secure_headers 3.5.0 → 3.5.1





checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: f47871f10c97316165d3f4230ddae85935d9a736
4
- data.tar.gz: f5777312e07643e054d48b4121ba30a905aab4dd
3
+ metadata.gz: d196b33a65e52d7a5e51d9aab6bece9d5931f3ec
4
+ data.tar.gz: ef4bff640a44b916d0d4abb568e32c55dfc5d184
5
5
  SHA512:
6
- metadata.gz: 8516799304bf21ea8d67aace99325df8c34d1e3d72082b44ad4a80c658ddc9cee6e4a04fc8202ac062044c0abbc91ce870fc26a472960f390fe359670f7362cf
7
- data.tar.gz: d4fc7f5482fc8e904ce3ea80340da5c5426b87c88bbb8f669af9e050b212a1189b997de0c3c6bdc9a3b4df58c69efa54598ea40caaf56eb9bc69a80722029f8c
6
+ metadata.gz: 4b90556098db0af1a3469bee1c456291a0a68b44559e480faf08568a5e4656b0c53f0b5f5fe926f657c8884b8057a6ec545711998a359aeaef88ec10bc099e7a
7
+ data.tar.gz: 226f55c1d0ab7c8b13d5ef13c8baaedf1162c5afe9ab0b88e04b6a092b4fb01fbdbcd6af840992e39e9011d5686b53c2744e0ee6b39774047328c171edad29af
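--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,8 @@
+## 3.5.1
+
+* Fix bug that can occur when useragent library version is older, resulting in a nil version sometimes.
+* Add constant for `strict-dynamic`
+
 ## 3.5.0
 
 This release adds support for setting two CSP headers (enforced/report-only) and management around them.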
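--- a/data/README.md
+++ b/data/README.md
@@ -7,6 +7,9 @@
 
 The gem will automatically apply several headers that are related to security. This includes:
 - Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack. [CSP 2 Specification](http://www.w3.org/TR/CSP2/)
+- https://csp.withgoogle.com
+- https://csp.withgoogle.com/docs/strict-csp.html
+- https://csp-evaluator.withgoogle.com
 - HTTP Strict Transport Security (HSTS) - Ensures the browser never visits the http version of a website. Protects from SSLStrip/Firesheep attacks. [HSTS Specification](https://tools.ietf.org/html/rfc6797)
 - X-Frame-Options (XFO) - Prevents your content from being framed and potentially clickjacked. [X-Frame-Options Specification](https://tools.ietf.org/html/rfc7034)
 - X-XSS-Protection - [Cross site scripting heuristic filter for IE/Chrome](https://msdn.microsoft.com/en-us/library/dd565647\(v=vs.85\).aspx)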
@@ -9,6 +9,7 @@ module SecureHeaders
9
9
  # constants to be used for version-specific UA sniffing
10
10
  VERSION_46 = ::UserAgent::Version.new("46")
11
11
  VERSION_10 = ::UserAgent::Version.new("10")
12
+ FALLBACK_VERSION = ::UserAgent::Version.new("0")
12
13
 
13
14
  def initialize(config = nil, user_agent = OTHER)
14
15
  @config = if config.is_a?(Hash)
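Review bot: FALLBACK_VERSION is added without a comment saying when it is consulted or what choosing "0" means, while the neighbouring VERSION_46/VERSION_10 are at least covered by the "version-specific UA sniffing" comment above. Because "0" sorts below every real release, any browser whose version the useragent gem returns as nil is treated as the oldest build, which in the two call sites of this release selects the legacy Firefox directive set and, for Safari, the non-nonce path; that is a deliberate conservative choice and should be stated next to the constant. Suggested: `# Substituted when UserAgent#version is nil (seen with older useragent gem releases); "0" sorts below every real version, so an unparsed version takes the legacy / non-nonce code path.` The enclosing class header lies outside the hunk.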
@@ -213,7 +214,7 @@ module SecureHeaders
213
214
  # Returns an array of symbols representing the directives.
214
215
  def supported_directives
215
216
  @supported_directives ||= if VARIATIONS[@parsed_ua.browser]
216
- if @parsed_ua.browser == "Firefox" && @parsed_ua.version >= VERSION_46
217
+ if @parsed_ua.browser == "Firefox" && ((@parsed_ua.version || FALLBACK_VERSION) >= VERSION_46)
217
218
  VARIATIONS["FirefoxTransitional"]
218
219
  else
219
220
  VARIATIONS[@parsed_ua.browser]
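Review bot: The nil-guard `(@parsed_ua.version || FALLBACK_VERSION)` on the changed line is repeated verbatim in the nonces_supported? hunk (`(user_agent.version || CSP::FALLBACK_VERSION) >= CSP::VERSION_10`), so the fallback rule now lives in two files and a later change to it has to be made twice. A single helper on the class that owns the constants, e.g. `def self.version_of(ua); ua.version || FALLBACK_VERSION; end`, would let both sites read `version_of(@parsed_ua) >= VERSION_46` and keep the "nil means oldest" decision in one documented place. supported_directives continues past the end of this hunk.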
@@ -14,6 +14,7 @@ module SecureHeaders
14
14
  STAR = "*".freeze
15
15
  UNSAFE_INLINE = "'unsafe-inline'".freeze
16
16
  UNSAFE_EVAL = "'unsafe-eval'".freeze
17
+ STRICT_DYNAMIC = "'strict-dynamic'".freeze
17
18
 
18
19
  # leftover deprecated values that will be in common use upon upgrading.
19
20
  DEPRECATED_SOURCE_VALUES = [SELF, NONE, UNSAFE_EVAL, UNSAFE_INLINE, "inline", "eval"].map { |value| value.delete("'") }.freeze
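Review bot: STRICT_DYNAMIC is added with no comment, yet unlike its neighbours it changes how the rest of the directive is read: a browser that understands 'strict-dynamic' ignores host-source allowlists and 'unsafe-inline' in that directive and trusts only nonce- or hash-marked scripts and what they load, while browsers that do not understand it skip the keyword entirely. A one-line note would stop callers adding it to a script_src that carries no nonce or hash, where it has no useful effect. Suggested: `# CSP3 'strict-dynamic': only meaningful together with a nonce or hash; supporting browsers then ignore host allowlists and 'unsafe-inline' in the same directive.` The new spec in this release pairs it with script_nonce, which is consistent with that intent.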
@@ -217,7 +218,7 @@ module SecureHeaders
217
218
  def nonces_supported?(user_agent)
218
219
  user_agent = UserAgent.parse(user_agent) if user_agent.is_a?(String)
219
220
  MODERN_BROWSERS.include?(user_agent.browser) ||
220
- user_agent.browser == "Safari" && user_agent.version >= CSP::VERSION_10
221
+ user_agent.browser == "Safari" && (user_agent.version || CSP::FALLBACK_VERSION) >= CSP::VERSION_10
221
222
  end
222
223
 
223
224
  # Public: combine the values from two different configs.
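Review bot: With a nil Safari version the changed line now evaluates to false, so nonces_supported? reports no nonce support and the policy is emitted with the weaker 'unsafe-inline' fallback (the safari6 expectation in the spec hunk shows that shape); that is the compatible choice, but it is a silent downgrade and deserves a why-comment on the line, e.g. `# nil version (older useragent gem) is treated as pre-10 Safari: no nonces, 'unsafe-inline' fallback`. The `&&` clause is still unparenthesised next to the `||` on the previous line, and the new inner parentheses make the precedence harder to read at a glance; wrapping the whole Safari test as `(user_agent.browser == "Safari" && (user_agent.version || CSP::FALLBACK_VERSION) >= CSP::VERSION_10)` would make it explicit.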
@@ -6,6 +6,9 @@ module SecureHeaders
6
6
  VALID_POLICIES = %w(
7
7
  no-referrer
8
8
  no-referrer-when-downgrade
9
+ same-origin
10
+ strict-origin
11
+ strict-origin-when-cross-origin
9
12
  origin
10
13
  origin-when-cross-origin
11
14
  unsafe-url
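Review bot: The three new entries are inserted between no-referrer-when-downgrade and origin, which breaks the alphabetical order the existing list keeps (no-referrer, no-referrer-when-downgrade, origin, origin-when-cross-origin, unsafe-url); placing same-origin after origin-when-cross-origin and the two strict-origin values before unsafe-url keeps the list sorted and easier to scan against the Referrer Policy keyword table. The referrer_policy spec hunk only calls `ReferrerPolicy.validate_config!("same-origin")` and friends, so as far as these hunks show no example asserts that the new keywords are actually emitted in the header value.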
@@ -1,7 +1,7 @@
1
1
  # -*- encoding: utf-8 -*-
2
2
  Gem::Specification.new do |gem|
3
3
  gem.name = "secure_headers"
4
- gem.version = "3.5.0"
4
+ gem.version = "3.5.1"
5
5
  gem.authors = ["Neil Matatall"]
6
6
  gem.email = ["neil.matatall@gmail.com"]
7
7
  gem.description = 'Security related headers all in one gem.'
@@ -107,6 +107,11 @@ module SecureHeaders
107
107
  expect(firefox_transitional).not_to match(/frame-src/)
108
108
  end
109
109
 
110
+ it "supports strict-dynamic" do
111
+ csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456}, USER_AGENTS[:chrome])
112
+ expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456'")
113
+ end
114
+
110
115
  context "browser sniffing" do
111
116
  let (:complex_opts) do
112
117
  (ContentSecurityPolicy::ALL_DIRECTIVES - [:frame_src]).each_with_object({}) do |directive, hash|
@@ -149,6 +154,13 @@ module SecureHeaders
149
154
  policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:safari6])
150
155
  expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
151
156
  end
157
+
158
+ it "falls back to standard Firefox defaults when the useragent version is not present" do
159
+ ua = USER_AGENTS[:firefox].dup
160
+ allow(ua).to receive(:version).and_return(nil)
161
+ policy = ContentSecurityPolicy.new(complex_opts, ua)
162
+ expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
163
+ end
152
164
  end
153
165
  end
154
166
  end
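Review bot: The new Firefox example (`falls back to standard Firefox defaults when the useragent version is not present`) covers the nil-version guard in supported_directives, but nothing in these hunks exercises the parallel guard added to nonces_supported? for Safari, so the 'unsafe-inline' fallback on a nil Safari version is left unverified. A sibling example built the same way, `ua = USER_AGENTS[:safari6].dup` with `allow(ua).to receive(:version).and_return(nil)`, asserting that the script-src ends in `'unsafe-inline'` rather than a nonce, would pin that branch. The enclosing describe block starts outside the hunk.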
@@ -18,6 +18,24 @@ module SecureHeaders
18
18
  end.not_to raise_error
19
19
  end
20
20
 
21
+ it "accepts 'same-origin'" do
22
+ expect do
23
+ ReferrerPolicy.validate_config!("same-origin")
24
+ end.not_to raise_error
25
+ end
26
+
27
+ it "accepts 'strict-origin'" do
28
+ expect do
29
+ ReferrerPolicy.validate_config!("strict-origin")
30
+ end.not_to raise_error
31
+ end
32
+
33
+ it "accepts 'strict-origin-when-cross-origin'" do
34
+ expect do
35
+ ReferrerPolicy.validate_config!("strict-origin-when-cross-origin")
36
+ end.not_to raise_error
37
+ end
38
+
21
39
  it "accepts 'origin'" do
22
40
  expect do
23
41
  ReferrerPolicy.validate_config!("origin")
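Review bot: The three added examples differ from the existing "accepts" ones only in the policy string, so the file now repeats the same five-line block per value; iterating over the list keeps one block and makes the next addition a one-word change, e.g. `%w(same-origin strict-origin strict-origin-when-cross-origin).each do |policy|` / `it "accepts '#{policy}'" do expect { ReferrerPolicy.validate_config!(policy) }.not_to raise_error end` / `end`. The enclosing describe block starts outside the hunk.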
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.5.0
4
+ version: 3.5.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Neil Matatall
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2016-10-12 00:00:00.000000000 Z
11
+ date: 2016-11-11 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake