secure_headers 6.4.0 → 6.5.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.github/workflows/build.yml +2 -2
- data/.ruby-version +1 -1
- data/CHANGELOG.md +4 -0
- data/lib/secure_headers/headers/content_security_policy.rb +1 -19
- data/lib/secure_headers/headers/policy_management.rb +2 -2
- data/lib/secure_headers/version.rb +1 -1
- data/secure_headers.gemspec +3 -3
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +11 -6
- data/spec/lib/secure_headers/headers/policy_management_spec.rb +1 -1
- metadata +12 -10
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: bafd5e6390db0f1975599ab34f1293986a5c0a1ced14f6cfeca47fd114ce87d4
|
|
4
|
+
data.tar.gz: 177dc27fa8238fe1a8baa238f6baa244b2c03393f61269e9b417e5ea3a4a4bba
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 7a24f853958892e2780dec3cfd8f631d394c959cda6d3f8be5d701792fc1ce57d4141ca88e7b0980fcac979cc855a0c5bc9165a05b314fe281ce092a438f1fe1
|
|
7
|
+
data.tar.gz: c082a3ee192452712f8e9c7ed18d5c21b5b3eb1712c3d9a4df44220093cf1be09a8e5384f5c8a8909820f1e0048c6d3b6915cc29081288bcf13361bf8cf7dbed
|
data/.github/workflows/build.yml
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
name: Build + Test
|
|
2
|
-
on: [pull_request]
|
|
2
|
+
on: [pull_request, push]
|
|
3
3
|
|
|
4
4
|
jobs:
|
|
5
5
|
build:
|
|
@@ -7,7 +7,7 @@ jobs:
|
|
|
7
7
|
runs-on: ubuntu-latest
|
|
8
8
|
strategy:
|
|
9
9
|
matrix:
|
|
10
|
-
ruby: [ '2.
|
|
10
|
+
ruby: [ '2.6', '2.7', '3.0', '3.1' ]
|
|
11
11
|
|
|
12
12
|
steps:
|
|
13
13
|
- uses: actions/checkout@v2
|
data/.ruby-version
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
|
|
1
|
+
3.1.1
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,7 @@
|
|
|
1
|
+
## 6.5.0
|
|
2
|
+
|
|
3
|
+
- CSP: Remove source expression deduplication. (@lgarron) https://github.com/github/secure_headers/pull/499
|
|
4
|
+
|
|
1
5
|
## 6.4.0
|
|
2
6
|
|
|
3
7
|
- CSP: Add support for trusted-types, require-trusted-types-for directive (@JackMc): https://github.com/github/secure_headers/pull/486
|
|
@@ -133,7 +133,7 @@ module SecureHeaders
|
|
|
133
133
|
unless directive == REPORT_URI || @preserve_schemes
|
|
134
134
|
source_list = strip_source_schemes(source_list)
|
|
135
135
|
end
|
|
136
|
-
|
|
136
|
+
source_list.uniq
|
|
137
137
|
end
|
|
138
138
|
end
|
|
139
139
|
|
|
@@ -151,24 +151,6 @@ module SecureHeaders
|
|
|
151
151
|
end
|
|
152
152
|
end
|
|
153
153
|
|
|
154
|
-
# Removes duplicates and sources that already match an existing wild card.
|
|
155
|
-
#
|
|
156
|
-
# e.g. *.github.com asdf.github.com becomes *.github.com
|
|
157
|
-
def dedup_source_list(sources)
|
|
158
|
-
sources = sources.uniq
|
|
159
|
-
wild_sources = sources.select { |source| source =~ STAR_REGEXP }
|
|
160
|
-
|
|
161
|
-
if wild_sources.any?
|
|
162
|
-
schemes = sources.map { |source| [source, URI(source).scheme] }.to_h
|
|
163
|
-
sources.reject do |source|
|
|
164
|
-
!wild_sources.include?(source) &&
|
|
165
|
-
wild_sources.any? { |pattern| schemes[pattern] == schemes[source] && File.fnmatch(pattern, source) }
|
|
166
|
-
end
|
|
167
|
-
else
|
|
168
|
-
sources
|
|
169
|
-
end
|
|
170
|
-
end
|
|
171
|
-
|
|
172
154
|
# Private: append a nonce to the script/style directories if script_nonce
|
|
173
155
|
# or style_nonce are provided.
|
|
174
156
|
def populate_nonces(directive, source_list)
|
|
@@ -189,7 +189,7 @@ module SecureHeaders
|
|
|
189
189
|
].freeze
|
|
190
190
|
|
|
191
191
|
REQUIRE_SRI_FOR_VALUES = Set.new(%w(script style))
|
|
192
|
-
REQUIRE_TRUSTED_TYPES_FOR_VALUES = Set.new(%w(script))
|
|
192
|
+
REQUIRE_TRUSTED_TYPES_FOR_VALUES = Set.new(%w('script'))
|
|
193
193
|
|
|
194
194
|
module ClassMethods
|
|
195
195
|
# Public: generate a header name, value array that is user-agent-aware.
|
|
@@ -393,7 +393,7 @@ module SecureHeaders
|
|
|
393
393
|
|
|
394
394
|
# Private: validates that a require trusted types for expression:
|
|
395
395
|
# 1. is an array of strings
|
|
396
|
-
# 2. is a subset of ["script"]
|
|
396
|
+
# 2. is a subset of ["'script'"]
|
|
397
397
|
def validate_require_trusted_types_for_source_expression!(directive, require_trusted_types_for_expression)
|
|
398
398
|
ensure_array_of_strings!(directive, require_trusted_types_for_expression)
|
|
399
399
|
unless require_trusted_types_for_expression.to_set.subset?(REQUIRE_TRUSTED_TYPES_FOR_VALUES)
|
data/secure_headers.gemspec
CHANGED
|
@@ -9,12 +9,12 @@ Gem::Specification.new do |gem|
|
|
|
9
9
|
gem.version = SecureHeaders::VERSION
|
|
10
10
|
gem.authors = ["Neil Matatall"]
|
|
11
11
|
gem.email = ["neil.matatall@gmail.com"]
|
|
12
|
-
gem.
|
|
13
|
-
gem.
|
|
12
|
+
gem.summary = "Manages application of security headers with many safe defaults."
|
|
13
|
+
gem.description = 'Add easily configured security headers to responses
|
|
14
14
|
including content-security-policy, x-frame-options,
|
|
15
15
|
strict-transport-security, etc.'
|
|
16
16
|
gem.homepage = "https://github.com/twitter/secureheaders"
|
|
17
|
-
gem.license = "
|
|
17
|
+
gem.license = "MIT"
|
|
18
18
|
gem.files = `git ls-files`.split($INPUT_RECORD_SEPARATOR)
|
|
19
19
|
gem.executables = gem.files.grep(%r{^bin/}).map { |f| File.basename(f) }
|
|
20
20
|
gem.test_files = gem.files.grep(%r{^(test|spec|features)/})
|
|
@@ -48,12 +48,12 @@ module SecureHeaders
|
|
|
48
48
|
expect(csp.value).to eq("default-src * 'unsafe-inline' 'unsafe-eval' data: blob:")
|
|
49
49
|
end
|
|
50
50
|
|
|
51
|
-
it "
|
|
51
|
+
it "does not minify source expressions based on overlapping wildcards" do
|
|
52
52
|
config = {
|
|
53
53
|
default_src: %w(a.example.org b.example.org *.example.org https://*.example.org)
|
|
54
54
|
}
|
|
55
55
|
csp = ContentSecurityPolicy.new(config)
|
|
56
|
-
expect(csp.value).to eq("default-src *.example.org")
|
|
56
|
+
expect(csp.value).to eq("default-src a.example.org b.example.org *.example.org")
|
|
57
57
|
end
|
|
58
58
|
|
|
59
59
|
it "removes http/s schemes from hosts" do
|
|
@@ -101,8 +101,13 @@ module SecureHeaders
|
|
|
101
101
|
expect(csp.value).to eq("default-src example.org; block-all-mixed-content")
|
|
102
102
|
end
|
|
103
103
|
|
|
104
|
-
it "
|
|
105
|
-
csp = ContentSecurityPolicy.new(default_src: %w(example.org
|
|
104
|
+
it "handles wildcard subdomain with wildcard port" do
|
|
105
|
+
csp = ContentSecurityPolicy.new(default_src: %w(https://*.example.org:*))
|
|
106
|
+
expect(csp.value).to eq("default-src *.example.org:*")
|
|
107
|
+
end
|
|
108
|
+
|
|
109
|
+
it "deduplicates source expressions that match exactly (after scheme stripping)" do
|
|
110
|
+
csp = ContentSecurityPolicy.new(default_src: %w(example.org https://example.org example.org))
|
|
106
111
|
expect(csp.value).to eq("default-src example.org")
|
|
107
112
|
end
|
|
108
113
|
|
|
@@ -197,8 +202,8 @@ module SecureHeaders
|
|
|
197
202
|
end
|
|
198
203
|
|
|
199
204
|
it "supports trusted-types directive with 'none'" do
|
|
200
|
-
csp = ContentSecurityPolicy.new({trusted_types: %w(none)})
|
|
201
|
-
expect(csp.value).to eq("trusted-types none")
|
|
205
|
+
csp = ContentSecurityPolicy.new({trusted_types: %w('none')})
|
|
206
|
+
expect(csp.value).to eq("trusted-types 'none'")
|
|
202
207
|
end
|
|
203
208
|
|
|
204
209
|
it "allows duplicate policy names in trusted-types directive" do
|
|
@@ -45,7 +45,7 @@ module SecureHeaders
|
|
|
45
45
|
plugin_types: %w(application/x-shockwave-flash),
|
|
46
46
|
prefetch_src: %w(fetch.com),
|
|
47
47
|
require_sri_for: %w(script style),
|
|
48
|
-
require_trusted_types_for: %w(script),
|
|
48
|
+
require_trusted_types_for: %w('script'),
|
|
49
49
|
script_src: %w('self'),
|
|
50
50
|
style_src: %w('unsafe-inline'),
|
|
51
51
|
upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 6.
|
|
4
|
+
version: 6.5.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
|
-
autorequire:
|
|
8
|
+
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-
|
|
11
|
+
date: 2022-10-25 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|
|
@@ -24,7 +24,10 @@ dependencies:
|
|
|
24
24
|
- - ">="
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
26
|
version: '0'
|
|
27
|
-
description:
|
|
27
|
+
description: |-
|
|
28
|
+
Add easily configured security headers to responses
|
|
29
|
+
including content-security-policy, x-frame-options,
|
|
30
|
+
strict-transport-security, etc.
|
|
28
31
|
email:
|
|
29
32
|
- neil.matatall@gmail.com
|
|
30
33
|
executables: []
|
|
@@ -99,9 +102,9 @@ files:
|
|
|
99
102
|
- spec/spec_helper.rb
|
|
100
103
|
homepage: https://github.com/twitter/secureheaders
|
|
101
104
|
licenses:
|
|
102
|
-
-
|
|
105
|
+
- MIT
|
|
103
106
|
metadata: {}
|
|
104
|
-
post_install_message:
|
|
107
|
+
post_install_message:
|
|
105
108
|
rdoc_options: []
|
|
106
109
|
require_paths:
|
|
107
110
|
- lib
|
|
@@ -116,11 +119,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
116
119
|
- !ruby/object:Gem::Version
|
|
117
120
|
version: '0'
|
|
118
121
|
requirements: []
|
|
119
|
-
rubygems_version: 3.
|
|
120
|
-
signing_key:
|
|
122
|
+
rubygems_version: 3.3.7
|
|
123
|
+
signing_key:
|
|
121
124
|
specification_version: 4
|
|
122
|
-
summary:
|
|
123
|
-
x-frame-options, strict-transport-security, etc.
|
|
125
|
+
summary: Manages application of security headers with many safe defaults.
|
|
124
126
|
test_files:
|
|
125
127
|
- spec/lib/secure_headers/configuration_spec.rb
|
|
126
128
|
- spec/lib/secure_headers/headers/clear_site_data_spec.rb
|