secure_headers 2.1.0 → 2.2.0


checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 16e634b2502cd5ee9d87fac9a9d2c6af9bc48fda
4
- data.tar.gz: 1416e09703db75cdf25379a1273477f346080c72
3
+ metadata.gz: 8e454769ab715d2e94e5451190e7ef8679810ec0
4
+ data.tar.gz: 9f0fd48b03bd3e8f5a60b85894492a4a9aee08a0
5
5
  SHA512:
6
- metadata.gz: d1483f86c255f59593766bf3312d0085df5b59281c2daf426c16bf930c92c06ae17c17e07984be696b1719336e89ea7000e19948713b310354c749200e2debd6
7
- data.tar.gz: eaf23b06c98757048b1516d87e429a23b5c70606db476f90eb042250bbd863bd1fddfdbcf12a6fce51e077a0ee3e6332cedcc041514de6a0ce55295d77a4bd65
6
+ metadata.gz: 9ace533baba91512c2d8b15f12ed188d93feda9b20f7e682caaa740d413b1428e9c39deb2c2fbba4aec6462093f54126de9ca8cc5268d5b8d98851c82876fa6d
7
+ data.tar.gz: 9b5e12226b456e4983eb31cd75f48ccadf34d80d125ff0fb67ee84afe56f3ca3a682890213e20e2c24e2c715073c0284b4ab8fc3fc86ad722c7ae6d08c0bb207
data/README.md CHANGED
@@ -8,7 +8,7 @@ The gem will automatically apply several headers that are related to security.
8
8
  - X-Content-Type-Options - [Prevent content type sniffing](http://msdn.microsoft.com/en-us/library/ie/gg622941\(v=vs.85\).aspx)
9
9
  - X-Download-Options - [Prevent file downloads opening](http://msdn.microsoft.com/en-us/library/ie/jj542450(v=vs.85).aspx)
10
10
  - X-Permitted-Cross-Domain-Policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
11
- - Public Key Pinning - Pin certificate fingerprints in the browser to prevent man-in-the-middle attacks due to compromised Certificate Authorites. [Public Key Pinnning Specification](https://tools.ietf.org/html/draft-ietf-websec-key-pinning-21)
11
+ - Public Key Pinning - Pin certificate fingerprints in the browser to prevent man-in-the-middle attacks due to compromised Certificate Authorites. [Public Key Pinnning Specification](https://tools.ietf.org/html/rfc7469)
12
12
 
13
13
  ## Usage
14
14
 
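Review bot: the `+` line still carries the two typos from the old line, "Authorites" and "Pinnning"; since this line is being rewritten anyway, fix them to "Authorities" and "Pinning" in the same change. The link target move from draft-ietf-websec-key-pinning-21 to rfc7469 is correct, as the draft was published as RFC 7469.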
@@ -49,6 +49,7 @@ This gem makes a few assumptions about how you will use some features. For exam
49
49
  config.x_permitted_cross_domain_policies = 'none'
50
50
  config.csp = {
51
51
  :default_src => "https: self",
52
+ :enforce => proc {|controller| contoller.current_user.enforce_csp? }
52
53
  :frame_src => "https: http:.twimg.com http://itunes.apple.com",
53
54
  :img_src => "https:",
54
55
  :report_uri => '//example.com/uri-directive'
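Review bot: the added README example is not valid Ruby. `:enforce => proc {|controller| contoller.current_user.enforce_csp? }` references `contoller` (misspelled), which would raise NameError the first time the proc runs, and the entry has no trailing comma before the following `:frame_src => ...` line, so the hash literal does not parse. Suggested line: `:enforce => proc { |controller| controller.current_user.enforce_csp? },`. It would also help to say in the surrounding text that the block argument is the controller handling the request, since this is the first place the README shows it.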
@@ -418,7 +419,7 @@ end
418
419
 
419
420
  * Node.js (express) [helmet](https://github.com/evilpacket/helmet) and [hood](https://github.com/seanmonstar/hood)
420
421
  * J2EE Servlet >= 3.0 [highlines](https://github.com/sourceclear/headlines)
421
- * ASP.NET - [NWebsec](http://nwebsec.codeplex.com/)
422
+ * ASP.NET - [NWebsec](https://github.com/NWebsec/NWebsec/wiki)
422
423
  * Python - [django-csp](https://github.com/mozilla/django-csp/) + [commonware](https://github.com/jsocol/commonware/)
423
424
  * Go - [secureheader](https://github.com/kr/secureheader)
424
425
 
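Review bot: the NWebsec link move to the GitHub wiki is fine, but the line two above it in the same list reads "highlines" while its URL points at `sourceclear/headlines`; worth correcting the link text to "headlines" while this list is being touched.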
@@ -106,7 +106,7 @@ module SecureHeaders
106
106
 
107
107
  # Config values can be string, array, or lamdba values
108
108
  @config = config.inject({}) do |hash, (key, value)|
109
- config_val = value.respond_to?(:call) ? value.call : value
109
+ config_val = value.respond_to?(:call) ? value.call(@controller) : value
110
110
 
111
111
  if SOURCE_DIRECTIVES.include?(key) # directives need to be normalized to arrays of strings
112
112
  config_val = config_val.split if config_val.is_a? String
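Review bot: `value.call(@controller)` is a breaking change for every existing `lambda { ... }` config value. Lambdas enforce arity, so a zero-argument lambda now raises ArgumentError (given 1, expected 0); procs tolerate the extra argument, which is why the specs below switch to `proc`. An arity check keeps both forms working without a migration: `config_val = value.respond_to?(:call) ? (value.arity.zero? ? value.call : value.call(@controller)) : value`. Two smaller points on the same hunk: the comment on the line above ("lamdba") is misspelled and should now document that callables receive the controller, and nothing in these lines guarantees `@controller` is set (the spec still constructs `ContentSecurityPolicy.new(opts)` with no `:controller`), so a proc that dereferences it will raise NoMethodError on nil; either document that or guard it.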
@@ -1,3 +1,3 @@
1
1
  module SecureHeaders
2
- VERSION = "2.1.0"
2
+ VERSION = "2.2.0"
3
3
  end
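Review bot: this bump is 2.1.0 to 2.2.0, but the change to how callable config values are invoked breaks existing zero-argument lambda configs at request time. Under semantic versioning that is a major bump, or the call site should stay backwards compatible (arity-aware) so a minor bump is honest.
</gri_insert>
<gr_insert after="153" cat="add_content" orig="end">
Review bot: a `post_install_message` is the only migration notice in this diff, and it is shown once at install time, where it is easy to miss in a Bundler run. The README hunk in this same change shows the new `|controller|` form but says nothing about existing lambdas breaking; add a note there (or a CHANGELOG entry) as well, and consider failing at configuration time with a descriptive error instead of letting a zero-arity lambda raise ArgumentError on the first request.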
@@ -19,4 +19,5 @@ Gem::Specification.new do |gem|
19
19
  gem.test_files = gem.files.grep(%r{^(test|spec|features)/})
20
20
  gem.require_paths = ["lib"]
21
21
  gem.add_development_dependency "rake"
22
+ gem.post_install_message = "Warning: lambda config values will be broken until you add |controller|. e.g. :enforce => lambda { |controller| some_expression }"
22
23
  end
@@ -76,7 +76,7 @@ module SecureHeaders
76
76
  end
77
77
 
78
78
  it "adds a @enforce and @app_name variables to the report uri" do
79
- opts = @opts.merge(:tag_report_uri => true, :enforce => true, :app_name => lambda { 'twitter' })
79
+ opts = @opts.merge(:tag_report_uri => true, :enforce => true, :app_name => proc { 'twitter' })
80
80
  csp = ContentSecurityPolicy.new(opts, :request => request_for(CHROME))
81
81
  expect(csp.value).to include("/csp_report?enforce=true&app_name=twitter")
82
82
  end
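Review bot: switching the fixture from `lambda { 'twitter' }` to `proc { 'twitter' }` makes the spec pass, but it also removes the only coverage of the zero-argument lambda form that 2.1.0 users have in their configs. Keep one `lambda { ... }` case and assert on the intended behaviour, either that it still works or that it raises a clear error, so the compatibility break is a deliberate, tested decision rather than a side effect.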
@@ -90,7 +90,7 @@ module SecureHeaders
90
90
  it "accepts procs for report-uris" do
91
91
  opts = {
92
92
  :default_src => 'self',
93
- :report_uri => lambda { "http://lambda/result" }
93
+ :report_uri => proc { "http://lambda/result" }
94
94
  }
95
95
 
96
96
  csp = ContentSecurityPolicy.new(opts)
@@ -99,15 +99,29 @@ module SecureHeaders
99
99
 
100
100
  it "accepts procs for other fields" do
101
101
  opts = {
102
- :default_src => lambda { "http://lambda/result" },
103
- :enforce => lambda { true },
104
- :disable_fill_missing => lambda { true }
102
+ :default_src => proc { "http://lambda/result" },
103
+ :enforce => proc { true },
104
+ :disable_fill_missing => proc { true }
105
105
  }
106
106
 
107
107
  csp = ContentSecurityPolicy.new(opts)
108
108
  expect(csp.value).to eq("default-src http://lambda/result; img-src http://lambda/result data:;")
109
109
  expect(csp.name).to match("Content-Security-Policy")
110
110
  end
111
+
112
+ it "passes a reference to the controller to the proc" do
113
+ controller = double
114
+ user = double(:beta_testing? => true)
115
+
116
+ allow(controller).to receive(:current_user).and_return(user)
117
+ opts = {
118
+ :disable_fill_missing => true,
119
+ :default_src => "self",
120
+ :enforce => lambda { |c| c.current_user.beta_testing? }
121
+ }
122
+ csp = ContentSecurityPolicy.new(opts, :controller => controller)
123
+ expect(csp.name).to match("Content-Security-Policy")
124
+ end
111
125
  end
112
126
  end
113
127
 
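Review bot: the new "passes a reference to the controller to the proc" example does not actually verify what its name claims. `expect(csp.name).to match("Content-Security-Policy")` passes for "Content-Security-Policy-Report-Only" too, because `match` with a string does a substring regex match, so the test would pass even if `:enforce` evaluated to false or the controller were never passed. Use `expect(csp.name).to eq("Content-Security-Policy")` and add `expect(user).to have_received(:beta_testing?)` (or set up `current_user` with `expect(...).to receive`) so the spec fails if the controller is not handed to the lambda.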
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.1.0
4
+ version: 2.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Neil Matatall
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2015-05-07 00:00:00.000000000 Z
11
+ date: 2015-06-18 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake
@@ -156,7 +156,8 @@ homepage: https://github.com/twitter/secureheaders
156
156
  licenses:
157
157
  - Apache Public License 2.0
158
158
  metadata: {}
159
- post_install_message:
159
+ post_install_message: 'Warning: lambda config values will be broken until you add
160
+ |controller|. e.g. :enforce => lambda { |controller| some_expression }'
160
161
  rdoc_options: []
161
162
  require_paths:
162
163
  - lib