secure_headers 3.6.3 → 3.6.4
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/lib/secure_headers/headers/policy_management.rb +8 -2
- data/secure_headers.gemspec +1 -1
- data/spec/lib/secure_headers_spec.rb +27 -0
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: fec7efedf547e7aff5f7193f3306802367df524e
|
4
|
+
data.tar.gz: 5d4a99a2f5989e2c119b6d8be2ed232850635855
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: d5ca176a980b3acf9d97442d13e6109c5a8e8043f796733b3ffbee16f45554acd1f46ee2874fd3099be4f9217618b1591e75ec1ac6c7bc7e2e49acce3e06dbcf
|
7
|
+
data.tar.gz: 9881f2a604975c4d1f64b4cbc690c063751b8f573f0db87a5c2593326fa5ffcdb83e533d95d9a1ce46551d97192c7faa48e6a5f9485765252d25f53b66d168f1
|
data/CHANGELOG.md
CHANGED
@@ -278,15 +278,21 @@ module SecureHeaders
|
|
278
278
|
if nonce_added?(original, additions)
|
279
279
|
inferred_directive = directive.to_s.gsub(/_nonce/, "_src").to_sym
|
280
280
|
unless original[inferred_directive] || NON_FETCH_SOURCES.include?(inferred_directive)
|
281
|
-
original[inferred_directive] = original
|
281
|
+
original[inferred_directive] = default_for(directive, original)
|
282
282
|
end
|
283
283
|
else
|
284
|
-
original[directive] = original
|
284
|
+
original[directive] = default_for(directive, original)
|
285
285
|
end
|
286
286
|
end
|
287
287
|
end
|
288
288
|
end
|
289
289
|
|
290
|
+
def default_for(directive, original)
|
291
|
+
return original[FRAME_SRC] if directive == CHILD_SRC && original[FRAME_SRC]
|
292
|
+
return original[CHILD_SRC] if directive == FRAME_SRC && original[CHILD_SRC]
|
293
|
+
original[DEFAULT_SRC]
|
294
|
+
end
|
295
|
+
|
290
296
|
def nonce_added?(original, additions)
|
291
297
|
[:script_nonce, :style_nonce].each do |nonce|
|
292
298
|
if additions[nonce] && !original[nonce]
|
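Review bot: `default_for` returns the live Array already stored under FRAME_SRC, CHILD_SRC or DEFAULT_SRC, so after `original[directive] = default_for(directive, original)` two directives reference one object; if the merge that follows appends in place, the sibling directive — or default-src, the policy's baseline, on the final fallthrough — would be widened as a side effect. Unless that merge is known to be non-mutating, returning copies (`.dup` on the two early returns and `original[DEFAULT_SRC].dup` on the last line) removes the aliasing. The helper also deserves a one-line comment recording the intent the specs show, e.g. `# child-src and frame-src stand in for each other: an appended one starts from whichever the policy already defines, otherwise from default-src`. The method enclosing the `if nonce_added?` branch starts outside the hunk, so the merge step itself is not visible here.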
data/secure_headers.gemspec
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
# -*- encoding: utf-8 -*-
|
2
2
|
Gem::Specification.new do |gem|
|
3
3
|
gem.name = "secure_headers"
|
4
|
-
gem.version = "3.6.
|
4
|
+
gem.version = "3.6.4"
|
5
5
|
gem.authors = ["Neil Matatall"]
|
6
6
|
gem.email = ["neil.matatall@gmail.com"]
|
7
7
|
gem.description = 'Manages application of security headers with many safe defaults.'
|
@@ -173,6 +173,33 @@ module SecureHeaders
|
|
173
173
|
expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; script-src mycdn.com 'unsafe-inline' anothercdn.com")
|
174
174
|
end
|
175
175
|
|
176
|
+
it "appends child-src to frame-src" do
|
177
|
+
Configuration.default do |config|
|
178
|
+
config.csp = {
|
179
|
+
default_src: %w('self'),
|
180
|
+
frame_src: %w(frame_src.com)
|
181
|
+
}
|
182
|
+
end
|
183
|
+
|
184
|
+
SecureHeaders.append_content_security_policy_directives(chrome_request, child_src: %w(child_src.com))
|
185
|
+
hash = SecureHeaders.header_hash_for(chrome_request)
|
186
|
+
expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; child-src frame_src.com child_src.com")
|
187
|
+
end
|
188
|
+
|
189
|
+
it "appends frame-src to child-src" do
|
190
|
+
Configuration.default do |config|
|
191
|
+
config.csp = {
|
192
|
+
default_src: %w('self'),
|
193
|
+
child_src: %w(child_src.com)
|
194
|
+
}
|
195
|
+
end
|
196
|
+
|
197
|
+
safari_request = Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:safari6]))
|
198
|
+
SecureHeaders.append_content_security_policy_directives(safari_request, frame_src: %w(frame_src.com))
|
199
|
+
hash = SecureHeaders.header_hash_for(safari_request)
|
200
|
+
expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; frame-src child_src.com frame_src.com")
|
201
|
+
end
|
202
|
+
|
176
203
|
it "supports named appends" do
|
177
204
|
Configuration.default do |config|
|
178
205
|
config.csp = {
|
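Review bot: Neither new example exercises the final fallthrough of `default_for` — both configure the sibling directive, so the path that seeds an appended child_src/frame_src from default-src when neither is set goes untested. A third example configuring only `default_src: %w('self')`, appending `child_src: %w(child_src.com)` and expecting `child-src 'self' child_src.com` would pin it; the exact rendering depends on per-user-agent directive handling not visible in this hunk, so adjust the expectation to match. Both examples also set `Configuration.default` globally; if the surrounding spec file does not reset it between examples, the second inherits the first's configuration.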
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: secure_headers
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.6.
|
4
|
+
version: 3.6.4
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Neil Matatall
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2017-
|
11
|
+
date: 2017-05-03 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rake
|