secure_headers 6.5.0 → 6.6.0

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: bafd5e6390db0f1975599ab34f1293986a5c0a1ced14f6cfeca47fd114ce87d4
4
- data.tar.gz: 177dc27fa8238fe1a8baa238f6baa244b2c03393f61269e9b417e5ea3a4a4bba
3
+ metadata.gz: 2afd142dc54275ace387af0a964bba3918655513474a14f11959532616108d58
4
+ data.tar.gz: f520ab4f191710af2d78bc662319b02ab7819bba57a091c921822984393f18e5
5
5
  SHA512:
6
- metadata.gz: 7a24f853958892e2780dec3cfd8f631d394c959cda6d3f8be5d701792fc1ce57d4141ca88e7b0980fcac979cc855a0c5bc9165a05b314fe281ce092a438f1fe1
7
- data.tar.gz: c082a3ee192452712f8e9c7ed18d5c21b5b3eb1712c3d9a4df44220093cf1be09a8e5384f5c8a8909820f1e0048c6d3b6915cc29081288bcf13361bf8cf7dbed
6
+ metadata.gz: 3fe9df12ae44cabd372f84e8eebd47946e6102d8c920cf48752e3f36bcd1db3e429cbc47e54dda8f8194b4ae2cb90c583eec38b0e7906bac8f0fb9337eb7ecad
7
+ data.tar.gz: 56a30016b7f290693c89d8f8e2fd4e3d8425962a2dcb0fb75c96bd6b2fc8b85b890373a4ebd160e7cf2896e494697a563dd882f11f7527da9c29234d41bd2b17
@@ -0,0 +1,6 @@
1
+ version: 2
2
+ updates:
3
+ - package-ecosystem: "github-actions"
4
+ directory: "/"
5
+ schedule:
6
+ interval: "weekly"
@@ -7,10 +7,10 @@ jobs:
7
7
  runs-on: ubuntu-latest
8
8
  strategy:
9
9
  matrix:
10
- ruby: [ '2.6', '2.7', '3.0', '3.1' ]
10
+ ruby: [ '2.6', '2.7', '3.0', '3.1', '3.2' ]
11
11
 
12
12
  steps:
13
- - uses: actions/checkout@v2
13
+ - uses: actions/checkout@v3
14
14
  - name: Set up Ruby ${{ matrix.ruby }}
15
15
  uses: ruby/setup-ruby@v1
16
16
  with:
data/README.md CHANGED
@@ -62,7 +62,6 @@ SecureHeaders::Configuration.default do |config|
62
62
  # directive values: these values will directly translate into source directives
63
63
  default_src: %w('none'),
64
64
  base_uri: %w('self'),
65
- block_all_mixed_content: true, # see https://www.w3.org/TR/mixed-content/
66
65
  child_src: %w('self'), # if child-src isn't supported, the value for frame-src will be set.
67
66
  connect_src: %w(wss:),
68
67
  font_src: %w('self' data:),
@@ -92,6 +91,9 @@ SecureHeaders::Configuration.default do |config|
92
91
  end
93
92
  ```
94
93
 
94
+ ### Deprecated Configuration Values
95
+ * `block_all_mixed_content` - this value is deprecated in favor of `upgrade_insecure_requests`. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content for more information.
96
+
95
97
  ## Default values
96
98
 
97
99
  All headers except for PublicKeyPins and ClearSiteData have a default value. The default set of headers is:
@@ -16,7 +16,6 @@ module SecureHeaders
16
16
 
17
17
  def initialize(hash)
18
18
  @base_uri = nil
19
- @block_all_mixed_content = nil
20
19
  @child_src = nil
21
20
  @connect_src = nil
22
21
  @default_src = nil
@@ -80,9 +80,9 @@ module SecureHeaders
80
80
  end
81
81
 
82
82
  def conditionally_flag?(configuration)
83
- if(Array(configuration[:only]).any? && (Array(configuration[:only]) & parsed_cookie.keys).any?)
83
+ if (Array(configuration[:only]).any? && (Array(configuration[:only]) & parsed_cookie.keys).any?)
84
84
  true
85
- elsif(Array(configuration[:except]).any? && (Array(configuration[:except]) & parsed_cookie.keys).none?)
85
+ elsif (Array(configuration[:except]).any? && (Array(configuration[:except]) & parsed_cookie.keys).none?)
86
86
  true
87
87
  else
88
88
  false
@@ -71,7 +71,6 @@ module SecureHeaders
71
71
 
72
72
  # All the directives currently under consideration for CSP level 3.
73
73
  # https://w3c.github.io/webappsec/specs/CSP2/
74
- BLOCK_ALL_MIXED_CONTENT = :block_all_mixed_content
75
74
  MANIFEST_SRC = :manifest_src
76
75
  NAVIGATE_TO = :navigate_to
77
76
  PREFETCH_SRC = :prefetch_src
@@ -85,7 +84,6 @@ module SecureHeaders
85
84
 
86
85
  DIRECTIVES_3_0 = [
87
86
  DIRECTIVES_2_0,
88
- BLOCK_ALL_MIXED_CONTENT,
89
87
  MANIFEST_SRC,
90
88
  NAVIGATE_TO,
91
89
  PREFETCH_SRC,
@@ -118,7 +116,6 @@ module SecureHeaders
118
116
 
119
117
  DIRECTIVE_VALUE_TYPES = {
120
118
  BASE_URI => :source_list,
121
- BLOCK_ALL_MIXED_CONTENT => :boolean,
122
119
  CHILD_SRC => :source_list,
123
120
  CONNECT_SRC => :source_list,
124
121
  DEFAULT_SRC => :source_list,
@@ -241,7 +238,7 @@ module SecureHeaders
241
238
  #
242
239
  # raises an error if the original config is OPT_OUT
243
240
  #
244
- # 1. for non-source-list values (report_only, block_all_mixed_content, upgrade_insecure_requests),
241
+ # 1. for non-source-list values (report_only, upgrade_insecure_requests),
245
242
  # additions will overwrite the original value.
246
243
  # 2. if a value in additions does not exist in the original config, the
247
244
  # default-src value is included to match original behavior.
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module SecureHeaders
4
- VERSION = "6.5.0"
4
+ VERSION = "6.6.0"
5
5
  end
@@ -92,13 +92,13 @@ module SecureHeaders
92
92
  end
93
93
 
94
94
  it "does add a boolean directive if the value is true" do
95
- csp = ContentSecurityPolicy.new(default_src: ["https://example.org"], block_all_mixed_content: true, upgrade_insecure_requests: true)
96
- expect(csp.value).to eq("default-src example.org; block-all-mixed-content; upgrade-insecure-requests")
95
+ csp = ContentSecurityPolicy.new(default_src: ["https://example.org"], upgrade_insecure_requests: true)
96
+ expect(csp.value).to eq("default-src example.org; upgrade-insecure-requests")
97
97
  end
98
98
 
99
99
  it "does not add a boolean directive if the value is false" do
100
- csp = ContentSecurityPolicy.new(default_src: ["https://example.org"], block_all_mixed_content: true, upgrade_insecure_requests: false)
101
- expect(csp.value).to eq("default-src example.org; block-all-mixed-content")
100
+ csp = ContentSecurityPolicy.new(default_src: ["https://example.org"], upgrade_insecure_requests: false)
101
+ expect(csp.value).to eq("default-src example.org")
102
102
  end
103
103
 
104
104
  it "handles wildcard subdomain with wildcard port" do
@@ -30,7 +30,6 @@ module SecureHeaders
30
30
  default_src: %w(https: 'self'),
31
31
 
32
32
  base_uri: %w('self'),
33
- block_all_mixed_content: true, # see [http://www.w3.org/TR/mixed-content/](http://www.w3.org/TR/mixed-content/)
34
33
  connect_src: %w(wss:),
35
34
  child_src: %w('self' *.twimg.com itunes.apple.com),
36
35
  font_src: %w('self' data:),
@@ -92,12 +91,6 @@ module SecureHeaders
92
91
  end.to raise_error(ContentSecurityPolicyConfigError)
93
92
  end
94
93
 
95
- it "requires :block_all_mixed_content to be a boolean value" do
96
- expect do
97
- ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(block_all_mixed_content: "steve")))
98
- end.to raise_error(ContentSecurityPolicyConfigError)
99
- end
100
-
101
94
  it "requires :upgrade_insecure_requests to be a boolean value" do
102
95
  expect do
103
96
  ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(upgrade_insecure_requests: "steve")))
@@ -244,18 +237,18 @@ module SecureHeaders
244
237
  expect(csp.name).to eq(ContentSecurityPolicyReportOnlyConfig::HEADER_NAME)
245
238
  end
246
239
 
247
- it "overrides the :block_all_mixed_content flag" do
240
+ it "overrides the :upgrade_insecure_requests flag" do
248
241
  Configuration.default do |config|
249
242
  config.csp = {
250
243
  default_src: %w(https:),
251
244
  script_src: %w('self'),
252
- block_all_mixed_content: false
245
+ upgrade_insecure_requests: false
253
246
  }
254
247
  end
255
248
  default_policy = Configuration.dup
256
- combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, block_all_mixed_content: true)
249
+ combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, upgrade_insecure_requests: true)
257
250
  csp = ContentSecurityPolicy.new(combined_config)
258
- expect(csp.value).to eq("default-src https:; block-all-mixed-content; script-src 'self'")
251
+ expect(csp.value).to eq("default-src https:; script-src 'self'; upgrade-insecure-requests")
259
252
  end
260
253
 
261
254
  it "raises an error if appending to a OPT_OUT policy" do
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.5.0
4
+ version: 6.6.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Neil Matatall
8
- autorequire:
8
+ autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-10-25 00:00:00.000000000 Z
11
+ date: 2024-08-09 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake
@@ -36,6 +36,7 @@ extra_rdoc_files: []
36
36
  files:
37
37
  - ".github/ISSUE_TEMPLATE.md"
38
38
  - ".github/PULL_REQUEST_TEMPLATE.md"
39
+ - ".github/dependabot.yml"
39
40
  - ".github/workflows/build.yml"
40
41
  - ".github/workflows/github-release.yml"
41
42
  - ".gitignore"
@@ -104,7 +105,7 @@ homepage: https://github.com/twitter/secureheaders
104
105
  licenses:
105
106
  - MIT
106
107
  metadata: {}
107
- post_install_message:
108
+ post_install_message:
108
109
  rdoc_options: []
109
110
  require_paths:
110
111
  - lib
@@ -119,8 +120,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
119
120
  - !ruby/object:Gem::Version
120
121
  version: '0'
121
122
  requirements: []
122
- rubygems_version: 3.3.7
123
- signing_key:
123
+ rubygems_version: 3.0.3.1
124
+ signing_key:
124
125
  specification_version: 4
125
126
  summary: Manages application of security headers with many safe defaults.
126
127
  test_files: