secure_headers 3.5.0 → 3.5.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/README.md +3 -0
- data/lib/secure_headers/headers/content_security_policy.rb +2 -1
- data/lib/secure_headers/headers/policy_management.rb +2 -1
- data/lib/secure_headers/headers/referrer_policy.rb +3 -0
- data/secure_headers.gemspec +1 -1
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +12 -0
- data/spec/lib/secure_headers/headers/referrer_policy_spec.rb +18 -0
- metadata +2 -2
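--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: d196b33a65e52d7a5e51d9aab6bece9d5931f3ec
+data.tar.gz: ef4bff640a44b916d0d4abb568e32c55dfc5d184
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 4b90556098db0af1a3469bee1c456291a0a68b44559e480faf08568a5e4656b0c53f0b5f5fe926f657c8884b8057a6ec545711998a359aeaef88ec10bc099e7a
+data.tar.gz: 226f55c1d0ab7c8b13d5ef13c8baaedf1162c5afe9ab0b88e04b6a092b4fb01fbdbcd6af840992e39e9011d5686b53c2744e0ee6b39774047328c171edad29af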
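--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,8 @@
+## 3.5.1
+
+* Fix bug that can occur when useragent library version is older, resulting in a nil version sometimes.
+* Add constant for `strict-dynamic`
+
 ## 3.5.0
 
 This release adds support for setting two CSP headers (enforced/report-only) and management around them.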
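--- a/data/README.md
+++ b/data/README.md
@@ -7,6 +7,9 @@
 
 The gem will automatically apply several headers that are related to security. This includes:
 - Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack. [CSP 2 Specification](http://www.w3.org/TR/CSP2/)
+- https://csp.withgoogle.com
+- https://csp.withgoogle.com/docs/strict-csp.html
+- https://csp-evaluator.withgoogle.com
 - HTTP Strict Transport Security (HSTS) - Ensures the browser never visits the http version of a website. Protects from SSLStrip/Firesheep attacks. [HSTS Specification](https://tools.ietf.org/html/rfc6797)
 - X-Frame-Options (XFO) - Prevents your content from being framed and potentially clickjacked. [X-Frame-Options Specification](https://tools.ietf.org/html/rfc7034)
 - X-XSS-Protection - [Cross site scripting heuristic filter for IE/Chrome](https://msdn.microsoft.com/en-us/library/dd565647\(v=vs.85\).aspx)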
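--- a/data/lib/secure_headers/headers/content_security_policy.rb
+++ b/data/lib/secure_headers/headers/content_security_policy.rb
@@ -9,6 +9,7 @@ module SecureHeaders
 # constants to be used for version-specific UA sniffing
 VERSION_46 = ::UserAgent::Version.new("46")
 VERSION_10 = ::UserAgent::Version.new("10")
+FALLBACK_VERSION = ::UserAgent::Version.new("0")
 
 def initialize(config = nil, user_agent = OTHER)
 @config = if config.is_a?(Hash)
@@ -213,7 +214,7 @@ module SecureHeaders
 # Returns an array of symbols representing the directives.
 def supported_directives
 @supported_directives ||= if VARIATIONS[@parsed_ua.browser]
-if @parsed_ua.browser == "Firefox" && @parsed_ua.version >= VERSION_46
+if @parsed_ua.browser == "Firefox" && ((@parsed_ua.version || FALLBACK_VERSION) >= VERSION_46)
 VARIATIONS["FirefoxTransitional"]
 else
 VARIATIONS[@parsed_ua.browser]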
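--- a/data/lib/secure_headers/headers/policy_management.rb
+++ b/data/lib/secure_headers/headers/policy_management.rb
@@ -14,6 +14,7 @@ module SecureHeaders
 STAR = "*".freeze
 UNSAFE_INLINE = "'unsafe-inline'".freeze
 UNSAFE_EVAL = "'unsafe-eval'".freeze
+STRICT_DYNAMIC = "'strict-dynamic'".freeze
 
 # leftover deprecated values that will be in common use upon upgrading.
 DEPRECATED_SOURCE_VALUES = [SELF, NONE, UNSAFE_EVAL, UNSAFE_INLINE, "inline", "eval"].map { |value| value.delete("'") }.freeze
@@ -217,7 +218,7 @@ module SecureHeaders
 def nonces_supported?(user_agent)
 user_agent = UserAgent.parse(user_agent) if user_agent.is_a?(String)
 MODERN_BROWSERS.include?(user_agent.browser) ||
-user_agent.browser == "Safari" && user_agent.version >= CSP::VERSION_10
+user_agent.browser == "Safari" && (user_agent.version || CSP::FALLBACK_VERSION) >= CSP::VERSION_10
 end
 
 # Public: combine the values from two different configs.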
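--- a/data/secure_headers.gemspec
+++ b/data/secure_headers.gemspec
@@ -1,7 +1,7 @@
 # -*- encoding: utf-8 -*-
 Gem::Specification.new do |gem|
 gem.name = "secure_headers"
-gem.version = "3.5.
+gem.version = "3.5.1"
 gem.authors = ["Neil Matatall"]
 gem.email = ["neil.matatall@gmail.com"]
 gem.description = 'Security related headers all in one gem.'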
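--- a/data/spec/lib/secure_headers/headers/content_security_policy_spec.rb
+++ b/data/spec/lib/secure_headers/headers/content_security_policy_spec.rb
@@ -107,6 +107,11 @@ module SecureHeaders
 expect(firefox_transitional).not_to match(/frame-src/)
 end
 
+it "supports strict-dynamic" do
+csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456}, USER_AGENTS[:chrome])
+expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456'")
+end
+
 context "browser sniffing" do
 let (:complex_opts) do
 (ContentSecurityPolicy::ALL_DIRECTIVES - [:frame_src]).each_with_object({}) do |directive, hash|
@@ -149,6 +154,13 @@ module SecureHeaders
 policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:safari6])
 expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
 end
+
+it "falls back to standard Firefox defaults when the useragent version is not present" do
+ua = USER_AGENTS[:firefox].dup
+allow(ua).to receive(:version).and_return(nil)
+policy = ContentSecurityPolicy.new(complex_opts, ua)
+expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
+end
 end
 end
 end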
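--- a/data/spec/lib/secure_headers/headers/referrer_policy_spec.rb
+++ b/data/spec/lib/secure_headers/headers/referrer_policy_spec.rb
@@ -18,6 +18,24 @@ module SecureHeaders
 end.not_to raise_error
 end
 
+it "accepts 'same-origin'" do
+expect do
+ReferrerPolicy.validate_config!("same-origin")
+end.not_to raise_error
+end
+
+it "accepts 'strict-origin'" do
+expect do
+ReferrerPolicy.validate_config!("strict-origin")
+end.not_to raise_error
+end
+
+it "accepts 'strict-origin-when-cross-origin'" do
+expect do
+ReferrerPolicy.validate_config!("strict-origin-when-cross-origin")
+end.not_to raise_error
+end
+
 it "accepts 'origin'" do
 expect do
 ReferrerPolicy.validate_config!("origin")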
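--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-version: 3.5.
+version: 3.5.1
 platform: ruby
 authors:
 - Neil Matatall
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-
+date: 2016-11-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rake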