secure_headers 4.0.0.alpha01 → 4.0.0.alpha02





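--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
- metadata.gz: 1cfa800eacf250583e379d13a9149d585bc2f48d
- data.tar.gz: 3de8c81b1308ec9d1d53f822cff8eeb7e20b5af0
+ metadata.gz: c3e3971d0169ad3db917dbf0d64e26425c9e8252
+ data.tar.gz: 6fa1f1c7b0d36063a4be0a19549ced444d6f07b7
 SHA512:
- metadata.gz: 4c25ae5372ac00f74b0cae3b7de0a767a15b45f275bed64994c2cd7d078a2f0b52bdce562d14280984ad494fd008445d5d5448a3ac94694cd1f9778da3deeacc
- data.tar.gz: 6fab2c382ed56f9a63dd118a34b617fb82b4ee4e9ef55f37d78e134ec9068c9ee1022ba0a94991d0b7b82ea756d78132d3c0dfc909e66d4068acde4f6d2673ff
+ metadata.gz: d7f430815d9b49f0fdaf5c16854aab22d89f09721975a332769c9e0a2b055522a271a610fc8e8ec89614be286f4d4292e5b2105af61181a2670089f9fb42e58d
+ data.tar.gz: 044e9282dfc9c0a7b01c3ae4420c44781ffe460819e58d46b2eb7a9f08ba02a91937afed977c9ed13d4f9aad168e2d7b308108e9f977e5c515b6285b74a8f2b6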
@@ -101,9 +101,11 @@ module SecureHeaders
101
101
  else
102
102
  @config.directive_value(directive)
103
103
  end
104
- return unless source_list && source_list.any?
105
- normalized_source_list = minify_source_list(directive, source_list)
106
- [symbol_to_hyphen_case(directive), normalized_source_list].join(" ")
104
+
105
+ if source_list != OPT_OUT && source_list && source_list.any?
106
+ normalized_source_list = minify_source_list(directive, source_list)
107
+ [symbol_to_hyphen_case(directive), normalized_source_list].join(" ")
108
+ end
107
109
  end
108
110
 
109
111
  # If a directive contains *, all other values are omitted.
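Review bot: The `source_list != OPT_OUT` comparison added on new line 105 must stay first in the condition, because if OPT_OUT does not respond to `any?` (its definition is outside this hunk) reordering the operands would raise NoMethodError; that ordering constraint is not obvious and deserves a comment such as `# Check OPT_OUT before any?; an opted-out directive is omitted from the header and the browser resolves it from default-src`. Replacing the previous guard clause with a nested `if` also changes the method's shape without changing what it does; the same behaviour reads better as `return if source_list == OPT_OUT || !source_list&.any?` followed by the two original lines at the method's indentation. The enclosing method starts before the hunk.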
@@ -202,7 +202,10 @@ module SecureHeaders
202
202
  def validate_config!(config)
203
203
  return if config.nil? || config.opt_out?
204
204
  raise ContentSecurityPolicyConfigError.new(":default_src is required") unless config.directive_value(:default_src)
205
- raise ContentSecurityPolicyConfigError.new(":script_src is required, falling back to default-src is too dangerous") unless config.directive_value(:script_src)
205
+ if config.directive_value(:script_src).nil?
206
+ raise ContentSecurityPolicyConfigError.new(":script_src is required, falling back to default-src is too dangerous. Use `script_src: OPT_OUT` to override")
207
+ end
208
+
206
209
  ContentSecurityPolicyConfig.attrs.each do |key|
207
210
  value = config.directive_value(key)
208
211
  next unless value
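Review bot: Changing `unless config.directive_value(:script_src)` to `if config.directive_value(:script_src).nil?` on new line 205 narrows the check so that a falsy non-nil value such as `script_src: false` now passes validation; the per-directive loop below skips it via `next unless value`, and a falsy source list is dropped when the header is built, so the policy silently falls back to default-src for scripts, which is exactly the outcome the error message calls too dangerous. Unless OPT_OUT is itself falsy (its definition is outside the hunk), the original truthiness test already admits OPT_OUT, so the old `unless` condition can simply be kept. If OPT_OUT can be falsy, compare against it explicitly instead: `value = config.directive_value(:script_src)` and `raise ContentSecurityPolicyConfigError.new(...) unless value || value == OPT_OUT`. `validate_config!` continues past the end of the hunk.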
@@ -342,12 +345,13 @@ module SecureHeaders
342
345
  end
343
346
 
344
347
  def ensure_array_of_strings!(directive, source_expression)
345
- unless source_expression.is_a?(Array) && source_expression.compact.all? { |v| v.is_a?(String) }
348
+ if (!source_expression.is_a?(Array) || !source_expression.compact.all? { |v| v.is_a?(String) }) && source_expression != OPT_OUT
346
349
  raise ContentSecurityPolicyConfigError.new("#{directive} must be an array of strings")
347
350
  end
348
351
  end
349
352
 
350
353
  def ensure_valid_sources!(directive, source_expression)
354
+ return if source_expression == OPT_OUT
351
355
  source_expression.each do |expression|
352
356
  if ContentSecurityPolicy::DEPRECATED_SOURCE_VALUES.include?(expression)
353
357
  raise ContentSecurityPolicyConfigError.new("#{directive} contains an invalid keyword source (#{expression}). This value must be single quoted.")
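Review bot: The negated compound condition added on new line 348 of `ensure_array_of_strings!` is hard to read and inconsistent with `ensure_valid_sources!` a few lines below, which handles the same opt-out case with an early return. Prefer the same guard shape: insert `return if source_expression == OPT_OUT` as the first line of the method and leave the original `unless source_expression.is_a?(Array) && source_expression.compact.all? { |v| v.is_a?(String) }` untouched. That keeps the opt-out comparison, which does not depend on the value's type, separate from the type check, and makes the intent (an opted-out directive skips all source validation) visible at a glance in both methods.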
@@ -2,7 +2,7 @@
2
2
  # frozen_string_literal: true
3
3
  Gem::Specification.new do |gem|
4
4
  gem.name = "secure_headers"
5
- gem.version = "4.0.0.alpha01"
5
+ gem.version = "4.0.0.alpha02"
6
6
  gem.authors = ["Neil Matatall"]
7
7
  gem.email = ["neil.matatall@gmail.com"]
8
8
  gem.description = "Manages application of security headers with many safe defaults."
@@ -51,6 +51,11 @@ module SecureHeaders
51
51
  expect(csp.value).to eq("default-src example.org")
52
52
  end
53
53
 
54
+ it "does not build directives with a value of OPT_OUT (and bypasses directive requirements)" do
55
+ csp = ContentSecurityPolicy.new(default_src: %w(https://example.org), script_src: OPT_OUT)
56
+ expect(csp.value).to eq("default-src example.org")
57
+ end
58
+
54
59
  it "does not remove schemes from report-uri values" do
55
60
  csp = ContentSecurityPolicy.new(default_src: %w(https:), report_uri: %w(https://example.org))
56
61
  expect(csp.value).to eq("default-src https:; report-uri https://example.org")
@@ -57,6 +57,12 @@ module SecureHeaders
57
57
  end.to raise_error(ContentSecurityPolicyConfigError)
58
58
  end
59
59
 
60
+ it "accepts OPT_OUT as a script-src value" do
61
+ expect do
62
+ ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w('self'), script_src: OPT_OUT))
63
+ end.to_not raise_error
64
+ end
65
+
60
66
  it "requires :report_only to be a truthy value" do
61
67
  expect do
62
68
  ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(report_only: "steve")))
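Review bot: The new example on lines 60–64 covers only the accepting side of the `validate_config!` change; nothing pins that a falsy non-nil value such as `script_src: false` is still rejected, and with the switch to `.nil?` in the production hunk it would no longer be. Add the companion case `expect { ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_src: %w('self'), script_src: false)) }.to raise_error(ContentSecurityPolicyConfigError)` so that an accidental script-src fallback to default-src cannot slip past the validator unnoticed.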
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.0.0.alpha01
4
+ version: 4.0.0.alpha02
5
5
  platform: ruby
6
6
  authors:
7
7
  - Neil Matatall
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-07-24 00:00:00.000000000 Z
11
+ date: 2017-07-25 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake