secure_headers 3.6.4 → 3.6.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: fec7efedf547e7aff5f7193f3306802367df524e
-  data.tar.gz: 5d4a99a2f5989e2c119b6d8be2ed232850635855
+  metadata.gz: 17b1294265412b033c265b34e05ce2e4b2655d58
+  data.tar.gz: 2febd47d96fa32beb7b662e7c990f8ac5f3c3f64
 SHA512:
-  metadata.gz: d5ca176a980b3acf9d97442d13e6109c5a8e8043f796733b3ffbee16f45554acd1f46ee2874fd3099be4f9217618b1591e75ec1ac6c7bc7e2e49acce3e06dbcf
-  data.tar.gz: 9881f2a604975c4d1f64b4cbc690c063751b8f573f0db87a5c2593326fa5ffcdb83e533d95d9a1ce46551d97192c7faa48e6a5f9485765252d25f53b66d168f1
+  metadata.gz: cccc0f3501e0ceaa5ce9bed046952d0469c06f74201afbca405686508ec87ca93fbd301018a1134227827af1069b738b6849cc3415cd115810014894fff42e46
+  data.tar.gz: 1e22a0849cfbbe6a24eb3de3026b2b3a0c4c581d0a825abd6d31fcb23df591ff74f563c82101a787596f650b5dd6be4994a1fc3b8ab8a946e2c166f74b86cd85

data/.rspec

@@ -1 +1,2 @@
 --order rand
+--warnings

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 3.6.5
+
+Update clear-site-data header to use current format specified by the specification.
+
 ## 3.6.4
 
 Fix case where mixing frame-src/child-src dynamically would behave in unexpected ways: https://github.com/twitter/secureheaders/pull/325
@@ -196,7 +200,7 @@ You can add hash sources directly to your policy :
  rake secure_headers:generate_hashes
  ```
 
- This will generate a file (`config/config/secure_headers_generated_hashes.yml` by default, you can override by setting `ENV["secure_headers_generated_hashes_file"]`) containing a mapping of file names with the array of hash values found on that page. When ActionView renders a given file, we check if there are any known hashes for that given file. If so, they are added as values to the header.
+ This will generate a file (`config/secure_headers_generated_hashes.yml` by default, you can override by setting `ENV["secure_headers_generated_hashes_file"]`) containing a mapping of file names with the array of hash values found on that page. When ActionView renders a given file, we check if there are any known hashes for that given file. If so, they are added as values to the header.
 
 ```yaml
 ---

data/CONTRIBUTING.md

@@ -15,7 +15,7 @@ Please note that this project is released with a [Contributor Code of Conduct][c
 0. Configure and install the dependencies: `bundle install`
 0. Make sure the tests pass on your machine: `bundle exec rspec spec`
 0. Create a new branch: `git checkout -b my-branch-name`
-0. Make your change, add tests, and make sure the tests still pass
+0. Make your change, add tests, and make sure the tests still pass and that no warnings are raised
 0. Push to your fork and [submit a pull request][pr]
 0. Pat your self on the back and wait for your pull request to be reviewed and merged.
 
@@ -25,7 +25,7 @@ Here are a few things you can do that will increase the likelihood of your pull
 - Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate pull requests.
 - Write a [good commit message](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
 
-## Releasing 
+## Releasing
 
 0. Ensure CI is green
 0. Pull the latest code
@@ -39,5 +39,3 @@ Here are a few things you can do that will increase the likelihood of your pull
 
 - [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)
 - [Using Pull Requests](https://help.github.com/articles/about-pull-requests/)
-
-

data/README.md

@@ -18,7 +18,7 @@ The gem will automatically apply several headers that are related to security.
 - X-Permitted-Cross-Domain-Policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
 - Referrer-Policy - [Referrer Policy draft](https://w3c.github.io/webappsec-referrer-policy/)
 - Public Key Pinning - Pin certificate fingerprints in the browser to prevent man-in-the-middle attacks due to compromised Certificate Authorities. [Public Key Pinning Specification](https://tools.ietf.org/html/rfc7469)
-- Clear-Site-Data - Clearing browser data for origin. [Clear-Site-Data specification](https://www.w3.org/TR/clear-site-data/).
+- Clear-Site-Data - Clearing browser data for origin. [Clear-Site-Data specification](https://w3c.github.io/webappsec-clear-site-data/).
 
 It can also mark all http cookies with the Secure, HttpOnly and SameSite attributes (when configured to do so).
 

data/docs/hashes.md

@@ -21,7 +21,7 @@ You can add hash sources directly to your policy :
  rake secure_headers:generate_hashes
  ```
 
- This will generate a file (`config/config/secure_headers_generated_hashes.yml` by default, you can override by setting `ENV["secure_headers_generated_hashes_file"]`) containing a mapping of file names with the array of hash values found on that page. When ActionView renders a given file, we check if there are any known hashes for that given file. If so, they are added as values to the header.
+ This will generate a file (`config/secure_headers_generated_hashes.yml` by default, you can override by setting `ENV["secure_headers_generated_hashes_file"]`) containing a mapping of file names with the array of hash values found on that page. When ActionView renders a given file, we check if there are any known hashes for that given file. If so, they are added as values to the header.
 
 ```yaml
 ---

data/lib/secure_headers.rb

@@ -163,7 +163,8 @@ module SecureHeaders
     # returned is meant to be merged into the header value from `@app.call(env)`
     # in Rack middleware.
     def header_hash_for(request)
-      config = config_for(request, prevent_dup = true)
+      prevent_dup = true
+      config = config_for(request, prevent_dup)
       headers = config.cached_headers
       user_agent = UserAgent.parse(request.user_agent)
 

data/lib/secure_headers/configuration.rb

@@ -31,7 +31,7 @@ module SecureHeaders
           raise NotYetConfiguredError, "#{base} policy not yet supplied"
         end
         override = @configurations[base].dup
-        override.instance_eval &block if block_given?
+        override.instance_eval(&block) if block_given?
         add_configuration(name, override)
       end
 
@@ -120,19 +120,36 @@ module SecureHeaders
 
     attr_reader :cached_headers, :csp, :cookies, :csp_report_only, :hpkp, :hpkp_report_host
 
+    @script_hashes = nil
+    @style_hashes = nil
+
     HASH_CONFIG_FILE = ENV["secure_headers_generated_hashes_file"] || "config/secure_headers_generated_hashes.yml"
-    if File.exists?(HASH_CONFIG_FILE)
+    if File.exist?(HASH_CONFIG_FILE)
       config = YAML.safe_load(File.open(HASH_CONFIG_FILE))
       @script_hashes = config["scripts"]
       @style_hashes = config["styles"]
     end
 
     def initialize(&block)
+      @cookies = nil
+      @clear_site_data = nil
+      @csp = nil
+      @csp_report_only = nil
+      @hpkp_report_host = nil
+      @hpkp = nil
+      @hsts = nil
+      @x_content_type_options = nil
+      @x_download_options = nil
+      @x_frame_options = nil
+      @x_permitted_cross_domain_policies = nil
+      @x_xss_protection = nil
+
       self.hpkp = OPT_OUT
       self.referrer_policy = OPT_OUT
       self.csp = ContentSecurityPolicyConfig.new(ContentSecurityPolicyConfig::DEFAULT)
       self.csp_report_only = OPT_OUT
-      instance_eval &block if block_given?
+
+      instance_eval(&block) if block_given?
     end
 
     # Public: copy everything but the cached headers

data/lib/secure_headers/headers/clear_site_data.rb

@@ -2,7 +2,6 @@ module SecureHeaders
   class ClearSiteDataConfigError < StandardError; end
   class ClearSiteData
     HEADER_NAME = "Clear-Site-Data".freeze
-    TYPES = "types".freeze
 
     # Valid `types`
     CACHE = "cache".freeze
@@ -22,9 +21,9 @@ module SecureHeaders
         when nil, OPT_OUT, []
           # noop
         when Array
-          [HEADER_NAME, JSON.dump(TYPES => config)]
+          [HEADER_NAME, make_header_value(config)]
         when true
-          [HEADER_NAME, JSON.dump(TYPES => ALL_TYPES)]
+          [HEADER_NAME, make_header_value(ALL_TYPES)]
         end
       end
 
@@ -36,16 +35,20 @@ module SecureHeaders
           unless config.all? { |t| t.is_a?(String) }
             raise ClearSiteDataConfigError.new("types must be Strings")
           end
-
-          begin
-            JSON.dump(config)
-          rescue JSON::GeneratorError, Encoding::UndefinedConversionError
-            raise ClearSiteDataConfigError.new("types must serializable by JSON")
-          end
         else
           raise ClearSiteDataConfigError.new("config must be an Array of Strings or `true`")
         end
       end
+
+      # Public: Transform a Clear-Site-Data config (an Array of Strings) into a
+      # String that can be used as the value for the Clear-Site-Data header.
+      #
+      # types - An Array of String of types of data to clear.
+      #
+      # Returns a String of quoted values that are comma separated.
+      def make_header_value(types)
+        types.map { |t| "\"#{t}\""}.join(", ")
+      end
     end
   end
 end

data/lib/secure_headers/headers/content_security_policy_config.rb

@@ -15,6 +15,31 @@ module SecureHeaders
     end
 
     def initialize(hash)
+      @base_uri = nil
+      @block_all_mixed_content = nil
+      @child_src = nil
+      @connect_src = nil
+      @default_src = nil
+      @font_src = nil
+      @form_action = nil
+      @frame_ancestors = nil
+      @frame_src = nil
+      @img_src = nil
+      @manifest_src = nil
+      @media_src = nil
+      @object_src = nil
+      @plugin_types = nil
+      @preserve_schemes = nil
+      @reflected_xss = nil
+      @report_only = nil
+      @report_uri = nil
+      @sandbox = nil
+      @script_nonce = nil
+      @script_src = nil
+      @style_nonce = nil
+      @style_src = nil
+      @upgrade_insecure_requests = nil
+
       from_hash(hash)
       @modified = false
     end

data/lib/secure_headers/headers/policy_management.rb

@@ -348,9 +348,9 @@ module SecureHeaders
       end
 
       def ensure_valid_sources!(directive, source_expression)
-        source_expression.each do |source_expression|
-          if ContentSecurityPolicy::DEPRECATED_SOURCE_VALUES.include?(source_expression)
-            raise ContentSecurityPolicyConfigError.new("#{directive} contains an invalid keyword source (#{source_expression}). This value must be single quoted.")
+        source_expression.each do |expression|
+          if ContentSecurityPolicy::DEPRECATED_SOURCE_VALUES.include?(expression)
+            raise ContentSecurityPolicyConfigError.new("#{directive} contains an invalid keyword source (#{expression}). This value must be single quoted.")
           end
         end
       end

data/lib/secure_headers/headers/public_key_pins.rb

@@ -49,7 +49,7 @@ module SecureHeaders
     end
 
     def value
-      header_value = [
+      [
         max_age_directive,
         pin_directives,
         report_uri_directive,

data/lib/secure_headers/view_helper.rb

@@ -95,9 +95,9 @@ module SecureHeaders
       <<-EOF
 \n\n*** WARNING: Unrecognized hash in #{file_path}!!! Value: #{hash_value} ***
 #{content}
-*** Run #{SECURE_HEADERS_RAKE_TASK} or add the following to config/script_hashes.yml:***
+*** Run #{SECURE_HEADERS_RAKE_TASK} or add the following to config/secure_headers_generated_hashes.yml:***
 #{file_path}:
-- #{hash_value}\n\n
+- \"#{hash_value}\"\n\n
       NOTE: dynamic javascript is not supported using script hash integration
       on purpose. It defeats the point of using it in the first place.
       EOF

data/secure_headers.gemspec

@@ -1,7 +1,7 @@
 # -*- encoding: utf-8 -*-
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "3.6.4"
+  gem.version       = "3.6.5"
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
   gem.description   = 'Manages application of security headers with many safe defaults.'

data/spec/lib/secure_headers/headers/clear_site_data_spec.rb

@@ -19,30 +19,16 @@ module SecureHeaders
         name, value = described_class.make_header(true)
 
         expect(name).to eq(ClearSiteData::HEADER_NAME)
-        expect(value).to eq(normalize_json(<<-HERE))
-          {
-            "types": [
-              "cache",
-              "cookies",
-              "storage",
-              "executionContexts"
-            ]
-          }
-        HERE
+        expect(value).to eq(
+          %("cache", "cookies", "storage", "executionContexts")
+        )
       end
 
       it "returns specified types" do
         name, value = described_class.make_header(["foo", "bar"])
 
         expect(name).to eq(ClearSiteData::HEADER_NAME)
-        expect(value).to eq(normalize_json(<<-HERE))
-          {
-            "types": [
-              "foo",
-              "bar"
-            ]
-          }
-        HERE
+        expect(value).to eq(%("foo", "bar"))
       end
     end
 
@@ -83,12 +69,6 @@ module SecureHeaders
         end.to raise_error(ClearSiteDataConfigError)
       end
 
-      it "fails for non-serializable config" do
-        expect do
-          described_class.validate_config!(["hi \255"])
-        end.to raise_error(ClearSiteDataConfigError)
-      end
-
       it "fails for other types of config" do
         expect do
           described_class.validate_config!(:cookies)
@@ -96,8 +76,11 @@ module SecureHeaders
       end
     end
 
-    def normalize_json(json)
-      JSON.dump(JSON.parse(json))
+    describe "make_header_value" do
+      it "returns a string of quoted values that are comma separated" do
+        value = described_class.make_header_value(["foo", "bar"])
+        expect(value).to eq(%("foo", "bar"))
+      end
     end
   end
 end

data/spec/lib/secure_headers/view_helpers_spec.rb

@@ -37,7 +37,6 @@ class Message < ERB
     background-color: black;
   }
 </style>
-<%= @name %>
 
 TEMPLATE
   end

data/spec/lib/secure_headers_spec.rb

@@ -105,7 +105,7 @@ module SecureHeaders
       end
 
       it "produces a UA-specific CSP when overriding (and busting the cache)" do
-        config = Configuration.default do |config|
+        Configuration.default do |config|
           config.csp = {
             default_src: %w('self'),
             child_src: %w('self')
@@ -231,7 +231,7 @@ module SecureHeaders
 
           SecureHeaders.content_security_policy_script_nonce(request) # should add the value to the header
           hash = SecureHeaders.header_hash_for(chrome_request)
-          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to match /\Adefault-src 'self'; script-src 'self' 'nonce-.*'\z/
+          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/\Adefault-src 'self'; script-src 'self' 'nonce-.*'\z/)
         end
 
         it "appends a hash to a missing script-src value" do
@@ -243,7 +243,7 @@ module SecureHeaders
 
           SecureHeaders.append_content_security_policy_directives(request, script_src: %w('sha256-abc123'))
           hash = SecureHeaders.header_hash_for(chrome_request)
-          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to match /\Adefault-src 'self'; script-src 'self' 'sha256-abc123'\z/
+          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/\Adefault-src 'self'; script-src 'self' 'sha256-abc123'\z/)
         end
 
         it "overrides individual directives" do
@@ -279,7 +279,7 @@ module SecureHeaders
           end
 
           safari_request = Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:safari5]))
-          nonce = SecureHeaders.content_security_policy_script_nonce(safari_request)
+          SecureHeaders.content_security_policy_script_nonce(safari_request)
           hash = SecureHeaders.header_hash_for(safari_request)
           expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; script-src mycdn.com 'unsafe-inline'; style-src 'self'")
         end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 3.6.4
+  version: 3.6.5
 platform: ruby
 authors:
 - Neil Matatall
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-05-03 00:00:00.000000000 Z
+date: 2017-06-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake