secure_headers 6.5.0 → 6.6.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.github/dependabot.yml +6 -0
- data/.github/workflows/build.yml +2 -2
- data/README.md +3 -1
- data/lib/secure_headers/headers/content_security_policy_config.rb +0 -1
- data/lib/secure_headers/headers/cookie.rb +2 -2
- data/lib/secure_headers/headers/policy_management.rb +1 -4
- data/lib/secure_headers/version.rb +1 -1
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +4 -4
- data/spec/lib/secure_headers/headers/policy_management_spec.rb +4 -11
- metadata +7 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 2afd142dc54275ace387af0a964bba3918655513474a14f11959532616108d58
|
|
4
|
+
data.tar.gz: f520ab4f191710af2d78bc662319b02ab7819bba57a091c921822984393f18e5
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 3fe9df12ae44cabd372f84e8eebd47946e6102d8c920cf48752e3f36bcd1db3e429cbc47e54dda8f8194b4ae2cb90c583eec38b0e7906bac8f0fb9337eb7ecad
|
|
7
|
+
data.tar.gz: 56a30016b7f290693c89d8f8e2fd4e3d8425962a2dcb0fb75c96bd6b2fc8b85b890373a4ebd160e7cf2896e494697a563dd882f11f7527da9c29234d41bd2b17
|
data/.github/workflows/build.yml
CHANGED
|
@@ -7,10 +7,10 @@ jobs:
|
|
|
7
7
|
runs-on: ubuntu-latest
|
|
8
8
|
strategy:
|
|
9
9
|
matrix:
|
|
10
|
-
ruby: [ '2.6', '2.7', '3.0', '3.1' ]
|
|
10
|
+
ruby: [ '2.6', '2.7', '3.0', '3.1', '3.2' ]
|
|
11
11
|
|
|
12
12
|
steps:
|
|
13
|
-
- uses: actions/checkout@
|
|
13
|
+
- uses: actions/checkout@v3
|
|
14
14
|
- name: Set up Ruby ${{ matrix.ruby }}
|
|
15
15
|
uses: ruby/setup-ruby@v1
|
|
16
16
|
with:
|
data/README.md
CHANGED
|
@@ -62,7 +62,6 @@ SecureHeaders::Configuration.default do |config|
|
|
|
62
62
|
# directive values: these values will directly translate into source directives
|
|
63
63
|
default_src: %w('none'),
|
|
64
64
|
base_uri: %w('self'),
|
|
65
|
-
block_all_mixed_content: true, # see https://www.w3.org/TR/mixed-content/
|
|
66
65
|
child_src: %w('self'), # if child-src isn't supported, the value for frame-src will be set.
|
|
67
66
|
connect_src: %w(wss:),
|
|
68
67
|
font_src: %w('self' data:),
|
|
@@ -92,6 +91,9 @@ SecureHeaders::Configuration.default do |config|
|
|
|
92
91
|
end
|
|
93
92
|
```
|
|
94
93
|
|
|
94
|
+
### Deprecated Configuration Values
|
|
95
|
+
* `block_all_mixed_content` - this value is deprecated in favor of `upgrade_insecure_requests`. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content for more information.
|
|
96
|
+
|
|
95
97
|
## Default values
|
|
96
98
|
|
|
97
99
|
All headers except for PublicKeyPins and ClearSiteData have a default value. The default set of headers is:
|
|
@@ -80,9 +80,9 @@ module SecureHeaders
|
|
|
80
80
|
end
|
|
81
81
|
|
|
82
82
|
def conditionally_flag?(configuration)
|
|
83
|
-
if(Array(configuration[:only]).any? && (Array(configuration[:only]) & parsed_cookie.keys).any?)
|
|
83
|
+
if (Array(configuration[:only]).any? && (Array(configuration[:only]) & parsed_cookie.keys).any?)
|
|
84
84
|
true
|
|
85
|
-
elsif(Array(configuration[:except]).any? && (Array(configuration[:except]) & parsed_cookie.keys).none?)
|
|
85
|
+
elsif (Array(configuration[:except]).any? && (Array(configuration[:except]) & parsed_cookie.keys).none?)
|
|
86
86
|
true
|
|
87
87
|
else
|
|
88
88
|
false
|
|
@@ -71,7 +71,6 @@ module SecureHeaders
|
|
|
71
71
|
|
|
72
72
|
# All the directives currently under consideration for CSP level 3.
|
|
73
73
|
# https://w3c.github.io/webappsec/specs/CSP2/
|
|
74
|
-
BLOCK_ALL_MIXED_CONTENT = :block_all_mixed_content
|
|
75
74
|
MANIFEST_SRC = :manifest_src
|
|
76
75
|
NAVIGATE_TO = :navigate_to
|
|
77
76
|
PREFETCH_SRC = :prefetch_src
|
|
@@ -85,7 +84,6 @@ module SecureHeaders
|
|
|
85
84
|
|
|
86
85
|
DIRECTIVES_3_0 = [
|
|
87
86
|
DIRECTIVES_2_0,
|
|
88
|
-
BLOCK_ALL_MIXED_CONTENT,
|
|
89
87
|
MANIFEST_SRC,
|
|
90
88
|
NAVIGATE_TO,
|
|
91
89
|
PREFETCH_SRC,
|
|
@@ -118,7 +116,6 @@ module SecureHeaders
|
|
|
118
116
|
|
|
119
117
|
DIRECTIVE_VALUE_TYPES = {
|
|
120
118
|
BASE_URI => :source_list,
|
|
121
|
-
BLOCK_ALL_MIXED_CONTENT => :boolean,
|
|
122
119
|
CHILD_SRC => :source_list,
|
|
123
120
|
CONNECT_SRC => :source_list,
|
|
124
121
|
DEFAULT_SRC => :source_list,
|
|
@@ -241,7 +238,7 @@ module SecureHeaders
|
|
|
241
238
|
#
|
|
242
239
|
# raises an error if the original config is OPT_OUT
|
|
243
240
|
#
|
|
244
|
-
# 1. for non-source-list values (report_only,
|
|
241
|
+
# 1. for non-source-list values (report_only, upgrade_insecure_requests),
|
|
245
242
|
# additions will overwrite the original value.
|
|
246
243
|
# 2. if a value in additions does not exist in the original config, the
|
|
247
244
|
# default-src value is included to match original behavior.
|
|
@@ -92,13 +92,13 @@ module SecureHeaders
|
|
|
92
92
|
end
|
|
93
93
|
|
|
94
94
|
it "does add a boolean directive if the value is true" do
|
|
95
|
-
csp = ContentSecurityPolicy.new(default_src: ["https://example.org"],
|
|
96
|
-
expect(csp.value).to eq("default-src example.org;
|
|
95
|
+
csp = ContentSecurityPolicy.new(default_src: ["https://example.org"], upgrade_insecure_requests: true)
|
|
96
|
+
expect(csp.value).to eq("default-src example.org; upgrade-insecure-requests")
|
|
97
97
|
end
|
|
98
98
|
|
|
99
99
|
it "does not add a boolean directive if the value is false" do
|
|
100
|
-
csp = ContentSecurityPolicy.new(default_src: ["https://example.org"],
|
|
101
|
-
expect(csp.value).to eq("default-src example.org
|
|
100
|
+
csp = ContentSecurityPolicy.new(default_src: ["https://example.org"], upgrade_insecure_requests: false)
|
|
101
|
+
expect(csp.value).to eq("default-src example.org")
|
|
102
102
|
end
|
|
103
103
|
|
|
104
104
|
it "handles wildcard subdomain with wildcard port" do
|
|
@@ -30,7 +30,6 @@ module SecureHeaders
|
|
|
30
30
|
default_src: %w(https: 'self'),
|
|
31
31
|
|
|
32
32
|
base_uri: %w('self'),
|
|
33
|
-
block_all_mixed_content: true, # see [http://www.w3.org/TR/mixed-content/](http://www.w3.org/TR/mixed-content/)
|
|
34
33
|
connect_src: %w(wss:),
|
|
35
34
|
child_src: %w('self' *.twimg.com itunes.apple.com),
|
|
36
35
|
font_src: %w('self' data:),
|
|
@@ -92,12 +91,6 @@ module SecureHeaders
|
|
|
92
91
|
end.to raise_error(ContentSecurityPolicyConfigError)
|
|
93
92
|
end
|
|
94
93
|
|
|
95
|
-
it "requires :block_all_mixed_content to be a boolean value" do
|
|
96
|
-
expect do
|
|
97
|
-
ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(block_all_mixed_content: "steve")))
|
|
98
|
-
end.to raise_error(ContentSecurityPolicyConfigError)
|
|
99
|
-
end
|
|
100
|
-
|
|
101
94
|
it "requires :upgrade_insecure_requests to be a boolean value" do
|
|
102
95
|
expect do
|
|
103
96
|
ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(upgrade_insecure_requests: "steve")))
|
|
@@ -244,18 +237,18 @@ module SecureHeaders
|
|
|
244
237
|
expect(csp.name).to eq(ContentSecurityPolicyReportOnlyConfig::HEADER_NAME)
|
|
245
238
|
end
|
|
246
239
|
|
|
247
|
-
it "overrides the :
|
|
240
|
+
it "overrides the :upgrade_insecure_requests flag" do
|
|
248
241
|
Configuration.default do |config|
|
|
249
242
|
config.csp = {
|
|
250
243
|
default_src: %w(https:),
|
|
251
244
|
script_src: %w('self'),
|
|
252
|
-
|
|
245
|
+
upgrade_insecure_requests: false
|
|
253
246
|
}
|
|
254
247
|
end
|
|
255
248
|
default_policy = Configuration.dup
|
|
256
|
-
combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h,
|
|
249
|
+
combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, upgrade_insecure_requests: true)
|
|
257
250
|
csp = ContentSecurityPolicy.new(combined_config)
|
|
258
|
-
expect(csp.value).to eq("default-src https:;
|
|
251
|
+
expect(csp.value).to eq("default-src https:; script-src 'self'; upgrade-insecure-requests")
|
|
259
252
|
end
|
|
260
253
|
|
|
261
254
|
it "raises an error if appending to a OPT_OUT policy" do
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secure_headers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 6.
|
|
4
|
+
version: 6.6.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
|
-
autorequire:
|
|
8
|
+
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2024-08-09 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|
|
@@ -36,6 +36,7 @@ extra_rdoc_files: []
|
|
|
36
36
|
files:
|
|
37
37
|
- ".github/ISSUE_TEMPLATE.md"
|
|
38
38
|
- ".github/PULL_REQUEST_TEMPLATE.md"
|
|
39
|
+
- ".github/dependabot.yml"
|
|
39
40
|
- ".github/workflows/build.yml"
|
|
40
41
|
- ".github/workflows/github-release.yml"
|
|
41
42
|
- ".gitignore"
|
|
@@ -104,7 +105,7 @@ homepage: https://github.com/twitter/secureheaders
|
|
|
104
105
|
licenses:
|
|
105
106
|
- MIT
|
|
106
107
|
metadata: {}
|
|
107
|
-
post_install_message:
|
|
108
|
+
post_install_message:
|
|
108
109
|
rdoc_options: []
|
|
109
110
|
require_paths:
|
|
110
111
|
- lib
|
|
@@ -119,8 +120,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
119
120
|
- !ruby/object:Gem::Version
|
|
120
121
|
version: '0'
|
|
121
122
|
requirements: []
|
|
122
|
-
rubygems_version: 3.3.
|
|
123
|
-
signing_key:
|
|
123
|
+
rubygems_version: 3.0.3.1
|
|
124
|
+
signing_key:
|
|
124
125
|
specification_version: 4
|
|
125
126
|
summary: Manages application of security headers with many safe defaults.
|
|
126
127
|
test_files:
|