secure_headers 5.0.3 → 5.0.4





checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: fd26137e6127e709c13eadb6b16969d87ff354d2
4
- data.tar.gz: 3cfc345eec36d83dc0186c4b0a41f61145e432df
3
+ metadata.gz: d30a295775010a197058029cc447bdf51ad1f93e
4
+ data.tar.gz: 79a4928de6fe2508ebdfed92cfe36ba1d70cdce8
5
5
  SHA512:
6
- metadata.gz: 9353e1023fa74152d817162f800e13570c58541b79fc16705b0f143876300838cde65af0c7d06a9286c39a69a33ba42d04c8ef0fad60824e7efcf2a33baf460b
7
- data.tar.gz: b0e99964050e7a31ae32069832dcb32eac00f536dae6301e4e7504970db2d64a243549fa1cf53b50f5246913043c39f78dd347f695651b54a3d1bb1aa30b9daa
6
+ metadata.gz: 206573552433a49370adf984f538091ac3bd4c2e6ee0ba521f949762e145259725a3938ab2ec5124b5556fdd1502388ac8dd7e8d5fcc947c9f96e3ed78947cfa
7
+ data.tar.gz: c53aab77376ad2d8fac21c2d684cc02dcf14322cd51591d7048f0865315a60b6266ce7f066651040b8d626adf311101e31b2b1690ce1e3b18190ea42f90f24ac
@@ -1 +1 @@
1
- 2.4.1
1
+ 2.4.2
@@ -2,9 +2,9 @@ language: ruby
2
2
 
3
3
  rvm:
4
4
  - ruby-head
5
- - 2.4.1
6
- - 2.3.4
7
- - 2.2
5
+ - 2.4.2
6
+ - 2.3.5
7
+ - 2.2.8
8
8
  - jruby-head
9
9
 
10
10
  env:
@@ -1,3 +1,7 @@
1
+ ## 5.0.4
2
+
3
+ - Adds support for `nonced_stylesheet_pack_tag` #373 (@paulfri)
4
+
1
5
  ## 5.0.3
2
6
 
3
7
  - Add nonced versions of Rails link/include tags #372 (@steveh)
data/Gemfile CHANGED
@@ -5,14 +5,14 @@ gemspec
5
5
 
6
6
  group :test do
7
7
  gem "coveralls"
8
- gem "json", "~> 1"
8
+ gem "json"
9
9
  gem "pry-nav"
10
- gem "rack", "~> 1"
10
+ gem "rack"
11
11
  gem "rspec"
12
- gem "rubocop", "~> 0.47.0"
12
+ gem "rubocop"
13
13
  gem "rubocop-github"
14
- gem "term-ansicolor", "< 1.4"
15
- gem "tins", "~> 1.6.0" # 1.7 requires ruby 2.0
14
+ gem "term-ansicolor"
15
+ gem "tins"
16
16
  end
17
17
 
18
18
  group :guard do
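Review bot: Removing every upper bound in the `:test` group (new lines 8–15: json, rack, rubocop, term-ansicolor, tins) makes CI resolution non-reproducible, since a gem normally ships no Gemfile.lock and each build picks whatever the newest release is. For rubocop in particular a new minor release routinely adds or renames cops, so the lint step can start failing with no change in this repository; keeping a pessimistic constraint such as `gem "rubocop", "~> <current minor>"` (placeholder for the version in use) still allows patch updates without that risk. The same applies, less urgently, to `rack` now that the `~> 1` bound is gone and rack 2 can be resolved; if that is intended, a one-line comment saying so would help the next reader. Dropping the `tins` pin together with its "1.7 requires ruby 2.0" comment is consistent with the 2.2+ matrix in this release's .travis.yml.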
@@ -72,6 +72,8 @@ body {
72
72
  <%= nonced_javascript_pack_tag "pack.js" %>
73
73
 
74
74
  <%= nonced_stylesheet_link_tag "link.css" %>
75
+
76
+ <%= nonced_stylesheet_pack_tag "pack.css" %>
75
77
  ```
76
78
 
77
79
  becomes:
@@ -136,4 +138,4 @@ end
136
138
  class SessionsController < ApplicationController
137
139
  after_action :clear_browser_cache, only: :destroy
138
140
  end
139
- ```
141
+ ```
@@ -308,7 +308,7 @@ module SecureHeaders
308
308
  def generate_csp_headers_for_config(headers, header_key, csp_config)
309
309
  unless csp_config.opt_out?
310
310
  headers[header_key] = {}
311
- ContentSecurityPolicy::VARIATIONS.each do |name, _|
311
+ ContentSecurityPolicy::VARIATIONS.each_key do |name|
312
312
  csp = ContentSecurityPolicy.make_header(csp_config, UserAgent.parse(name))
313
313
  headers[header_key][name] = csp.freeze
314
314
  end
@@ -19,7 +19,9 @@ module SecureHeaders
19
19
  #
20
20
  # Returns an html-safe link tag with the nonce attribute.
21
21
  def nonced_stylesheet_link_tag(*args, &block)
22
- stylesheet_link_tag(*args, nonce: content_security_policy_nonce(:style), &block)
22
+ opts = extract_options(args).merge(nonce: content_security_policy_nonce(:style))
23
+
24
+ stylesheet_link_tag(*args, opts, &block)
23
25
  end
24
26
 
25
27
  # Public: create a script tag using the content security policy nonce.
@@ -35,7 +37,9 @@ module SecureHeaders
35
37
  #
36
38
  # Returns an html-safe script tag with the nonce attribute.
37
39
  def nonced_javascript_include_tag(*args, &block)
38
- javascript_include_tag(*args, nonce: content_security_policy_nonce(:script), &block)
40
+ opts = extract_options(args).merge(nonce: content_security_policy_nonce(:script))
41
+
42
+ javascript_include_tag(*args, opts, &block)
39
43
  end
40
44
 
41
45
  # Public: create a script Webpacker pack tag using the content security policy nonce.
@@ -43,7 +47,19 @@ module SecureHeaders
43
47
  #
44
48
  # Returns an html-safe script tag with the nonce attribute.
45
49
  def nonced_javascript_pack_tag(*args, &block)
46
- javascript_pack_tag(*args, nonce: content_security_policy_nonce(:script), &block)
50
+ opts = extract_options(args).merge(nonce: content_security_policy_nonce(:script))
51
+
52
+ javascript_pack_tag(*args, opts, &block)
53
+ end
54
+
55
+ # Public: create a stylesheet Webpacker link tag using the content security policy nonce.
56
+ # Instructs secure_headers to append a nonce to style-src directive.
57
+ #
58
+ # Returns an html-safe link tag with the nonce attribute.
59
+ def nonced_stylesheet_pack_tag(*args, &block)
60
+ opts = extract_options(args).merge(nonce: content_security_policy_nonce(:style))
61
+
62
+ stylesheet_pack_tag(*args, opts, &block)
47
63
  end
48
64
 
49
65
  # Public: use the content security policy nonce for this request directly.
@@ -138,6 +154,14 @@ module SecureHeaders
138
154
  end
139
155
  content_tag type, content, options.merge(nonce: content_security_policy_nonce(type))
140
156
  end
157
+
158
+ def extract_options(args)
159
+ if args.last.is_a? Hash
160
+ args.pop
161
+ else
162
+ {}
163
+ end
164
+ end
141
165
  end
142
166
  end
143
167
 
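Review bot: `extract_options` (new lines 158–164) is added as an ordinary instance method of a module that is included into the view, so unless an earlier `private` marker outside this hunk already covers it, it becomes a public view helper and can collide with an application's own `extract_options`; put `private` on the line before `def extract_options(args)` (or use ActiveSupport's `args.extract_options!` if that dependency is guaranteed here). It also deserves a short comment in the file's `# Public:` style, e.g. `# Internal: pops a trailing options Hash off args (mutating args) so the CSP nonce can be merged into it; returns {} when none is present.` The four callers in the hunks above (`nonced_stylesheet_link_tag`, `nonced_javascript_include_tag`, `nonced_javascript_pack_tag`, `nonced_stylesheet_pack_tag`) all call `.merge(nonce: content_security_policy_nonce(...))` after extraction, which means a caller-supplied `:nonce` is always replaced by the request's CSP nonce; that is the right behaviour for keeping the attribute in sync with the header, but it is worth stating in one comment on the helper so nobody later "fixes" the merge order. A string-keyed `"nonce"` option would not be replaced by that symbol-keyed merge; whether the tag builder then emits two attributes I can't tell from here. The enclosing `module SecureHeaders` starts outside this hunk.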
@@ -2,7 +2,7 @@
2
2
  # frozen_string_literal: true
3
3
  Gem::Specification.new do |gem|
4
4
  gem.name = "secure_headers"
5
- gem.version = "5.0.3"
5
+ gem.version = "5.0.4"
6
6
  gem.authors = ["Neil Matatall"]
7
7
  gem.email = ["neil.matatall@gmail.com"]
8
8
  gem.description = "Manages application of security headers with many safe defaults."
@@ -22,7 +22,7 @@ Gem::Specification.new do |gem|
22
22
  gem.post_install_message = <<-POST_INSTALL
23
23
 
24
24
  **********
25
- :wave: secure_headers 5.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-4-0.md https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-4-0.md
25
+ :wave: secure_headers 5.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-5-0.md
26
26
  **********
27
27
 
28
28
  POST_INSTALL
@@ -39,11 +39,13 @@ class Message < ERB
39
39
  }
40
40
  </style>
41
41
 
42
- <%= nonced_javascript_include_tag "include.js" %>
42
+ <%= nonced_javascript_include_tag "include.js", defer: true %>
43
43
 
44
- <%= nonced_javascript_pack_tag "pack.js" %>
44
+ <%= nonced_javascript_pack_tag "pack.js", "otherpack.js", defer: true %>
45
45
 
46
- <%= nonced_stylesheet_link_tag "link.css" %>
46
+ <%= nonced_stylesheet_link_tag "link.css", media: :all %>
47
+
48
+ <%= nonced_stylesheet_pack_tag "pack.css", "otherpack.css", media: :all %>
47
49
 
48
50
  TEMPLATE
49
51
  end
@@ -70,16 +72,22 @@ TEMPLATE
70
72
  "<#{type}#{options}>#{content}</#{type}>"
71
73
  end
72
74
 
73
- def javascript_include_tag(source, options = {})
74
- content_tag(:script, nil, options.merge(src: source))
75
+ def javascript_include_tag(*sources, **options)
76
+ sources.map do |source|
77
+ content_tag(:script, nil, options.merge(src: source))
78
+ end
75
79
  end
76
80
 
77
81
  alias_method :javascript_pack_tag, :javascript_include_tag
78
82
 
79
- def stylesheet_link_tag(source, options = {})
80
- content_tag(:link, nil, options.merge(href: source, rel: "stylesheet", media: "screen"))
83
+ def stylesheet_link_tag(*sources, **options)
84
+ sources.map do |source|
85
+ content_tag(:link, nil, options.merge(href: source, rel: "stylesheet", media: "screen"))
86
+ end
81
87
  end
82
88
 
89
+ alias_method :stylesheet_pack_tag, :stylesheet_link_tag
90
+
83
91
  def result
84
92
  super(binding)
85
93
  end
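Review bot: The test doubles `javascript_include_tag(*sources, **options)` and `stylesheet_link_tag(*sources, **options)` (new lines 75 and 83) accept options only as keywords, while the helpers under test pass them as a trailing positional Hash (`stylesheet_link_tag(*args, opts, &block)`). That passes on the 2.2–2.4 matrix because a trailing Hash is converted to keywords, but under Ruby 3's keyword-argument separation `opts` would be treated as a source, so the doubles would stop mirroring Rails' real `*sources` + `extract_options!` signature; writing them as `def stylesheet_link_tag(*sources)` with `options = sources.last.is_a?(Hash) ? sources.pop : {}` keeps the double faithful to what the helper actually calls. Note also that `sources.map do ... end` returns an Array rather than a joined string, so the ERB template interpolates the array's `to_s`; `.join("\n")` would resemble Rails' concatenated output more closely, though whether the spec's assertions depend on that I can't tell from this hunk. The `Message` class and `content_tag` start outside this hunk.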
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.0.3
4
+ version: 5.0.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - Neil Matatall
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-11-20 00:00:00.000000000 Z
11
+ date: 2017-12-05 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake
@@ -117,7 +117,7 @@ metadata: {}
117
117
  post_install_message: |2+
118
118
 
119
119
  **********
120
- :wave: secure_headers 5.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-4-0.md https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-4-0.md
120
+ :wave: secure_headers 5.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-5-0.md
121
121
  **********
122
122
 
123
123
  rdoc_options: []
@@ -135,7 +135,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
135
135
  version: '0'
136
136
  requirements: []
137
137
  rubyforge_project:
138
- rubygems_version: 2.6.11
138
+ rubygems_version: 2.6.13
139
139
  signing_key:
140
140
  specification_version: 4
141
141
  summary: Add easily configured security headers to responses including content-security-policy,