secure_headers 6.3.2 → 6.3.3

Sign up to get free protection for your applications and to get access to all the features.
Files changed (9) hide show
  1. checksums.yaml +4 -4
  2. data/.github/workflows/build.yml +2 -2
  3. data/CHANGELOG.md +4 -0
  4. data/README.md +1 -1
  5. data/docs/per_action_configuration.md +2 -4
  6. data/lib/secure_headers/version.rb +1 -1
  7. data/lib/tasks/tasks.rake +6 -7
  8. metadata +2 -3
  9. data/.github/workflows/sync.yml +0 -20
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 5e68ad14ceec22ceeeabe2f49b47ad9325f43585cbb688f9f6ffe9c9f3536abc
4
- data.tar.gz: ffab69d446b3935d4cf01ad21c660d8035ab8ecd4343d682841510509bb8b714
3
+ metadata.gz: 19914a6c5043c42b398c52760c39a22b8246815d0dd4d2e7ec2feeec703da6c0
4
+ data.tar.gz: f52cf84fe9b6a798fd167be5158c32df83aef8db0887d6c94f8f8a3b53d4427f
5
5
  SHA512:
6
- metadata.gz: 02a79d8c96fd8d64eba216bd8785ae2deee7dceb7ef388f65e100f1597ed1f3005ecbeb069e823beef5fcdf89a6998ea296d954e3d80de0ba61456a13445b6e3
7
- data.tar.gz: 645a0f3aac96761574b57e4464b08c83cbf6839fc4a0503e54dedd768aebdb503a080ee368753add3ab0c2a3eeb31bd4f866f0e39ed7691c17587ad7125299eb
6
+ metadata.gz: 043f1bc47f10e8d306debedc2081c9962e5ce5f4768fd75d4af0e092cc5d80947eb128d1f847216ed83124a495dc83df20fafb2ae28a243dd5f6ea23453bcb69
7
+ data.tar.gz: a88e51c0a14725479a9746be98495d2fac931e6cc2824fc3f5601d00ef63a292917850a57856d5dc89a654fe9de05230712e1945e1ada4ed50d8561e6f891002
data/.github/workflows/build.yml CHANGED
@@ -7,12 +7,12 @@ jobs:
7
7
  runs-on: ubuntu-latest
8
8
  strategy:
9
9
  matrix:
10
- ruby: [ '2.4', '2.5', '2.6', '2.7' ]
10
+ ruby: [ '2.5', '2.6', '2.7', '3.0' ]
11
11
 
12
12
  steps:
13
13
  - uses: actions/checkout@v2
14
14
  - name: Set up Ruby ${{ matrix.ruby }}
15
- uses: actions/setup-ruby@v1
15
+ uses: ruby/setup-ruby@v1
16
16
  with:
17
17
  ruby-version: ${{ matrix.ruby }}
18
18
  - name: Build and test with Rake
data/CHANGELOG.md CHANGED
@@ -1,3 +1,7 @@
1
+ ## 6.3.3
2
+
3
+ Fix hash generation for indented helper methods (@rahearn)
4
+
1
5
  ## 6.3.2
2
6
 
3
7
  Add support for style-src-attr, style-src-elem, script-src-attr, and script-src-elem directives (@ggalmazor)
data/README.md CHANGED
@@ -170,7 +170,7 @@ If you've made a contribution and see your name missing from the list, make a PR
170
170
  * Node.js (express) [helmet](https://github.com/helmetjs/helmet) and [hood](https://github.com/seanmonstar/hood)
171
171
  * Node.js (hapi) [blankie](https://github.com/nlf/blankie)
172
172
  * ASP.NET - [NWebsec](https://github.com/NWebsec/NWebsec/wiki)
173
- * Python - [django-csp](https://github.com/mozilla/django-csp) + [commonware](https://github.com/jsocol/commonware/); [django-security](https://github.com/sdelements/django-security)
173
+ * Python - [django-csp](https://github.com/mozilla/django-csp) + [commonware](https://github.com/jsocol/commonware/); [django-security](https://github.com/sdelements/django-security), [secure](https://github.com/TypeError/secure)
174
174
  * Go - [secureheader](https://github.com/kr/secureheader)
175
175
  * Elixir [secure_headers](https://github.com/anotherhale/secure_headers)
176
176
  * Dropwizard [dropwizard-web-security](https://github.com/palantir/dropwizard-web-security)
data/docs/per_action_configuration.md CHANGED
@@ -54,7 +54,7 @@ Code | Result
54
54
 
55
55
  #### Nonce
56
56
 
57
- You can use a view helper to automatically add nonces to script tags:
57
+ You can use a view helper to automatically add nonces to script tags. Currently, using a nonce helper or calling `content_security_policy_nonce` will populate all configured CSP headers, including report-only and enforced policies.
58
58
 
59
59
  ```erb
60
60
  <%= nonced_javascript_tag do %>
@@ -120,9 +120,7 @@ You can clear the browser cache after the logout request by using the following.
120
120
  class ApplicationController < ActionController::Base
121
121
  # Configuration override to send the Clear-Site-Data header.
122
122
  SecureHeaders::Configuration.override(:clear_browser_cache) do |config|
123
- config.clear_site_data = [
124
- SecureHeaders::ClearSiteData::ALL_TYPES
125
- ]
123
+ config.clear_site_data = SecureHeaders::ClearSiteData::ALL_TYPES
126
124
  end
127
125
 
128
126
 
data/lib/secure_headers/version.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module SecureHeaders
4
- VERSION = "6.3.2"
4
+ VERSION = "6.3.3"
5
5
  end
data/lib/tasks/tasks.rake CHANGED
@@ -20,10 +20,11 @@ namespace :secure_headers do
20
20
  (is_erb?(filename) && inline_script =~ /<%.*%>/)
21
21
  end
22
22
 
23
- def find_inline_content(filename, regex, hashes)
23
+ def find_inline_content(filename, regex, hashes, strip_trailing_whitespace)
24
24
  file = File.read(filename)
25
25
  file.scan(regex) do # TODO don't use gsub
26
26
  inline_script = Regexp.last_match.captures.last
27
+ inline_script.gsub!(/(\r?\n)[\t ]+\z/, '\1') if strip_trailing_whitespace
27
28
  if dynamic_content?(filename, inline_script)
28
29
  puts "Looks like there's some dynamic content inside of a tag :-/"
29
30
  puts "That pretty much means the hash value will never match."
@@ -38,9 +39,8 @@ namespace :secure_headers do
38
39
  def generate_inline_script_hashes(filename)
39
40
  hashes = []
40
41
 
41
- [INLINE_SCRIPT_REGEX, INLINE_HASH_SCRIPT_HELPER_REGEX].each do |regex|
42
- find_inline_content(filename, regex, hashes)
43
- end
42
+ find_inline_content(filename, INLINE_SCRIPT_REGEX, hashes, false)
43
+ find_inline_content(filename, INLINE_HASH_SCRIPT_HELPER_REGEX, hashes, true)
44
44
 
45
45
  hashes
46
46
  end
@@ -48,9 +48,8 @@ namespace :secure_headers do
48
48
  def generate_inline_style_hashes(filename)
49
49
  hashes = []
50
50
 
51
- [INLINE_STYLE_REGEX, INLINE_HASH_STYLE_HELPER_REGEX].each do |regex|
52
- find_inline_content(filename, regex, hashes)
53
- end
51
+ find_inline_content(filename, INLINE_STYLE_REGEX, hashes, false)
52
+ find_inline_content(filename, INLINE_HASH_STYLE_HELPER_REGEX, hashes, true)
54
53
 
55
54
  hashes
56
55
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.3.2
4
+ version: 6.3.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Neil Matatall
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-02-09 00:00:00.000000000 Z
11
+ date: 2021-09-07 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake
@@ -34,7 +34,6 @@ files:
34
34
  - ".github/ISSUE_TEMPLATE.md"
35
35
  - ".github/PULL_REQUEST_TEMPLATE.md"
36
36
  - ".github/workflows/build.yml"
37
- - ".github/workflows/sync.yml"
38
37
  - ".gitignore"
39
38
  - ".rspec"
40
39
  - ".rubocop.yml"
data/.github/workflows/sync.yml DELETED
@@ -1,20 +0,0 @@
1
- # This workflow ensures the "master" branch is always up-to-date with the
2
- # "main" branch (our default one)
3
- name: sync_main_branch
4
- on:
5
- push:
6
- branches: [ main ]
7
- jobs:
8
- catch_up:
9
- runs-on: ubuntu-latest
10
- steps:
11
- - name: Check out the repository
12
- uses: actions/checkout@v2
13
- with:
14
- fetch-depth: 0
15
- - name: Merge development into master, then push it
16
- run: |
17
- git pull
18
- git checkout master
19
- git merge main
20
- git push