secure_headers 3.6.3 → 3.6.4



checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: dd5f78a40f8d31a380fcd970d120e6347c2bd6e2
4
- data.tar.gz: 2dc3822aa77da59d2d2210137ad0ae76f0311911
3
+ metadata.gz: fec7efedf547e7aff5f7193f3306802367df524e
4
+ data.tar.gz: 5d4a99a2f5989e2c119b6d8be2ed232850635855
5
5
  SHA512:
6
- metadata.gz: da1e539890120c9612cc425fd2502f6f59e43eafb78ca5cfa45f192dc73ae2b52b43ad8f495c65621ea4db082a0bb3004881d89084423614449e222f21240890
7
- data.tar.gz: 6a998c6542b3ffbd0852c731007f4cec605c9029464396002083c8415df6a9eae515c3035357f745d86f9d5c56ae451fcc66846b4f30e13ba8e8f9e425c651b2
6
+ metadata.gz: d5ca176a980b3acf9d97442d13e6109c5a8e8043f796733b3ffbee16f45554acd1f46ee2874fd3099be4f9217618b1591e75ec1ac6c7bc7e2e49acce3e06dbcf
7
+ data.tar.gz: 9881f2a604975c4d1f64b4cbc690c063751b8f573f0db87a5c2593326fa5ffcdb83e533d95d9a1ce46551d97192c7faa48e6a5f9485765252d25f53b66d168f1
@@ -1,3 +1,7 @@
1
+ ## 3.6.4
2
+
3
+ Fix case where mixing frame-src/child-src dynamically would behave in unexpected ways: https://github.com/twitter/secureheaders/pull/325
4
+
1
5
  ## 3.6.3
2
6
 
3
7
  Remove deprecation warning when setting `frame-src`. It is no longer deprecated.
@@ -278,15 +278,21 @@ module SecureHeaders
278
278
  if nonce_added?(original, additions)
279
279
  inferred_directive = directive.to_s.gsub(/_nonce/, "_src").to_sym
280
280
  unless original[inferred_directive] || NON_FETCH_SOURCES.include?(inferred_directive)
281
- original[inferred_directive] = original[:default_src]
281
+ original[inferred_directive] = default_for(directive, original)
282
282
  end
283
283
  else
284
- original[directive] = original[:default_src]
284
+ original[directive] = default_for(directive, original)
285
285
  end
286
286
  end
287
287
  end
288
288
  end
289
289
 
290
+ def default_for(directive, original)
291
+ return original[FRAME_SRC] if directive == CHILD_SRC && original[FRAME_SRC]
292
+ return original[CHILD_SRC] if directive == FRAME_SRC && original[CHILD_SRC]
293
+ original[DEFAULT_SRC]
294
+ end
295
+
290
296
  def nonce_added?(original, additions)
291
297
  [:script_nonce, :style_nonce].each do |nonce|
292
298
  if additions[nonce] && !original[nonce]
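Review bot: `default_for` returns the configured `frame_src`/`child_src`/`default_src` array itself rather than a copy, so the freshly seeded `original[directive]` aliases the list it was seeded from; if the merge step that follows this hunk extends that array in place, the seed directive is extended as well and the two directives drift together, whereas a seeded copy keeps them independent — `return original[FRAME_SRC].dup if directive == CHILD_SRC && original[FRAME_SRC]` (and likewise for the other two returns). The previous `original[:default_src]` seeding had the same aliasing, so this is pre-existing but now touches two more directives. The cross-seeding is also worth a comment, since it widens the policy: a dynamically appended `child-src` inherits everything `frame-src` already allowed (and vice versa) before the new sources are added, which is deliberate here for browsers that honour only one of the pair, e.g. `# child-src/frame-src are interchangeable per browser, so seed one from the other before falling back to default-src`. The enclosing method starts above this hunk, so the merge itself is not visible here.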
@@ -1,7 +1,7 @@
1
1
  # -*- encoding: utf-8 -*-
2
2
  Gem::Specification.new do |gem|
3
3
  gem.name = "secure_headers"
4
- gem.version = "3.6.3"
4
+ gem.version = "3.6.4"
5
5
  gem.authors = ["Neil Matatall"]
6
6
  gem.email = ["neil.matatall@gmail.com"]
7
7
  gem.description = 'Manages application of security headers with many safe defaults.'
@@ -173,6 +173,33 @@ module SecureHeaders
173
173
  expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; script-src mycdn.com 'unsafe-inline' anothercdn.com")
174
174
  end
175
175
 
176
+ it "appends child-src to frame-src" do
177
+ Configuration.default do |config|
178
+ config.csp = {
179
+ default_src: %w('self'),
180
+ frame_src: %w(frame_src.com)
181
+ }
182
+ end
183
+
184
+ SecureHeaders.append_content_security_policy_directives(chrome_request, child_src: %w(child_src.com))
185
+ hash = SecureHeaders.header_hash_for(chrome_request)
186
+ expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; child-src frame_src.com child_src.com")
187
+ end
188
+
189
+ it "appends frame-src to child-src" do
190
+ Configuration.default do |config|
191
+ config.csp = {
192
+ default_src: %w('self'),
193
+ child_src: %w(child_src.com)
194
+ }
195
+ end
196
+
197
+ safari_request = Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:safari6]))
198
+ SecureHeaders.append_content_security_policy_directives(safari_request, frame_src: %w(frame_src.com))
199
+ hash = SecureHeaders.header_hash_for(safari_request)
200
+ expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; frame-src child_src.com frame_src.com")
201
+ end
202
+
176
203
  it "supports named appends" do
177
204
  Configuration.default do |config|
178
205
  config.csp = {
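Review bot: Both new examples cover only the asymmetric case where exactly one of `frame_src`/`child_src` is configured and the other is appended, so the `default_for` fallback to `default-src` when neither is configured is not pinned by any spec; an example with only `default_src: %w('self')` configured and `child_src: %w(child_src.com)` appended, expecting `"default-src 'self'; child-src 'self' child_src.com"`, would catch a regression there. A second gap is the case where both directives are configured and one is appended, which should leave the other untouched; asserting that `frame-src` still carries only its configured value after appending `child_src` on a Chrome request would guard against the two lists being aliased. The enclosing `describe` block starts above this hunk.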
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.6.3
4
+ version: 3.6.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - Neil Matatall
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-04-25 00:00:00.000000000 Z
11
+ date: 2017-05-03 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake