secure_headers 6.3.2 → 6.3.3
- checksums.yaml +4 -4
- data/.github/workflows/build.yml +2 -2
- data/CHANGELOG.md +4 -0
- data/README.md +1 -1
- data/docs/per_action_configuration.md +2 -4
- data/lib/secure_headers/version.rb +1 -1
- data/lib/tasks/tasks.rake +6 -7
- metadata +2 -3
- data/.github/workflows/sync.yml +0 -20
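--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 19914a6c5043c42b398c52760c39a22b8246815d0dd4d2e7ec2feeec703da6c0
+data.tar.gz: f52cf84fe9b6a798fd167be5158c32df83aef8db0887d6c94f8f8a3b53d4427f
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 043f1bc47f10e8d306debedc2081c9962e5ce5f4768fd75d4af0e092cc5d80947eb128d1f847216ed83124a495dc83df20fafb2ae28a243dd5f6ea23453bcb69
+data.tar.gz: a88e51c0a14725479a9746be98495d2fac931e6cc2824fc3f5601d00ef63a292917850a57856d5dc89a654fe9de05230712e1945e1ada4ed50d8561e6f891002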
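--- a/data/.github/workflows/build.yml
+++ b/data/.github/workflows/build.yml
@@ -7,12 +7,12 @@ jobs:
 runs-on: ubuntu-latest
 strategy:
 matrix:
-ruby: [ '2.
+ruby: [ '2.5', '2.6', '2.7', '3.0' ]
 
 steps:
 - uses: actions/checkout@v2
 - name: Set up Ruby ${{ matrix.ruby }}
-uses:
+uses: ruby/setup-ruby@v1
 with:
 ruby-version: ${{ matrix.ruby }}
 - name: Build and test with Rake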
data/CHANGELOG.md
CHANGED
data/README.md
CHANGED
@@ -170,7 +170,7 @@ If you've made a contribution and see your name missing from the list, make a PR
|
|
170
170
|
* Node.js (express) [helmet](https://github.com/helmetjs/helmet) and [hood](https://github.com/seanmonstar/hood)
|
171
171
|
* Node.js (hapi) [blankie](https://github.com/nlf/blankie)
|
172
172
|
* ASP.NET - [NWebsec](https://github.com/NWebsec/NWebsec/wiki)
|
173
|
-
* Python - [django-csp](https://github.com/mozilla/django-csp) + [commonware](https://github.com/jsocol/commonware/); [django-security](https://github.com/sdelements/django-security)
|
173
|
+
* Python - [django-csp](https://github.com/mozilla/django-csp) + [commonware](https://github.com/jsocol/commonware/); [django-security](https://github.com/sdelements/django-security), [secure](https://github.com/TypeError/secure)
|
174
174
|
* Go - [secureheader](https://github.com/kr/secureheader)
|
175
175
|
* Elixir [secure_headers](https://github.com/anotherhale/secure_headers)
|
176
176
|
* Dropwizard [dropwizard-web-security](https://github.com/palantir/dropwizard-web-security)
|
@@ -54,7 +54,7 @@ Code | Result
|
|
54
54
|
|
55
55
|
#### Nonce
|
56
56
|
|
57
|
-
You can use a view helper to automatically add nonces to script tags
|
57
|
+
You can use a view helper to automatically add nonces to script tags. Currently, using a nonce helper or calling `content_security_policy_nonce` will populate all configured CSP headers, including report-only and enforced policies.
|
58
58
|
|
59
59
|
```erb
|
60
60
|
<%= nonced_javascript_tag do %>
|
@@ -120,9 +120,7 @@ You can clear the browser cache after the logout request by using the following.
|
|
120
120
|
class ApplicationController < ActionController::Base
|
121
121
|
# Configuration override to send the Clear-Site-Data header.
|
122
122
|
SecureHeaders::Configuration.override(:clear_browser_cache) do |config|
|
123
|
-
config.clear_site_data =
|
124
|
-
SecureHeaders::ClearSiteData::ALL_TYPES
|
125
|
-
]
|
123
|
+
config.clear_site_data = SecureHeaders::ClearSiteData::ALL_TYPES
|
126
124
|
end
|
127
125
|
|
128
126
|
|
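--- a/data/lib/tasks/tasks.rake
+++ b/data/lib/tasks/tasks.rake
@@ -20,10 +20,11 @@ namespace :secure_headers do
 (is_erb?(filename) && inline_script =~ /<%.*%>/)
 end
 
-def find_inline_content(filename, regex, hashes)
+def find_inline_content(filename, regex, hashes, strip_trailing_whitespace)
 file = File.read(filename)
 file.scan(regex) do # TODO don't use gsub
 inline_script = Regexp.last_match.captures.last
+inline_script.gsub!(/(\r?\n)[\t ]+\z/, '\1') if strip_trailing_whitespace
 if dynamic_content?(filename, inline_script)
 puts "Looks like there's some dynamic content inside of a tag :-/"
 puts "That pretty much means the hash value will never match."
@@ -38,9 +39,8 @@ namespace :secure_headers do
 def generate_inline_script_hashes(filename)
 hashes = []
 
-
-
-end
+find_inline_content(filename, INLINE_SCRIPT_REGEX, hashes, false)
+find_inline_content(filename, INLINE_HASH_SCRIPT_HELPER_REGEX, hashes, true)
 
 hashes
 end
@@ -48,9 +48,8 @@ namespace :secure_headers do
 def generate_inline_style_hashes(filename)
 hashes = []
 
-
-
-end
+find_inline_content(filename, INLINE_STYLE_REGEX, hashes, false)
+find_inline_content(filename, INLINE_HASH_STYLE_HELPER_REGEX, hashes, true)
 
 hashes
 end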
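--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-version: 6.3.
+version: 6.3.3
 platform: ruby
 authors:
 - Neil Matatall
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-
+date: 2021-09-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rake
@@ -34,7 +34,6 @@ files:
 - ".github/ISSUE_TEMPLATE.md"
 - ".github/PULL_REQUEST_TEMPLATE.md"
 - ".github/workflows/build.yml"
-- ".github/workflows/sync.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"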
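--- a/data/.github/workflows/sync.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-# This workflow ensures the "master" branch is always up-to-date with the
-# "main" branch (our default one)
-name: sync_main_branch
-on:
-push:
-branches: [ main ]
-jobs:
-catch_up:
-runs-on: ubuntu-latest
-steps:
-- name: Check out the repository
-uses: actions/checkout@v2
-with:
-fetch-depth: 0
-- name: Merge development into master, then push it
-run: |
-git pull
-git checkout master
-git merge main
-git push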