secure_headers 6.3.2 → 6.3.3

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 5e68ad14ceec22ceeeabe2f49b47ad9325f43585cbb688f9f6ffe9c9f3536abc
4
- data.tar.gz: ffab69d446b3935d4cf01ad21c660d8035ab8ecd4343d682841510509bb8b714
3
+ metadata.gz: 19914a6c5043c42b398c52760c39a22b8246815d0dd4d2e7ec2feeec703da6c0
4
+ data.tar.gz: f52cf84fe9b6a798fd167be5158c32df83aef8db0887d6c94f8f8a3b53d4427f
5
5
  SHA512:
6
- metadata.gz: 02a79d8c96fd8d64eba216bd8785ae2deee7dceb7ef388f65e100f1597ed1f3005ecbeb069e823beef5fcdf89a6998ea296d954e3d80de0ba61456a13445b6e3
7
- data.tar.gz: 645a0f3aac96761574b57e4464b08c83cbf6839fc4a0503e54dedd768aebdb503a080ee368753add3ab0c2a3eeb31bd4f866f0e39ed7691c17587ad7125299eb
6
+ metadata.gz: 043f1bc47f10e8d306debedc2081c9962e5ce5f4768fd75d4af0e092cc5d80947eb128d1f847216ed83124a495dc83df20fafb2ae28a243dd5f6ea23453bcb69
7
+ data.tar.gz: a88e51c0a14725479a9746be98495d2fac931e6cc2824fc3f5601d00ef63a292917850a57856d5dc89a654fe9de05230712e1945e1ada4ed50d8561e6f891002
@@ -7,12 +7,12 @@ jobs:
7
7
  runs-on: ubuntu-latest
8
8
  strategy:
9
9
  matrix:
10
- ruby: [ '2.4', '2.5', '2.6', '2.7' ]
10
+ ruby: [ '2.5', '2.6', '2.7', '3.0' ]
11
11
 
12
12
  steps:
13
13
  - uses: actions/checkout@v2
14
14
  - name: Set up Ruby ${{ matrix.ruby }}
15
- uses: actions/setup-ruby@v1
15
+ uses: ruby/setup-ruby@v1
16
16
  with:
17
17
  ruby-version: ${{ matrix.ruby }}
18
18
  - name: Build and test with Rake
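Review bot: The new `uses: ruby/setup-ruby@v1` line (and the unchanged `actions/checkout@v2` above it) reference mutable tags, so the CI job runs whatever code the tag points to at build time. Pinning each action to a full commit SHA with the version in a trailing comment, e.g. `uses: ruby/setup-ruby@<full-commit-sha> # v1`, makes the build reproducible and limits exposure if the tag is later moved. The `jobs:` block this hunk belongs to starts outside the hunk, and the file header is not shown on this page.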
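--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 6.3.3
+
+Fix hash generation for indented helper methods (@rahearn)
+
 ## 6.3.2
 
 Add support for style-src-attr, style-src-elem, script-src-attr, and script-src-elem directives (@ggalmazor)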
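--- a/data/README.md
+++ b/data/README.md
@@ -170,7 +170,7 @@ If you've made a contribution and see your name missing from the list, make a PR
 * Node.js (express) [helmet](https://github.com/helmetjs/helmet) and [hood](https://github.com/seanmonstar/hood)
 * Node.js (hapi) [blankie](https://github.com/nlf/blankie)
 * ASP.NET - [NWebsec](https://github.com/NWebsec/NWebsec/wiki)
-* Python - [django-csp](https://github.com/mozilla/django-csp) + [commonware](https://github.com/jsocol/commonware/); [django-security](https://github.com/sdelements/django-security)
+* Python - [django-csp](https://github.com/mozilla/django-csp) + [commonware](https://github.com/jsocol/commonware/); [django-security](https://github.com/sdelements/django-security), [secure](https://github.com/TypeError/secure)
 * Go - [secureheader](https://github.com/kr/secureheader)
 * Elixir [secure_headers](https://github.com/anotherhale/secure_headers)
 * Dropwizard [dropwizard-web-security](https://github.com/palantir/dropwizard-web-security)
@@ -54,7 +54,7 @@ Code | Result
 
 #### Nonce
 
-You can use a view helper to automatically add nonces to script tags:
+You can use a view helper to automatically add nonces to script tags. Currently, using a nonce helper or calling `content_security_policy_nonce` will populate all configured CSP headers, including report-only and enforced policies.
 
 ```erb
 <%= nonced_javascript_tag do %>
@@ -120,9 +120,7 @@ You can clear the browser cache after the logout request by using the following.
 class ApplicationController < ActionController::Base
 # Configuration override to send the Clear-Site-Data header.
 SecureHeaders::Configuration.override(:clear_browser_cache) do |config|
-config.clear_site_data = [
-SecureHeaders::ClearSiteData::ALL_TYPES
-]
+config.clear_site_data = SecureHeaders::ClearSiteData::ALL_TYPES
 end
 
 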
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module SecureHeaders
4
- VERSION = "6.3.2"
4
+ VERSION = "6.3.3"
5
5
  end
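--- a/data/lib/tasks/tasks.rake
+++ b/data/lib/tasks/tasks.rake
@@ -20,10 +20,11 @@ namespace :secure_headers do
 (is_erb?(filename) && inline_script =~ /<%.*%>/)
 end
 
-def find_inline_content(filename, regex, hashes)
+def find_inline_content(filename, regex, hashes, strip_trailing_whitespace)
 file = File.read(filename)
 file.scan(regex) do # TODO don't use gsub
 inline_script = Regexp.last_match.captures.last
+inline_script.gsub!(/(\r?\n)[\t ]+\z/, '\1') if strip_trailing_whitespace
 if dynamic_content?(filename, inline_script)
 puts "Looks like there's some dynamic content inside of a tag :-/"
 puts "That pretty much means the hash value will never match."
@@ -38,9 +39,8 @@ namespace :secure_headers do
 def generate_inline_script_hashes(filename)
 hashes = []
 
-[INLINE_SCRIPT_REGEX, INLINE_HASH_SCRIPT_HELPER_REGEX].each do |regex|
-find_inline_content(filename, regex, hashes)
-end
+find_inline_content(filename, INLINE_SCRIPT_REGEX, hashes, false)
+find_inline_content(filename, INLINE_HASH_SCRIPT_HELPER_REGEX, hashes, true)
 
 hashes
 end
@@ -48,9 +48,8 @@ namespace :secure_headers do
 def generate_inline_style_hashes(filename)
 hashes = []
 
-[INLINE_STYLE_REGEX, INLINE_HASH_STYLE_HELPER_REGEX].each do |regex|
-find_inline_content(filename, regex, hashes)
-end
+find_inline_content(filename, INLINE_STYLE_REGEX, hashes, false)
+find_inline_content(filename, INLINE_HASH_STYLE_HELPER_REGEX, hashes, true)
 
 hashes
 end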
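Review bot: The new `strip_trailing_whitespace` argument on `find_inline_content` is a bare boolean positional, so call sites such as `find_inline_content(filename, INLINE_SCRIPT_REGEX, hashes, false)` give no hint what the flag means; a keyword with a default reads better and keeps any other caller working: `def find_inline_content(filename, regex, hashes, strip_trailing_whitespace: false)` with `find_inline_content(filename, INLINE_HASH_SCRIPT_HELPER_REGEX, hashes, strip_trailing_whitespace: true)`. The same applies to the two call sites in the `generate_inline_style_hashes` hunk below. The `gsub!` line also deserves a why-comment, because the generated hash only protects the page if it matches the exact bytes the helper emits at runtime — something like `# helper blocks end with a newline plus indentation before the closing tag; drop it so the hash matches what the helper emits at runtime (confirm against the helper)`. The existing `# TODO don't use gsub` on the `file.scan` line now sits next to a real `gsub!` call and should be reworded or moved so it is not read as referring to the new line. The enclosing `namespace :secure_headers do` block starts and ends outside these hunks.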
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.3.2
4
+ version: 6.3.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Neil Matatall
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-02-09 00:00:00.000000000 Z
11
+ date: 2021-09-07 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake
@@ -34,7 +34,6 @@ files:
34
34
  - ".github/ISSUE_TEMPLATE.md"
35
35
  - ".github/PULL_REQUEST_TEMPLATE.md"
36
36
  - ".github/workflows/build.yml"
37
- - ".github/workflows/sync.yml"
38
37
  - ".gitignore"
39
38
  - ".rspec"
40
39
  - ".rubocop.yml"
@@ -1,20 +0,0 @@
1
- # This workflow ensures the "master" branch is always up-to-date with the
2
- # "main" branch (our default one)
3
- name: sync_main_branch
4
- on:
5
- push:
6
- branches: [ main ]
7
- jobs:
8
- catch_up:
9
- runs-on: ubuntu-latest
10
- steps:
11
- - name: Check out the repository
12
- uses: actions/checkout@v2
13
- with:
14
- fetch-depth: 0
15
- - name: Merge development into master, then push it
16
- run: |
17
- git pull
18
- git checkout master
19
- git merge main
20
- git push