secure_headers 3.1.1 → 3.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of secure_headers might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -0
- data/lib/secure_headers/configuration.rb +8 -0
- data/secure_headers.gemspec +1 -1
- data/spec/lib/secure_headers/configuration_spec.rb +8 -0
- data/spec/lib/secure_headers_spec.rb +18 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 3ebe74bc751469bb4305dd36b59fe4881a87ec3d
|
|
4
|
+
data.tar.gz: 83fed6de7e4cab010cab6010caa0ba005ac43fc7
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: bd02880ba737a5a9489dd6e8209420259fec8d78330f5992e7b34f61ebe16677a93ff123dd3b417f6973bfcd85e03524b053bcd1487458492aa4c7b8a7a9bb40
|
|
7
|
+
data.tar.gz: 550c48cfd47e656e70dd3ab39ed6386b8d148231d55a553395da6076bc88bdaaa7fe1803695b093cf3e4fd49cb30bed0aff15a2455652efd00d7a27d9ce55636
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,9 @@
|
|
|
1
|
+
## 3.1.2 Bug fix for regression
|
|
2
|
+
|
|
3
|
+
See https://github.com/twitter/secureheaders/pull/239
|
|
4
|
+
|
|
5
|
+
This meant that when header caches were regenerated upon calling `SecureHeaders.override(:name)` and using it with `use_secure_headers_override` would result in default values for anything other than CSP/HPKP.
|
|
6
|
+
|
|
1
7
|
## 3.1.1 Bug fix for regression
|
|
2
8
|
|
|
3
9
|
See https://github.com/twitter/secureheaders/pull/235
|
|
@@ -121,6 +121,13 @@ module SecureHeaders
|
|
|
121
121
|
copy.csp = self.class.send(:deep_copy_if_hash, @csp)
|
|
122
122
|
copy.dynamic_csp = self.class.send(:deep_copy_if_hash, @dynamic_csp)
|
|
123
123
|
copy.cached_headers = self.class.send(:deep_copy_if_hash, @cached_headers)
|
|
124
|
+
copy.x_content_type_options = @x_content_type_options
|
|
125
|
+
copy.hsts = @hsts
|
|
126
|
+
copy.x_frame_options = @x_frame_options
|
|
127
|
+
copy.x_xss_protection = @x_xss_protection
|
|
128
|
+
copy.x_download_options = @x_download_options
|
|
129
|
+
copy.x_permitted_cross_domain_policies = @x_permitted_cross_domain_policies
|
|
130
|
+
copy.hpkp = @hpkp
|
|
124
131
|
copy
|
|
125
132
|
end
|
|
126
133
|
|
|
@@ -133,6 +140,7 @@ module SecureHeaders
|
|
|
133
140
|
end
|
|
134
141
|
|
|
135
142
|
def update_x_frame_options(value)
|
|
143
|
+
@x_frame_options = value
|
|
136
144
|
self.cached_headers[XFrameOptions::CONFIG_KEY] = XFrameOptions.make_header(value)
|
|
137
145
|
end
|
|
138
146
|
|
data/secure_headers.gemspec
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# -*- encoding: utf-8 -*-
|
|
2
2
|
Gem::Specification.new do |gem|
|
|
3
3
|
gem.name = "secure_headers"
|
|
4
|
-
gem.version = "3.1.
|
|
4
|
+
gem.version = "3.1.2"
|
|
5
5
|
gem.authors = ["Neil Matatall"]
|
|
6
6
|
gem.email = ["neil.matatall@gmail.com"]
|
|
7
7
|
gem.description = 'Security related headers all in one gem.'
|
|
@@ -41,6 +41,14 @@ module SecureHeaders
|
|
|
41
41
|
end
|
|
42
42
|
end
|
|
43
43
|
|
|
44
|
+
it "regenerates cached headers when building an override" do
|
|
45
|
+
Configuration.override(:test_override) do |config|
|
|
46
|
+
config.x_content_type_options = OPT_OUT
|
|
47
|
+
end
|
|
48
|
+
|
|
49
|
+
expect(Configuration.get.cached_headers).to_not eq(Configuration.get(:test_override).cached_headers)
|
|
50
|
+
end
|
|
51
|
+
|
|
44
52
|
it "stores an override of the global config" do
|
|
45
53
|
Configuration.override(:test_override) do |config|
|
|
46
54
|
config.x_frame_options = "DENY"
|
|
@@ -21,7 +21,7 @@ module SecureHeaders
|
|
|
21
21
|
end
|
|
22
22
|
|
|
23
23
|
describe "#header_hash_for" do
|
|
24
|
-
it "allows you to opt out of individual headers" do
|
|
24
|
+
it "allows you to opt out of individual headers via API" do
|
|
25
25
|
Configuration.default
|
|
26
26
|
SecureHeaders.opt_out_of_header(request, CSP::CONFIG_KEY)
|
|
27
27
|
SecureHeaders.opt_out_of_header(request, XContentTypeOptions::CONFIG_KEY)
|
|
@@ -31,6 +31,23 @@ module SecureHeaders
|
|
|
31
31
|
expect(hash['X-Content-Type-Options']).to be_nil
|
|
32
32
|
end
|
|
33
33
|
|
|
34
|
+
it "Carries options over when using overrides" do
|
|
35
|
+
Configuration.default do |config|
|
|
36
|
+
config.x_download_options = OPT_OUT
|
|
37
|
+
config.x_permitted_cross_domain_policies = OPT_OUT
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
Configuration.override(:api) do |config|
|
|
41
|
+
config.x_frame_options = OPT_OUT
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
SecureHeaders.use_secure_headers_override(request, :api)
|
|
45
|
+
hash = SecureHeaders.header_hash_for(request)
|
|
46
|
+
expect(hash['X-Download-Options']).to be_nil
|
|
47
|
+
expect(hash['X-Permitted-Cross-Domain-Policies']).to be_nil
|
|
48
|
+
expect(hash['X-Frame-Options']).to be_nil
|
|
49
|
+
end
|
|
50
|
+
|
|
34
51
|
it "allows you to opt out entirely" do
|
|
35
52
|
Configuration.default
|
|
36
53
|
SecureHeaders.opt_out_of_all_protection(request)
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.1.
|
|
4
|
+
version: 3.1.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-03-
|
|
11
|
+
date: 2016-03-30 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|