secure_headers 3.0.0.pre → 3.0.0.pre1
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 54b745f9955363c185766acb0a39ebf913a88151
|
4
|
+
data.tar.gz: 315ec9e43586e58f76c359b51c9ed3cdc83eb51e
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 6842017c4fe05a04c391f8fb447fb524b77ec8577348b5f44c062a772565a32032a71801529ed24e918570a1b55defb4a273240c9c6edbfcd9eb222836c95428
|
7
|
+
data.tar.gz: c54f33d09186b27857246371a0af1a3d4f7699dc0d0796b532255aa0513c848810570271a78263b59f57a510fb00a9529b3454ddddea7a118dad088b574ff188
|
@@ -13,6 +13,7 @@ module SecureHeaders
|
|
13
13
|
REPORT_ONLY = "Content-Security-Policy-Report-Only".freeze
|
14
14
|
HEADER_NAMES = [HEADER_NAME, REPORT_ONLY]
|
15
15
|
DATA_PROTOCOL = "data:".freeze
|
16
|
+
BLOB_PROTOCOL = "blob:".freeze
|
16
17
|
SELF = "'self'".freeze
|
17
18
|
NONE = "'none'".freeze
|
18
19
|
STAR = "*".freeze
|
@@ -141,7 +142,9 @@ module SecureHeaders
|
|
141
142
|
WILDCARD_SOURCES = [
|
142
143
|
UNSAFE_EVAL,
|
143
144
|
UNSAFE_INLINE,
|
144
|
-
STAR
|
145
|
+
STAR,
|
146
|
+
DATA_PROTOCOL,
|
147
|
+
BLOB_PROTOCOL
|
145
148
|
]
|
146
149
|
|
147
150
|
class << self
|
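Review bot: Adding `DATA_PROTOCOL` and `BLOB_PROTOCOL` to `WILDCARD_SOURCES` is the right direction, since in CSP source-expression matching `*` does not cover `data:`, `blob:` or `filesystem:` scheme sources, but the third scheme is missing from the list, so a configuration naming `filesystem:` together with `*` would presumably still be minified away and the emitted policy would be narrower than what was configured. If the gem intends to support it, a `FILESYSTEM_PROTOCOL = "filesystem:".freeze` constant next to `BLOB_PROTOCOL` and an entry in `WILDCARD_SOURCES` would complete the set. The constant also deserves a why-comment, since the name suggests "sources as broad as *" rather than "sources that * does not match": `# Kept alongside * because CSP's * does not match data:/blob: scheme sources.`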
@@ -243,11 +246,11 @@ module SecureHeaders
|
|
243
246
|
# Does not validate the invididual values of the source expression (e.g.
|
244
247
|
# script_src => h*t*t*p: will not raise an exception)
|
245
248
|
def validate_source_expression!(key, value)
|
246
|
-
# source expressions
|
247
249
|
unless ContentSecurityPolicy::ALL_DIRECTIVES.include?(key)
|
248
250
|
raise ContentSecurityPolicyConfigError.new("Unknown directive #{key}")
|
249
251
|
end
|
250
|
-
|
252
|
+
|
253
|
+
unless value.is_a?(Array) && value.compact.all? { |v| v.is_a?(String) }
|
251
254
|
raise ContentSecurityPolicyConfigError.new("#{key} must be an array of strings")
|
252
255
|
end
|
253
256
|
|
@@ -317,7 +320,7 @@ module SecureHeaders
|
|
317
320
|
else
|
318
321
|
build_directive(directive_name)
|
319
322
|
end
|
320
|
-
end.join("; ")
|
323
|
+
end.compact.join("; ")
|
321
324
|
end
|
322
325
|
|
323
326
|
# Private: builds a string that represents one directive in a minified form.
|
@@ -330,6 +333,7 @@ module SecureHeaders
|
|
330
333
|
# Returns a string representing a directive.
|
331
334
|
def build_directive(directive_name)
|
332
335
|
source_list = @config[directive_name].compact
|
336
|
+
return if source_list.empty?
|
333
337
|
|
334
338
|
value = if source_list.include?(STAR)
|
335
339
|
# Discard trailing entries (excluding unsafe-*) since * accomplishes the same.
|
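Review bot: `return if source_list.empty?` in `build_directive`, combined with `end.compact.join("; ")` in the hunk above, silently omits any directive whose configured sources are all nil, and that includes `default-src`, the fallback for every fetch directive that is not set explicitly. A config such as `default_src: [nil]` would therefore produce a policy with no `default-src` (or an empty header value when nothing else is configured), which is wider than the author probably intended and is not covered by the new specs, which only exercise `script_src: [nil]`. Consider rejecting an empty or all-nil `default_src` in validation, or at least documenting the behaviour on `build_directive`: `# Returns nil when every configured source is nil; the caller drops the directive from the header.` The method containing the `end.compact.join` line starts outside this hunk, so whether `default_src` is guaranteed non-empty elsewhere cannot be confirmed from this view.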
data/secure_headers.gemspec
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
# -*- encoding: utf-8 -*-
|
2
2
|
Gem::Specification.new do |gem|
|
3
3
|
gem.name = "secure_headers"
|
4
|
-
gem.version = "3.0.0.
|
4
|
+
gem.version = "3.0.0.pre1"
|
5
5
|
gem.authors = ["Neil Matatall"]
|
6
6
|
gem.email = ["neil.matatall@gmail.com"]
|
7
7
|
gem.description = 'Security related headers all in one gem.'
|
@@ -47,6 +47,12 @@ module SecureHeaders
|
|
47
47
|
end.to raise_error(ContentSecurityPolicyConfigError)
|
48
48
|
end
|
49
49
|
|
50
|
+
it "allows nil values" do
|
51
|
+
expect do
|
52
|
+
CSP.validate_config!(default_src: %w('self'), script_src: ["https:", nil])
|
53
|
+
end.to_not raise_error
|
54
|
+
end
|
55
|
+
|
50
56
|
it "rejects unknown directives / config" do
|
51
57
|
expect do
|
52
58
|
CSP.validate_config!(default_src: %w('self'), default_src_totally_mispelled: "steve")
|
@@ -109,9 +115,9 @@ module SecureHeaders
|
|
109
115
|
expect(csp.value).not_to include("'none'")
|
110
116
|
end
|
111
117
|
|
112
|
-
it "discards source expressions besides unsafe-*
|
113
|
-
csp = ContentSecurityPolicy.new(default_src: %w(* 'unsafe-inline' 'unsafe-eval' http: https: example.org))
|
114
|
-
expect(csp.value).to eq("default-src * 'unsafe-inline' 'unsafe-eval'")
|
118
|
+
it "discards source expressions (besides unsafe-* and non-host source values) when * is present" do
|
119
|
+
csp = ContentSecurityPolicy.new(default_src: %w(* 'unsafe-inline' 'unsafe-eval' http: https: example.org data: blob:))
|
120
|
+
expect(csp.value).to eq("default-src * 'unsafe-inline' 'unsafe-eval' data: blob:")
|
115
121
|
end
|
116
122
|
|
117
123
|
it "minifies source expressions based on overlapping wildcards" do
|
@@ -137,6 +143,11 @@ module SecureHeaders
|
|
137
143
|
expect(csp.value).to eq("default-src example.org")
|
138
144
|
end
|
139
145
|
|
146
|
+
it "does not add a directive if the value is an empty array (or all nil)" do
|
147
|
+
csp = ContentSecurityPolicy.new(default_src: ["https://example.org"], script_src: [nil])
|
148
|
+
expect(csp.value).to eq("default-src example.org")
|
149
|
+
end
|
150
|
+
|
140
151
|
it "deduplicates any source expressions" do
|
141
152
|
csp = ContentSecurityPolicy.new(default_src: %w(example.org example.org example.org))
|
142
153
|
expect(csp.value).to eq("default-src example.org")
|