RubyGems - secure_headers - Versions diffs - 3.6.3 → 3.6.4 - Mend

secure_headers 3.6.3 → 3.6.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +4 -0
data/lib/secure_headers/headers/policy_management.rb +8 -2
data/secure_headers.gemspec +1 -1
data/spec/lib/secure_headers_spec.rb +27 -0
metadata +2 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: dd5f78a40f8d31a380fcd970d120e6347c2bd6e2
-  data.tar.gz: 2dc3822aa77da59d2d2210137ad0ae76f0311911
+  metadata.gz: fec7efedf547e7aff5f7193f3306802367df524e
+  data.tar.gz: 5d4a99a2f5989e2c119b6d8be2ed232850635855
 SHA512:
-  metadata.gz: da1e539890120c9612cc425fd2502f6f59e43eafb78ca5cfa45f192dc73ae2b52b43ad8f495c65621ea4db082a0bb3004881d89084423614449e222f21240890
-  data.tar.gz: 6a998c6542b3ffbd0852c731007f4cec605c9029464396002083c8415df6a9eae515c3035357f745d86f9d5c56ae451fcc66846b4f30e13ba8e8f9e425c651b2
+  metadata.gz: d5ca176a980b3acf9d97442d13e6109c5a8e8043f796733b3ffbee16f45554acd1f46ee2874fd3099be4f9217618b1591e75ec1ac6c7bc7e2e49acce3e06dbcf
+  data.tar.gz: 9881f2a604975c4d1f64b4cbc690c063751b8f573f0db87a5c2593326fa5ffcdb83e533d95d9a1ce46551d97192c7faa48e6a5f9485765252d25f53b66d168f1

data/CHANGELOG.md CHANGED

@@ -1,3 +1,7 @@
+## 3.6.4
+Fix case where mixing frame-src/child-src dynamically would behave in unexpected ways: https://github.com/twitter/secureheaders/pull/325
 ## 3.6.3
 Remove deprecation warning when setting `frame-src`. It is no longer deprecated.

data/lib/secure_headers/headers/policy_management.rb CHANGED

@@ -278,15 +278,21 @@ module SecureHeaders
             if nonce_added?(original, additions)
               inferred_directive = directive.to_s.gsub(/_nonce/, "_src").to_sym
               unless original[inferred_directive] || NON_FETCH_SOURCES.include?(inferred_directive)
-                original[inferred_directive] = original[:default_src]
+                original[inferred_directive] = default_for(directive, original)
               end
             else
-              original[directive] = original[:default_src]
+              original[directive] = default_for(directive, original)
             end
           end
         end
       end
+      def default_for(directive, original)
+        return original[FRAME_SRC] if directive == CHILD_SRC && original[FRAME_SRC]
+        return original[CHILD_SRC] if directive == FRAME_SRC && original[CHILD_SRC]
+        original[DEFAULT_SRC]
+      end
       def nonce_added?(original, additions)
         [:script_nonce, :style_nonce].each do |nonce|
           if additions[nonce] && !original[nonce]

data/secure_headers.gemspec CHANGED

@@ -1,7 +1,7 @@
 # -*- encoding: utf-8 -*-
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "3.6.3"
+  gem.version       = "3.6.4"
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
   gem.description   = 'Manages application of security headers with many safe defaults.'

data/spec/lib/secure_headers_spec.rb CHANGED

@@ -173,6 +173,33 @@ module SecureHeaders
           expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; script-src mycdn.com 'unsafe-inline' anothercdn.com")
         end
+        it "appends child-src to frame-src" do
+          Configuration.default do |config|
+            config.csp = {
+              default_src: %w('self'),
+              frame_src: %w(frame_src.com)
+            }
+          end
+          SecureHeaders.append_content_security_policy_directives(chrome_request, child_src: %w(child_src.com))
+          hash = SecureHeaders.header_hash_for(chrome_request)
+          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; child-src frame_src.com child_src.com")
+        end
+        it "appends frame-src to child-src" do
+          Configuration.default do |config|
+            config.csp = {
+              default_src: %w('self'),
+              child_src: %w(child_src.com)
+            }
+          end
+          safari_request = Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:safari6]))
+          SecureHeaders.append_content_security_policy_directives(safari_request, frame_src: %w(frame_src.com))
+          hash = SecureHeaders.header_hash_for(safari_request)
+          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; frame-src child_src.com frame_src.com")
+        end
         it "supports named appends" do
           Configuration.default do |config|
             config.csp = {

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 3.6.3
+  version: 3.6.4
 platform: ruby
 authors:
 - Neil Matatall
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-04-25 00:00:00.000000000 Z
+date: 2017-05-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake