RubyGems - secure_headers - Versions diffs - 2.2.1 → 2.2.2 - Mend

secure_headers 2.2.1 → 2.2.2

Potentially problematic release.

This version of secure_headers might be problematic. Click here for more details.

Files changed (11) hide show

checksums.yaml +4 -4
data/Gemfile +1 -1
data/README.md +1 -1
data/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb +14 -0
data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb +7 -1
data/fixtures/rails_4_1_8/app/controllers/other_things_controller.rb +1 -1
data/lib/secure_headers/version.rb +1 -1
data/lib/secure_headers.rb +10 -9
data/secure_headers.gemspec +0 -1
data/spec/spec_helper.rb +4 -1
metadata +3 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 8505e6e7242a976db378e97869dd8690e49fbe54
-  data.tar.gz: 32b1d9c752c03f66987f007c41c795c7f57d8e6a
+  metadata.gz: 288faa28dbfd3d98051878c6a14de550cad278c8
+  data.tar.gz: 8a0fb29d2d522ecbfefba832c85fd3a5db5de750
 SHA512:
-  metadata.gz: 989eaa8a180a9d8f5172305eb2d0cb6df13e37a8ba49587c8d1596f8cd4864838982b127a9a26e74d441fd0236cd165b9299bf8206fa32ebfcd4d05d234b55a5
-  data.tar.gz: 7437baa6edae3a38c3f5023b8a94cc58aa563b9aed732db10767b7996eaaf53f5b2f7af6d872ad0775ce7a02e547353238d36a118bb3b6f3e734e6ed37d75dd7
+  metadata.gz: 5cd42475a992e0491c9e503f0c1a236e61ea1e17d7fd972c5178bc58aa2ff5f7e9dab92a0f008e6c61c25478f23317f5c420807db97589ae1c00a85c6c7c5555
+  data.tar.gz: 09c1c571b5c1efd70ea02206403d84b5d85498b323b255f7901f6daf8196f6c922cdae4eea2d73b8c1e74be98b3efce9db53670c477009367b55aeb4be3fa5cf

data/Gemfile CHANGED Viewed

@@ -10,6 +10,6 @@ group :test do
   gem 'rspec', '>= 3.1'
   gem 'growl'
   gem 'rb-fsevent'
-  gem 'coveralls', :platforms => [:ruby_19]
+  gem 'coveralls', :platforms => [:ruby_19, :ruby_20, :ruby_21, :ruby_21]
   gem 'i18n', '< 0.7.0', :platforms => [:ruby_18]
 end

data/README.md CHANGED Viewed

@@ -49,7 +49,7 @@ This gem makes a few assumptions about how you will use some features.  For exam
   config.x_permitted_cross_domain_policies = 'none'
   config.csp = {
     :default_src => "https: self",
-    :enforce => proc {|controller| contoller.current_user.enforce_csp? }
+    :enforce => proc {|controller| contoller.current_user.enforce_csp? },
     :frame_src => "https: http:.twimg.com http://itunes.apple.com",
     :img_src => "https:",
     :report_uri => '//example.com/uri-directive'

data/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb CHANGED Viewed

@@ -3,4 +3,18 @@ class OtherThingsController < ApplicationController
   def index
   end
+  def other_action
+    render :text => 'yooooo'
+  end
+  def secure_header_options_for(header, options)
+    if params[:action] == "other_action"
+      if header == :csp
+        options.merge(:style_src => 'self')
+      end
+    else
+      options
+    end
+  end
 end

data/fixtures/rails_3_2_12_no_init/spec/controllers/other_things_controller_spec.rb CHANGED Viewed

@@ -12,11 +12,17 @@ describe OtherThingsController, :type => :controller do
       expect(response.headers['X-Frame-Options']).to eq(SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
     end
-    it "sets the X-WebKit-CSP header" do
+    it "sets the CSP header" do
       get :index
       expect(response.headers['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; img-src 'self' data:;")
     end
+    it "sets per-action values based on secure_header_options_for" do
+      # munges :style_src => self into policy
+      get :other_action
+      expect(response.headers['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; img-src 'self' data:; style-src 'self';")
+    end
     #mock ssl
     it "sets the Strict-Transport-Security header" do
       request.env['HTTPS'] = 'on'

data/fixtures/rails_4_1_8/app/controllers/other_things_controller.rb CHANGED Viewed

@@ -2,4 +2,4 @@ class OtherThingsController < ApplicationController
   def index
   end
-end
+end

data/lib/secure_headers/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module SecureHeaders
-  VERSION = "2.2.1"
+  VERSION = "2.2.2"
 end

data/lib/secure_headers.rb CHANGED Viewed

@@ -50,12 +50,6 @@ module SecureHeaders
       before_filter :set_x_download_options_header
       before_filter :set_x_permitted_cross_domain_policies_header
     end
-    # we can't use ||= because I'm overloading false => disable, nil => default
-    # both of which trigger the conditional assignment
-    def options_for(type, options)
-      options.nil? ? ::SecureHeaders::Configuration.send(type) : options
-    end
   end
   module InstanceMethods
@@ -80,7 +74,7 @@ module SecureHeaders
       end
       config = self.class.secure_headers_options[:csp] if config.nil?
-      config = self.class.options_for :csp, config
+      config = secure_header_options_for :csp, config
       return if config == false
@@ -140,7 +134,7 @@ module SecureHeaders
     def set_hpkp_header(options=self.class.secure_headers_options[:hpkp])
       return unless request.ssl?
-      config = self.class.options_for :hpkp, options
+      config = secure_header_options_for :hpkp, options
       return if config == false || config.nil?
@@ -158,8 +152,15 @@ module SecureHeaders
     private
+    # we can't use ||= because I'm overloading false => disable, nil => default
+    # both of which trigger the conditional assignment
+    def secure_header_options_for(type, options)
+      options.nil? ? ::SecureHeaders::Configuration.send(type) : options
+    end
     def set_a_header(name, klass, options=nil)
-      options = self.class.options_for name, options
+      options = secure_header_options_for name, options
       return if options == false
       header = klass.new(options)

data/secure_headers.gemspec CHANGED Viewed

@@ -20,5 +20,4 @@ Gem::Specification.new do |gem|
   gem.require_paths = ["lib"]
   gem.add_development_dependency "rake"
   gem.add_dependency "user_agent_parser"
-  gem.post_install_message = "Warning: lambda config values will be broken until you add |controller|. e.g. :enforce => lambda { |controller| some_expression }"
 end

data/spec/spec_helper.rb CHANGED Viewed

@@ -3,8 +3,11 @@ require 'rspec'
 require File.join(File.dirname(__FILE__), '..', 'lib', 'secure_headers')
-if defined?(Coveralls)
+begin
+  require 'coveralls'
   Coveralls.wear!
+rescue LoadError
+  # damn you 1.8.7
 end
 include ::SecureHeaders::PublicKeyPins::Constants

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 2.2.1
+  version: 2.2.2
 platform: ruby
 authors:
 - Neil Matatall
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-06-24 00:00:00.000000000 Z
+date: 2015-07-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -170,8 +170,7 @@ homepage: https://github.com/twitter/secureheaders
 licenses:
 - Apache Public License 2.0
 metadata: {}
-post_install_message: 'Warning: lambda config values will be broken until you add
-  |controller|. e.g. :enforce => lambda { |controller| some_expression }'
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib