secure_headers 3.9.0 → 4.0.0.alpha01

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA256:
-  metadata.gz: 6e2f294d6c2130a1f629bf3dba2a88da71fa2b80a015cb7dc96bcbbcb88d1d59
-  data.tar.gz: 767021dbec7d023bbcb629b3315ad10ff989e2c6ae7ceff9ffc5614b05fa3ba5
+SHA1:
+  metadata.gz: 1cfa800eacf250583e379d13a9149d585bc2f48d
+  data.tar.gz: 3de8c81b1308ec9d1d53f822cff8eeb7e20b5af0
 SHA512:
-  metadata.gz: 86d16e60409fca6b72e16321100a6afc3cc1fded1fb79c004778c8cdae2872ed4751205e90274f4b2c0517a70763c896692d9bd547f3b5b9144b8479b93268d5
-  data.tar.gz: a2462e058ad88292d40e5a7e4e23e0a5ba431a8a114616f1e1d77bd5218e99ed0b68f4e7b0cf9e3480e10ca2e34e97d60e3b7b1d77db8b71da71c031f4cdaa52
+  metadata.gz: 4c25ae5372ac00f74b0cae3b7de0a767a15b45f275bed64994c2cd7d078a2f0b52bdce562d14280984ad494fd008445d5d5448a3ac94694cd1f9778da3deeacc
+  data.tar.gz: 6fab2c382ed56f9a63dd118a34b617fb82b4ee4e9ef55f37d78e134ec9068c9ee1022ba0a94991d0b7b82ea756d78132d3c0dfc909e66d4068acde4f6d2673ff

data/.rspec

@@ -1,2 +1,3 @@
 --order rand
 --warnings
+--format progress

data/.rubocop.yml

@@ -0,0 +1,3 @@
+inherit_gem:
+  rubocop-github:
+    - config/default.yml

data/.ruby-version

@@ -1 +1 @@
-2.3.3
+2.4.1

data/.travis.yml

@@ -2,15 +2,17 @@ language: ruby
 
 rvm:
   - ruby-head
-  - 2.4.0
-  - 2.3.3
+  - 2.4.1
+  - 2.3.4
   - 2.2
-  - 2.1
-  - 2.0.0
-  - 1.9.3
-  - jruby-19mode
   - jruby-head
 
+env:
+  - SUITE=rspec spec
+  - SUITE=rubocop
+
+script: bundle exec $SUITE
+
 matrix:
   allow_failures:
     - rvm: jruby-head

data/CHANGELOG.md

@@ -1,38 +1,6 @@
-## 3.9.0
+## 4.x
 
-Fixes newline injection issue
-
-## 3.8.0
-
-Fixes semicolon injection issue reported by @mvgijssel see https://github.com/twitter/secure_headers/issues/418
-
-## 3.7.4
-
-Backport SameSite=None functionality into 3.x line
-
-## 3.7.3
-
-- Updates `Expect-CT` header to use a comma separator between directives, as specified in the most current spec.
-
-## 3.7.2
-
-- Adds support for `worker-src` CSP directive to 3.x line (https://github.com/twitter/secureheaders/pull/364)
-
-## 3.7.1
-
-Fix support for the sandbox attribute of CSP. `true` and `[]` represent the maximally restricted policy (`sandbox;`) and validate other values.
-
-## 3.7.0
-
-Adds support for the `Expect-CT` header (@jacobbednarz: https://github.com/twitter/secureheaders/pull/322)
-
-## 3.6.7
-
-Actually set manifest-src when configured. https://github.com/twitter/secureheaders/pull/339 Thanks @carlosantoniodasilva!
-
-## 3.6.6
-
-wat?
+- See the [upgrading to 4.0](upgrading-to-4.0.md) guide. Lots of breaking changes.
 
 ## 3.6.5
 

data/CONTRIBUTING.md

@@ -30,7 +30,7 @@ Here are a few things you can do that will increase the likelihood of your pull
 0. Ensure CI is green
 0. Pull the latest code
 0. Increment the version
-0. Run `gem build darrrr.gemspec`
+0. Run `gem build secure_headers.gemspec`
 0. Bump the Gemfile and Gemfile.lock versions for an app which relies on this gem
 0. Test behavior locally, branch deploy, whatever needs to happen
 0. Run `bundle exec rake release`

data/Gemfile

@@ -1,19 +1,22 @@
+# frozen_string_literal: true
 source "https://rubygems.org"
 
 gemspec
 
 group :test do
-  gem "tins", "~> 1.6.0" # 1.7 requires ruby 2.0
-  gem "pry-nav"
+  gem "coveralls"
   gem "json", "~> 1"
+  gem "pry-nav"
   gem "rack", "~> 1"
   gem "rspec"
-  gem "coveralls"
+  gem "rubocop", "~> 0.47.0"
+  gem "rubocop-github"
   gem "term-ansicolor", "< 1.4"
+  gem "tins", "~> 1.6.0" # 1.7 requires ruby 2.0
 end
 
 group :guard do
-  gem "guard-rspec", platforms: [:ruby_19, :ruby_20, :ruby_21, :ruby_22]
   gem "growl"
+  gem "guard-rspec", platforms: [:ruby_19, :ruby_20, :ruby_21, :ruby_22, :ruby_23, :ruby_24]
   gem "rb-fsevent"
 end

data/Guardfile

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 guard :rspec, cmd: "bundle exec rspec", all_on_start: true, all_after_pass: true do
   require "guard/rspec/dsl"
   dsl = Guard::RSpec::Dsl.new(self)

data/README.md

@@ -1,9 +1,10 @@
 # Secure Headers [![Build Status](https://travis-ci.org/twitter/secureheaders.svg?branch=master)](http://travis-ci.org/twitter/secureheaders) [![Code Climate](https://codeclimate.com/github/twitter/secureheaders.svg)](https://codeclimate.com/github/twitter/secureheaders) [![Coverage Status](https://coveralls.io/repos/twitter/secureheaders/badge.svg)](https://coveralls.io/r/twitter/secureheaders)
 
+**master represents the unreleased 4.x line**. See the [upgrading to 4.x doc](upgrading-to-4-0.md) for instructions on how to upgrade. Bug fixes should go in the 3.x branch for now.
 
-**The 3.x branch was recently merged**. See the [upgrading to 3.x doc](upgrading-to-3-0.md) for instructions on how to upgrade including the differences and benefits of using the 3.x branch.
+**The [3.x](https://github.com/twitter/secureheaders/tree/2.x) branch is moving into maintenance mode**. See the [upgrading to 3.x doc](upgrading-to-3-0.md) for instructions on how to upgrade including the differences and benefits of using the 3.x branch.
 
-**The [2.x branch](https://github.com/twitter/secureheaders/tree/2.x) will be maintained**. The documentation below only applies to the 3.x branch. See the 2.x [README](https://github.com/twitter/secureheaders/blob/2.x/README.md) for the old way of doing things.
+**The [2.x branch](https://github.com/twitter/secureheaders/tree/2.x) will be not be maintained once 4.x is released**. The documentation below only applies to the 3.x branch. See the 2.x [README](https://github.com/twitter/secureheaders/blob/2.x/README.md) for the old way of doing things.
 
 The gem will automatically apply several headers that are related to security.  This includes:
 - Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack.  [CSP 2 Specification](http://www.w3.org/TR/CSP2/)
@@ -18,7 +19,6 @@ The gem will automatically apply several headers that are related to security.
 - X-Permitted-Cross-Domain-Policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
 - Referrer-Policy - [Referrer Policy draft](https://w3c.github.io/webappsec-referrer-policy/)
 - Public Key Pinning - Pin certificate fingerprints in the browser to prevent man-in-the-middle attacks due to compromised Certificate Authorities. [Public Key Pinning Specification](https://tools.ietf.org/html/rfc7469)
-- Expect-CT - Only use certificates that are present in the certificate transparency logs. [Expect-CT draft specification](https://datatracker.ietf.org/doc/draft-stark-expect-ct/).
 - Clear-Site-Data - Clearing browser data for origin. [Clear-Site-Data specification](https://w3c.github.io/webappsec-clear-site-data/).
 
 It can also mark all http cookies with the Secure, HttpOnly and SameSite attributes (when configured to do so).
@@ -77,14 +77,8 @@ SecureHeaders::Configuration.default do |config|
     "storage",
     "executionContexts"
   ]
-  config.expect_certificate_transparency = {
-    enforce: false,
-    max_age: 1.day.to_i,
-    report_uri: "https://report-uri.io/example-ct"
-  }
   config.csp = {
-    # "meta" values. these will shaped the header, but the values are not included in the header.
-    # report_only: true,      # default: false [DEPRECATED from 3.5.0: instead, configure csp_report_only]
+    # "meta" values. these will shape the header, but the values are not included in the header.
     preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
 
     # directive values: these values will directly translate into source directives
@@ -103,7 +97,6 @@ SecureHeaders::Configuration.default do |config|
     plugin_types: %w(application/x-shockwave-flash),
     script_src: %w('self'),
     style_src: %w('unsafe-inline'),
-    worker_src: %w('self'),
     upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
     report_uri: %w(https://report-uri.io/example-csp)
   }
@@ -139,20 +132,6 @@ X-Permitted-Cross-Domain-Policies: none
 X-Xss-Protection: 1; mode=block
 ```
 
-### Default CSP
-
-By default, the above CSP will be applied to all requests. If you **only** want to set a Report-Only header, opt-out of the default enforced header for clarity. The configuration will assume that if you only supply `csp_report_only` that you intended to opt-out of `csp` but that's for the sake of backwards compatibility and it will be removed in the future.
-
-```ruby
-Configuration.default do |config|
-  config.csp = SecureHeaders::OPT_OUT # If this line is omitted, we will assume you meant to opt out.
-  config.csp_report_only = {
-    default_src: %w('self')
-  }
-end
-```
-
-
 ## Similar libraries
 
 * Rack [rack-secure_headers](https://github.com/frodsan/rack-secure_headers)

data/Rakefile

@@ -1,28 +1,32 @@
 #!/usr/bin/env rake
-require 'bundler/gem_tasks'
-require 'rspec/core/rake_task'
-require 'net/http'
-require 'net/https'
+# frozen_string_literal: true
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+require "net/http"
+require "net/https"
 
-desc "Run RSpec"
-RSpec::Core::RakeTask.new do |t|
-  t.verbose = false
-  t.rspec_opts = "--format progress"
-end
-
-task default: :spec
+RSpec::Core::RakeTask.new
 
 begin
-  require 'rdoc/task'
+  require "rdoc/task"
 rescue LoadError
-  require 'rdoc/rdoc'
-  require 'rake/rdoctask'
+  require "rdoc/rdoc"
+  require "rake/rdoctask"
   RDoc::Task = Rake::RDocTask
 end
 
+begin
+  require "rubocop/rake_task"
+  RuboCop::RakeTask.new
+rescue LoadError
+  task(:rubocop) { $stderr.puts "RuboCop is disabled" }
+end
+
 RDoc::Task.new(:rdoc) do |rdoc|
-  rdoc.rdoc_dir = 'rdoc'
-  rdoc.title    = 'SecureHeaders'
-  rdoc.options << '--line-numbers'
-  rdoc.rdoc_files.include('lib/**/*.rb')
+  rdoc.rdoc_dir = "rdoc"
+  rdoc.title    = "SecureHeaders"
+  rdoc.options << "--line-numbers"
+  rdoc.rdoc_files.include("lib/**/*.rb")
 end
+
+task default: [:spec, :rubocop]

data/docs/cookies.md

@@ -4,14 +4,28 @@ SecureHeaders supports `Secure`, `HttpOnly` and [`SameSite`](https://tools.ietf.
 
 __Note__: Regardless of the configuration specified, Secure cookies are only enabled for HTTPS requests.
 
+#### Defaults
+
+By default, all cookies will get both `Secure`, `HttpOnly`, and `SameSite=Lax`.
+
+```ruby
+config.cookies = {
+  secure: true, # defaults to true but will be a no op on non-HTTPS requests
+  httponly: true, # defaults to true
+  samesite: {  # defaults to set `SameSite=Lax`
+    lax: true
+  }
+}
+```
+
 #### Boolean-based configuration
 
-Boolean-based configuration is intended to globally enable or disable a specific cookie attribute.
+Boolean-based configuration is intended to globally enable or disable a specific cookie attribute. *Note: As of 4.0, you must use OPT_OUT rather than false to opt out of the defaults.*
 
 ```ruby
 config.cookies = {
   secure: true, # mark all cookies as Secure
-  httponly: false, # do not mark any cookies as HttpOnly
+  httponly: OPT_OUT, # do not mark any cookies as HttpOnly
 }
 ```
 
@@ -38,14 +52,13 @@ config.cookies = {
 }
 ```
 
-`Strict`, `Lax`, and `None` enforcement modes can also be specified using a Hash.
+`Strict` and `Lax` enforcement modes can also be specified using a Hash.
 
 ```ruby
 config.cookies = {
   samesite: {
     strict: { only: ['_rails_session'] },
-    lax: { only: ['_guest'] },
-    none: { only: ['_tracking'] },
+    lax: { only: ['_guest'] }
   }
 }
 ```

data/lib/secure_headers.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require "secure_headers/configuration"
 require "secure_headers/hash_helper"
 require "secure_headers/headers/cookie"
@@ -11,7 +12,6 @@ require "secure_headers/headers/x_download_options"
 require "secure_headers/headers/x_permitted_cross_domain_policies"
 require "secure_headers/headers/referrer_policy"
 require "secure_headers/headers/clear_site_data"
-require "secure_headers/headers/expect_certificate_transparency"
 require "secure_headers/middleware"
 require "secure_headers/railtie"
 require "secure_headers/view_helper"
@@ -52,7 +52,6 @@ module SecureHeaders
   CSP = ContentSecurityPolicy
 
   ALL_HEADER_CLASSES = [
-    ExpectCertificateTransparency,
     ClearSiteData,
     ContentSecurityPolicyConfig,
     ContentSecurityPolicyReportOnlyConfig,

data/lib/secure_headers/configuration.rb

@@ -1,4 +1,5 @@
-require 'yaml'
+# frozen_string_literal: true
+require "yaml"
 
 module SecureHeaders
   class Configuration
@@ -116,7 +117,7 @@ module SecureHeaders
 
     attr_writer :hsts, :x_frame_options, :x_content_type_options,
       :x_xss_protection, :x_download_options, :x_permitted_cross_domain_policies,
-      :referrer_policy, :clear_site_data, :expect_certificate_transparency
+      :referrer_policy, :clear_site_data
 
     attr_reader :cached_headers, :csp, :cookies, :csp_report_only, :hpkp, :hpkp_report_host
 
@@ -143,7 +144,6 @@ module SecureHeaders
       @x_frame_options = nil
       @x_permitted_cross_domain_policies = nil
       @x_xss_protection = nil
-      @expect_certificate_transparency = nil
 
       self.hpkp = OPT_OUT
       self.referrer_policy = OPT_OUT
@@ -169,7 +169,6 @@ module SecureHeaders
       copy.x_download_options = @x_download_options
       copy.x_permitted_cross_domain_policies = @x_permitted_cross_domain_policies
       copy.clear_site_data = @clear_site_data
-      copy.expect_certificate_transparency = @expect_certificate_transparency
       copy.referrer_policy = @referrer_policy
       copy.hpkp = @hpkp
       copy.hpkp_report_host = @hpkp_report_host
@@ -202,14 +201,12 @@ module SecureHeaders
       XDownloadOptions.validate_config!(@x_download_options)
       XPermittedCrossDomainPolicies.validate_config!(@x_permitted_cross_domain_policies)
       ClearSiteData.validate_config!(@clear_site_data)
-      ExpectCertificateTransparency.validate_config!(@expect_certificate_transparency)
       PublicKeyPins.validate_config!(@hpkp)
       Cookie.validate_config!(@cookies)
     end
 
     def secure_cookies=(secure_cookies)
-      Kernel.warn "#{Kernel.caller.first}: [DEPRECATION] `#secure_cookies=` is deprecated. Please use `#cookies=` to configure secure cookies instead."
-      @cookies = (@cookies || {}).merge(secure: secure_cookies)
+      raise ArgumentError, "#{Kernel.caller.first}: `#secure_cookies=` is no longer supported. Please use `#cookies=` to configure secure cookies instead."
     end
 
     def csp=(new_csp)
@@ -217,10 +214,8 @@ module SecureHeaders
         @csp = new_csp.dup
       else
         if new_csp[:report_only]
-          # Deprecated configuration implies that CSPRO should be set, CSP should not - so opt out
-          Kernel.warn "#{Kernel.caller.first}: [DEPRECATION] `#csp=` was supplied a config with report_only: true. Use #csp_report_only="
-          @csp = OPT_OUT
-          self.csp_report_only = new_csp
+          # invalid configuration implies that CSPRO should be set, CSP should not - so opt out
+          raise ArgumentError, "#{Kernel.caller.first}: `#csp=` was supplied a config with report_only: true. Use #csp_report_only="
         else
           @csp = ContentSecurityPolicyConfig.new(new_csp)
         end
@@ -247,11 +242,6 @@ module SecureHeaders
           end
         end
       end
-
-      if !@csp_report_only.opt_out? && @csp.to_h == ContentSecurityPolicyConfig::DEFAULT
-        Kernel.warn "#{Kernel.caller.first}: [DEPRECATION] `#csp_report_only=` was configured before `#csp=`. It is assumed you intended to opt out of `#csp=` so be sure to add `config.csp = SecureHeaders::OPT_OUT` to your config. Ensure that #csp_report_only is configured after #csp="
-        @csp = OPT_OUT
-      end
     end
 
     protected

data/lib/secure_headers/hash_helper.rb

@@ -1,4 +1,5 @@
-require 'base64'
+# frozen_string_literal: true
+require "base64"
 
 module SecureHeaders
   module HashHelper

data/lib/secure_headers/headers/clear_site_data.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module SecureHeaders
   class ClearSiteDataConfigError < StandardError; end
   class ClearSiteData
@@ -16,7 +17,7 @@ module SecureHeaders
       # Public: make an Clear-Site-Data header name, value pair
       #
       # Returns nil if not configured, returns header name and value if configured.
-      def make_header(config=nil)
+      def make_header(config = nil)
         case config
         when nil, OPT_OUT, []
           # noop

data/lib/secure_headers/headers/content_security_policy.rb

@@ -1,6 +1,7 @@
-require_relative 'policy_management'
-require_relative 'content_security_policy_config'
-require 'useragent'
+# frozen_string_literal: true
+require_relative "policy_management"
+require_relative "content_security_policy_config"
+require "useragent"
 
 module SecureHeaders
   class ContentSecurityPolicy
@@ -54,18 +55,12 @@ module SecureHeaders
 
     private
 
-    # frame-src is deprecated, child-src is being implemented. They are
-    # very similar and in most cases, the same value can be used for both.
     def normalize_child_frame_src
       if @config.frame_src && @config.child_src && @config.frame_src != @config.child_src
-        Kernel.warn("#{Kernel.caller.first}: [DEPRECATION] both :child_src and :frame_src supplied and do not match. This can lead to inconsistent behavior across browsers.")
+        raise ArgumentError, "#{Kernel.caller.first}: both :child_src and :frame_src supplied and do not match. This can lead to inconsistent behavior across browsers."
       end
 
-      if supported_directives.include?(:child_src)
-        @config.child_src || @config.frame_src
-      else
-        @config.frame_src || @config.child_src
-      end
+      @config.frame_src || @config.child_src
     end
 
     # Private: converts the config object into a string representing a policy.
@@ -80,55 +75,20 @@ module SecureHeaders
         case DIRECTIVE_VALUE_TYPES[directive_name]
         when :boolean
           symbol_to_hyphen_case(directive_name) if @config.directive_value(directive_name)
-        when :sandbox_list
-          build_sandbox_list_directive(directive_name)
-        when :media_type_list
-          build_media_type_list_directive(directive_name)
-        when :source_list
-          build_source_list_directive(directive_name)
+        when :string
+          [symbol_to_hyphen_case(directive_name), @config.directive_value(directive_name)].join(" ")
+        else
+          build_directive(directive_name)
         end
       end.compact.join("; ")
     end
 
-    def build_sandbox_list_directive(directive)
-      return unless sandbox_list = @config.directive_value(directive)
-      max_strict_policy = case sandbox_list
-      when Array
-        sandbox_list.empty?
-      when true
-        true
-      else
-        false
-      end
-
-      # A maximally strict sandbox policy is just the `sandbox` directive,
-      # whith no configuraiton values.
-      if max_strict_policy
-        symbol_to_hyphen_case(directive)
-      elsif sandbox_list && sandbox_list.any?
-        [
-          symbol_to_hyphen_case(directive),
-          sandbox_list.uniq
-        ].join(" ")
-      end
-    end
-
-    def build_media_type_list_directive(directive)
-      return unless media_type_list = @config.directive_value(directive)
-      if media_type_list && media_type_list.any?
-        [
-          symbol_to_hyphen_case(directive),
-          media_type_list.uniq
-        ].join(" ")
-      end
-    end
-
     # Private: builds a string that represents one directive in a minified form.
     #
     # directive_name - a symbol representing the various ALL_DIRECTIVES
     #
     # Returns a string representing a directive.
-    def build_source_list_directive(directive)
+    def build_directive(directive)
       source_list = case directive
       when :child_src
         if supported_directives.include?(:child_src)
@@ -142,14 +102,8 @@ module SecureHeaders
         @config.directive_value(directive)
       end
       return unless source_list && source_list.any?
-      normalized_source_list = minify_source_list(directive, source_list).join(" ")
-
-      if normalized_source_list =~ /(\n|;)/
-        Kernel.warn("#{directive} contains a #{$1} in #{normalized_source_list.inspect} which will raise an error in future versions. It has been replaced with a blank space.")
-      end
-      escaped_source_list = normalized_source_list.gsub(/[\n;]/, " ")
-
-      [symbol_to_hyphen_case(directive), escaped_source_list].join(" ").strip
+      normalized_source_list = minify_source_list(directive, source_list)
+      [symbol_to_hyphen_case(directive), normalized_source_list].join(" ")
     end
 
     # If a directive contains *, all other values are omitted.
@@ -270,7 +224,7 @@ module SecureHeaders
     end
 
     def symbol_to_hyphen_case(sym)
-      sym.to_s.tr('_', '-')
+      sym.to_s.tr("_", "-")
     end
   end
 end