
|
+
value = @config.is_a?(Hash) ? @config[:value] : @config
|
34
|
+
unless value.casecmp(DEFAULT_VALUE) == 0
|
35
|
+
raise XDOBuildError.new("Value can only be nil or 'noopen'")
|
36
|
+
end
|
37
|
+
end
|
38
|
+
end
|
39
|
+
end
|
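Review bot: `validate_config` (new-side lines 32-37) calls `value.casecmp(DEFAULT_VALUE)` on whatever was passed, so a Hash without `:value` (giving nil) or a non-String such as an Integer raises NoMethodError instead of the `XDOBuildError` this file defines for exactly that case. Guard the type before comparing: `unless value.is_a?(String) && value.casecmp(DEFAULT_VALUE) == 0` and raise with the idiomatic form `raise XDOBuildError, "Value can only be nil or 'noopen'"`. Because `casecmp` is case-insensitive while `value` (lines 19-28) returns the caller's string verbatim, "NOOPEN" passes validation and is emitted as typed; if normalisation is intended, `value` could return `DEFAULT_VALUE` once validation has succeeded. The class has no header comment; a line such as `# Emits "X-Download-Options: noopen", which stops Internet Explorer from opening a downloaded file directly in the site's security context — "noopen" is the only defined value` would explain why the validator accepts a single string.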
@@ -4,7 +4,7 @@ module SecureHeaders
|
|
4
4
|
module Constants
|
5
5
|
X_XSS_PROTECTION_HEADER_NAME = 'X-XSS-Protection'
|
6
6
|
DEFAULT_VALUE = "1"
|
7
|
-
VALID_X_XSS_HEADER = /\A[01](; mode=block)?\z/i
|
7
|
+
VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/i
|
8
8
|
end
|
9
9
|
include Constants
|
10
10
|
|
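Review bot: The new `(; report=.*)?` group on line 7 accepts any characters after `report=` — further `;` separators, spaces and control characters included — so for String configs the regex no longer constrains the tail of the header at all; `(; report=\S+)?` keeps it to one whitespace-free token. In this file's second hunk (new-side line 29) the Hash path appends `@config[:report_uri]` by interpolation; whether that value is run through `VALID_X_XSS_HEADER` or any other check is not visible here, so it is worth confirming the hash form is validated equivalently before the string reaches the response. A short comment next to the constant, e.g. `# value[; mode=block][; report=<uri>] — report= is only honoured by browsers with XSS-auditor reporting`, would document the grammar the regex is meant to enforce.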
@@ -26,6 +26,7 @@ module SecureHeaders
|
|
26
26
|
else
|
27
27
|
value = @config[:value].to_s
|
28
28
|
value += "; mode=#{@config[:mode]}" if @config[:mode]
|
29
|
+
value += "; report=#{@config[:report_uri]}" if @config[:report_uri]
|
29
30
|
value
|
30
31
|
end
|
31
32
|
end
|
@@ -3,7 +3,11 @@ if defined?(Rails::Railtie)
|
|
3
3
|
module SecureHeaders
|
4
4
|
class Railtie < Rails::Engine
|
5
5
|
isolate_namespace ::SecureHeaders if defined? isolate_namespace # rails 3.0
|
6
|
-
|
6
|
+
initializer "secure_headers.action_controller" do
|
7
|
+
ActiveSupport.on_load(:action_controller) do
|
8
|
+
include ::SecureHeaders
|
9
|
+
end
|
10
|
+
end
|
7
11
|
end
|
8
12
|
end
|
9
13
|
else
|
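Review bot: The initializer on new-side lines 6-10 includes `::SecureHeaders` into every controller as soon as `:action_controller` loads, but nothing documents that this now happens automatically or what it changes for applications that already include the module themselves. A comment above the `initializer` line such as `# Auto-include SecureHeaders into ActionController::Base; an explicit include in the app is harmless` would make the behaviour discoverable. Whether inclusion alone installs the before filters or an app still has to call `ensure_security_headers` cannot be seen from this hunk, and the comment should state that as well. The second hunk of this file only touches the trailing `end`.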
@@ -34,4 +38,4 @@ else
|
|
34
38
|
if defined? ActionController::Routing
|
35
39
|
ActionController::Routing::RouteSet::Mapper.send :include, ::SecureHeaders::Routing::MapperExtensions
|
36
40
|
end
|
37
|
-
end
|
41
|
+
end
|
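--- a/data/lib/secure_headers.rb
+++ b/data/lib/secure_headers.rb
@@ -2,7 +2,7 @@ module SecureHeaders
 module Configuration
 class << self
 attr_accessor :hsts, :x_frame_options, :x_content_type_options,
-:x_xss_protection, :csp
+:x_xss_protection, :csp, :x_download_options
 
 def configure &block
 instance_eval &block
@@ -38,6 +38,7 @@ module SecureHeaders
 before_filter :set_csp_header
 before_filter :set_x_xss_protection_header
 before_filter :set_x_content_type_options_header
+before_filter :set_x_download_options_header
 end
 
 # we can't use ||= because I'm overloading false => disable, nil => default
@@ -55,6 +56,7 @@ module SecureHeaders
 set_x_frame_options_header(options[:x_frame_options])
 set_x_xss_protection_header(options[:x_xss_protection])
 set_x_content_type_options_header(options[:x_content_type_options])
+set_x_download_options_header(options[:x_download_options])
 end
 
 # backwards compatibility jank, to be removed in 1.0. Old API required a request
@@ -99,6 +101,10 @@ module SecureHeaders
 set_a_header(:hsts, StrictTransportSecurity, options)
 end
 
+def set_x_download_options_header(options=self.class.secure_headers_options[:x_download_options])
+set_a_header(:x_download_options, XDownloadOptions, options)
+end
+
 private
 
 def set_a_header(name, klass, options=nil)
@@ -128,4 +134,5 @@ require "secure_headers/headers/x_frame_options"
 require "secure_headers/headers/strict_transport_security"
 require "secure_headers/headers/x_xss_protection"
 require "secure_headers/headers/x_content_type_options"
+require "secure_headers/headers/x_download_options"
 require "secure_headers/railtie"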
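Review bot: `set_x_download_options_header` (new-side lines 104-106) is added as a public method without any comment, whereas the surrounding code explains its option handling with `false => disable, nil => default`. A one-liner above the method such as `# Sets X-Download-Options (default "noopen"); false disables the header, nil uses the default — see set_a_header` would document the contract for callers who invoke it directly rather than through the filter. The new accessor, before filter and call site in the earlier hunks follow the existing per-header pattern and look consistent with it.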
@@ -0,0 +1,32 @@
|
|
1
|
+
module SecureHeaders
|
2
|
+
describe XDownloadOptions do
|
3
|
+
specify { expect(XDownloadOptions.new.name).to eq(XDO_HEADER_NAME)}
|
4
|
+
specify { expect(XDownloadOptions.new.value).to eq("noopen")}
|
5
|
+
specify { expect(XDownloadOptions.new('noopen').value).to eq('noopen')}
|
6
|
+
specify { expect(XDownloadOptions.new(:value => 'noopen').value).to eq('noopen') }
|
7
|
+
|
8
|
+
context "invalid configuration values" do
|
9
|
+
it "accepts noopen" do
|
10
|
+
expect {
|
11
|
+
XDownloadOptions.new("noopen")
|
12
|
+
}.not_to raise_error
|
13
|
+
|
14
|
+
expect {
|
15
|
+
XDownloadOptions.new(:value => "noopen")
|
16
|
+
}.not_to raise_error
|
17
|
+
end
|
18
|
+
|
19
|
+
it "accepts nil" do
|
20
|
+
expect {
|
21
|
+
XDownloadOptions.new
|
22
|
+
}.not_to raise_error
|
23
|
+
end
|
24
|
+
|
25
|
+
it "doesn't accept anything besides noopen" do
|
26
|
+
expect {
|
27
|
+
XContentTypeOptions.new("open")
|
28
|
+
}.to raise_error
|
29
|
+
end
|
30
|
+
end
|
31
|
+
end
|
32
|
+
end
|
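Review bot: The example `doesn't accept anything besides noopen` (new-side lines 25-29) instantiates `XContentTypeOptions.new("open")` instead of `XDownloadOptions`, so it never exercises this class's `validate_config`; it should read `XDownloadOptions.new("open")`. `}.to raise_error` with no class also passes on any exception, including a NoMethodError coming from the validator itself, so pin it with `}.to raise_error(XDOBuildError)`. Adding the hash form, e.g. `XDownloadOptions.new(:value => "open")`, would cover the second branch of `validate_config`. The `context` is titled "invalid configuration values" but two of its three examples assert acceptance; renaming or splitting it would read better.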
@@ -4,6 +4,7 @@ module SecureHeaders
|
|
4
4
|
specify { expect(XXssProtection.new.value).to eq("1")}
|
5
5
|
specify { expect(XXssProtection.new("0").value).to eq("0")}
|
6
6
|
specify { expect(XXssProtection.new(:value => 1, :mode => 'block').value).to eq('1; mode=block') }
|
7
|
+
specify { expect(XXssProtection.new(:value => 1, :mode => 'block', :report_uri => 'https://www.secure.com/reports').value).to eq('1; mode=block; report=https://www.secure.com/reports') }
|
7
8
|
|
8
9
|
context "with invalid configuration" do
|
9
10
|
it "should raise an error when providing a string that is not valid" do
|
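Review bot: The new example on line 7 only covers the accepted shape of `report_uri`; nothing in this spec shows what the validator rejects for the `report=` tail in either the String or the Hash form, so the new regex branch is effectively untested. An invalid-configuration example such as `expect { XXssProtection.new("1; report=a b") }.to raise_error` would document the intended grammar — and, with the current `.*` in the regex, it would also show that such a value is presently accepted. The second hunk of this file only touches the trailing `end`.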
@@ -50,4 +51,4 @@ module SecureHeaders
|
|
50
51
|
|
51
52
|
end
|
52
53
|
end
|
53
|
-
end
|
54
|
+
end
|
@@ -54,6 +54,7 @@ describe SecureHeaders do
|
|
54
54
|
config.x_content_type_options = nil
|
55
55
|
config.x_xss_protection = nil
|
56
56
|
config.csp = nil
|
57
|
+
config.x_download_options = nil
|
57
58
|
end
|
58
59
|
end
|
59
60
|
|
@@ -63,12 +64,13 @@ describe SecureHeaders do
|
|
63
64
|
subject.set_x_frame_options_header
|
64
65
|
subject.set_x_content_type_options_header
|
65
66
|
subject.set_x_xss_protection_header
|
67
|
+
subject.set_x_download_options_header
|
66
68
|
end
|
67
69
|
|
68
70
|
describe "#ensure_security_headers" do
|
69
71
|
it "sets a before filter" do
|
70
72
|
options = {}
|
71
|
-
expect(DummyClass).to receive(:before_filter).exactly(
|
73
|
+
expect(DummyClass).to receive(:before_filter).exactly(6).times
|
72
74
|
DummyClass.ensure_security_headers(options)
|
73
75
|
end
|
74
76
|
end
|
@@ -92,13 +94,14 @@ describe SecureHeaders do
|
|
92
94
|
USER_AGENTS.each do |name, useragent|
|
93
95
|
it "sets all default headers for #{name} (smoke test)" do
|
94
96
|
stub_user_agent(useragent)
|
95
|
-
number_of_headers =
|
97
|
+
number_of_headers = 6
|
96
98
|
expect(subject).to receive(:set_header).exactly(number_of_headers).times # a request for a given header
|
97
99
|
subject.set_csp_header
|
98
100
|
subject.set_x_frame_options_header
|
99
101
|
subject.set_hsts_header
|
100
102
|
subject.set_x_xss_protection_header
|
101
103
|
subject.set_x_content_type_options_header
|
104
|
+
subject.set_x_download_options_header
|
102
105
|
end
|
103
106
|
end
|
104
107
|
|
@@ -113,6 +116,11 @@ describe SecureHeaders do
|
|
113
116
|
subject.set_x_xss_protection_header(false)
|
114
117
|
end
|
115
118
|
|
119
|
+
it "does not set the X-Download-Options header if disabled" do
|
120
|
+
should_not_assign_header(XDO_HEADER_NAME)
|
121
|
+
subject.set_x_download_options_header(false)
|
122
|
+
end
|
123
|
+
|
116
124
|
it "does not set the X-Frame-Options header if disabled" do
|
117
125
|
should_not_assign_header(XFO_HEADER_NAME)
|
118
126
|
subject.set_x_frame_options_header(false)
|
@@ -143,6 +151,7 @@ describe SecureHeaders do
|
|
143
151
|
config.x_content_type_options = false
|
144
152
|
config.x_xss_protection = false
|
145
153
|
config.csp = false
|
154
|
+
config.x_download_options = false
|
146
155
|
end
|
147
156
|
expect(subject).not_to receive(:set_header)
|
148
157
|
set_security_headers(subject)
|
@@ -163,6 +172,18 @@ describe SecureHeaders do
|
|
163
172
|
end
|
164
173
|
end
|
165
174
|
|
175
|
+
describe "#set_x_download_options_header" do
|
176
|
+
it "sets the X-Download-Options header" do
|
177
|
+
should_assign_header(XDO_HEADER_NAME, SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
|
178
|
+
subject.set_x_download_options_header
|
179
|
+
end
|
180
|
+
|
181
|
+
it "allows a custom X-Download-Options header" do
|
182
|
+
should_assign_header(XDO_HEADER_NAME, "noopen")
|
183
|
+
subject.set_x_download_options_header(:value => 'noopen')
|
184
|
+
end
|
185
|
+
end
|
186
|
+
|
166
187
|
describe "#set_strict_transport_security" do
|
167
188
|
it "sets the Strict-Transport-Security header" do
|
168
189
|
should_assign_header(HSTS_HEADER_NAME, SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
|
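Review bot: `allows a custom X-Download-Options header` (new-side lines 181-184 of the last hunk) passes `:value => 'noopen'`, which is also the default, so the assertion cannot distinguish the custom path from the default one; since `noopen` is the only accepted value, what the example really verifies is the Hash form, and a title like `accepts the hash form of the X-Download-Options config` would say so. The `6` literals in `exactly(6).times` and `number_of_headers = 6` must be bumped by hand each time a header is added; deriving the count from the list of headers, or at least a comment `# csp, xfo, hsts, xss, nosniff, xdo` beside each literal, would keep them from drifting.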
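--- a/data/spec/spec_helper.rb
+++ b/data/spec/spec_helper.rb
@@ -8,3 +8,4 @@ include ::SecureHeaders::ContentSecurityPolicy::Constants
 include ::SecureHeaders::XFrameOptions::Constants
 include ::SecureHeaders::XXssProtection::Constants
 include ::SecureHeaders::XContentTypeOptions::Constants
+include ::SecureHeaders::XDownloadOptions::Constants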
metadata
CHANGED
@@ -1,20 +1,18 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: secure_headers
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.3.
|
5
|
-
prerelease:
|
4
|
+
version: 1.3.4
|
6
5
|
platform: ruby
|
7
6
|
authors:
|
8
7
|
- Neil Matatall
|
9
8
|
autorequire:
|
10
9
|
bindir: bin
|
11
10
|
cert_chain: []
|
12
|
-
date: 2014-
|
11
|
+
date: 2014-10-13 00:00:00.000000000 Z
|
13
12
|
dependencies:
|
14
13
|
- !ruby/object:Gem::Dependency
|
15
14
|
name: rake
|
16
15
|
requirement: !ruby/object:Gem::Requirement
|
17
|
-
none: false
|
18
16
|
requirements:
|
19
17
|
- - ! '>='
|
20
18
|
- !ruby/object:Gem::Version
|
@@ -22,7 +20,6 @@ dependencies:
|
|
22
20
|
type: :development
|
23
21
|
prerelease: false
|
24
22
|
version_requirements: !ruby/object:Gem::Requirement
|
25
|
-
none: false
|
26
23
|
requirements:
|
27
24
|
- - ! '>='
|
28
25
|
- !ruby/object:Gem::Version
|
@@ -55,14 +52,12 @@ files:
|
|
55
52
|
- fixtures/rails_3_2_12/app/controllers/other_things_controller.rb
|
56
53
|
- fixtures/rails_3_2_12/app/controllers/things_controller.rb
|
57
54
|
- fixtures/rails_3_2_12/app/models/.gitkeep
|
58
|
-
- fixtures/rails_3_2_12/app/models/thing.rb
|
59
55
|
- fixtures/rails_3_2_12/app/views/layouts/application.html.erb
|
60
56
|
- fixtures/rails_3_2_12/app/views/other_things/index.html.erb
|
61
57
|
- fixtures/rails_3_2_12/app/views/things/index.html.erb
|
62
58
|
- fixtures/rails_3_2_12/config.ru
|
63
59
|
- fixtures/rails_3_2_12/config/application.rb
|
64
60
|
- fixtures/rails_3_2_12/config/boot.rb
|
65
|
-
- fixtures/rails_3_2_12/config/database.yml
|
66
61
|
- fixtures/rails_3_2_12/config/environment.rb
|
67
62
|
- fixtures/rails_3_2_12/config/environments/development.rb
|
68
63
|
- fixtures/rails_3_2_12/config/environments/production.rb
|
@@ -76,8 +71,6 @@ files:
|
|
76
71
|
- fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb
|
77
72
|
- fixtures/rails_3_2_12/config/locales/en.yml
|
78
73
|
- fixtures/rails_3_2_12/config/routes.rb
|
79
|
-
- fixtures/rails_3_2_12/db/schema.rb
|
80
|
-
- fixtures/rails_3_2_12/db/seeds.rb
|
81
74
|
- fixtures/rails_3_2_12/lib/assets/.gitkeep
|
82
75
|
- fixtures/rails_3_2_12/lib/tasks/.gitkeep
|
83
76
|
- fixtures/rails_3_2_12/log/.gitkeep
|
@@ -95,7 +88,6 @@ files:
|
|
95
88
|
- fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb
|
96
89
|
- fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb
|
97
90
|
- fixtures/rails_3_2_12_no_init/app/models/.gitkeep
|
98
|
-
- fixtures/rails_3_2_12_no_init/app/models/thing.rb
|
99
91
|
- fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb
|
100
92
|
- fixtures/rails_3_2_12_no_init/app/views/other_things/index.html.erb
|
101
93
|
- fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb
|
@@ -106,7 +98,6 @@ files:
|
|
106
98
|
- fixtures/rails_3_2_12_no_init/config.ru
|
107
99
|
- fixtures/rails_3_2_12_no_init/config/application.rb
|
108
100
|
- fixtures/rails_3_2_12_no_init/config/boot.rb
|
109
|
-
- fixtures/rails_3_2_12_no_init/config/database.yml
|
110
101
|
- fixtures/rails_3_2_12_no_init/config/environment.rb
|
111
102
|
- fixtures/rails_3_2_12_no_init/config/environments/development.rb
|
112
103
|
- fixtures/rails_3_2_12_no_init/config/environments/production.rb
|
@@ -119,8 +110,6 @@ files:
|
|
119
110
|
- fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb
|
120
111
|
- fixtures/rails_3_2_12_no_init/config/locales/en.yml
|
121
112
|
- fixtures/rails_3_2_12_no_init/config/routes.rb
|
122
|
-
- fixtures/rails_3_2_12_no_init/db/schema.rb
|
123
|
-
- fixtures/rails_3_2_12_no_init/db/seeds.rb
|
124
113
|
- fixtures/rails_3_2_12_no_init/lib/assets/.gitkeep
|
125
114
|
- fixtures/rails_3_2_12_no_init/lib/tasks/.gitkeep
|
126
115
|
- fixtures/rails_3_2_12_no_init/log/.gitkeep
|
@@ -135,6 +124,7 @@ files:
|
|
135
124
|
- lib/secure_headers/headers/content_security_policy.rb
|
136
125
|
- lib/secure_headers/headers/strict_transport_security.rb
|
137
126
|
- lib/secure_headers/headers/x_content_type_options.rb
|
127
|
+
- lib/secure_headers/headers/x_download_options.rb
|
138
128
|
- lib/secure_headers/headers/x_frame_options.rb
|
139
129
|
- lib/secure_headers/headers/x_xss_protection.rb
|
140
130
|
- lib/secure_headers/padrino.rb
|
@@ -145,6 +135,7 @@ files:
|
|
145
135
|
- spec/lib/secure_headers/headers/content_security_policy_spec.rb
|
146
136
|
- spec/lib/secure_headers/headers/strict_transport_security_spec.rb
|
147
137
|
- spec/lib/secure_headers/headers/x_content_type_options_spec.rb
|
138
|
+
- spec/lib/secure_headers/headers/x_download_options_spec.rb
|
148
139
|
- spec/lib/secure_headers/headers/x_frame_options_spec.rb
|
149
140
|
- spec/lib/secure_headers/headers/x_xss_protection_spec.rb
|
150
141
|
- spec/lib/secure_headers_spec.rb
|
@@ -153,27 +144,26 @@ files:
|
|
153
144
|
homepage: https://github.com/twitter/secureheaders
|
154
145
|
licenses:
|
155
146
|
- Apache Public License 2.0
|
147
|
+
metadata: {}
|
156
148
|
post_install_message:
|
157
149
|
rdoc_options: []
|
158
150
|
require_paths:
|
159
151
|
- lib
|
160
152
|
required_ruby_version: !ruby/object:Gem::Requirement
|
161
|
-
none: false
|
162
153
|
requirements:
|
163
154
|
- - ! '>='
|
164
155
|
- !ruby/object:Gem::Version
|
165
156
|
version: '0'
|
166
157
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
167
|
-
none: false
|
168
158
|
requirements:
|
169
159
|
- - ! '>='
|
170
160
|
- !ruby/object:Gem::Version
|
171
161
|
version: '0'
|
172
162
|
requirements: []
|
173
163
|
rubyforge_project:
|
174
|
-
rubygems_version: 1.
|
164
|
+
rubygems_version: 2.1.1
|
175
165
|
signing_key:
|
176
|
-
specification_version:
|
166
|
+
specification_version: 4
|
177
167
|
summary: Add easily configured browser headers to responses including content security
|
178
168
|
policy, x-frame-options, strict-transport-security and more.
|
179
169
|
test_files:
|
@@ -181,6 +171,7 @@ test_files:
|
|
181
171
|
- spec/lib/secure_headers/headers/content_security_policy_spec.rb
|
182
172
|
- spec/lib/secure_headers/headers/strict_transport_security_spec.rb
|
183
173
|
- spec/lib/secure_headers/headers/x_content_type_options_spec.rb
|
174
|
+
- spec/lib/secure_headers/headers/x_download_options_spec.rb
|
184
175
|
- spec/lib/secure_headers/headers/x_frame_options_spec.rb
|
185
176
|
- spec/lib/secure_headers/headers/x_xss_protection_spec.rb
|
186
177
|
- spec/lib/secure_headers_spec.rb
|
@@ -1,25 +0,0 @@
|
|
1
|
-
# SQLite version 3.x
|
2
|
-
# gem install sqlite3
|
3
|
-
#
|
4
|
-
# Ensure the SQLite 3 gem is defined in your Gemfile
|
5
|
-
# gem 'sqlite3'
|
6
|
-
development:
|
7
|
-
adapter: sqlite3
|
8
|
-
database: db/development.sqlite3
|
9
|
-
pool: 5
|
10
|
-
timeout: 5000
|
11
|
-
|
12
|
-
# Warning: The database defined as "test" will be erased and
|
13
|
-
# re-generated from your development database when you run "rake".
|
14
|
-
# Do not set this db to the same as development or production.
|
15
|
-
test:
|
16
|
-
adapter: sqlite3
|
17
|
-
database: db/test.sqlite3
|
18
|
-
pool: 5
|
19
|
-
timeout: 5000
|
20
|
-
|
21
|
-
production:
|
22
|
-
adapter: sqlite3
|
23
|
-
database: db/production.sqlite3
|
24
|
-
pool: 5
|
25
|
-
timeout: 5000
|
@@ -1,16 +0,0 @@
|
|
1
|
-
# encoding: UTF-8
|
2
|
-
# This file is auto-generated from the current state of the database. Instead
|
3
|
-
# of editing this file, please use the migrations feature of Active Record to
|
4
|
-
# incrementally modify your database, and then regenerate this schema definition.
|
5
|
-
#
|
6
|
-
# Note that this schema.rb definition is the authoritative source for your
|
7
|
-
# database schema. If you need to create the application database on another
|
8
|
-
# system, you should be using db:schema:load, not running all the migrations
|
9
|
-
# from scratch. The latter is a flawed and unsustainable approach (the more migrations
|
10
|
-
# you'll amass, the slower it'll run and the greater likelihood for issues).
|
11
|
-
#
|
12
|
-
# It's strongly recommended to check this file into your version control system.
|
13
|
-
|
14
|
-
ActiveRecord::Schema.define(:version => 0) do
|
15
|
-
|
16
|
-
end
|
@@ -1,7 +0,0 @@
|
|
1
|
-
# This file should contain all the record creation needed to seed the database with its default values.
|
2
|
-
# The data can then be loaded with the rake db:seed (or created alongside the db with db:setup).
|
3
|
-
#
|
4
|
-
# Examples:
|
5
|
-
#
|
6
|
-
# cities = City.create([{ name: 'Chicago' }, { name: 'Copenhagen' }])
|
7
|
-
# Mayor.create(name: 'Emanuel', city: cities.first)
|
@@ -1,25 +0,0 @@
|
|
1
|
-
# SQLite version 3.x
|
2
|
-
# gem install sqlite3
|
3
|
-
#
|
4
|
-
# Ensure the SQLite 3 gem is defined in your Gemfile
|
5
|
-
# gem 'sqlite3'
|
6
|
-
development:
|
7
|
-
adapter: sqlite3
|
8
|
-
database: db/development.sqlite3
|
9
|
-
pool: 5
|
10
|
-
timeout: 5000
|
11
|
-
|
12
|
-
# Warning: The database defined as "test" will be erased and
|
13
|
-
# re-generated from your development database when you run "rake".
|
14
|
-
# Do not set this db to the same as development or production.
|
15
|
-
test:
|
16
|
-
adapter: sqlite3
|
17
|
-
database: db/test.sqlite3
|
18
|
-
pool: 5
|
19
|
-
timeout: 5000
|
20
|
-
|
21
|
-
production:
|
22
|
-
adapter: sqlite3
|
23
|
-
database: db/production.sqlite3
|
24
|
-
pool: 5
|
25
|
-
timeout: 5000
|
@@ -1,16 +0,0 @@
|
|
1
|
-
# encoding: UTF-8
|
2
|
-
# This file is auto-generated from the current state of the database. Instead
|
3
|
-
# of editing this file, please use the migrations feature of Active Record to
|
4
|
-
# incrementally modify your database, and then regenerate this schema definition.
|
5
|
-
#
|
6
|
-
# Note that this schema.rb definition is the authoritative source for your
|
7
|
-
# database schema. If you need to create the application database on another
|
8
|
-
# system, you should be using db:schema:load, not running all the migrations
|
9
|
-
# from scratch. The latter is a flawed and unsustainable approach (the more migrations
|
10
|
-
# you'll amass, the slower it'll run and the greater likelihood for issues).
|
11
|
-
#
|
12
|
-
# It's strongly recommended to check this file into your version control system.
|
13
|
-
|
14
|
-
ActiveRecord::Schema.define(:version => 0) do
|
15
|
-
|
16
|
-
end
|
@@ -1,7 +0,0 @@
|
|
1
|
-
# This file should contain all the record creation needed to seed the database with its default values.
|
2
|
-
# The data can then be loaded with the rake db:seed (or created alongside the db with db:setup).
|
3
|
-
#
|
4
|
-
# Examples:
|
5
|
-
#
|
6
|
-
# cities = City.create([{ name: 'Chicago' }, { name: 'Copenhagen' }])
|
7
|
-
# Mayor.create(name: 'Emanuel', city: cities.first)
|