secure_headers 3.0.1 → 3.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 208059fe9a87ae245d5e89de656e6e5065a7b146
-  data.tar.gz: 61befbceb8d4fd119abf6a3913829f15a328054c
+  metadata.gz: 38f8848bc8ed124b3cf8a37194bb521f780a35f9
+  data.tar.gz: 62c0b9f67c175c1492ef29a5be347f19a37f84e4
 SHA512:
-  metadata.gz: 828c2b59608e98e470e8a1b1bf11f272897d7db47443c79057f37775d7fa866679bc2d77da4a8b8a88d3135732fa01bc2b1d2f0a8b29afb07dc6c450cc0fd436
-  data.tar.gz: 2caac270328075254de8940840dce7b2573302c534f3533ec6566765a66a4a3546f9d52be972945cf28c8dad3ca6d7fb7d2044af4bc28f0b646041841017627f
+  metadata.gz: ff5d974553272fbe6aba27b4d1f2b005c7d6a6493475bc94ce73535b2fbd19b87d9cb6ddf17a03d814ce59b9f3170511cc531d8b1e8d83bdb8bf6d3bed4a6cfe
+  data.tar.gz: d254d604fdb85af4727d25c2229d7b8f7bbc950e947a75e71c1b94ca1b79cbbcea96549ec29ee832ac63ea94eed779de2e85e12b3a9fcce09bc58193d948ffe9

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 3.0.2
+
+Bug fix for handling CSP configs that supply a frozen hash. If a directive value is `nil`, then appending to a config with a frozen hash would cause an error since we're trying to modify a frozen hash. See https://github.com/twitter/secureheaders/pull/223.
+
 ## 3.0.1
 
 Adds `upgrade-insecure-requests` support for requests from Firefox and Chrome (and Opera). See [the spec](https://www.w3.org/TR/upgrade-insecure-requests/) for details.

data/lib/secure_headers/headers/content_security_policy.rb

@@ -210,6 +210,8 @@ module SecureHeaders
           raise ContentSecurityPolicyConfigError.new("Attempted to override an opt-out CSP config.")
         end
 
+        original = original.dup if original.frozen?
+
         # in case we would be appending to an empty directive, fill it with the default-src value
         additions.keys.each do |directive|
           unless original[directive] || !source_list?(directive)

data/secure_headers.gemspec

@@ -1,7 +1,7 @@
 # -*- encoding: utf-8 -*-
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "3.0.1"
+  gem.version       = "3.0.2"
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
   gem.description   = 'Security related headers all in one gem.'

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -117,6 +117,17 @@ module SecureHeaders
         expect(csp.value).to eq("default-src https:; script-src https: anothercdn.com")
       end
 
+      it "combines directives where the original value is nil and the hash is frozen" do
+        Configuration.default do |config|
+          config.csp = {
+            default_src: %w('self'),
+            report_only: false
+          }.freeze
+        end
+        combined_config = CSP.combine_policies(Configuration.get.csp, report_uri: %w(https://report-uri.io/asdf))
+        expect(combined_config[:report_uri]).to_not be_nil
+      end
+
       it "overrides the report_only flag" do
         Configuration.default do |config|
           config.csp = {

data/upgrading-to-3-0.md

@@ -20,6 +20,7 @@ Migrating to 3.x from <= 2.x
 1. Convert all instances of `self`/`none`/`eval`/`inline` to the corresponding values in the above table.
 1. Convert all CSP space-delimited directives to an array of strings.
 1. Convert all `enforce: true|false` to `report_only: true|false`. 
+1. Remove `ensure_security_headers` from controllers (3.x uses a middleware instead).
 
 Everything is terrible, why should I upgrade?
 ==

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 3.0.1
+  version: 3.0.2
 platform: ruby
 authors:
 - Neil Matatall
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-02-26 00:00:00.000000000 Z
+date: 2016-02-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake