secure_headers 3.3.0 → 3.3.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of secure_headers might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/README.md +11 -11
- data/lib/secure_headers/headers/content_security_policy.rb +1 -1
- data/lib/tasks/tasks.rake +1 -0
- data/secure_headers.gemspec +1 -1
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +10 -0
- data/upgrading-to-3-0.md +1 -0
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 81af1b59ac5a5a838557fb48a3b605c5202bcd8f
|
|
4
|
+
data.tar.gz: 5b5ecdf10eea6b5a8e224e6b1606c554105775c6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: e3c87eb56ae112ae7048592fe082a70cf215603133b5f1385f57b5dbe080ab74c61eb4b093d3dc911a4f837e8d57a16a88a420a49195311ecd375d838ad4edd2
|
|
7
|
+
data.tar.gz: 2708e94fffbaa40e649c30925142fd16d8e79236f4cefdbcb64b58a4e08941100961f891d23754798d08c681309341717fd49597df281d601e3e3edf1b09a524
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,7 @@
|
|
|
1
|
+
## 3.3.1 bugfix for boolean CSP directives
|
|
2
|
+
|
|
3
|
+
[@stefansundin](https://github.com/twitter/secureheaders/pull/253) noticed that supplying `false` to "boolean" CSP directives (e.g. `upgrade-insecure-requests` and `block-all-mixed-content`) would still include the value.
|
|
4
|
+
|
|
1
5
|
## 3.3.0 referrer-policy support
|
|
2
6
|
|
|
3
7
|
While not officially part of the spec and not implemented anywhere, support for the experimental [`referrer-policy` header](https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-header) was [preemptively added](https://github.com/twitter/secureheaders/pull/249).
|
data/README.md
CHANGED
|
@@ -48,7 +48,7 @@ SecureHeaders::Configuration.default do |config|
|
|
|
48
48
|
config.referrer_policy = "origin-when-cross-origin"
|
|
49
49
|
config.csp = {
|
|
50
50
|
# "meta" values. these will shaped the header, but the values are not included in the header.
|
|
51
|
-
report_only:
|
|
51
|
+
report_only: true, # default: false
|
|
52
52
|
preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
|
|
53
53
|
|
|
54
54
|
# directive values: these values will directly translate into source directives
|
|
@@ -66,7 +66,7 @@ SecureHeaders::Configuration.default do |config|
|
|
|
66
66
|
form_action: %w('self' github.com),
|
|
67
67
|
frame_ancestors: %w('none'),
|
|
68
68
|
plugin_types: %w(application/x-shockwave-flash),
|
|
69
|
-
block_all_mixed_content: true, # see
|
|
69
|
+
block_all_mixed_content: true, # see http://www.w3.org/TR/mixed-content/
|
|
70
70
|
upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
|
|
71
71
|
report_uri: %w(https://report-uri.io/example-csp)
|
|
72
72
|
}
|
|
@@ -85,7 +85,7 @@ end
|
|
|
85
85
|
|
|
86
86
|
### rails 2
|
|
87
87
|
|
|
88
|
-
For rails 3+ applications, `secure_headers` has a `railtie` that should automatically include the middleware. For rails 2 applications, an explicit statement is required to use the middleware component.
|
|
88
|
+
For rails 3+ applications, `secure_headers` has a `railtie` that should automatically include the middleware. For rails 2 or non-rails applications, an explicit statement is required to use the middleware component.
|
|
89
89
|
|
|
90
90
|
```ruby
|
|
91
91
|
use SecureHeaders::Middleware
|
|
@@ -137,7 +137,7 @@ class MyController < ApplicationController
|
|
|
137
137
|
end
|
|
138
138
|
```
|
|
139
139
|
|
|
140
|
-
By default, a
|
|
140
|
+
By default, a no-op configuration is provided. No headers will be set when this default override is used.
|
|
141
141
|
|
|
142
142
|
```ruby
|
|
143
143
|
class MyController < ApplicationController
|
|
@@ -163,12 +163,12 @@ You can override the settings for a given action by producing a temporary overri
|
|
|
163
163
|
class MyController < ApplicationController
|
|
164
164
|
def index
|
|
165
165
|
# Append value to the source list, override 'none' values
|
|
166
|
-
# Produces: default-src 'self'; script-src 'self' s3.
|
|
167
|
-
append_content_security_policy_directives(script_src: %w(s3.
|
|
166
|
+
# Produces: default-src 'self'; script-src 'self' s3.amazonaws.com; object-src 'self' www.youtube.com
|
|
167
|
+
append_content_security_policy_directives(script_src: %w(s3.amazonaws.com), object_src: %w('self' www.youtube.com))
|
|
168
168
|
|
|
169
169
|
# Overrides the previously set source list, override 'none' values
|
|
170
|
-
# Produces: default-src 'self'; script-src s3.
|
|
171
|
-
override_content_security_policy_directives(script_src: %w(s3.
|
|
170
|
+
# Produces: default-src 'self'; script-src s3.amazonaws.com; object-src 'self'
|
|
171
|
+
override_content_security_policy_directives(script_src: %w(s3.amazonaws.com), object_src: %w('self'))
|
|
172
172
|
|
|
173
173
|
# Global settings default to "sameorigin"
|
|
174
174
|
override_x_frame_options("DENY")
|
|
@@ -207,7 +207,7 @@ You can use a view helper to automatically add nonces to script tags:
|
|
|
207
207
|
|
|
208
208
|
```erb
|
|
209
209
|
<%= nonced_javascript_tag do %>
|
|
210
|
-
console.log("
|
|
210
|
+
console.log("nonced!");
|
|
211
211
|
<% end %>
|
|
212
212
|
|
|
213
213
|
<%= nonced_style_tag do %>
|
|
@@ -324,14 +324,14 @@ Be aware that pinning error reporting is governed by the same rules as everythin
|
|
|
324
324
|
|
|
325
325
|
```ruby
|
|
326
326
|
config.hpkp = {
|
|
327
|
-
max_age: 60.days.to_i,
|
|
327
|
+
max_age: 60.days.to_i, # max_age is a required parameter
|
|
328
328
|
include_subdomains: true, # whether or not to apply pins to subdomains
|
|
329
329
|
# Per the spec, SHA256 hashes are the only currently supported format.
|
|
330
330
|
pins: [
|
|
331
331
|
{sha256: 'b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c'},
|
|
332
332
|
{sha256: '73a2c64f9545172c1195efb6616ca5f7afd1df6f245407cafb90de3998a1c97f'}
|
|
333
333
|
],
|
|
334
|
-
report_only: true,
|
|
334
|
+
report_only: true, # defaults to false (report-only mode)
|
|
335
335
|
report_uri: 'https://report-uri.io/example-hpkp'
|
|
336
336
|
}
|
|
337
337
|
```
|
|
@@ -53,7 +53,7 @@ module SecureHeaders
|
|
|
53
53
|
directives.map do |directive_name|
|
|
54
54
|
case DIRECTIVE_VALUE_TYPES[directive_name]
|
|
55
55
|
when :boolean
|
|
56
|
-
symbol_to_hyphen_case(directive_name)
|
|
56
|
+
symbol_to_hyphen_case(directive_name) if @config[directive_name]
|
|
57
57
|
when :string
|
|
58
58
|
[symbol_to_hyphen_case(directive_name), @config[directive_name]].join(" ")
|
|
59
59
|
else
|
data/lib/tasks/tasks.rake
CHANGED
data/secure_headers.gemspec
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# -*- encoding: utf-8 -*-
|
|
2
2
|
Gem::Specification.new do |gem|
|
|
3
3
|
gem.name = "secure_headers"
|
|
4
|
-
gem.version = "3.3.
|
|
4
|
+
gem.version = "3.3.1"
|
|
5
5
|
gem.authors = ["Neil Matatall"]
|
|
6
6
|
gem.email = ["neil.matatall@gmail.com"]
|
|
7
7
|
gem.description = 'Security related headers all in one gem.'
|
|
@@ -71,6 +71,16 @@ module SecureHeaders
|
|
|
71
71
|
expect(csp.value).to eq("default-src example.org")
|
|
72
72
|
end
|
|
73
73
|
|
|
74
|
+
it "does add a boolean directive if the value is true" do
|
|
75
|
+
csp = ContentSecurityPolicy.new(default_src: ["https://example.org"], block_all_mixed_content: true, upgrade_insecure_requests: true)
|
|
76
|
+
expect(csp.value).to eq("default-src example.org; block-all-mixed-content; upgrade-insecure-requests")
|
|
77
|
+
end
|
|
78
|
+
|
|
79
|
+
it "does not add a boolean directive if the value is false" do
|
|
80
|
+
csp = ContentSecurityPolicy.new(default_src: ["https://example.org"], block_all_mixed_content: true, upgrade_insecure_requests: false)
|
|
81
|
+
expect(csp.value).to eq("default-src example.org; block-all-mixed-content")
|
|
82
|
+
end
|
|
83
|
+
|
|
74
84
|
it "deduplicates any source expressions" do
|
|
75
85
|
csp = ContentSecurityPolicy.new(default_src: %w(example.org example.org example.org))
|
|
76
86
|
expect(csp.value).to eq("default-src example.org")
|
data/upgrading-to-3-0.md
CHANGED
|
@@ -13,6 +13,7 @@ Changes
|
|
|
13
13
|
| `inline` / `eval` source expressions | could be `inline`, `eval`, `'unsafe-inline'`, or `'unsafe-eval'` | Must be `'unsafe-eval'` or `'unsafe-inline'` |
|
|
14
14
|
| Per-action configuration | override [`def secure_header_options_for(header, options)`](https://github.com/twitter/secureheaders/commit/bb9ebc6c12a677aad29af8e0f08ffd1def56efec#diff-04c6e90faac2675aa89e2176d2eec7d8R111) | Use [named overrides](https://github.com/twitter/secureheaders#named-overrides) or [per-action helpers](https://github.com/twitter/secureheaders#per-action-configuration) |
|
|
15
15
|
| CSP/HPKP use `report_only` config that defaults to false | `enforce: false` | `report_only: false` |
|
|
16
|
+
| schemes in source expressions | Schemes were not stripped | Schemes are stripped by default to discourage mixed content. Setting `preserve_schemes: true` will revert to previous behavior |
|
|
16
17
|
|
|
17
18
|
Migrating to 3.x from <= 2.x
|
|
18
19
|
==
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.3.
|
|
4
|
+
version: 3.3.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-
|
|
11
|
+
date: 2016-05-09 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|