RubyGems - secure_headers - Versions diffs - 2.2.0 → 2.2.1 - Mend

secure_headers 2.2.0 → 2.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of secure_headers might be problematic. Click here for more details.

Files changed (8) hide show

checksums.yaml +4 -4
data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +1 -1
data/fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb +1 -1
data/lib/secure_headers/headers/content_security_policy.rb +12 -2
data/lib/secure_headers/version.rb +1 -1
data/secure_headers.gemspec +1 -0
data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +25 -2
metadata +16 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 8e454769ab715d2e94e5451190e7ef8679810ec0
-  data.tar.gz: 9f0fd48b03bd3e8f5a60b85894492a4a9aee08a0
+  metadata.gz: 8505e6e7242a976db378e97869dd8690e49fbe54
+  data.tar.gz: 32b1d9c752c03f66987f007c41c795c7f57d8e6a
 SHA512:
-  metadata.gz: 9ace533baba91512c2d8b15f12ed188d93feda9b20f7e682caaa740d413b1428e9c39deb2c2fbba4aec6462093f54126de9ca8cc5268d5b8d98851c82876fa6d
-  data.tar.gz: 9b5e12226b456e4983eb31cd75f48ccadf34d80d125ff0fb67ee84afe56f3ca3a682890213e20e2c24e2c715073c0284b4ab8fc3fc86ad722c7ae6d08c0bb207
+  metadata.gz: 989eaa8a180a9d8f5172305eb2d0cb6df13e37a8ba49587c8d1596f8cd4864838982b127a9a26e74d441fd0236cd165b9299bf8206fa32ebfcd4d05d234b55a5
+  data.tar.gz: 7437baa6edae3a38c3f5023b8a94cc58aa563b9aed732db10767b7996eaaf53f5b2f7af6d872ad0775ce7a02e547353238d36a118bb3b6f3e734e6ed37d75dd7

data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb CHANGED Viewed

@@ -13,7 +13,7 @@ describe OtherThingsController, :type => :controller do
     options = opts.merge(
       {
         'HTTPS' => 'on',
-        'HTTP_USER_AGENT' => "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
+        'HTTP_USER_AGENT' => "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/537.22 (KHTML like Gecko) Chrome/25.0.1364.99 Safari/537.22"
       }
     )

data/fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb CHANGED Viewed

@@ -13,7 +13,7 @@ describe OtherThingsController, :type => :controller do
     options = opts.merge(
       {
         'HTTPS' => 'on',
-        'HTTP_USER_AGENT' => "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
+        'HTTP_USER_AGENT' => "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/537.22 (KHTML like Gecko) Chrome/25.0.1364.99 Safari/537.22"
       }
     )

data/lib/secure_headers/headers/content_security_policy.rb CHANGED Viewed

@@ -1,6 +1,7 @@
 require 'uri'
 require 'base64'
 require 'securerandom'
+require 'user_agent_parser'
 module SecureHeaders
   class ContentSecurityPolicyBuildError < StandardError; end
@@ -205,8 +206,12 @@ module SecureHeaders
       elsif %{self none}.include?(val)
         "'#{val}'"
       elsif val == 'nonce'
-        self.class.set_nonce(@controller, nonce)
-        ["'nonce-#{nonce}'", "'unsafe-inline'"]
+        if supports_nonces?(@ua)
+          self.class.set_nonce(@controller, nonce)
+          ["'nonce-#{nonce}'", "'unsafe-inline'"]
+        else
+          "'unsafe-inline'"
+        end
       else
         val
       end
@@ -258,5 +263,10 @@ module SecureHeaders
     def build_directive(key)
       "#{self.class.symbol_to_hyphen_case(key)} #{@config[key].join(" ")}; "
     end
+    def supports_nonces?(user_agent)
+      parsed_ua = UserAgentParser.parse(user_agent)
+      ["Chrome", "Opera", "Firefox"].include?(parsed_ua.family)
+    end
   end
 end

data/lib/secure_headers/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module SecureHeaders
-  VERSION = "2.2.0"
+  VERSION = "2.2.1"
 end

data/secure_headers.gemspec CHANGED Viewed

@@ -19,5 +19,6 @@ Gem::Specification.new do |gem|
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ["lib"]
   gem.add_development_dependency "rake"
+  gem.add_dependency "user_agent_parser"
   gem.post_install_message = "Warning: lambda config values will be broken until you add |controller|. e.g. :enforce => lambda { |controller| some_expression }"
 end

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb CHANGED Viewed

@@ -17,7 +17,8 @@ module SecureHeaders
     FIREFOX_23 = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0"
     CHROME = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4"
     CHROME_25 = "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/537.22 (KHTML like Gecko) Chrome/25.0.1364.99 Safari/537.22"
+    SAFARI = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A"
+    OPERA = "Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16"
     def request_for user_agent, request_uri=nil, options={:ssl => false}
       double(:ssl? => options[:ssl], :env => {'HTTP_USER_AGENT' => user_agent}, :url => (request_uri || 'http://areallylongdomainexample.com') )
@@ -184,11 +185,33 @@ module SecureHeaders
       end
       context "when using a nonce" do
-        it "adds a nonce and unsafe-inline to the script-src value" do
+        it "adds a nonce and unsafe-inline to the script-src value when using chrome" do
           header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "self nonce"), :request => request_for(CHROME))
           expect(header.value).to include("script-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline'")
         end
+        it "adds a nonce and unsafe-inline to the script-src value when using firefox" do
+          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "self nonce"), :request => request_for(FIREFOX))
+          expect(header.value).to include("script-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline'")
+        end
+        it "adds a nonce and unsafe-inline to the script-src value when using opera" do
+          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "self nonce"), :request => request_for(OPERA))
+          expect(header.value).to include("script-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline'")
+        end
+        it "does not add a nonce and unsafe-inline to the script-src value when using Safari" do
+          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "self nonce"), :request => request_for(SAFARI))
+          expect(header.value).to include("script-src 'self' 'unsafe-inline'")
+          expect(header.value).not_to include("nonce")
+        end
+        it "does not add a nonce and unsafe-inline to the script-src value when using IE" do
+          header = ContentSecurityPolicy.new(default_opts.merge(:script_src => "self nonce"), :request => request_for(IE))
+          expect(header.value).to include("script-src 'self' 'unsafe-inline'")
+          expect(header.value).not_to include("nonce")
+        end
         it "adds a nonce and unsafe-inline to the style-src value" do
           header = ContentSecurityPolicy.new(default_opts.merge(:style_src => "self nonce"), :request => request_for(CHROME))
           expect(header.value).to include("style-src 'self' 'nonce-#{header.nonce}' 'unsafe-inline'")

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 2.2.0
+  version: 2.2.1
 platform: ruby
 authors:
 - Neil Matatall
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-06-18 00:00:00.000000000 Z
+date: 2015-06-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -24,6 +24,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: user_agent_parser
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Security related headers all in one gem.
 email:
 - neil.matatall@gmail.com