secure_headers 3.1.1 → 3.1.2
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of secure_headers might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -0
- data/lib/secure_headers/configuration.rb +8 -0
- data/secure_headers.gemspec +1 -1
- data/spec/lib/secure_headers/configuration_spec.rb +8 -0
- data/spec/lib/secure_headers_spec.rb +18 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 3ebe74bc751469bb4305dd36b59fe4881a87ec3d
|
|
4
|
+
data.tar.gz: 83fed6de7e4cab010cab6010caa0ba005ac43fc7
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: bd02880ba737a5a9489dd6e8209420259fec8d78330f5992e7b34f61ebe16677a93ff123dd3b417f6973bfcd85e03524b053bcd1487458492aa4c7b8a7a9bb40
|
|
7
|
+
data.tar.gz: 550c48cfd47e656e70dd3ab39ed6386b8d148231d55a553395da6076bc88bdaaa7fe1803695b093cf3e4fd49cb30bed0aff15a2455652efd00d7a27d9ce55636
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,9 @@
|
|
|
1
|
+
## 3.1.2 Bug fix for regression
|
|
2
|
+
|
|
3
|
+
See https://github.com/twitter/secureheaders/pull/239
|
|
4
|
+
|
|
5
|
+
This meant that when header caches were regenerated upon calling `SecureHeaders.override(:name)` and using it with `use_secure_headers_override` would result in default values for anything other than CSP/HPKP.
|
|
6
|
+
|
|
1
7
|
## 3.1.1 Bug fix for regression
|
|
2
8
|
|
|
3
9
|
See https://github.com/twitter/secureheaders/pull/235
|
|
@@ -121,6 +121,13 @@ module SecureHeaders
|
|
|
121
121
|
copy.csp = self.class.send(:deep_copy_if_hash, @csp)
|
|
122
122
|
copy.dynamic_csp = self.class.send(:deep_copy_if_hash, @dynamic_csp)
|
|
123
123
|
copy.cached_headers = self.class.send(:deep_copy_if_hash, @cached_headers)
|
|
124
|
+
copy.x_content_type_options = @x_content_type_options
|
|
125
|
+
copy.hsts = @hsts
|
|
126
|
+
copy.x_frame_options = @x_frame_options
|
|
127
|
+
copy.x_xss_protection = @x_xss_protection
|
|
128
|
+
copy.x_download_options = @x_download_options
|
|
129
|
+
copy.x_permitted_cross_domain_policies = @x_permitted_cross_domain_policies
|
|
130
|
+
copy.hpkp = @hpkp
|
|
124
131
|
copy
|
|
125
132
|
end
|
|
126
133
|
|
|
@@ -133,6 +140,7 @@ module SecureHeaders
|
|
|
133
140
|
end
|
|
134
141
|
|
|
135
142
|
def update_x_frame_options(value)
|
|
143
|
+
@x_frame_options = value
|
|
136
144
|
self.cached_headers[XFrameOptions::CONFIG_KEY] = XFrameOptions.make_header(value)
|
|
137
145
|
end
|
|
138
146
|
|
data/secure_headers.gemspec
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# -*- encoding: utf-8 -*-
|
|
2
2
|
Gem::Specification.new do |gem|
|
|
3
3
|
gem.name = "secure_headers"
|
|
4
|
-
gem.version = "3.1.
|
|
4
|
+
gem.version = "3.1.2"
|
|
5
5
|
gem.authors = ["Neil Matatall"]
|
|
6
6
|
gem.email = ["neil.matatall@gmail.com"]
|
|
7
7
|
gem.description = 'Security related headers all in one gem.'
|
|
@@ -41,6 +41,14 @@ module SecureHeaders
|
|
|
41
41
|
end
|
|
42
42
|
end
|
|
43
43
|
|
|
44
|
+
it "regenerates cached headers when building an override" do
|
|
45
|
+
Configuration.override(:test_override) do |config|
|
|
46
|
+
config.x_content_type_options = OPT_OUT
|
|
47
|
+
end
|
|
48
|
+
|
|
49
|
+
expect(Configuration.get.cached_headers).to_not eq(Configuration.get(:test_override).cached_headers)
|
|
50
|
+
end
|
|
51
|
+
|
|
44
52
|
it "stores an override of the global config" do
|
|
45
53
|
Configuration.override(:test_override) do |config|
|
|
46
54
|
config.x_frame_options = "DENY"
|
|
@@ -21,7 +21,7 @@ module SecureHeaders
|
|
|
21
21
|
end
|
|
22
22
|
|
|
23
23
|
describe "#header_hash_for" do
|
|
24
|
-
it "allows you to opt out of individual headers" do
|
|
24
|
+
it "allows you to opt out of individual headers via API" do
|
|
25
25
|
Configuration.default
|
|
26
26
|
SecureHeaders.opt_out_of_header(request, CSP::CONFIG_KEY)
|
|
27
27
|
SecureHeaders.opt_out_of_header(request, XContentTypeOptions::CONFIG_KEY)
|
|
@@ -31,6 +31,23 @@ module SecureHeaders
|
|
|
31
31
|
expect(hash['X-Content-Type-Options']).to be_nil
|
|
32
32
|
end
|
|
33
33
|
|
|
34
|
+
it "Carries options over when using overrides" do
|
|
35
|
+
Configuration.default do |config|
|
|
36
|
+
config.x_download_options = OPT_OUT
|
|
37
|
+
config.x_permitted_cross_domain_policies = OPT_OUT
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
Configuration.override(:api) do |config|
|
|
41
|
+
config.x_frame_options = OPT_OUT
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
SecureHeaders.use_secure_headers_override(request, :api)
|
|
45
|
+
hash = SecureHeaders.header_hash_for(request)
|
|
46
|
+
expect(hash['X-Download-Options']).to be_nil
|
|
47
|
+
expect(hash['X-Permitted-Cross-Domain-Policies']).to be_nil
|
|
48
|
+
expect(hash['X-Frame-Options']).to be_nil
|
|
49
|
+
end
|
|
50
|
+
|
|
34
51
|
it "allows you to opt out entirely" do
|
|
35
52
|
Configuration.default
|
|
36
53
|
SecureHeaders.opt_out_of_all_protection(request)
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.1.
|
|
4
|
+
version: 3.1.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-03-
|
|
11
|
+
date: 2016-03-30 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|