secure_headers 3.7.1 → 3.7.2
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/README.md +1 -0
- data/lib/secure_headers/headers/content_security_policy_config.rb +1 -0
- data/lib/secure_headers/headers/policy_management.rb +6 -0
- data/secure_headers.gemspec +1 -1
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +2 -2
- data/spec/lib/secure_headers/headers/policy_management_spec.rb +1 -0
- metadata +2 -2
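--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: c119abbad46d190ddf82e5c9868e0b80e300676a
+data.tar.gz: 891a862a3adfe690765bae7a0a3a68d31aa3e2ea
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 3d4898ed4bc2aada51f79b6aad95a62a5f8aa45309ab0831c61b8dabacd5af749fe513d495a35186532e68466ff21bd8b51d49c0d0461fc4fa788adc43723bce
+data.tar.gz: cf29ea5654f024321177cb81ed8eaec9ea0a910bd665ba0281590584108e74095afc69edc5c8b43a31f3ec5690370f10d0f98bb1b38269cdeda78cd4a6f0a3a3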
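--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 3.7.2
+
+- Adds support for `worker-src` CSP directive to 3.x line (https://github.com/twitter/secureheaders/pull/364)
+
 ## 3.7.1
 
 Fix support for the sandbox attribute of CSP. `true` and `[]` represent the maximally restricted policy (`sandbox;`) and validate other values.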
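--- a/data/README.md
+++ b/data/README.md
@@ -103,6 +103,7 @@ SecureHeaders::Configuration.default do |config|
 plugin_types: %w(application/x-shockwave-flash),
 script_src: %w('self'),
 style_src: %w('unsafe-inline'),
+worker_src: %w('self'),
 upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
 report_uri: %w(https://report-uri.io/example-csp)
 }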
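--- a/data/lib/secure_headers/headers/policy_management.rb
+++ b/data/lib/secure_headers/headers/policy_management.rb
@@ -65,10 +65,13 @@ module SecureHeaders
 BLOCK_ALL_MIXED_CONTENT = :block_all_mixed_content
 MANIFEST_SRC = :manifest_src
 UPGRADE_INSECURE_REQUESTS = :upgrade_insecure_requests
+WORKER_SRC = :worker_src
+
 DIRECTIVES_3_0 = [
 DIRECTIVES_2_0,
 BLOCK_ALL_MIXED_CONTENT,
 MANIFEST_SRC,
+WORKER_SRC,
 UPGRADE_INSECURE_REQUESTS
 ].flatten.freeze
 
@@ -79,6 +82,7 @@ module SecureHeaders
 FIREFOX_UNSUPPORTED_DIRECTIVES = [
 BLOCK_ALL_MIXED_CONTENT,
 CHILD_SRC,
+WORKER_SRC,
 PLUGIN_TYPES
 ].freeze
 
@@ -88,6 +92,7 @@ module SecureHeaders
 
 FIREFOX_46_UNSUPPORTED_DIRECTIVES = [
 BLOCK_ALL_MIXED_CONTENT,
+WORKER_SRC,
 PLUGIN_TYPES
 ].freeze
 
@@ -141,6 +146,7 @@ module SecureHeaders
 SANDBOX => :sandbox_list,
 SCRIPT_SRC => :source_list,
 STYLE_SRC => :source_list,
+WORKER_SRC => :source_list,
 UPGRADE_INSECURE_REQUESTS => :boolean
 }.freeze
 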
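Review bot: Adding `WORKER_SRC` to `FIREFOX_UNSUPPORTED_DIRECTIVES` and `FIREFOX_46_UNSUPPORTED_DIRECTIVES` in the second and third hunks means the directive is silently dropped from the header sent to those Firefox versions, and nothing in the code records that the configured `worker_src` value is then not what governs worker loads there. Per the CSP3 fallback chain a stripped `worker-src` is replaced by `child-src`, then `script-src`, then `default-src`, so a deployment that relies on `worker_src` alone to lock down workers gets a weaker effective policy in those browsers than the configuration suggests. I would add `# Stripped for Firefox: worker loads then fall back to child-src/script-src/default-src, so keep those at least as strict as worker_src.` above the `WORKER_SRC,` entry in `FIREFOX_UNSUPPORTED_DIRECTIVES`, and a matching one-line note on the Firefox 46 list. These lists are not version-gated in the visible hunks, so presumably the directive will keep being stripped even once a Firefox release supports it; a `# TODO: revisit once Firefox ships worker-src` would mark when to reconsider. The enclosing `module SecureHeaders` and the constant definitions around these hunks start and end outside the hunks.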
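--- a/data/secure_headers.gemspec
+++ b/data/secure_headers.gemspec
@@ -1,7 +1,7 @@
 # -*- encoding: utf-8 -*-
 Gem::Specification.new do |gem|
 gem.name = "secure_headers"
-gem.version = "3.7.
+gem.version = "3.7.2"
 gem.authors = ["Neil Matatall"]
 gem.email = ["neil.matatall@gmail.com"]
 gem.description = 'Manages application of security headers with many safe defaults.'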
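--- a/data/spec/lib/secure_headers/headers/content_security_policy_spec.rb
+++ b/data/spec/lib/secure_headers/headers/content_security_policy_spec.rb
@@ -143,12 +143,12 @@ module SecureHeaders
 
 it "does not filter any directives for Chrome" do
 policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:chrome])
-expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
+expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; worker-src worker-src.com; report-uri report-uri.com")
 end
 
 it "does not filter any directives for Opera" do
 policy = ContentSecurityPolicy.new(complex_opts, USER_AGENTS[:opera])
-expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; report-uri report-uri.com")
+expect(policy.value).to eq("default-src default-src.com; base-uri base-uri.com; block-all-mixed-content; child-src child-src.com; connect-src connect-src.com; font-src font-src.com; form-action form-action.com; frame-ancestors frame-ancestors.com; img-src img-src.com; manifest-src manifest-src.com; media-src media-src.com; object-src object-src.com; plugin-types application/pdf; sandbox allow-forms; script-src script-src.com 'nonce-123456'; style-src style-src.com; upgrade-insecure-requests; worker-src worker-src.com; report-uri report-uri.com")
 end
 
 it "filters blocked-all-mixed-content, child-src, and plugin-types for firefox" do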
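Review bot: Only the Chrome and Opera expectations gain `worker-src worker-src.com`, so nothing in this file positively asserts that the directive is dropped for Firefox, which is the security-relevant half of the change; the Firefox example opening on the hunk's last line continues outside the hunk and, from the file's +2 −2 count, is unchanged. If that example asserts an exact string the omission is covered only implicitly, and a reader cannot tell from its title that worker-src is now among the filtered directives. I would retitle it `it "filters block-all-mixed-content, child-src, plugin-types, and worker-src for firefox" do` and add `expect(policy.value).not_to include("worker-src")` alongside its existing assertion to document the intent explicitly. The existing title also says `blocked-all-mixed-content`, which is not the directive name.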
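--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-version: 3.7.
+version: 3.7.2
 platform: ruby
 authors:
 - Neil Matatall
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-
+date: 2017-10-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rake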