secure_headers 3.7.1 → 3.7.2



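--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 95d8b4815c1f0553ff7a7d6ca32cc046aaf08009
-  data.tar.gz: 0f2f8a647f84de17c79d6369ace1ffbcaefdf089
+  metadata.gz: c119abbad46d190ddf82e5c9868e0b80e300676a
+  data.tar.gz: 891a862a3adfe690765bae7a0a3a68d31aa3e2ea
 SHA512:
-  metadata.gz: cbaedf0a0bf671e9a0e7454fa31e2a1bb3952481a21e37ee3cfeb0a6cc8833267af8781471413c10415736a792f50f7779accc5a18392b9139c4c311e47e6c32
-  data.tar.gz: dcd71e54dd3a2ea821e25e520f57be97aac4e00f8efd992bfc4cba84c5cf75e6777de38b710ef348ce62581e851deb498e2add4da06d6336ff4a4ca3b4b437be
+  metadata.gz: 3d4898ed4bc2aada51f79b6aad95a62a5f8aa45309ab0831c61b8dabacd5af749fe513d495a35186532e68466ff21bd8b51d49c0d0461fc4fa788adc43723bce
+  data.tar.gz: cf29ea5654f024321177cb81ed8eaec9ea0a910bd665ba0281590584108e74095afc69edc5c8b43a31f3ec5690370f10d0f98bb1b38269cdeda78cd4a6f0a3a3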
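--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 3.7.2
+
+- Adds support for `worker-src` CSP directive to 3.x line (https://github.com/twitter/secureheaders/pull/364)
+
 ## 3.7.1
 
 Fix support for the sandbox attribute of CSP. `true` and `[]` represent the maximally restricted policy (`sandbox;`) and validate other values.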
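--- a/data/README.md
+++ b/data/README.md
@@ -103,6 +103,7 @@ SecureHeaders::Configuration.default do |config|
     plugin_types: %w(application/x-shockwave-flash),
     script_src: %w('self'),
     style_src: %w('unsafe-inline'),
+    worker_src: %w('self'),
     upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
     report_uri: %w(https://report-uri.io/example-csp)
   }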
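--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -37,6 +37,7 @@ module SecureHeaders
       @script_src = nil
       @style_nonce = nil
       @style_src = nil
+      @worker_src = nil
       @upgrade_insecure_requests = nil
 
       from_hash(hash)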
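Review bot: The new `@worker_src = nil` at new line 40 only declares the instance variable; whatever lets `from_hash(hash)` on line 43 populate it from a `worker_src:` key — presumably an `attr_accessor :worker_src` next to the other directive accessors — is outside this hunk, so confirm it was added, otherwise the key would be accepted by the config and the emitted policy would still carry no `worker-src`. The enclosing initializer starts and ends outside the hunk.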
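--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -65,10 +65,13 @@ module SecureHeaders
     BLOCK_ALL_MIXED_CONTENT = :block_all_mixed_content
     MANIFEST_SRC = :manifest_src
     UPGRADE_INSECURE_REQUESTS = :upgrade_insecure_requests
+    WORKER_SRC = :worker_src
+
     DIRECTIVES_3_0 = [
       DIRECTIVES_2_0,
       BLOCK_ALL_MIXED_CONTENT,
       MANIFEST_SRC,
+      WORKER_SRC,
       UPGRADE_INSECURE_REQUESTS
     ].flatten.freeze
 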
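--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -79,6 +82,7 @@ module SecureHeaders
     FIREFOX_UNSUPPORTED_DIRECTIVES = [
       BLOCK_ALL_MIXED_CONTENT,
       CHILD_SRC,
+      WORKER_SRC,
       PLUGIN_TYPES
     ].freeze
 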
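--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -88,6 +92,7 @@ module SecureHeaders
 
     FIREFOX_46_UNSUPPORTED_DIRECTIVES = [
       BLOCK_ALL_MIXED_CONTENT,
+      WORKER_SRC,
       PLUGIN_TYPES
     ].freeze
 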
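--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -141,6 +146,7 @@ module SecureHeaders
       SANDBOX => :sandbox_list,
       SCRIPT_SRC => :source_list,
       STYLE_SRC => :source_list,
+      WORKER_SRC => :source_list,
       UPGRADE_INSECURE_REQUESTS => :boolean
     }.freeze
 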
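--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,7 +1,7 @@
 # -*- encoding: utf-8 -*-
 Gem::Specification.new do |gem|
   gem.name = "secure_headers"
-  gem.version = "3.7.1"
+  gem.version = "3.7.2"
   gem.authors = ["Neil Matatall"]
   gem.email = ["neil.matatall@gmail.com"]
   gem.description = 'Manages application of security headers with many safe defaults.'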
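--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -143,12 +143,12 @@ module SecureHeaders
 
     it "does not filter any directives for Chrome" do
       policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:chrome])
-      expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
+      expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; worker-src worker-src.com; report-uri report-uri.com")
     end
 
     it "does not filter any directives for Opera" do
       policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:opera])
-      expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
+      expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; worker-src worker-src.com; report-uri report-uri.com")
     end
 
     it "filters blocked-all-mixed-content, child-src, and plugin-types for firefox" do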
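Review bot: The spec title at line 154, `"filters blocked-all-mixed-content, child-src, and plugin-types for firefox"`, no longer describes what that test exercises: with `worker_src` now in `complex_opts` and `WORKER_SRC` in the Firefox unsupported lists, the test also depends on `worker-src` being stripped, yet neither its name nor — as far as this hunk shows, its body is outside it — its assertion says so. Suggest renaming it to `it "filters blocked-all-mixed-content, child-src, plugin-types, and worker-src for firefox"` and adding an explicit `expect(policy.value).not_to include("worker-src")` inside it, so the Firefox stripping is asserted directly instead of being implied by an unchanged expected string.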
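--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -32,6 +32,7 @@ module SecureHeaders
       object_src: %w('self'),
       script_src: %w('self'),
       style_src: %w('unsafe-inline'),
+      worker_src: %w(worker.com),
       base_uri: %w('self'),
       form_action: %w('self' github.com),
       frame_ancestors: %w('none'),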
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.7.1
4
+ version: 3.7.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Neil Matatall
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-09-05 00:00:00.000000000 Z
11
+ date: 2017-10-03 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake