secure_headers 3.6.6 → 3.6.7
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of secure_headers might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -1
- data/README.md +1 -0
- data/lib/secure_headers/headers/content_security_policy_config.rb +0 -1
- data/lib/secure_headers/headers/policy_management.rb +8 -16
- data/secure_headers.gemspec +2 -2
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +5 -6
- data/spec/lib/secure_headers/headers/policy_management_spec.rb +1 -0
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 9ba9d50d38ff5d5eb3770fd8e2d445ac0c8bf934
|
|
4
|
+
data.tar.gz: 0d0a0bd64c859ce0421effd4b1648de3df8acfa1
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d0c708c8b93bf64c601a0fe7c358a9d2270016a80931d786774e8180ca50b7c61207e4f9759fb085fde7703099a1be96c4b5210b642d17a0c13000a4cdc8c51f
|
|
7
|
+
data.tar.gz: 00fe77abc4a759ada4b509b899c48f0b0ee62d86b151b5c6a41f6bbde390c4dccc8ed1a33e02ed67a45fa8e2d61da0ebeeefa1c2a59566e587b583f53df98805
|
data/CHANGELOG.md
CHANGED
|
@@ -1,6 +1,10 @@
|
|
|
1
|
+
## 3.6.7
|
|
2
|
+
|
|
3
|
+
Actually set manifest-src when configured. https://github.com/twitter/secureheaders/pull/339 Thanks @carlosantoniodasilva!
|
|
4
|
+
|
|
1
5
|
## 3.6.6
|
|
2
6
|
|
|
3
|
-
|
|
7
|
+
wat?
|
|
4
8
|
|
|
5
9
|
## 3.6.5
|
|
6
10
|
|
data/README.md
CHANGED
|
@@ -91,6 +91,7 @@ SecureHeaders::Configuration.default do |config|
|
|
|
91
91
|
form_action: %w('self' github.com),
|
|
92
92
|
frame_ancestors: %w('none'),
|
|
93
93
|
img_src: %w(mycdn.com data:),
|
|
94
|
+
manifest_src: %w('self'),
|
|
94
95
|
media_src: %w(utoob.com),
|
|
95
96
|
object_src: %w('self'),
|
|
96
97
|
plugin_types: %w(application/x-shockwave-flash),
|
|
@@ -62,22 +62,15 @@ module SecureHeaders
|
|
|
62
62
|
|
|
63
63
|
# All the directives currently under consideration for CSP level 3.
|
|
64
64
|
# https://w3c.github.io/webappsec/specs/CSP2/
|
|
65
|
+
BLOCK_ALL_MIXED_CONTENT = :block_all_mixed_content
|
|
65
66
|
MANIFEST_SRC = :manifest_src
|
|
66
|
-
|
|
67
|
+
UPGRADE_INSECURE_REQUESTS = :upgrade_insecure_requests
|
|
67
68
|
DIRECTIVES_3_0 = [
|
|
68
69
|
DIRECTIVES_2_0,
|
|
69
|
-
MANIFEST_SRC,
|
|
70
|
-
REFLECTED_XSS
|
|
71
|
-
].flatten.freeze
|
|
72
|
-
|
|
73
|
-
# All the directives that are not currently in a formal spec, but have
|
|
74
|
-
# been implemented somewhere.
|
|
75
|
-
BLOCK_ALL_MIXED_CONTENT = :block_all_mixed_content
|
|
76
|
-
UPGRADE_INSECURE_REQUESTS = :upgrade_insecure_requests
|
|
77
|
-
DIRECTIVES_DRAFT = [
|
|
78
70
|
BLOCK_ALL_MIXED_CONTENT,
|
|
71
|
+
MANIFEST_SRC,
|
|
79
72
|
UPGRADE_INSECURE_REQUESTS
|
|
80
|
-
].freeze
|
|
73
|
+
].flatten.freeze
|
|
81
74
|
|
|
82
75
|
EDGE_DIRECTIVES = DIRECTIVES_1_0
|
|
83
76
|
SAFARI_DIRECTIVES = DIRECTIVES_1_0
|
|
@@ -99,18 +92,18 @@ module SecureHeaders
|
|
|
99
92
|
].freeze
|
|
100
93
|
|
|
101
94
|
FIREFOX_DIRECTIVES = (
|
|
102
|
-
|
|
95
|
+
DIRECTIVES_3_0 - FIREFOX_UNSUPPORTED_DIRECTIVES
|
|
103
96
|
).freeze
|
|
104
97
|
|
|
105
98
|
FIREFOX_46_DIRECTIVES = (
|
|
106
|
-
|
|
99
|
+
DIRECTIVES_3_0 - FIREFOX_46_UNSUPPORTED_DIRECTIVES - FIREFOX_46_DEPRECATED_DIRECTIVES
|
|
107
100
|
).freeze
|
|
108
101
|
|
|
109
102
|
CHROME_DIRECTIVES = (
|
|
110
|
-
|
|
103
|
+
DIRECTIVES_3_0
|
|
111
104
|
).freeze
|
|
112
105
|
|
|
113
|
-
ALL_DIRECTIVES = (DIRECTIVES_1_0 + DIRECTIVES_2_0 + DIRECTIVES_3_0
|
|
106
|
+
ALL_DIRECTIVES = (DIRECTIVES_1_0 + DIRECTIVES_2_0 + DIRECTIVES_3_0).uniq.sort
|
|
114
107
|
|
|
115
108
|
# Think of default-src and report-uri as the beginning and end respectively,
|
|
116
109
|
# everything else is in between.
|
|
@@ -156,7 +149,6 @@ module SecureHeaders
|
|
|
156
149
|
MEDIA_SRC => :source_list,
|
|
157
150
|
OBJECT_SRC => :source_list,
|
|
158
151
|
PLUGIN_TYPES => :source_list,
|
|
159
|
-
REFLECTED_XSS => :string,
|
|
160
152
|
REPORT_URI => :source_list,
|
|
161
153
|
SANDBOX => :source_list,
|
|
162
154
|
SCRIPT_SRC => :source_list,
|
data/secure_headers.gemspec
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# -*- encoding: utf-8 -*-
|
|
2
2
|
Gem::Specification.new do |gem|
|
|
3
3
|
gem.name = "secure_headers"
|
|
4
|
-
gem.version = "3.6.
|
|
4
|
+
gem.version = "3.6.7"
|
|
5
5
|
gem.authors = ["Neil Matatall"]
|
|
6
6
|
gem.email = ["neil.matatall@gmail.com"]
|
|
7
7
|
gem.description = 'Manages application of security headers with many safe defaults.'
|
|
@@ -15,5 +15,5 @@ Gem::Specification.new do |gem|
|
|
|
15
15
|
gem.test_files = gem.files.grep(%r{^(test|spec|features)/})
|
|
16
16
|
gem.require_paths = ["lib"]
|
|
17
17
|
gem.add_development_dependency "rake"
|
|
18
|
-
gem.add_dependency "useragent"
|
|
18
|
+
gem.add_dependency "useragent"
|
|
19
19
|
end
|
|
@@ -119,7 +119,6 @@ module SecureHeaders
|
|
|
119
119
|
end.merge({
|
|
120
120
|
block_all_mixed_content: true,
|
|
121
121
|
upgrade_insecure_requests: true,
|
|
122
|
-
reflected_xss: "block",
|
|
123
122
|
script_src: %w(script-src.com),
|
|
124
123
|
script_nonce: 123456
|
|
125
124
|
})
|
|
@@ -127,22 +126,22 @@ module SecureHeaders
|
|
|
127
126
|
|
|
128
127
|
it "does not filter any directives for Chrome" do
|
|
129
128
|
policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:chrome])
|
|
130
|
-
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
129
|
+
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
131
130
|
end
|
|
132
131
|
|
|
133
132
|
it "does not filter any directives for Opera" do
|
|
134
133
|
policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:opera])
|
|
135
|
-
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
134
|
+
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types plugin-types.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
136
135
|
end
|
|
137
136
|
|
|
138
137
|
it "filters blocked-all-mixed-content, child-src, and plugin-types for firefox" do
|
|
139
138
|
policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:firefox])
|
|
140
|
-
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
139
|
+
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
141
140
|
end
|
|
142
141
|
|
|
143
142
|
it "filters blocked-all-mixed-content, frame-src, and plugin-types for firefox 46 and higher" do
|
|
144
143
|
policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:firefox46])
|
|
145
|
-
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
144
|
+
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
146
145
|
end
|
|
147
146
|
|
|
148
147
|
it "child-src value is copied to frame-src, adds 'unsafe-inline', filters base-uri, blocked-all-mixed-content, upgrade-insecure-requests, child-src, form-action, frame-ancestors, nonce sources, hash sources, and plugin-types for Edge" do
|
|
@@ -164,7 +163,7 @@ module SecureHeaders
|
|
|
164
163
|
ua = USER_AGENTS[:firefox].dup
|
|
165
164
|
allow(ua).to receive(:version).and_return(nil)
|
|
166
165
|
policy = ContentSecurityPolicy.new(complex_opts, ua)
|
|
167
|
-
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
166
|
+
expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; frame-src child-src.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; sandbox sandbox.com; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
|
|
168
167
|
end
|
|
169
168
|
end
|
|
170
169
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.6.
|
|
4
|
+
version: 3.6.7
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-
|
|
11
|
+
date: 2017-07-14 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|
|
@@ -30,14 +30,14 @@ dependencies:
|
|
|
30
30
|
requirements:
|
|
31
31
|
- - ">="
|
|
32
32
|
- !ruby/object:Gem::Version
|
|
33
|
-
version: 0
|
|
33
|
+
version: '0'
|
|
34
34
|
type: :runtime
|
|
35
35
|
prerelease: false
|
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
|
37
37
|
requirements:
|
|
38
38
|
- - ">="
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
|
-
version: 0
|
|
40
|
+
version: '0'
|
|
41
41
|
description: Manages application of security headers with many safe defaults.
|
|
42
42
|
email:
|
|
43
43
|
- neil.matatall@gmail.com
|