secure_headers 3.5.0 → 3.5.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f47871f10c97316165d3f4230ddae85935d9a736
-  data.tar.gz: f5777312e07643e054d48b4121ba30a905aab4dd
+  metadata.gz: d196b33a65e52d7a5e51d9aab6bece9d5931f3ec
+  data.tar.gz: ef4bff640a44b916d0d4abb568e32c55dfc5d184
 SHA512:
-  metadata.gz: 8516799304bf21ea8d67aace99325df8c34d1e3d72082b44ad4a80c658ddc9cee6e4a04fc8202ac062044c0abbc91ce870fc26a472960f390fe359670f7362cf
-  data.tar.gz: d4fc7f5482fc8e904ce3ea80340da5c5426b87c88bbb8f669af9e050b212a1189b997de0c3c6bdc9a3b4df58c69efa54598ea40caaf56eb9bc69a80722029f8c
+  metadata.gz: 4b90556098db0af1a3469bee1c456291a0a68b44559e480faf08568a5e4656b0c53f0b5f5fe926f657c8884b8057a6ec545711998a359aeaef88ec10bc099e7a
+  data.tar.gz: 226f55c1d0ab7c8b13d5ef13c8baaedf1162c5afe9ab0b88e04b6a092b4fb01fbdbcd6af840992e39e9011d5686b53c2744e0ee6b39774047328c171edad29af

data/CHANGELOG.md

@@ -1,3 +1,8 @@
+## 3.5.1
+
+* Fix bug that can occur when useragent library version is older, resulting in a nil version sometimes.
+* Add constant for `strict-dynamic`
+
 ## 3.5.0
 
 This release adds support for setting two CSP headers (enforced/report-only) and management around them.

data/README.md

@@ -7,6 +7,9 @@
 
 The gem will automatically apply several headers that are related to security.  This includes:
 - Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack.  [CSP 2 Specification](http://www.w3.org/TR/CSP2/)
+  - https://csp.withgoogle.com
+  - https://csp.withgoogle.com/docs/strict-csp.html
+  - https://csp-evaluator.withgoogle.com
 - HTTP Strict Transport Security (HSTS) - Ensures the browser never visits the http version of a website. Protects from SSLStrip/Firesheep attacks.  [HSTS Specification](https://tools.ietf.org/html/rfc6797)
 - X-Frame-Options (XFO) - Prevents your content from being framed and potentially clickjacked. [X-Frame-Options Specification](https://tools.ietf.org/html/rfc7034)
 - X-XSS-Protection - [Cross site scripting heuristic filter for IE/Chrome](https://msdn.microsoft.com/en-us/library/dd565647\(v=vs.85\).aspx)

data/lib/secure_headers/headers/content_security_policy.rb

@@ -9,6 +9,7 @@ module SecureHeaders
     # constants to be used for version-specific UA sniffing
     VERSION_46 = ::UserAgent::Version.new("46")
     VERSION_10 = ::UserAgent::Version.new("10")
+    FALLBACK_VERSION = ::UserAgent::Version.new("0")
 
     def initialize(config = nil, user_agent = OTHER)
       @config = if config.is_a?(Hash)
@@ -213,7 +214,7 @@ module SecureHeaders
     # Returns an array of symbols representing the directives.
     def supported_directives
       @supported_directives ||= if VARIATIONS[@parsed_ua.browser]
-        if @parsed_ua.browser == "Firefox" && @parsed_ua.version >= VERSION_46
+        if @parsed_ua.browser == "Firefox" && ((@parsed_ua.version || FALLBACK_VERSION) >= VERSION_46)
           VARIATIONS["FirefoxTransitional"]
         else
           VARIATIONS[@parsed_ua.browser]

data/lib/secure_headers/headers/policy_management.rb

@@ -14,6 +14,7 @@ module SecureHeaders
     STAR = "*".freeze
     UNSAFE_INLINE = "'unsafe-inline'".freeze
     UNSAFE_EVAL = "'unsafe-eval'".freeze
+    STRICT_DYNAMIC = "'strict-dynamic'".freeze
 
     # leftover deprecated values that will be in common use upon upgrading.
     DEPRECATED_SOURCE_VALUES = [SELF, NONE, UNSAFE_EVAL, UNSAFE_INLINE, "inline", "eval"].map { |value| value.delete("'") }.freeze
@@ -217,7 +218,7 @@ module SecureHeaders
       def nonces_supported?(user_agent)
         user_agent = UserAgent.parse(user_agent) if user_agent.is_a?(String)
         MODERN_BROWSERS.include?(user_agent.browser) ||
-          user_agent.browser == "Safari" && user_agent.version >= CSP::VERSION_10
+          user_agent.browser == "Safari" && (user_agent.version || CSP::FALLBACK_VERSION) >= CSP::VERSION_10
       end
 
       # Public: combine the values from two different configs.

data/lib/secure_headers/headers/referrer_policy.rb

@@ -6,6 +6,9 @@ module SecureHeaders
     VALID_POLICIES = %w(
       no-referrer
       no-referrer-when-downgrade
+      same-origin
+      strict-origin
+      strict-origin-when-cross-origin
       origin
       origin-when-cross-origin
       unsafe-url

data/secure_headers.gemspec

@@ -1,7 +1,7 @@
 # -*- encoding: utf-8 -*-
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "3.5.0"
+  gem.version       = "3.5.1"
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
   gem.description   = 'Security related headers all in one gem.'

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -107,6 +107,11 @@ module SecureHeaders
         expect(firefox_transitional).not_to match(/frame-src/)
       end
 
+      it "supports strict-dynamic" do
+        csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456}, USER_AGENTS[:chrome])
+        expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456'")
+      end
+
       context "browser sniffing" do
         let (:complex_opts) do
           (ContentSecurityPolicy::ALL_DIRECTIVES - [:frame_src]).each_with_object({}) do |directive, hash|
@@ -149,6 +154,13 @@ module SecureHeaders
           policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:safari6])
           expect(policy.value).to eq("default-src default-src.com; connect-src connect-src.com; font-src font-src.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'unsafe-inline'; style-src style-src.com; report-uri report-uri.com")
         end
+
+        it "falls back to standard Firefox defaults when the useragent version is not present" do
+          ua = USER_AGENTS[:firefox].dup
+          allow(ua).to receive(:version).and_return(nil)
+          policy = ContentSecurityPolicy.new(complex_opts, ua)
+          expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
+        end
       end
     end
   end

data/spec/lib/secure_headers/headers/referrer_policy_spec.rb

@@ -18,6 +18,24 @@ module SecureHeaders
         end.not_to raise_error
       end
 
+      it "accepts 'same-origin'" do
+        expect do
+          ReferrerPolicy.validate_config!("same-origin")
+        end.not_to raise_error
+      end
+
+      it "accepts 'strict-origin'" do
+        expect do
+          ReferrerPolicy.validate_config!("strict-origin")
+        end.not_to raise_error
+      end
+
+      it "accepts 'strict-origin-when-cross-origin'" do
+        expect do
+          ReferrerPolicy.validate_config!("strict-origin-when-cross-origin")
+        end.not_to raise_error
+      end
+
       it "accepts 'origin'" do
         expect do
           ReferrerPolicy.validate_config!("origin")

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 3.5.0
+  version: 3.5.1
 platform: ruby
 authors:
 - Neil Matatall
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-10-12 00:00:00.000000000 Z
+date: 2016-11-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake