secure_headers 6.3.3 → 6.3.4
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.github/workflows/github-release.yml +28 -0
- data/CHANGELOG.md +4 -0
- data/Gemfile +1 -1
- data/README.md +2 -2
- data/lib/secure_headers/headers/content_security_policy.rb +2 -1
- data/lib/secure_headers/version.rb +1 -1
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +5 -0
- metadata +4 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 3953b8d0c4ce0a01012d4d6475ad94c60ce4b06b9d93994ef14cc2474ced6177
|
|
4
|
+
data.tar.gz: 3aa96804cacf26d4a275b19e870755313a3afd055b598014749d0338e4f0f4af
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b04fd60ff28519273f29d335b81b44ebfe938d4e97d82d31b69d8596dc84e38c812573248e7b70bb142fecebab357c7f34f9f10934edaf354e3174915220580f
|
|
7
|
+
data.tar.gz: 10748a3ff12365fffe42828fe324e0bfbb3f146635b095a9e8a13b5a57b5bdfe17a5463df3b5009d8591dbc88494c45036a12dd061fc6b8e921c4c99a0d523ef
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
name: GitHub Release
|
|
2
|
+
|
|
3
|
+
on:
|
|
4
|
+
push:
|
|
5
|
+
tags:
|
|
6
|
+
- v*
|
|
7
|
+
|
|
8
|
+
jobs:
|
|
9
|
+
Publish:
|
|
10
|
+
permissions:
|
|
11
|
+
contents: write
|
|
12
|
+
runs-on: ubuntu-latest
|
|
13
|
+
if: startsWith(github.ref, 'refs/tags/v')
|
|
14
|
+
steps:
|
|
15
|
+
- name: Calculate release name
|
|
16
|
+
run: |
|
|
17
|
+
GITHUB_REF=${{ github.ref }}
|
|
18
|
+
RELEASE_NAME=${GITHUB_REF#"refs/tags/"}
|
|
19
|
+
echo "RELEASE_NAME=${RELEASE_NAME}" >> $GITHUB_ENV
|
|
20
|
+
- name: Publish release
|
|
21
|
+
uses: actions/create-release@v1
|
|
22
|
+
env:
|
|
23
|
+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
24
|
+
with:
|
|
25
|
+
tag_name: ${{ github.ref }}
|
|
26
|
+
release_name: ${{ env.RELEASE_NAME }}
|
|
27
|
+
draft: false
|
|
28
|
+
prerelease: false
|
data/CHANGELOG.md
CHANGED
data/Gemfile
CHANGED
data/README.md
CHANGED
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
**main branch represents 6.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md), [upgrading to 5.x doc](docs/upgrading-to-5-0.md), or [upgrading to 6.x doc](docs/upgrading-to-6-0.md) for instructions on how to upgrade. Bug fixes should go in the 5.x branch for now.
|
|
4
4
|
|
|
5
5
|
The gem will automatically apply several headers that are related to security. This includes:
|
|
6
|
-
- Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack. [CSP 2 Specification](
|
|
6
|
+
- Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack. [CSP 2 Specification](https://www.w3.org/TR/CSP2/)
|
|
7
7
|
- https://csp.withgoogle.com
|
|
8
8
|
- https://csp.withgoogle.com/docs/strict-csp.html
|
|
9
9
|
- https://csp-evaluator.withgoogle.com
|
|
@@ -62,7 +62,7 @@ SecureHeaders::Configuration.default do |config|
|
|
|
62
62
|
# directive values: these values will directly translate into source directives
|
|
63
63
|
default_src: %w('none'),
|
|
64
64
|
base_uri: %w('self'),
|
|
65
|
-
block_all_mixed_content: true, # see
|
|
65
|
+
block_all_mixed_content: true, # see https://www.w3.org/TR/mixed-content/
|
|
66
66
|
child_src: %w('self'), # if child-src isn't supported, the value for frame-src will be set.
|
|
67
67
|
connect_src: %w(wss:),
|
|
68
68
|
font_src: %w('self' data:),
|
|
@@ -155,9 +155,10 @@ module SecureHeaders
|
|
|
155
155
|
wild_sources = sources.select { |source| source =~ STAR_REGEXP }
|
|
156
156
|
|
|
157
157
|
if wild_sources.any?
|
|
158
|
+
schemes = sources.map { |source| [source, URI(source).scheme] }.to_h
|
|
158
159
|
sources.reject do |source|
|
|
159
160
|
!wild_sources.include?(source) &&
|
|
160
|
-
wild_sources.any? { |pattern| File.fnmatch(pattern, source) }
|
|
161
|
+
wild_sources.any? { |pattern| schemes[pattern] == schemes[source] && File.fnmatch(pattern, source) }
|
|
161
162
|
end
|
|
162
163
|
else
|
|
163
164
|
sources
|
|
@@ -106,6 +106,11 @@ module SecureHeaders
|
|
|
106
106
|
expect(csp.value).to eq("default-src example.org")
|
|
107
107
|
end
|
|
108
108
|
|
|
109
|
+
it "does not deduplicate non-matching schema source expressions" do
|
|
110
|
+
csp = ContentSecurityPolicy.new(default_src: %w(*.example.org wss://example.example.org))
|
|
111
|
+
expect(csp.value).to eq("default-src *.example.org wss://example.example.org")
|
|
112
|
+
end
|
|
113
|
+
|
|
109
114
|
it "creates maximally strict sandbox policy when passed no sandbox token values" do
|
|
110
115
|
csp = ContentSecurityPolicy.new(default_src: %w(example.org), sandbox: [])
|
|
111
116
|
expect(csp.value).to eq("default-src example.org; sandbox")
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 6.3.
|
|
4
|
+
version: 6.3.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2022-06-28 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|
|
@@ -34,6 +34,7 @@ files:
|
|
|
34
34
|
- ".github/ISSUE_TEMPLATE.md"
|
|
35
35
|
- ".github/PULL_REQUEST_TEMPLATE.md"
|
|
36
36
|
- ".github/workflows/build.yml"
|
|
37
|
+
- ".github/workflows/github-release.yml"
|
|
37
38
|
- ".gitignore"
|
|
38
39
|
- ".rspec"
|
|
39
40
|
- ".rubocop.yml"
|
|
@@ -115,7 +116,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
115
116
|
- !ruby/object:Gem::Version
|
|
116
117
|
version: '0'
|
|
117
118
|
requirements: []
|
|
118
|
-
rubygems_version: 3.0.3
|
|
119
|
+
rubygems_version: 3.0.3.1
|
|
119
120
|
signing_key:
|
|
120
121
|
specification_version: 4
|
|
121
122
|
summary: Add easily configured security headers to responses including content-security-policy,
|