secure_headers 3.7.1 → 3.7.2





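--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 95d8b4815c1f0553ff7a7d6ca32cc046aaf08009
-data.tar.gz: 0f2f8a647f84de17c79d6369ace1ffbcaefdf089
+metadata.gz: c119abbad46d190ddf82e5c9868e0b80e300676a
+data.tar.gz: 891a862a3adfe690765bae7a0a3a68d31aa3e2ea
 SHA512:
-metadata.gz: cbaedf0a0bf671e9a0e7454fa31e2a1bb3952481a21e37ee3cfeb0a6cc8833267af8781471413c10415736a792f50f7779accc5a18392b9139c4c311e47e6c32
-data.tar.gz: dcd71e54dd3a2ea821e25e520f57be97aac4e00f8efd992bfc4cba84c5cf75e6777de38b710ef348ce62581e851deb498e2add4da06d6336ff4a4ca3b4b437be
+metadata.gz: 3d4898ed4bc2aada51f79b6aad95a62a5f8aa45309ab0831c61b8dabacd5af749fe513d495a35186532e68466ff21bd8b51d49c0d0461fc4fa788adc43723bce
+data.tar.gz: cf29ea5654f024321177cb81ed8eaec9ea0a910bd665ba0281590584108e74095afc69edc5c8b43a31f3ec5690370f10d0f98bb1b38269cdeda78cd4a6f0a3a3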
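--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 3.7.2
+
+- Adds support for `worker-src` CSP directive to 3.x line (https://github.com/twitter/secureheaders/pull/364)
+
 ## 3.7.1
 
 Fix support for the sandbox attribute of CSP. `true` and `[]` represent the maximally restricted policy (`sandbox;`) and validate other values.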
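--- a/data/README.md
+++ b/data/README.md
@@ -103,6 +103,7 @@ SecureHeaders::Configuration.default do |config|
 plugin_types: %w(application/x-shockwave-flash),
 script_src: %w('self'),
 style_src: %w('unsafe-inline'),
+worker_src: %w('self'),
 upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
 report_uri: %w(https://report-uri.io/example-csp)
 }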
@@ -37,6 +37,7 @@ module SecureHeaders
37
37
  @script_src = nil
38
38
  @style_nonce = nil
39
39
  @style_src = nil
40
+ @worker_src = nil
40
41
  @upgrade_insecure_requests = nil
41
42
 
42
43
  from_hash(hash)
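Review bot: The new `@worker_src = nil` line keeps this initializer as a hand-maintained mirror of the directive constants, so every new directive must now be added in at least three places (this ivar list, `DIRECTIVES_3_0`, and the `:source_list` type map) and the lists can drift without any failing test. Consider deriving the nil-initialization from the module's directive constant instead, e.g. `DIRECTIVE_LIST.each { |d| instance_variable_set(:"@#{d}", nil) }` (where `DIRECTIVE_LIST` stands for whichever constant holds the full directive set), with a one-line comment saying the ivars are generated from the constants. The enclosing `initialize` begins outside this hunk, and the accessor that lets `from_hash` assign `worker_src` is not visible here, so please confirm it is also derived from the constants rather than another hand-written list.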
@@ -65,10 +65,13 @@ module SecureHeaders
65
65
  BLOCK_ALL_MIXED_CONTENT = :block_all_mixed_content
66
66
  MANIFEST_SRC = :manifest_src
67
67
  UPGRADE_INSECURE_REQUESTS = :upgrade_insecure_requests
68
+ WORKER_SRC = :worker_src
69
+
68
70
  DIRECTIVES_3_0 = [
69
71
  DIRECTIVES_2_0,
70
72
  BLOCK_ALL_MIXED_CONTENT,
71
73
  MANIFEST_SRC,
74
+ WORKER_SRC,
72
75
  UPGRADE_INSECURE_REQUESTS
73
76
  ].flatten.freeze
74
77
 
@@ -79,6 +82,7 @@ module SecureHeaders
79
82
  FIREFOX_UNSUPPORTED_DIRECTIVES = [
80
83
  BLOCK_ALL_MIXED_CONTENT,
81
84
  CHILD_SRC,
85
+ WORKER_SRC,
82
86
  PLUGIN_TYPES
83
87
  ].freeze
84
88
 
@@ -88,6 +92,7 @@ module SecureHeaders
88
92
 
89
93
  FIREFOX_46_UNSUPPORTED_DIRECTIVES = [
90
94
  BLOCK_ALL_MIXED_CONTENT,
95
+ WORKER_SRC,
91
96
  PLUGIN_TYPES
92
97
  ].freeze
93
98
 
@@ -141,6 +146,7 @@ module SecureHeaders
141
146
  SANDBOX => :sandbox_list,
142
147
  SCRIPT_SRC => :source_list,
143
148
  STYLE_SRC => :source_list,
149
+ WORKER_SRC => :source_list,
144
150
  UPGRADE_INSECURE_REQUESTS => :boolean
145
151
  }.freeze
146
152
 
@@ -1,7 +1,7 @@
1
1
  # -*- encoding: utf-8 -*-
2
2
  Gem::Specification.new do |gem|
3
3
  gem.name = "secure_headers"
4
- gem.version = "3.7.1"
4
+ gem.version = "3.7.2"
5
5
  gem.authors = ["Neil Matatall"]
6
6
  gem.email = ["neil.matatall@gmail.com"]
7
7
  gem.description = 'Manages application of security headers with many safe defaults.'
@@ -143,12 +143,12 @@ module SecureHeaders
143
143
 
144
144
  it "does not filter any directives for Chrome" do
145
145
  policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:chrome])
146
- expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
146
+ expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; worker-src worker-src.com; report-uri report-uri.com")
147
147
  end
148
148
 
149
149
  it "does not filter any directives for Opera" do
150
150
  policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:opera])
151
- expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
151
+ expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; worker-src worker-src.com; report-uri report-uri.com")
152
152
  end
153
153
 
154
154
  it "filters blocked-all-mixed-content, child-src, and plugin-types for firefox" do
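Review bot: The two updated expectations in the Chrome and Opera examples are byte-identical ~400-character literals that now have to be edited in lockstep whenever a directive is added, which is exactly how a stale expectation slips through; extracting the full expected header string into a shared `let(:unfiltered_policy)` and asserting `expect(policy.value).to eq(unfiltered_policy)` in both examples reduces the next directive addition to a one-line change. The new value contains `worker-src worker-src.com`, which implies `complex_opts` gained a `worker_src` entry outside this hunk, while the `worker_src: %w(worker.com)` added in the following hunk looks like a different fixture — confirm each test reads the fixture it is meant to. The Firefox example that starts on the hunk's last line is cut off, so its expectation could not be reviewed here.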
@@ -32,6 +32,7 @@ module SecureHeaders
32
32
  object_src: %w('self'),
33
33
  script_src: %w('self'),
34
34
  style_src: %w('unsafe-inline'),
35
+ worker_src: %w(worker.com),
35
36
  base_uri: %w('self'),
36
37
  form_action: %w('self' github.com),
37
38
  frame_ancestors: %w('none'),
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.7.1
4
+ version: 3.7.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Neil Matatall
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-09-05 00:00:00.000000000 Z
11
+ date: 2017-10-03 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake