secure_headers 3.3.1 → 3.3.2

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.

This version of secure_headers might be problematic. Click here for more details.

Files changed (6) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +4 -0
  3. data/lib/tasks/tasks.rake +4 -4
  4. data/secure_headers.gemspec +1 -1
  5. data/upgrading-to-3-0.md +13 -11
  6. metadata +2 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 81af1b59ac5a5a838557fb48a3b605c5202bcd8f
4
- data.tar.gz: 5b5ecdf10eea6b5a8e224e6b1606c554105775c6
3
+ metadata.gz: c9f6cd36ab6ff2100c1c0bdd0fe493aaf6030ab7
4
+ data.tar.gz: dd8e633b00f13f2afe165a7cebb5d9b2a13fc5d0
5
5
  SHA512:
6
- metadata.gz: e3c87eb56ae112ae7048592fe082a70cf215603133b5f1385f57b5dbe080ab74c61eb4b093d3dc911a4f837e8d57a16a88a420a49195311ecd375d838ad4edd2
7
- data.tar.gz: 2708e94fffbaa40e649c30925142fd16d8e79236f4cefdbcb64b58a4e08941100961f891d23754798d08c681309341717fd49597df281d601e3e3edf1b09a524
6
+ metadata.gz: ed6420d1b5a1817b09557501834ac7d9c48b8dfa4cd4affdff49208038b3b277d3debc37baca7d31c5a800b4cfcb27b31311581d1302311d4a639498652b119c
7
+ data.tar.gz: 6bf1ef8d330ee00ccee7a5950e73aeae24fe5c10d78a6fa96bc34b0724cc4f772f577a0b11dc3daf9f3270ad41fefce2505dfcae709f2ebb1b79ae9e6b352ae4
data/CHANGELOG.md CHANGED
@@ -1,3 +1,7 @@
1
+ ## 3.3.2 minor fix to silence warnings when using rake
2
+
3
+ [@dankohn](https://github.com/twitter/secureheaders/issues/257) was seeing "already initialized" errors in his output. This change conditionally defines the constants.
4
+
1
5
  ## 3.3.1 bugfix for boolean CSP directives
2
6
 
3
7
  [@stefansundin](https://github.com/twitter/secureheaders/pull/253) noticed that supplying `false` to "boolean" CSP directives (e.g. `upgrade-insecure-requests` and `block-all-mixed-content`) would still include the value.
data/lib/tasks/tasks.rake CHANGED
@@ -1,7 +1,7 @@
1
- INLINE_SCRIPT_REGEX = /(<script(\s*(?!src)([\w\-])+=([\"\'])[^\"\']+\4)*\s*>)(.*?)<\/script>/mx
2
- INLINE_STYLE_REGEX = /(<style[^>]*>)(.*?)<\/style>/mx
3
- INLINE_HASH_SCRIPT_HELPER_REGEX = /<%=\s?hashed_javascript_tag(.*?)\s+do\s?%>(.*?)<%\s*end\s*%>/mx
4
- INLINE_HASH_STYLE_HELPER_REGEX = /<%=\s?hashed_style_tag(.*?)\s+do\s?%>(.*?)<%\s*end\s*%>/mx
1
+ INLINE_SCRIPT_REGEX = /(<script(\s*(?!src)([\w\-])+=([\"\'])[^\"\']+\4)*\s*>)(.*?)<\/script>/mx unless defined? INLINE_SCRIPT_REGEX
2
+ INLINE_STYLE_REGEX = /(<style[^>]*>)(.*?)<\/style>/mx unless defined? INLINE_STYLE_REGEX
3
+ INLINE_HASH_SCRIPT_HELPER_REGEX = /<%=\s?hashed_javascript_tag(.*?)\s+do\s?%>(.*?)<%\s*end\s*%>/mx unless defined? INLINE_HASH_SCRIPT_HELPER_REGEX
4
+ INLINE_HASH_STYLE_HELPER_REGEX = /<%=\s?hashed_style_tag(.*?)\s+do\s?%>(.*?)<%\s*end\s*%>/mx unless defined? INLINE_HASH_STYLE_HELPER_REGEX
5
5
 
6
6
  namespace :secure_headers do
7
7
  include SecureHeaders::HashHelper
data/secure_headers.gemspec CHANGED
@@ -1,7 +1,7 @@
1
1
  # -*- encoding: utf-8 -*-
2
2
  Gem::Specification.new do |gem|
3
3
  gem.name = "secure_headers"
4
- gem.version = "3.3.1"
4
+ gem.version = "3.3.2"
5
5
  gem.authors = ["Neil Matatall"]
6
6
  gem.email = ["neil.matatall@gmail.com"]
7
7
  gem.description = 'Security related headers all in one gem.'
data/upgrading-to-3-0.md CHANGED
@@ -3,17 +3,19 @@
3
3
  Changes
4
4
  ==
5
5
 
6
- | What | < = 2.x | >= 3.0 |
7
- |----------------------------------|----------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
8
- | Global configuration | `SecureHeaders::Configuration.configure` block | `SecureHeaders::Configuration.default` block |
9
- | All headers besides HPKP and CSP | Accept hashes as config values | Must be strings (validated during configuration) |
10
- | CSP directive values | Accepted space delimited strings OR arrays of strings | Must be arrays of strings |
11
- | CSP Nonce values in views | `@content_security_policy_nonce` | `content_security_policy_script_nonce` or `content_security_policy_style_nonce`
12
- | `self`/`none` source expressions | could be `self` / `none` / `'self'` / `'none'` | Must be `'self'` or `'none'` |
13
- | `inline` / `eval` source expressions | could be `inline`, `eval`, `'unsafe-inline'`, or `'unsafe-eval'` | Must be `'unsafe-eval'` or `'unsafe-inline'` |
14
- | Per-action configuration | override [`def secure_header_options_for(header, options)`](https://github.com/twitter/secureheaders/commit/bb9ebc6c12a677aad29af8e0f08ffd1def56efec#diff-04c6e90faac2675aa89e2176d2eec7d8R111) | Use [named overrides](https://github.com/twitter/secureheaders#named-overrides) or [per-action helpers](https://github.com/twitter/secureheaders#per-action-configuration) |
15
- | CSP/HPKP use `report_only` config that defaults to false | `enforce: false` | `report_only: false` |
16
- | schemes in source expressions | Schemes were not stripped | Schemes are stripped by default to discourage mixed content. Setting `preserve_schemes: true` will revert to previous behavior |
6
+ | What | < = 2.x | >= 3.0 |
7
+ | ---------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
8
+ | Global configuration | `SecureHeaders::Configuration.configure` block | `SecureHeaders::Configuration.default` block |
9
+ | All headers besides HPKP and CSP | Accept hashes as config values | Must be strings (validated during configuration) |
10
+ | CSP directive values | Accepted space delimited strings OR arrays of strings | Must be arrays of strings |
11
+ | CSP Nonce values in views | `@content_security_policy_nonce` | `content_security_policy_script_nonce` or `content_security_policy_style_nonce` |
12
+ | nonce is no longer a source expression | `config.csp = "'self' 'nonce'"` | Remove `'nonce'` from source expression and use [nonce helpers](https://github.com/twitter/secureheaders#nonce). |
13
+ | `self`/`none` source expressions | Could be `self` / `none` / `'self'` / `'none'` | Must be `'self'` or `'none'` |
14
+ | `inline` / `eval` source expressions | Could be `inline`, `eval`, `'unsafe-inline'`, or `'unsafe-eval'` | Must be `'unsafe-eval'` or `'unsafe-inline'` |
15
+ | Per-action configuration | Override [`def secure_header_options_for(header, options)`](https://github.com/twitter/secureheaders/commit/bb9ebc6c12a677aad29af8e0f08ffd1def56efec#diff-04c6e90faac2675aa89e2176d2eec7d8R111) | Use [named overrides](https://github.com/twitter/secureheaders#named-overrides) or [per-action helpers](https://github.com/twitter/secureheaders#per-action-configuration) |
16
+ | CSP/HPKP use `report_only` config that defaults to false | `enforce: false` | `report_only: false` |
17
+ | Schemes in source expressions | Schemes were not stripped | Schemes are stripped by default to discourage mixed content. Setting `preserve_schemes: true` will revert to previous behavior |
18
+ | Opting out of default configuration | `skip_before_filter :set_x_download_options_header` or `config.x_download_options = false` | Within default block: `config.x_download_options = SecureHeaders::OPT_OUT` |
17
19
 
18
20
  Migrating to 3.x from <= 2.x
19
21
  ==
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.3.1
4
+ version: 3.3.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Neil Matatall
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2016-05-09 00:00:00.000000000 Z
11
+ date: 2016-05-23 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake