secure_headers 6.1.2 → 6.2.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of secure_headers might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/LICENSE +1 -1
- data/README.md +0 -6
- data/docs/cookies.md +4 -4
- data/docs/upgrading-to-6-0.md +1 -1
- data/lib/secure_headers/configuration.rb +3 -1
- data/lib/secure_headers/headers/content_security_policy.rb +8 -3
- data/lib/secure_headers/version.rb +1 -1
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +5 -0
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 6aed18c8a69d4ddb01e664faca9c6db1e4b4cb6fa26203b9f3c1f20ace3001bb
|
|
4
|
+
data.tar.gz: 1a347b7ffa5efd650131b9d9bacff110ba6b08b3cb9dc5a93b6c70de6f1d3359
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: a0ff8c0e7b81d8a1b543d54ff7cd4b4186521276242cff4614839f6d4abcf9313c66f0b935358d3f0f283052111000c84dbc7da40374563f9b82df8b39281d3a
|
|
7
|
+
data.tar.gz: d22831fc277d3ecbd7d9923d8ff3ad724c0fcdab88b75389edaaa2ec8c4b0653908ef756c2fc642d8328643dca6e0417769e2b323066bb357a1230c33c17df97
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,7 @@
|
|
|
1
|
+
## 6.2.0
|
|
2
|
+
|
|
3
|
+
Fixes semicolon injection issue reported by @mvgijssel see https://github.com/twitter/secure_headers/issues/418
|
|
4
|
+
|
|
1
5
|
## 6.1.2
|
|
2
6
|
|
|
3
7
|
Adds the ability to specify `SameSite=none` with the same configurability as `Strict`/`Lax` in order to disable Chrome's soon-to-be-lax-by-default state.
|
data/LICENSE
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
Copyright 2013, 2014, 2015, 2016, 2017 Twitter, Inc.
|
|
1
|
+
Copyright 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Twitter, Inc.
|
|
2
2
|
|
|
3
3
|
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
|
|
4
4
|
|
data/README.md
CHANGED
|
@@ -132,9 +132,3 @@ However, I would consider these headers anyways depending on your load and bandw
|
|
|
132
132
|
* Dropwizard [dropwizard-web-security](https://github.com/palantir/dropwizard-web-security)
|
|
133
133
|
* Ember.js [ember-cli-content-security-policy](https://github.com/rwjblue/ember-cli-content-security-policy/)
|
|
134
134
|
* PHP [secure-headers](https://github.com/BePsvPT/secure-headers)
|
|
135
|
-
|
|
136
|
-
## License
|
|
137
|
-
|
|
138
|
-
Copyright 2013-2014 Twitter, Inc and other contributors.
|
|
139
|
-
|
|
140
|
-
Licensed under the Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
|
data/docs/cookies.md
CHANGED
|
@@ -25,7 +25,7 @@ Boolean-based configuration is intended to globally enable or disable a specific
|
|
|
25
25
|
```ruby
|
|
26
26
|
config.cookies = {
|
|
27
27
|
secure: true, # mark all cookies as Secure
|
|
28
|
-
httponly: OPT_OUT, # do not mark any cookies as HttpOnly
|
|
28
|
+
httponly: SecureHeaders::OPT_OUT, # do not mark any cookies as HttpOnly
|
|
29
29
|
}
|
|
30
30
|
```
|
|
31
31
|
|
|
@@ -57,9 +57,9 @@ config.cookies = {
|
|
|
57
57
|
```ruby
|
|
58
58
|
config.cookies = {
|
|
59
59
|
samesite: {
|
|
60
|
-
strict: { only: ['
|
|
61
|
-
lax: { only: ['_guest'] },
|
|
62
|
-
none: { only: ['_tracking'] },
|
|
60
|
+
strict: { only: ['session_id_duplicate'] },
|
|
61
|
+
lax: { only: ['_guest', '_rails_session', 'device_id'] },
|
|
62
|
+
none: { only: ['_tracking', 'saml_cookie', 'session_id'] },
|
|
63
63
|
}
|
|
64
64
|
}
|
|
65
65
|
```
|
data/docs/upgrading-to-6-0.md
CHANGED
|
@@ -5,7 +5,7 @@ The original implementation of name overrides worked by making a copy of the def
|
|
|
5
5
|
```ruby
|
|
6
6
|
class ApplicationController < ActionController::Base
|
|
7
7
|
Configuration.default do |config|
|
|
8
|
-
config.x_frame_options = OPT_OUT
|
|
8
|
+
config.x_frame_options = SecureHeaders::OPT_OUT
|
|
9
9
|
end
|
|
10
10
|
|
|
11
11
|
SecureHeaders::Configuration.override(:dynamic_override) do |config|
|
|
@@ -126,7 +126,9 @@ module SecureHeaders
|
|
|
126
126
|
# The list of attributes that must respond to a `make_header` method
|
|
127
127
|
HEADERABLE_ATTRIBUTES = (CONFIG_ATTRIBUTES - [:cookies]).freeze
|
|
128
128
|
|
|
129
|
-
|
|
129
|
+
attr_writer(*(CONFIG_ATTRIBUTES_TO_HEADER_CLASSES.reject { |key| [:csp, :csp_report_only].include?(key) }.keys))
|
|
130
|
+
|
|
131
|
+
attr_reader(*(CONFIG_ATTRIBUTES_TO_HEADER_CLASSES.keys))
|
|
130
132
|
|
|
131
133
|
@script_hashes = nil
|
|
132
134
|
@style_hashes = nil
|
|
@@ -103,10 +103,15 @@ module SecureHeaders
|
|
|
103
103
|
# Returns a string representing a directive.
|
|
104
104
|
def build_source_list_directive(directive)
|
|
105
105
|
source_list = @config.directive_value(directive)
|
|
106
|
-
|
|
107
106
|
if source_list != OPT_OUT && source_list && source_list.any?
|
|
108
|
-
|
|
109
|
-
|
|
107
|
+
minified_source_list = minify_source_list(directive, source_list).join(" ")
|
|
108
|
+
|
|
109
|
+
if minified_source_list.include?(";")
|
|
110
|
+
Kernel.warn("#{directive} contains a ; in '#{minified_source_list}' which will raise an error in future versions. It has been replaced with a blank space.")
|
|
111
|
+
end
|
|
112
|
+
|
|
113
|
+
escaped_source_list = minified_source_list.gsub(";", " ")
|
|
114
|
+
[symbol_to_hyphen_case(directive), escaped_source_list].join(" ").strip
|
|
110
115
|
end
|
|
111
116
|
end
|
|
112
117
|
|
|
@@ -28,6 +28,11 @@ module SecureHeaders
|
|
|
28
28
|
expect(ContentSecurityPolicy.new.value).to eq("default-src https:; form-action 'self'; img-src https: data: 'self'; object-src 'none'; script-src https:; style-src 'self' 'unsafe-inline' https:")
|
|
29
29
|
end
|
|
30
30
|
|
|
31
|
+
it "deprecates and escapes semicolons in directive source lists" do
|
|
32
|
+
expect(Kernel).to receive(:warn).with("frame_ancestors contains a ; in 'google.com;script-src *;.;' which will raise an error in future versions. It has been replaced with a blank space.")
|
|
33
|
+
expect(ContentSecurityPolicy.new(frame_ancestors: %w(https://google.com;script-src https://*;.;)).value).to eq("frame-ancestors google.com script-src * .")
|
|
34
|
+
end
|
|
35
|
+
|
|
31
36
|
it "discards 'none' values if any other source expressions are present" do
|
|
32
37
|
csp = ContentSecurityPolicy.new(default_opts.merge(child_src: %w('self' 'none')))
|
|
33
38
|
expect(csp.value).not_to include("'none'")
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 6.
|
|
4
|
+
version: 6.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-01-
|
|
11
|
+
date: 2020-01-21 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|