secure_headers 5.0.3 → 5.0.4
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of secure_headers might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/.ruby-version +1 -1
- data/.travis.yml +3 -3
- data/CHANGELOG.md +4 -0
- data/Gemfile +5 -5
- data/docs/per_action_configuration.md +3 -1
- data/lib/secure_headers/configuration.rb +1 -1
- data/lib/secure_headers/view_helper.rb +27 -3
- data/secure_headers.gemspec +2 -2
- data/spec/lib/secure_headers/view_helpers_spec.rb +15 -7
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: d30a295775010a197058029cc447bdf51ad1f93e
|
|
4
|
+
data.tar.gz: 79a4928de6fe2508ebdfed92cfe36ba1d70cdce8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 206573552433a49370adf984f538091ac3bd4c2e6ee0ba521f949762e145259725a3938ab2ec5124b5556fdd1502388ac8dd7e8d5fcc947c9f96e3ed78947cfa
|
|
7
|
+
data.tar.gz: c53aab77376ad2d8fac21c2d684cc02dcf14322cd51591d7048f0865315a60b6266ce7f066651040b8d626adf311101e31b2b1690ce1e3b18190ea42f90f24ac
|
data/.ruby-version
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
2.4.
|
|
1
|
+
2.4.2
|
data/.travis.yml
CHANGED
data/CHANGELOG.md
CHANGED
data/Gemfile
CHANGED
|
@@ -5,14 +5,14 @@ gemspec
|
|
|
5
5
|
|
|
6
6
|
group :test do
|
|
7
7
|
gem "coveralls"
|
|
8
|
-
gem "json"
|
|
8
|
+
gem "json"
|
|
9
9
|
gem "pry-nav"
|
|
10
|
-
gem "rack"
|
|
10
|
+
gem "rack"
|
|
11
11
|
gem "rspec"
|
|
12
|
-
gem "rubocop"
|
|
12
|
+
gem "rubocop"
|
|
13
13
|
gem "rubocop-github"
|
|
14
|
-
gem "term-ansicolor"
|
|
15
|
-
gem "tins"
|
|
14
|
+
gem "term-ansicolor"
|
|
15
|
+
gem "tins"
|
|
16
16
|
end
|
|
17
17
|
|
|
18
18
|
group :guard do
|
|
@@ -72,6 +72,8 @@ body {
|
|
|
72
72
|
<%= nonced_javascript_pack_tag "pack.js" %>
|
|
73
73
|
|
|
74
74
|
<%= nonced_stylesheet_link_tag "link.css" %>
|
|
75
|
+
|
|
76
|
+
<%= nonced_stylesheet_pack_tag "pack.css" %>
|
|
75
77
|
```
|
|
76
78
|
|
|
77
79
|
becomes:
|
|
@@ -136,4 +138,4 @@ end
|
|
|
136
138
|
class SessionsController < ApplicationController
|
|
137
139
|
after_action :clear_browser_cache, only: :destroy
|
|
138
140
|
end
|
|
139
|
-
```
|
|
141
|
+
```
|
|
@@ -308,7 +308,7 @@ module SecureHeaders
|
|
|
308
308
|
def generate_csp_headers_for_config(headers, header_key, csp_config)
|
|
309
309
|
unless csp_config.opt_out?
|
|
310
310
|
headers[header_key] = {}
|
|
311
|
-
ContentSecurityPolicy::VARIATIONS.
|
|
311
|
+
ContentSecurityPolicy::VARIATIONS.each_key do |name|
|
|
312
312
|
csp = ContentSecurityPolicy.make_header(csp_config, UserAgent.parse(name))
|
|
313
313
|
headers[header_key][name] = csp.freeze
|
|
314
314
|
end
|
|
@@ -19,7 +19,9 @@ module SecureHeaders
|
|
|
19
19
|
#
|
|
20
20
|
# Returns an html-safe link tag with the nonce attribute.
|
|
21
21
|
def nonced_stylesheet_link_tag(*args, &block)
|
|
22
|
-
|
|
22
|
+
opts = extract_options(args).merge(nonce: content_security_policy_nonce(:style))
|
|
23
|
+
|
|
24
|
+
stylesheet_link_tag(*args, opts, &block)
|
|
23
25
|
end
|
|
24
26
|
|
|
25
27
|
# Public: create a script tag using the content security policy nonce.
|
|
@@ -35,7 +37,9 @@ module SecureHeaders
|
|
|
35
37
|
#
|
|
36
38
|
# Returns an html-safe script tag with the nonce attribute.
|
|
37
39
|
def nonced_javascript_include_tag(*args, &block)
|
|
38
|
-
|
|
40
|
+
opts = extract_options(args).merge(nonce: content_security_policy_nonce(:script))
|
|
41
|
+
|
|
42
|
+
javascript_include_tag(*args, opts, &block)
|
|
39
43
|
end
|
|
40
44
|
|
|
41
45
|
# Public: create a script Webpacker pack tag using the content security policy nonce.
|
|
@@ -43,7 +47,19 @@ module SecureHeaders
|
|
|
43
47
|
#
|
|
44
48
|
# Returns an html-safe script tag with the nonce attribute.
|
|
45
49
|
def nonced_javascript_pack_tag(*args, &block)
|
|
46
|
-
|
|
50
|
+
opts = extract_options(args).merge(nonce: content_security_policy_nonce(:script))
|
|
51
|
+
|
|
52
|
+
javascript_pack_tag(*args, opts, &block)
|
|
53
|
+
end
|
|
54
|
+
|
|
55
|
+
# Public: create a stylesheet Webpacker link tag using the content security policy nonce.
|
|
56
|
+
# Instructs secure_headers to append a nonce to style-src directive.
|
|
57
|
+
#
|
|
58
|
+
# Returns an html-safe link tag with the nonce attribute.
|
|
59
|
+
def nonced_stylesheet_pack_tag(*args, &block)
|
|
60
|
+
opts = extract_options(args).merge(nonce: content_security_policy_nonce(:style))
|
|
61
|
+
|
|
62
|
+
stylesheet_pack_tag(*args, opts, &block)
|
|
47
63
|
end
|
|
48
64
|
|
|
49
65
|
# Public: use the content security policy nonce for this request directly.
|
|
@@ -138,6 +154,14 @@ module SecureHeaders
|
|
|
138
154
|
end
|
|
139
155
|
content_tag type, content, options.merge(nonce: content_security_policy_nonce(type))
|
|
140
156
|
end
|
|
157
|
+
|
|
158
|
+
def extract_options(args)
|
|
159
|
+
if args.last.is_a? Hash
|
|
160
|
+
args.pop
|
|
161
|
+
else
|
|
162
|
+
{}
|
|
163
|
+
end
|
|
164
|
+
end
|
|
141
165
|
end
|
|
142
166
|
end
|
|
143
167
|
|
data/secure_headers.gemspec
CHANGED
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
Gem::Specification.new do |gem|
|
|
4
4
|
gem.name = "secure_headers"
|
|
5
|
-
gem.version = "5.0.
|
|
5
|
+
gem.version = "5.0.4"
|
|
6
6
|
gem.authors = ["Neil Matatall"]
|
|
7
7
|
gem.email = ["neil.matatall@gmail.com"]
|
|
8
8
|
gem.description = "Manages application of security headers with many safe defaults."
|
|
@@ -22,7 +22,7 @@ Gem::Specification.new do |gem|
|
|
|
22
22
|
gem.post_install_message = <<-POST_INSTALL
|
|
23
23
|
|
|
24
24
|
**********
|
|
25
|
-
:wave: secure_headers 5.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-
|
|
25
|
+
:wave: secure_headers 5.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-5-0.md
|
|
26
26
|
**********
|
|
27
27
|
|
|
28
28
|
POST_INSTALL
|
|
@@ -39,11 +39,13 @@ class Message < ERB
|
|
|
39
39
|
}
|
|
40
40
|
</style>
|
|
41
41
|
|
|
42
|
-
<%= nonced_javascript_include_tag "include.js" %>
|
|
42
|
+
<%= nonced_javascript_include_tag "include.js", defer: true %>
|
|
43
43
|
|
|
44
|
-
<%= nonced_javascript_pack_tag "pack.js" %>
|
|
44
|
+
<%= nonced_javascript_pack_tag "pack.js", "otherpack.js", defer: true %>
|
|
45
45
|
|
|
46
|
-
<%= nonced_stylesheet_link_tag "link.css" %>
|
|
46
|
+
<%= nonced_stylesheet_link_tag "link.css", media: :all %>
|
|
47
|
+
|
|
48
|
+
<%= nonced_stylesheet_pack_tag "pack.css", "otherpack.css", media: :all %>
|
|
47
49
|
|
|
48
50
|
TEMPLATE
|
|
49
51
|
end
|
|
@@ -70,16 +72,22 @@ TEMPLATE
|
|
|
70
72
|
"<#{type}#{options}>#{content}</#{type}>"
|
|
71
73
|
end
|
|
72
74
|
|
|
73
|
-
def javascript_include_tag(
|
|
74
|
-
|
|
75
|
+
def javascript_include_tag(*sources, **options)
|
|
76
|
+
sources.map do |source|
|
|
77
|
+
content_tag(:script, nil, options.merge(src: source))
|
|
78
|
+
end
|
|
75
79
|
end
|
|
76
80
|
|
|
77
81
|
alias_method :javascript_pack_tag, :javascript_include_tag
|
|
78
82
|
|
|
79
|
-
def stylesheet_link_tag(
|
|
80
|
-
|
|
83
|
+
def stylesheet_link_tag(*sources, **options)
|
|
84
|
+
sources.map do |source|
|
|
85
|
+
content_tag(:link, nil, options.merge(href: source, rel: "stylesheet", media: "screen"))
|
|
86
|
+
end
|
|
81
87
|
end
|
|
82
88
|
|
|
89
|
+
alias_method :stylesheet_pack_tag, :stylesheet_link_tag
|
|
90
|
+
|
|
83
91
|
def result
|
|
84
92
|
super(binding)
|
|
85
93
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 5.0.
|
|
4
|
+
version: 5.0.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-
|
|
11
|
+
date: 2017-12-05 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|
|
@@ -117,7 +117,7 @@ metadata: {}
|
|
|
117
117
|
post_install_message: |2+
|
|
118
118
|
|
|
119
119
|
**********
|
|
120
|
-
:wave: secure_headers 5.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-
|
|
120
|
+
:wave: secure_headers 5.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-5-0.md
|
|
121
121
|
**********
|
|
122
122
|
|
|
123
123
|
rdoc_options: []
|
|
@@ -135,7 +135,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
135
135
|
version: '0'
|
|
136
136
|
requirements: []
|
|
137
137
|
rubyforge_project:
|
|
138
|
-
rubygems_version: 2.6.
|
|
138
|
+
rubygems_version: 2.6.13
|
|
139
139
|
signing_key:
|
|
140
140
|
specification_version: 4
|
|
141
141
|
summary: Add easily configured security headers to responses including content-security-policy,
|