secure_headers 3.5.0 → 3.5.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/README.md +3 -0
- data/lib/secure_headers/headers/content_security_policy.rb +2 -1
- data/lib/secure_headers/headers/policy_management.rb +2 -1
- data/lib/secure_headers/headers/referrer_policy.rb +3 -0
- data/secure_headers.gemspec +1 -1
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +12 -0
- data/spec/lib/secure_headers/headers/referrer_policy_spec.rb +18 -0
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: d196b33a65e52d7a5e51d9aab6bece9d5931f3ec
|
4
|
+
data.tar.gz: ef4bff640a44b916d0d4abb568e32c55dfc5d184
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 4b90556098db0af1a3469bee1c456291a0a68b44559e480faf08568a5e4656b0c53f0b5f5fe926f657c8884b8057a6ec545711998a359aeaef88ec10bc099e7a
|
7
|
+
data.tar.gz: 226f55c1d0ab7c8b13d5ef13c8baaedf1162c5afe9ab0b88e04b6a092b4fb01fbdbcd6af840992e39e9011d5686b53c2744e0ee6b39774047328c171edad29af
|
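--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,8 @@
+## 3.5.1
+
+* Fix bug that can occur when useragent library version is older, resulting in a nil version sometimes.
+* Add constant for `strict-dynamic`
+
 ## 3.5.0
 
 This release adds support for setting two CSP headers (enforced/report-only) and management around them.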
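--- a/data/README.md
+++ b/data/README.md
@@ -7,6 +7,9 @@
 
 The gem will automatically apply several headers that are related to security. This includes:
 - Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack. [CSP 2 Specification](http://www.w3.org/TR/CSP2/)
+- https://csp.withgoogle.com
+- https://csp.withgoogle.com/docs/strict-csp.html
+- https://csp-evaluator.withgoogle.com
 - HTTP Strict Transport Security (HSTS) - Ensures the browser never visits the http version of a website. Protects from SSLStrip/Firesheep attacks. [HSTS Specification](https://tools.ietf.org/html/rfc6797)
 - X-Frame-Options (XFO) - Prevents your content from being framed and potentially clickjacked. [X-Frame-Options Specification](https://tools.ietf.org/html/rfc7034)
 - X-XSS-Protection - [Cross site scripting heuristic filter for IE/Chrome](https://msdn.microsoft.com/en-us/library/dd565647\(v=vs.85\).aspx)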
@@ -9,6 +9,7 @@ module SecureHeaders
|
|
9
9
|
# constants to be used for version-specific UA sniffing
|
10
10
|
VERSION_46 = ::UserAgent::Version.new("46")
|
11
11
|
VERSION_10 = ::UserAgent::Version.new("10")
|
12
|
+
FALLBACK_VERSION = ::UserAgent::Version.new("0")
|
12
13
|
|
13
14
|
def initialize(config = nil, user_agent = OTHER)
|
14
15
|
@config = if config.is_a?(Hash)
|
@@ -213,7 +214,7 @@ module SecureHeaders
|
|
213
214
|
# Returns an array of symbols representing the directives.
|
214
215
|
def supported_directives
|
215
216
|
@supported_directives ||= if VARIATIONS[@parsed_ua.browser]
|
216
|
-
if @parsed_ua.browser == "Firefox" && @parsed_ua.version >= VERSION_46
|
217
|
+
if @parsed_ua.browser == "Firefox" && ((@parsed_ua.version || FALLBACK_VERSION) >= VERSION_46)
|
217
218
|
VARIATIONS["FirefoxTransitional"]
|
218
219
|
else
|
219
220
|
VARIATIONS[@parsed_ua.browser]
|
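Review bot: The `(@parsed_ua.version || FALLBACK_VERSION)` guard on the Firefox branch of `supported_directives` is written inline, and the same expression is repeated in `nonces_supported?` in policy_management.rb, so the next version comparison added to either file will forget it; a one-line class method, `def self.ua_version(ua); ua.version || FALLBACK_VERSION; end`, would give both call sites a single name for the fallback (policy_management already reaches this class via `CSP::`, so `CSP.ua_version(user_agent)` would work there if `CSP` is the alias it appears to be). The new `FALLBACK_VERSION` constant also needs a comment stating what "0" buys, e.g. `# Substituted when the useragent gem returns a nil version; "0" sorts below every real version, so an unknown Firefox gets the pre-46 variation and an unknown Safari is treated as not supporting nonces.`. That direction is conservative for directive naming but, judging by the safari6 spec in this diff, presumably downgrades a nonce to `'unsafe-inline'` for an unversioned Safari, which is a trade-off worth stating next to the constant rather than leaving implicit. `initialize` and `supported_directives` both continue past the end of their hunks.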
@@ -14,6 +14,7 @@ module SecureHeaders
|
|
14
14
|
STAR = "*".freeze
|
15
15
|
UNSAFE_INLINE = "'unsafe-inline'".freeze
|
16
16
|
UNSAFE_EVAL = "'unsafe-eval'".freeze
|
17
|
+
STRICT_DYNAMIC = "'strict-dynamic'".freeze
|
17
18
|
|
18
19
|
# leftover deprecated values that will be in common use upon upgrading.
|
19
20
|
DEPRECATED_SOURCE_VALUES = [SELF, NONE, UNSAFE_EVAL, UNSAFE_INLINE, "inline", "eval"].map { |value| value.delete("'") }.freeze
|
@@ -217,7 +218,7 @@ module SecureHeaders
|
|
217
218
|
def nonces_supported?(user_agent)
|
218
219
|
user_agent = UserAgent.parse(user_agent) if user_agent.is_a?(String)
|
219
220
|
MODERN_BROWSERS.include?(user_agent.browser) ||
|
220
|
-
user_agent.browser == "Safari" && user_agent.version >= CSP::VERSION_10
|
221
|
+
user_agent.browser == "Safari" && (user_agent.version || CSP::FALLBACK_VERSION) >= CSP::VERSION_10
|
221
222
|
end
|
222
223
|
|
223
224
|
# Public: combine the values from two different configs.
|
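Review bot: `STRICT_DYNAMIC` is added as a bare source constant, but nothing in this hunk (or anywhere visible in the diff) checks that a `script_src` containing it is paired with a `script_nonce` or a hash source; in browsers that honour `'strict-dynamic'` the host allowlist and `'unsafe-inline'` are disregarded, so a policy with `'strict-dynamic'` and no nonce or hash blocks every script. The config validator is outside this diff, but wherever source values are checked it should reject `STRICT_DYNAMIC` in `:script_src` when `:script_nonce` is nil and no `'nonce-'`/`'sha256-'`-style source is present, raising the library's existing config error at boot rather than shipping a policy that breaks the page. A comment on the constant would help callers too, e.g. `# CSP3 'strict-dynamic': trust propagates from nonced/hashed scripts; host allowlists and 'unsafe-inline' are ignored where supported`. In the second hunk, `nonces_supported?` now classes a Safari UA with no parseable version as nonce-incapable, which presumably emits `'unsafe-inline'` instead of failing loudly; that is defensible, but a short comment on that line should say it is deliberate.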
data/secure_headers.gemspec
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
# -*- encoding: utf-8 -*-
|
2
2
|
Gem::Specification.new do |gem|
|
3
3
|
gem.name = "secure_headers"
|
4
|
-
gem.version = "3.5.
|
4
|
+
gem.version = "3.5.1"
|
5
5
|
gem.authors = ["Neil Matatall"]
|
6
6
|
gem.email = ["neil.matatall@gmail.com"]
|
7
7
|
gem.description = 'Security related headers all in one gem.'
|
@@ -107,6 +107,11 @@ module SecureHeaders
|
|
107
107
|
expect(firefox_transitional).not_to match(/frame-src/)
|
108
108
|
end
|
109
109
|
|
110
|
+
it "supports strict-dynamic" do
|
111
|
+
csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456}, USER_AGENTS[:chrome])
|
112
|
+
expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456'")
|
113
|
+
end
|
114
|
+
|
110
115
|
context "browser sniffing" do
|
111
116
|
let (:complex_opts) do
|
112
117
|
(ContentSecurityPolicy::ALL_DIRECTIVES - [:frame_src]).each_with_object({}) do |directive, hash|
|
@@ -149,6 +154,13 @@ module SecureHeaders
|
|
149
154
|
policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:safari6])
|
150
155
|
expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
|
151
156
|
end
|
157
|
+
|
158
|
+
it "falls back to standard Firefox defaults when the useragent version is not present" do
|
159
|
+
ua = USER_AGENTS[:firefox].dup
|
160
|
+
allow(ua).to receive(:version).and_return(nil)
|
161
|
+
policy = ContentSecurityPolicy.new(complex_opts, ua)
|
162
|
+
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
163
|
+
end
|
152
164
|
end
|
153
165
|
end
|
154
166
|
end
|
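Review bot: The new fallback example only exercises the Firefox branch, while the diffstat shows no spec change for policy_management.rb, whose `nonces_supported?` received the same `|| CSP::FALLBACK_VERSION` treatment for Safari, so the Safari nil-version path ships untested. A parallel example in this context, `ua = USER_AGENTS[:safari6].dup; allow(ua).to receive(:version).and_return(nil); expect(ContentSecurityPolicy.new(complex_opts, ua).value).to include("'unsafe-inline'")`, would pin that an unversioned Safari is treated as nonce-incapable (the expected fragment is inferred from the existing safari6 expectation above and should be confirmed). The `supports strict-dynamic` example covers only Chrome; a sibling example for a browser in the legacy variations would document whether `'strict-dynamic'` is stripped or emitted verbatim there. The `context "browser sniffing"` block continues past the end of the hunk.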
@@ -18,6 +18,24 @@ module SecureHeaders
|
|
18
18
|
end.not_to raise_error
|
19
19
|
end
|
20
20
|
|
21
|
+
it "accepts 'same-origin'" do
|
22
|
+
expect do
|
23
|
+
ReferrerPolicy.validate_config!("same-origin")
|
24
|
+
end.not_to raise_error
|
25
|
+
end
|
26
|
+
|
27
|
+
it "accepts 'strict-origin'" do
|
28
|
+
expect do
|
29
|
+
ReferrerPolicy.validate_config!("strict-origin")
|
30
|
+
end.not_to raise_error
|
31
|
+
end
|
32
|
+
|
33
|
+
it "accepts 'strict-origin-when-cross-origin'" do
|
34
|
+
expect do
|
35
|
+
ReferrerPolicy.validate_config!("strict-origin-when-cross-origin")
|
36
|
+
end.not_to raise_error
|
37
|
+
end
|
38
|
+
|
21
39
|
it "accepts 'origin'" do
|
22
40
|
expect do
|
23
41
|
ReferrerPolicy.validate_config!("origin")
|
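Review bot: The three new examples assert only that `validate_config!` does not raise, so they would pass equally against a validator that accepts any string; unless a rejection example already exists above line 18 (the hunk starts mid-describe), add one such as `it "rejects unknown values" do expect { ReferrerPolicy.validate_config!("strict-origins") }.to raise_error(...) end` with the validator's error class, so the allowlist is actually pinned. The referrer_policy.rb change these examples cover (+3 in the diffstat) is not present in this chunk, so the accepted-value list itself could not be reviewed. The 3.5.1 changelog entry lists only the nil-version fix and the `strict-dynamic` constant; newly accepting `same-origin`, `strict-origin` and `strict-origin-when-cross-origin` is a user-visible change and deserves a line there as well.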
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: secure_headers
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.5.
|
4
|
+
version: 3.5.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Neil Matatall
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2016-
|
11
|
+
date: 2016-11-11 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rake
|