secure_headers 3.7.3 → 3.7.4
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of secure_headers might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/docs/cookies.md +3 -2
- data/lib/secure_headers/headers/cookie.rb +7 -1
- data/lib/secure_headers/utils/cookies_config.rb +6 -4
- data/secure_headers.gemspec +1 -1
- data/spec/lib/secure_headers/headers/cookie_spec.rb +22 -25
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a365e7f904bc5b4eba16131acbfa3dae889c6b5b
|
|
4
|
+
data.tar.gz: 750fb42f0641c07950c55082f946ea6ae6d8087f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ba3a0808f3f7f3136e265c687dd766bdc79598eac7eebc98b1ce8160f150716c4b085dfd83da1f4408abcb220eba8e681b29aaf07cb9d8bb196ac5b408c9d8af
|
|
7
|
+
data.tar.gz: 54a80c904e4f06b9888e6d42669a06ecc81b4eea2482f0cf44fdf626c74d1cc79543d07fb6034e43685031d19efe15845e49bfbec9ce94efc49f1ccf2f41456a
|
data/CHANGELOG.md
CHANGED
data/docs/cookies.md
CHANGED
|
@@ -38,13 +38,14 @@ config.cookies = {
|
|
|
38
38
|
}
|
|
39
39
|
```
|
|
40
40
|
|
|
41
|
-
`Strict` and `
|
|
41
|
+
`Strict`, `Lax`, and `None` enforcement modes can also be specified using a Hash.
|
|
42
42
|
|
|
43
43
|
```ruby
|
|
44
44
|
config.cookies = {
|
|
45
45
|
samesite: {
|
|
46
46
|
strict: { only: ['_rails_session'] },
|
|
47
|
-
lax: { only: ['_guest'] }
|
|
47
|
+
lax: { only: ['_guest'] },
|
|
48
|
+
none: { only: ['_tracking'] },
|
|
48
49
|
}
|
|
49
50
|
}
|
|
50
51
|
```
|
|
@@ -81,11 +81,13 @@ module SecureHeaders
|
|
|
81
81
|
"SameSite=Lax"
|
|
82
82
|
elsif flag_samesite_strict?
|
|
83
83
|
"SameSite=Strict"
|
|
84
|
+
elsif flag_samesite_none?
|
|
85
|
+
"SameSite=None"
|
|
84
86
|
end
|
|
85
87
|
end
|
|
86
88
|
|
|
87
89
|
def flag_samesite?
|
|
88
|
-
flag_samesite_lax? || flag_samesite_strict?
|
|
90
|
+
flag_samesite_lax? || flag_samesite_strict? || flag_samesite_none?
|
|
89
91
|
end
|
|
90
92
|
|
|
91
93
|
def flag_samesite_lax?
|
|
@@ -96,6 +98,10 @@ module SecureHeaders
|
|
|
96
98
|
flag_samesite_enforcement?(:strict)
|
|
97
99
|
end
|
|
98
100
|
|
|
101
|
+
def flag_samesite_none?
|
|
102
|
+
flag_samesite_enforcement?(:none)
|
|
103
|
+
end
|
|
104
|
+
|
|
99
105
|
def flag_samesite_enforcement?(mode)
|
|
100
106
|
return unless config[:samesite]
|
|
101
107
|
|
|
@@ -41,10 +41,12 @@ module SecureHeaders
|
|
|
41
41
|
|
|
42
42
|
# when configuring with booleans, only one enforcement is permitted
|
|
43
43
|
def validate_samesite_boolean_config!
|
|
44
|
-
if config[:samesite].key?(:lax) && config[:samesite][:lax].is_a?(TrueClass) && config[:samesite].key?(:strict)
|
|
45
|
-
raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax
|
|
46
|
-
elsif config[:samesite].key?(:strict) && config[:samesite][:strict].is_a?(TrueClass) && config[:samesite].key?(:lax)
|
|
47
|
-
raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax
|
|
44
|
+
if config[:samesite].key?(:lax) && config[:samesite][:lax].is_a?(TrueClass) && (config[:samesite].key?(:strict) || config[:samesite].key?(:none))
|
|
45
|
+
raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax with strict or no enforcement is not permitted.")
|
|
46
|
+
elsif config[:samesite].key?(:strict) && config[:samesite][:strict].is_a?(TrueClass) && (config[:samesite].key?(:lax) || config[:samesite].key?(:none))
|
|
47
|
+
raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure strict with lax or no enforcement is not permitted.")
|
|
48
|
+
elsif config[:samesite].key?(:none) && config[:samesite][:none].is_a?(TrueClass) && (config[:samesite].key?(:lax) || config[:samesite].key?(:strict))
|
|
49
|
+
raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure no enforcement with lax or strict is not permitted.")
|
|
48
50
|
end
|
|
49
51
|
end
|
|
50
52
|
|
data/secure_headers.gemspec
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# -*- encoding: utf-8 -*-
|
|
2
2
|
Gem::Specification.new do |gem|
|
|
3
3
|
gem.name = "secure_headers"
|
|
4
|
-
gem.version = "3.7.
|
|
4
|
+
gem.version = "3.7.4"
|
|
5
5
|
gem.authors = ["Neil Matatall"]
|
|
6
6
|
gem.email = ["neil.matatall@gmail.com"]
|
|
7
7
|
gem.description = 'Manages application of security headers with many safe defaults.'
|
|
@@ -62,29 +62,21 @@ module SecureHeaders
|
|
|
62
62
|
end
|
|
63
63
|
|
|
64
64
|
context "SameSite cookies" do
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
it "flags SameSite=Lax when configured with a boolean" do
|
|
71
|
-
cookie = Cookie.new(raw_cookie, samesite: { lax: true})
|
|
72
|
-
expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Lax")
|
|
73
|
-
end
|
|
74
|
-
|
|
75
|
-
it "does not flag cookies as SameSite=Lax when excluded" do
|
|
76
|
-
cookie = Cookie.new(raw_cookie, samesite: { lax: { except: ["_session"] } })
|
|
77
|
-
expect(cookie.to_s).to eq("_session=thisisatest")
|
|
78
|
-
end
|
|
65
|
+
%w(None Lax Strict).each do |flag|
|
|
66
|
+
it "flags SameSite=#{flag}" do
|
|
67
|
+
cookie = Cookie.new(raw_cookie, samesite: { flag.downcase.to_sym => { only: ["_session"] } })
|
|
68
|
+
expect(cookie.to_s).to eq("_session=thisisatest; SameSite=#{flag}")
|
|
69
|
+
end
|
|
79
70
|
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
71
|
+
it "flags SameSite=#{flag} when configured with a boolean" do
|
|
72
|
+
cookie = Cookie.new(raw_cookie, samesite: { flag.downcase.to_sym => true })
|
|
73
|
+
expect(cookie.to_s).to eq("_session=thisisatest; SameSite=#{flag}")
|
|
74
|
+
end
|
|
84
75
|
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
76
|
+
it "does not flag cookies as SameSite=#{flag} when excluded" do
|
|
77
|
+
cookie = Cookie.new(raw_cookie, samesite: { flag.downcase.to_sym => { except: ["_session"] } })
|
|
78
|
+
expect(cookie.to_s).to eq("_session=thisisatest")
|
|
79
|
+
end
|
|
88
80
|
end
|
|
89
81
|
|
|
90
82
|
it "flags SameSite=Strict when configured with a boolean" do
|
|
@@ -131,10 +123,15 @@ module SecureHeaders
|
|
|
131
123
|
end.to raise_error(CookiesConfigError)
|
|
132
124
|
end
|
|
133
125
|
|
|
134
|
-
|
|
135
|
-
|
|
136
|
-
|
|
137
|
-
|
|
126
|
+
cookie_options = %w(none lax strict).map(&:to_sym)
|
|
127
|
+
cookie_options.each do |flag|
|
|
128
|
+
(cookie_options - [flag]).each do |other_flag|
|
|
129
|
+
it "raises an exception when SameSite #{flag} and #{other_flag} enforcement modes are configured with booleans" do
|
|
130
|
+
expect do
|
|
131
|
+
Cookie.validate_config!(samesite: { flag => true, other_flag => true})
|
|
132
|
+
end.to raise_error(CookiesConfigError)
|
|
133
|
+
end
|
|
134
|
+
end
|
|
138
135
|
end
|
|
139
136
|
|
|
140
137
|
it "raises an exception when SameSite lax and strict enforcement modes are configured with booleans" do
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.7.
|
|
4
|
+
version: 3.7.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2020-01-14 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|