secure_headers 2.2.1 → 2.2.2
- checksums.yaml +4 -4
- data/Gemfile +1 -1
- data/README.md +1 -1
- data/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb +14 -0
- data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +7 -1
- data/fixtures/rails_4_1_8/app/controllers/other_things_controller.rb +1 -1
- data/lib/secure_headers/version.rb +1 -1
- data/lib/secure_headers.rb +10 -9
- data/secure_headers.gemspec +0 -1
- data/spec/spec_helper.rb +4 -1
- metadata +3 -4
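--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 288faa28dbfd3d98051878c6a14de550cad278c8
+data.tar.gz: 8a0fb29d2d522ecbfefba832c85fd3a5db5de750
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 5cd42475a992e0491c9e503f0c1a236e61ea1e17d7fd972c5178bc58aa2ff5f7e9dab92a0f008e6c61c25478f23317f5c420807db97589ae1c00a85c6c7c5555
+data.tar.gz: 09c1c571b5c1efd70ea02206403d84b5d85498b323b255f7901f6daf8196f6c922cdae4eea2d73b8c1e74be98b3efce9db53670c477009367b55aeb4be3fa5cf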
data/Gemfile
CHANGED
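--- a/data/README.md
+++ b/data/README.md
@@ -49,7 +49,7 @@ This gem makes a few assumptions about how you will use some features. For exam
 config.x_permitted_cross_domain_policies = 'none'
 config.csp = {
 :default_src => "https: self",
-:enforce => proc {|controller| contoller.current_user.enforce_csp? }
+:enforce => proc {|controller| contoller.current_user.enforce_csp? },
 :frame_src => "https: http:.twimg.com http://itunes.apple.com",
 :img_src => "https:",
 :report_uri => '//example.com/uri-directive'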
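--- a/data/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb
+++ b/data/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb
@@ -3,4 +3,18 @@ class OtherThingsController < ApplicationController
 def index
 
 end
+
+def other_action
+render :text => 'yooooo'
+end
+
+def secure_header_options_for(header, options)
+if params[:action] == "other_action"
+if header == :csp
+options.merge(:style_src => 'self')
+end
+else
+options
+end
+end
 end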
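--- a/data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb
+++ b/data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb
@@ -12,11 +12,17 @@ describe OtherThingsController, :type => :controller do
 expect(response.headers['X-Frame-Options']).to eq(SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
 end
 
-it "sets the
+it "sets the CSP header" do
 get :index
 expect(response.headers['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; img-src 'self' data:;")
 end
 
+it "sets per-action values based on secure_header_options_for" do
+# munges :style_src => self into policy
+get :other_action
+expect(response.headers['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; img-src 'self' data:; style-src 'self';")
+end
+
 #mock ssl
 it "sets the Strict-Transport-Security header" do
 request.env['HTTPS'] = 'on'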
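--- a/data/lib/secure_headers.rb
+++ b/data/lib/secure_headers.rb
@@ -50,12 +50,6 @@ module SecureHeaders
 before_filter :set_x_download_options_header
 before_filter :set_x_permitted_cross_domain_policies_header
 end
-
-# we can't use ||= because I'm overloading false => disable, nil => default
-# both of which trigger the conditional assignment
-def options_for(type, options)
-options.nil? ? ::SecureHeaders::Configuration.send(type) : options
-end
 end
 
 module InstanceMethods
@@ -80,7 +74,7 @@ module SecureHeaders
 end
 
 config = self.class.secure_headers_options[:csp] if config.nil?
-config =
+config = secure_header_options_for :csp, config
 
 return if config == false
 
@@ -140,7 +134,7 @@ module SecureHeaders
 
 def set_hpkp_header(options=self.class.secure_headers_options[:hpkp])
 return unless request.ssl?
-config =
+config = secure_header_options_for :hpkp, options
 
 return if config == false || config.nil?
 
@@ -158,8 +152,15 @@ module SecureHeaders
 
 private
 
+# we can't use ||= because I'm overloading false => disable, nil => default
+# both of which trigger the conditional assignment
+def secure_header_options_for(type, options)
+options.nil? ? ::SecureHeaders::Configuration.send(type) : options
+end
+
+
 def set_a_header(name, klass, options=nil)
-options =
+options = secure_header_options_for name, options
 return if options == false
 
 header = klass.new(options)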
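--- a/data/secure_headers.gemspec
+++ b/data/secure_headers.gemspec
@@ -20,5 +20,4 @@ Gem::Specification.new do |gem|
 gem.require_paths = ["lib"]
 gem.add_development_dependency "rake"
 gem.add_dependency "user_agent_parser"
-gem.post_install_message = "Warning: lambda config values will be broken until you add |controller|. e.g. :enforce => lambda { |controller| some_expression }"
 end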
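--- a/data/spec/spec_helper.rb
+++ b/data/spec/spec_helper.rb
@@ -3,8 +3,11 @@ require 'rspec'
 
 require File.join(File.dirname(__FILE__), '..', 'lib', 'secure_headers')
 
-
+begin
+require 'coveralls'
 Coveralls.wear!
+rescue LoadError
+# damn you 1.8.7
 end
 
 include ::SecureHeaders::PublicKeyPins::Constants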
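--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-version: 2.2.
+version: 2.2.2
 platform: ruby
 authors:
 - Neil Matatall
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-
+date: 2015-07-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rake
@@ -170,8 +170,7 @@ homepage: https://github.com/twitter/secureheaders
 licenses:
 - Apache Public License 2.0
 metadata: {}
-post_install_message:
-|controller|. e.g. :enforce => lambda { |controller| some_expression }'
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib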