secure_headers 2.4.4 → 2.5.0
- checksums.yaml +4 -4
- data/.travis.yml +1 -0
- data/Gemfile +1 -0
- data/Guardfile +12 -0
- data/lib/secure_headers/headers/content_security_policy.rb +13 -4
- data/lib/secure_headers/headers/strict_transport_security.rb +1 -0
- data/lib/secure_headers/headers/x_content_type_options.rb +1 -0
- data/lib/secure_headers/headers/x_download_options.rb +1 -0
- data/lib/secure_headers/headers/x_frame_options.rb +1 -0
- data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +1 -0
- data/lib/secure_headers/headers/x_xss_protection.rb +1 -0
- data/lib/secure_headers/version.rb +1 -1
- data/lib/secure_headers.rb +8 -1
- data/secure_headers.gemspec +1 -0
- data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +2 -0
- data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +2 -0
- data/spec/lib/secure_headers_spec.rb +5 -5
- metadata +7 -3
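--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 36b98616c83ec1049b8f1bcc25671738da8d8bed
+data.tar.gz: 730108ec10da36aeeb59049e88122a99987d1dcc
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 854d9e8c9de09d5515dad3449726b4b2308b8a25b5dc702ed80da47fd3f94f983119531a4089877b215ee07dccfa8fec2766107891b018bcca376ec16ed95e8f
+data.tar.gz: f0ec419ac593cdeb556dc852d6e2a3b8f5fcfe83c07b34ac8392fcb912004bbe1117ea9e473c068230a38c44c96a5e036dfde630ae5e7397203c9aed8babd741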
data/.travis.yml
CHANGED
data/Gemfile
CHANGED
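--- a/data/Guardfile
+++ b/data/Guardfile
@@ -0,0 +1,12 @@
+guard :rspec, cmd: "bundle exec rspec", all_on_start: true, all_after_pass: true do
+require "guard/rspec/dsl"
+dsl = Guard::RSpec::Dsl.new(self)
+
+# RSpec files
+rspec = dsl.rspec
+watch(rspec.spec_helper) { rspec.spec_dir }
+watch(rspec.spec_support) { rspec.spec_dir }
+watch(rspec.spec_files)
+
+watch(%r{^lib/(.+)\.rb$}) { |m| "spec/lib/#{m[1]}_spec.rb" }
+end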
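Review bot: The new Guardfile is development-only tooling, yet this release's gem metadata `files:` list gains `- Guardfile` alongside `.travis.yml` and `.ruby-version`, so it is shipped inside the published artifact; that presumably means `gem.files` in the gemspec is built from `git ls-files` or similar without a dev-file exclusion (the `files` line itself is not in this diff, so confirm). Shipping unneeded files is harmless to runtime but widens what an installer trusts and audits; a one-line exclusion such as `gem.files = \`git ls-files\`.split("\n") - %w[Guardfile .travis.yml .ruby-version]` keeps the gem to what users need. The guard block itself is fine as written.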
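--- a/data/lib/secure_headers/headers/content_security_policy.rb
+++ b/data/lib/secure_headers/headers/content_security_policy.rb
@@ -137,9 +137,18 @@ module SecureHeaders
 
 # Config values can be string, array, or lamdba values
 @config = config.inject({}) do |hash, (key, value)|
-config_val = value.respond_to?(:call)
+config_val = if value.respond_to?(:call)
+warn "[DEPRECATION] secure_headers 3.x will not support procs as config values."
+value.call(@controller)
+else
+value
+end
+
 if ALL_DIRECTIVES.include?(key.to_sym) # directives need to be normalized to arrays of strings
-
+if config_val.is_a? String
+warn "[DEPRECATION] A String was supplied for directive #{key}. secure_headers 3.x will require all directives to be arrays of strings."
+config_val = config_val.split
+end
 if config_val.is_a?(Array)
 config_val = config_val.map do |val|
 translate_dir_value(val)
@@ -258,10 +267,10 @@ module SecureHeaders
 
 def translate_dir_value val
 if %w{inline eval}.include?(val)
-warn "[DEPRECATION] using inline/eval
+warn "[DEPRECATION] using inline/eval is not suppored in secure_headers 3.x. Instead use 'unsafe-inline'/'unsafe-eval' instead."
 val == 'inline' ? "'unsafe-inline'" : "'unsafe-eval'"
 elsif %{self none}.include?(val)
-warn "[DEPRECATION] using self/none
+warn "[DEPRECATION] using self/none is not suppored in secure_headers 3.x. Instead use 'self'/'none' instead."
 "'#{val}'"
 elsif val == 'nonce'
 if supports_nonces?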
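--- a/data/lib/secure_headers/headers/strict_transport_security.rb
+++ b/data/lib/secure_headers/headers/strict_transport_security.rb
@@ -41,6 +41,7 @@ module SecureHeaders
 
 def validate_config
 if @config.is_a? Hash
+warn "[DEPRECATION] secure_headers 3.0 will only accept string values for StrictTransportSecurity config"
 if !@config[:max_age]
 raise STSBuildError.new("No max-age was supplied.")
 elsif @config[:max_age].to_s !~ /\A\d+\z/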
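--- a/data/lib/secure_headers/headers/x_xss_protection.rb
+++ b/data/lib/secure_headers/headers/x_xss_protection.rb
@@ -25,6 +25,7 @@ module SecureHeaders
 when String
 @config
 else
+warn "[DEPRECATION] secure_headers 3.0 will only accept string values for XXssProtection config"
 value = @config[:value].to_s
 value += "; mode=#{@config[:mode]}" if @config[:mode]
 value += "; report=#{@config[:report_uri]}" if @config[:report_uri]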
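--- a/data/lib/secure_headers.rb
+++ b/data/lib/secure_headers.rb
@@ -33,12 +33,18 @@ module SecureHeaders
 :x_xss_protection, :csp, :x_download_options, :script_hashes,
 :x_permitted_cross_domain_policies, :hpkp
 
-
+# For preparation for the secure_headers 3.x change.
+def default &block
 instance_eval &block
 if File.exists?(SCRIPT_HASH_CONFIG_FILE)
 ::SecureHeaders::Configuration.script_hashes = YAML.load(File.open(SCRIPT_HASH_CONFIG_FILE))
 end
 end
+
+def configure &block
+warn "[DEPRECATION] `configure` is removed in secure_headers 3.x. Instead use `default`."
+default &block
+end
 end
 end
 
@@ -206,6 +212,7 @@ module SecureHeaders
 # we can't use ||= because I'm overloading false => disable, nil => default
 # both of which trigger the conditional assignment
 def secure_header_options_for(type, options)
+warn "[DEPRECATION] secure_header_options_for will not be supported in secure_headers 3.x."
 options.nil? ? ::SecureHeaders::Configuration.send(type) : options
 end
 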
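Review bot: `YAML.load(File.open(SCRIPT_HASH_CONFIG_FILE))` inside the renamed `default` method opens the file with no block and never closes it, so the descriptor lingers until GC, and on the Psych versions shipping with 2016-era Rubies `YAML.load` will instantiate arbitrary tagged Ruby objects from that file, which a script-hash list (presumably strings and arrays written by the gem's own rake task — confirm) does not need. `::SecureHeaders::Configuration.script_hashes = YAML.safe_load(File.read(SCRIPT_HASH_CONFIG_FILE))` fixes both; `File.exists?` on the line above is also the deprecated spelling and should be `File.exist?`. The `warn` added to `secure_header_options_for` in the second hunk goes to stderr through Kernel#warn rather than the application logger and will fire on every call, so it is worth emitting once or routing through the app's logger if one is available. The `instance_eval &block` line is pre-existing but still carries the ambiguous-`&` parse; `instance_eval(&block)` silences that warning.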
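--- a/data/secure_headers.gemspec
+++ b/data/secure_headers.gemspec
@@ -20,4 +20,5 @@ Gem::Specification.new do |gem|
 gem.require_paths = ["lib"]
 gem.add_development_dependency "rake"
 gem.add_dependency "user_agent_parser"
+gem.post_install_message = "[DEPRECATION] Development has stopped on the 2.x line of secure_headers. It will be maintained, but new features will be added to the 3.x branch. A lot has changed in secure_headers 3.x. A migration guide can be found in the documentation: https://github.com/twitter/secureheaders/blob/master/upgrading-to-3-0.md."
 end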
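--- a/data/spec/lib/secure_headers_spec.rb
+++ b/data/spec/lib/secure_headers_spec.rb
@@ -20,7 +20,7 @@ describe SecureHeaders do
 end
 
 def reset_config
-::SecureHeaders::Configuration.
+::SecureHeaders::Configuration.default do |config|
 config.hpkp = nil
 config.hsts = nil
 config.x_frame_options = nil
@@ -139,7 +139,7 @@ describe SecureHeaders do
 
 context "when disabled by configuration settings" do
 it "does not set any headers when disabled" do
-::SecureHeaders::Configuration.
+::SecureHeaders::Configuration.default do |config|
 config.hsts = false
 config.hpkp = false
 config.x_frame_options = false
@@ -179,7 +179,7 @@ describe SecureHeaders do
 end
 
 it "allows opting out with config" do
-::SecureHeaders::Configuration.
+::SecureHeaders::Configuration.default do |config|
 config.hsts = false
 config.csp = false
 end
@@ -190,7 +190,7 @@ describe SecureHeaders do
 end
 
 it "produces a hash with a mix of config values, override values, and default values" do
-::SecureHeaders::Configuration.
+::SecureHeaders::Configuration.default do |config|
 config.hsts = { :max_age => '123456'}
 config.hpkp = {
 :enforce => true,
@@ -205,7 +205,7 @@ describe SecureHeaders do
 end
 
 hash = SecureHeaders::header_hash(:csp => {:default_src => "'none'", :img_src => "data:"})
-::SecureHeaders::Configuration.
+::SecureHeaders::Configuration.default do |config|
 config.hsts = nil
 config.hpkp = nil
 end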
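--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-version: 2.
+version: 2.5.0
 platform: ruby
 authors:
 - Neil Matatall
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2016-01-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rake
@@ -50,6 +50,7 @@ files:
 - ".ruby-version"
 - ".travis.yml"
 - Gemfile
+- Guardfile
 - LICENSE
 - README.md
 - Rakefile
@@ -170,7 +171,10 @@ homepage: https://github.com/twitter/secureheaders
 licenses:
 - Apache Public License 2.0
 metadata: {}
-post_install_message:
+post_install_message: "[DEPRECATION] Development has stopped on the 2.x line of secure_headers.
+It will be maintained, but new features will be added to the 3.x branch. A lot has
+changed in secure_headers 3.x. A migration guide can be found in the documentation:
+https://github.com/twitter/secureheaders/blob/master/upgrading-to-3-0.md."
 rdoc_options: []
 require_paths:
 - lib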