secure_headers 5.0.3 → 5.0.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of secure_headers might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/.ruby-version +1 -1
- data/.travis.yml +3 -3
- data/CHANGELOG.md +4 -0
- data/Gemfile +5 -5
- data/docs/per_action_configuration.md +3 -1
- data/lib/secure_headers/configuration.rb +1 -1
- data/lib/secure_headers/view_helper.rb +27 -3
- data/secure_headers.gemspec +2 -2
- data/spec/lib/secure_headers/view_helpers_spec.rb +15 -7
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: d30a295775010a197058029cc447bdf51ad1f93e
|
|
4
|
+
data.tar.gz: 79a4928de6fe2508ebdfed92cfe36ba1d70cdce8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 206573552433a49370adf984f538091ac3bd4c2e6ee0ba521f949762e145259725a3938ab2ec5124b5556fdd1502388ac8dd7e8d5fcc947c9f96e3ed78947cfa
|
|
7
|
+
data.tar.gz: c53aab77376ad2d8fac21c2d684cc02dcf14322cd51591d7048f0865315a60b6266ce7f066651040b8d626adf311101e31b2b1690ce1e3b18190ea42f90f24ac
|
data/.ruby-version
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
2.4.
|
|
1
|
+
2.4.2
|
data/.travis.yml
CHANGED
data/CHANGELOG.md
CHANGED
data/Gemfile
CHANGED
|
@@ -5,14 +5,14 @@ gemspec
|
|
|
5
5
|
|
|
6
6
|
group :test do
|
|
7
7
|
gem "coveralls"
|
|
8
|
-
gem "json"
|
|
8
|
+
gem "json"
|
|
9
9
|
gem "pry-nav"
|
|
10
|
-
gem "rack"
|
|
10
|
+
gem "rack"
|
|
11
11
|
gem "rspec"
|
|
12
|
-
gem "rubocop"
|
|
12
|
+
gem "rubocop"
|
|
13
13
|
gem "rubocop-github"
|
|
14
|
-
gem "term-ansicolor"
|
|
15
|
-
gem "tins"
|
|
14
|
+
gem "term-ansicolor"
|
|
15
|
+
gem "tins"
|
|
16
16
|
end
|
|
17
17
|
|
|
18
18
|
group :guard do
|
|
@@ -72,6 +72,8 @@ body {
|
|
|
72
72
|
<%= nonced_javascript_pack_tag "pack.js" %>
|
|
73
73
|
|
|
74
74
|
<%= nonced_stylesheet_link_tag "link.css" %>
|
|
75
|
+
|
|
76
|
+
<%= nonced_stylesheet_pack_tag "pack.css" %>
|
|
75
77
|
```
|
|
76
78
|
|
|
77
79
|
becomes:
|
|
@@ -136,4 +138,4 @@ end
|
|
|
136
138
|
class SessionsController < ApplicationController
|
|
137
139
|
after_action :clear_browser_cache, only: :destroy
|
|
138
140
|
end
|
|
139
|
-
```
|
|
141
|
+
```
|
|
@@ -308,7 +308,7 @@ module SecureHeaders
|
|
|
308
308
|
def generate_csp_headers_for_config(headers, header_key, csp_config)
|
|
309
309
|
unless csp_config.opt_out?
|
|
310
310
|
headers[header_key] = {}
|
|
311
|
-
ContentSecurityPolicy::VARIATIONS.
|
|
311
|
+
ContentSecurityPolicy::VARIATIONS.each_key do |name|
|
|
312
312
|
csp = ContentSecurityPolicy.make_header(csp_config, UserAgent.parse(name))
|
|
313
313
|
headers[header_key][name] = csp.freeze
|
|
314
314
|
end
|
|
@@ -19,7 +19,9 @@ module SecureHeaders
|
|
|
19
19
|
#
|
|
20
20
|
# Returns an html-safe link tag with the nonce attribute.
|
|
21
21
|
def nonced_stylesheet_link_tag(*args, &block)
|
|
22
|
-
|
|
22
|
+
opts = extract_options(args).merge(nonce: content_security_policy_nonce(:style))
|
|
23
|
+
|
|
24
|
+
stylesheet_link_tag(*args, opts, &block)
|
|
23
25
|
end
|
|
24
26
|
|
|
25
27
|
# Public: create a script tag using the content security policy nonce.
|
|
@@ -35,7 +37,9 @@ module SecureHeaders
|
|
|
35
37
|
#
|
|
36
38
|
# Returns an html-safe script tag with the nonce attribute.
|
|
37
39
|
def nonced_javascript_include_tag(*args, &block)
|
|
38
|
-
|
|
40
|
+
opts = extract_options(args).merge(nonce: content_security_policy_nonce(:script))
|
|
41
|
+
|
|
42
|
+
javascript_include_tag(*args, opts, &block)
|
|
39
43
|
end
|
|
40
44
|
|
|
41
45
|
# Public: create a script Webpacker pack tag using the content security policy nonce.
|
|
@@ -43,7 +47,19 @@ module SecureHeaders
|
|
|
43
47
|
#
|
|
44
48
|
# Returns an html-safe script tag with the nonce attribute.
|
|
45
49
|
def nonced_javascript_pack_tag(*args, &block)
|
|
46
|
-
|
|
50
|
+
opts = extract_options(args).merge(nonce: content_security_policy_nonce(:script))
|
|
51
|
+
|
|
52
|
+
javascript_pack_tag(*args, opts, &block)
|
|
53
|
+
end
|
|
54
|
+
|
|
55
|
+
# Public: create a stylesheet Webpacker link tag using the content security policy nonce.
|
|
56
|
+
# Instructs secure_headers to append a nonce to style-src directive.
|
|
57
|
+
#
|
|
58
|
+
# Returns an html-safe link tag with the nonce attribute.
|
|
59
|
+
def nonced_stylesheet_pack_tag(*args, &block)
|
|
60
|
+
opts = extract_options(args).merge(nonce: content_security_policy_nonce(:style))
|
|
61
|
+
|
|
62
|
+
stylesheet_pack_tag(*args, opts, &block)
|
|
47
63
|
end
|
|
48
64
|
|
|
49
65
|
# Public: use the content security policy nonce for this request directly.
|
|
@@ -138,6 +154,14 @@ module SecureHeaders
|
|
|
138
154
|
end
|
|
139
155
|
content_tag type, content, options.merge(nonce: content_security_policy_nonce(type))
|
|
140
156
|
end
|
|
157
|
+
|
|
158
|
+
def extract_options(args)
|
|
159
|
+
if args.last.is_a? Hash
|
|
160
|
+
args.pop
|
|
161
|
+
else
|
|
162
|
+
{}
|
|
163
|
+
end
|
|
164
|
+
end
|
|
141
165
|
end
|
|
142
166
|
end
|
|
143
167
|
|
data/secure_headers.gemspec
CHANGED
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
Gem::Specification.new do |gem|
|
|
4
4
|
gem.name = "secure_headers"
|
|
5
|
-
gem.version = "5.0.
|
|
5
|
+
gem.version = "5.0.4"
|
|
6
6
|
gem.authors = ["Neil Matatall"]
|
|
7
7
|
gem.email = ["neil.matatall@gmail.com"]
|
|
8
8
|
gem.description = "Manages application of security headers with many safe defaults."
|
|
@@ -22,7 +22,7 @@ Gem::Specification.new do |gem|
|
|
|
22
22
|
gem.post_install_message = <<-POST_INSTALL
|
|
23
23
|
|
|
24
24
|
**********
|
|
25
|
-
:wave: secure_headers 5.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-
|
|
25
|
+
:wave: secure_headers 5.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-5-0.md
|
|
26
26
|
**********
|
|
27
27
|
|
|
28
28
|
POST_INSTALL
|
|
@@ -39,11 +39,13 @@ class Message < ERB
|
|
|
39
39
|
}
|
|
40
40
|
</style>
|
|
41
41
|
|
|
42
|
-
<%= nonced_javascript_include_tag "include.js" %>
|
|
42
|
+
<%= nonced_javascript_include_tag "include.js", defer: true %>
|
|
43
43
|
|
|
44
|
-
<%= nonced_javascript_pack_tag "pack.js" %>
|
|
44
|
+
<%= nonced_javascript_pack_tag "pack.js", "otherpack.js", defer: true %>
|
|
45
45
|
|
|
46
|
-
<%= nonced_stylesheet_link_tag "link.css" %>
|
|
46
|
+
<%= nonced_stylesheet_link_tag "link.css", media: :all %>
|
|
47
|
+
|
|
48
|
+
<%= nonced_stylesheet_pack_tag "pack.css", "otherpack.css", media: :all %>
|
|
47
49
|
|
|
48
50
|
TEMPLATE
|
|
49
51
|
end
|
|
@@ -70,16 +72,22 @@ TEMPLATE
|
|
|
70
72
|
"<#{type}#{options}>#{content}</#{type}>"
|
|
71
73
|
end
|
|
72
74
|
|
|
73
|
-
def javascript_include_tag(
|
|
74
|
-
|
|
75
|
+
def javascript_include_tag(*sources, **options)
|
|
76
|
+
sources.map do |source|
|
|
77
|
+
content_tag(:script, nil, options.merge(src: source))
|
|
78
|
+
end
|
|
75
79
|
end
|
|
76
80
|
|
|
77
81
|
alias_method :javascript_pack_tag, :javascript_include_tag
|
|
78
82
|
|
|
79
|
-
def stylesheet_link_tag(
|
|
80
|
-
|
|
83
|
+
def stylesheet_link_tag(*sources, **options)
|
|
84
|
+
sources.map do |source|
|
|
85
|
+
content_tag(:link, nil, options.merge(href: source, rel: "stylesheet", media: "screen"))
|
|
86
|
+
end
|
|
81
87
|
end
|
|
82
88
|
|
|
89
|
+
alias_method :stylesheet_pack_tag, :stylesheet_link_tag
|
|
90
|
+
|
|
83
91
|
def result
|
|
84
92
|
super(binding)
|
|
85
93
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 5.0.
|
|
4
|
+
version: 5.0.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-
|
|
11
|
+
date: 2017-12-05 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|
|
@@ -117,7 +117,7 @@ metadata: {}
|
|
|
117
117
|
post_install_message: |2+
|
|
118
118
|
|
|
119
119
|
**********
|
|
120
|
-
:wave: secure_headers 5.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-
|
|
120
|
+
:wave: secure_headers 5.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-5-0.md
|
|
121
121
|
**********
|
|
122
122
|
|
|
123
123
|
rdoc_options: []
|
|
@@ -135,7 +135,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
135
135
|
version: '0'
|
|
136
136
|
requirements: []
|
|
137
137
|
rubyforge_project:
|
|
138
|
-
rubygems_version: 2.6.
|
|
138
|
+
rubygems_version: 2.6.13
|
|
139
139
|
signing_key:
|
|
140
140
|
specification_version: 4
|
|
141
141
|
summary: Add easily configured security headers to responses including content-security-policy,
|