secure_headers 3.3.0 → 3.3.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of secure_headers might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/README.md +11 -11
- data/lib/secure_headers/headers/content_security_policy.rb +1 -1
- data/lib/tasks/tasks.rake +1 -0
- data/secure_headers.gemspec +1 -1
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +10 -0
- data/upgrading-to-3-0.md +1 -0
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 81af1b59ac5a5a838557fb48a3b605c5202bcd8f
|
|
4
|
+
data.tar.gz: 5b5ecdf10eea6b5a8e224e6b1606c554105775c6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: e3c87eb56ae112ae7048592fe082a70cf215603133b5f1385f57b5dbe080ab74c61eb4b093d3dc911a4f837e8d57a16a88a420a49195311ecd375d838ad4edd2
|
|
7
|
+
data.tar.gz: 2708e94fffbaa40e649c30925142fd16d8e79236f4cefdbcb64b58a4e08941100961f891d23754798d08c681309341717fd49597df281d601e3e3edf1b09a524
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,7 @@
|
|
|
1
|
+
## 3.3.1 bugfix for boolean CSP directives
|
|
2
|
+
|
|
3
|
+
[@stefansundin](https://github.com/twitter/secureheaders/pull/253) noticed that supplying `false` to "boolean" CSP directives (e.g. `upgrade-insecure-requests` and `block-all-mixed-content`) would still include the value.
|
|
4
|
+
|
|
1
5
|
## 3.3.0 referrer-policy support
|
|
2
6
|
|
|
3
7
|
While not officially part of the spec and not implemented anywhere, support for the experimental [`referrer-policy` header](https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-header) was [preemptively added](https://github.com/twitter/secureheaders/pull/249).
|
data/README.md
CHANGED
|
@@ -48,7 +48,7 @@ SecureHeaders::Configuration.default do |config|
|
|
|
48
48
|
config.referrer_policy = "origin-when-cross-origin"
|
|
49
49
|
config.csp = {
|
|
50
50
|
# "meta" values. these will shaped the header, but the values are not included in the header.
|
|
51
|
-
report_only:
|
|
51
|
+
report_only: true, # default: false
|
|
52
52
|
preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
|
|
53
53
|
|
|
54
54
|
# directive values: these values will directly translate into source directives
|
|
@@ -66,7 +66,7 @@ SecureHeaders::Configuration.default do |config|
|
|
|
66
66
|
form_action: %w('self' github.com),
|
|
67
67
|
frame_ancestors: %w('none'),
|
|
68
68
|
plugin_types: %w(application/x-shockwave-flash),
|
|
69
|
-
block_all_mixed_content: true, # see
|
|
69
|
+
block_all_mixed_content: true, # see http://www.w3.org/TR/mixed-content/
|
|
70
70
|
upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
|
|
71
71
|
report_uri: %w(https://report-uri.io/example-csp)
|
|
72
72
|
}
|
|
@@ -85,7 +85,7 @@ end
|
|
|
85
85
|
|
|
86
86
|
### rails 2
|
|
87
87
|
|
|
88
|
-
For rails 3+ applications, `secure_headers` has a `railtie` that should automatically include the middleware. For rails 2 applications, an explicit statement is required to use the middleware component.
|
|
88
|
+
For rails 3+ applications, `secure_headers` has a `railtie` that should automatically include the middleware. For rails 2 or non-rails applications, an explicit statement is required to use the middleware component.
|
|
89
89
|
|
|
90
90
|
```ruby
|
|
91
91
|
use SecureHeaders::Middleware
|
|
@@ -137,7 +137,7 @@ class MyController < ApplicationController
|
|
|
137
137
|
end
|
|
138
138
|
```
|
|
139
139
|
|
|
140
|
-
By default, a
|
|
140
|
+
By default, a no-op configuration is provided. No headers will be set when this default override is used.
|
|
141
141
|
|
|
142
142
|
```ruby
|
|
143
143
|
class MyController < ApplicationController
|
|
@@ -163,12 +163,12 @@ You can override the settings for a given action by producing a temporary overri
|
|
|
163
163
|
class MyController < ApplicationController
|
|
164
164
|
def index
|
|
165
165
|
# Append value to the source list, override 'none' values
|
|
166
|
-
# Produces: default-src 'self'; script-src 'self' s3.
|
|
167
|
-
append_content_security_policy_directives(script_src: %w(s3.
|
|
166
|
+
# Produces: default-src 'self'; script-src 'self' s3.amazonaws.com; object-src 'self' www.youtube.com
|
|
167
|
+
append_content_security_policy_directives(script_src: %w(s3.amazonaws.com), object_src: %w('self' www.youtube.com))
|
|
168
168
|
|
|
169
169
|
# Overrides the previously set source list, override 'none' values
|
|
170
|
-
# Produces: default-src 'self'; script-src s3.
|
|
171
|
-
override_content_security_policy_directives(script_src: %w(s3.
|
|
170
|
+
# Produces: default-src 'self'; script-src s3.amazonaws.com; object-src 'self'
|
|
171
|
+
override_content_security_policy_directives(script_src: %w(s3.amazonaws.com), object_src: %w('self'))
|
|
172
172
|
|
|
173
173
|
# Global settings default to "sameorigin"
|
|
174
174
|
override_x_frame_options("DENY")
|
|
@@ -207,7 +207,7 @@ You can use a view helper to automatically add nonces to script tags:
|
|
|
207
207
|
|
|
208
208
|
```erb
|
|
209
209
|
<%= nonced_javascript_tag do %>
|
|
210
|
-
console.log("
|
|
210
|
+
console.log("nonced!");
|
|
211
211
|
<% end %>
|
|
212
212
|
|
|
213
213
|
<%= nonced_style_tag do %>
|
|
@@ -324,14 +324,14 @@ Be aware that pinning error reporting is governed by the same rules as everythin
|
|
|
324
324
|
|
|
325
325
|
```ruby
|
|
326
326
|
config.hpkp = {
|
|
327
|
-
max_age: 60.days.to_i,
|
|
327
|
+
max_age: 60.days.to_i, # max_age is a required parameter
|
|
328
328
|
include_subdomains: true, # whether or not to apply pins to subdomains
|
|
329
329
|
# Per the spec, SHA256 hashes are the only currently supported format.
|
|
330
330
|
pins: [
|
|
331
331
|
{sha256: 'b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c'},
|
|
332
332
|
{sha256: '73a2c64f9545172c1195efb6616ca5f7afd1df6f245407cafb90de3998a1c97f'}
|
|
333
333
|
],
|
|
334
|
-
report_only: true,
|
|
334
|
+
report_only: true, # defaults to false (report-only mode)
|
|
335
335
|
report_uri: 'https://report-uri.io/example-hpkp'
|
|
336
336
|
}
|
|
337
337
|
```
|
|
@@ -53,7 +53,7 @@ module SecureHeaders
|
|
|
53
53
|
directives.map do |directive_name|
|
|
54
54
|
case DIRECTIVE_VALUE_TYPES[directive_name]
|
|
55
55
|
when :boolean
|
|
56
|
-
symbol_to_hyphen_case(directive_name)
|
|
56
|
+
symbol_to_hyphen_case(directive_name) if @config[directive_name]
|
|
57
57
|
when :string
|
|
58
58
|
[symbol_to_hyphen_case(directive_name), @config[directive_name]].join(" ")
|
|
59
59
|
else
|
data/lib/tasks/tasks.rake
CHANGED
data/secure_headers.gemspec
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# -*- encoding: utf-8 -*-
|
|
2
2
|
Gem::Specification.new do |gem|
|
|
3
3
|
gem.name = "secure_headers"
|
|
4
|
-
gem.version = "3.3.
|
|
4
|
+
gem.version = "3.3.1"
|
|
5
5
|
gem.authors = ["Neil Matatall"]
|
|
6
6
|
gem.email = ["neil.matatall@gmail.com"]
|
|
7
7
|
gem.description = 'Security related headers all in one gem.'
|
|
@@ -71,6 +71,16 @@ module SecureHeaders
|
|
|
71
71
|
expect(csp.value).to eq("default-src example.org")
|
|
72
72
|
end
|
|
73
73
|
|
|
74
|
+
it "does add a boolean directive if the value is true" do
|
|
75
|
+
csp = ContentSecurityPolicy.new(default_src: ["https://example.org"], block_all_mixed_content: true, upgrade_insecure_requests: true)
|
|
76
|
+
expect(csp.value).to eq("default-src example.org; block-all-mixed-content; upgrade-insecure-requests")
|
|
77
|
+
end
|
|
78
|
+
|
|
79
|
+
it "does not add a boolean directive if the value is false" do
|
|
80
|
+
csp = ContentSecurityPolicy.new(default_src: ["https://example.org"], block_all_mixed_content: true, upgrade_insecure_requests: false)
|
|
81
|
+
expect(csp.value).to eq("default-src example.org; block-all-mixed-content")
|
|
82
|
+
end
|
|
83
|
+
|
|
74
84
|
it "deduplicates any source expressions" do
|
|
75
85
|
csp = ContentSecurityPolicy.new(default_src: %w(example.org example.org example.org))
|
|
76
86
|
expect(csp.value).to eq("default-src example.org")
|
data/upgrading-to-3-0.md
CHANGED
|
@@ -13,6 +13,7 @@ Changes
|
|
|
13
13
|
| `inline` / `eval` source expressions | could be `inline`, `eval`, `'unsafe-inline'`, or `'unsafe-eval'` | Must be `'unsafe-eval'` or `'unsafe-inline'` |
|
|
14
14
|
| Per-action configuration | override [`def secure_header_options_for(header, options)`](https://github.com/twitter/secureheaders/commit/bb9ebc6c12a677aad29af8e0f08ffd1def56efec#diff-04c6e90faac2675aa89e2176d2eec7d8R111) | Use [named overrides](https://github.com/twitter/secureheaders#named-overrides) or [per-action helpers](https://github.com/twitter/secureheaders#per-action-configuration) |
|
|
15
15
|
| CSP/HPKP use `report_only` config that defaults to false | `enforce: false` | `report_only: false` |
|
|
16
|
+
| schemes in source expressions | Schemes were not stripped | Schemes are stripped by default to discourage mixed content. Setting `preserve_schemes: true` will revert to previous behavior |
|
|
16
17
|
|
|
17
18
|
Migrating to 3.x from <= 2.x
|
|
18
19
|
==
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.3.
|
|
4
|
+
version: 3.3.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-
|
|
11
|
+
date: 2016-05-09 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|