RubyGems - shopify-sinatra-app - Versions diffs - 1.1.0 → 1.1.1 - Mend

shopify-sinatra-app 1.1.0 → 1.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/CHANGELOG +4 -0
data/README.md +1 -1
data/example/test/test_helper.rb +1 -1
data/lib/sinatra/shopify-sinatra-app.rb +34 -1
data/shopify-sinatra-app.gemspec +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3d4212df144a7d460c275e8f7cbfea4c5a0332d5293bb4ea3c1138764748bc37
-  data.tar.gz: 2f637570f3210796ec09f812e1c4c58b9110db590eeb7366eb2fc58286f20c84
+  metadata.gz: 734844728b60f961f5439fd7220d3fec58fd6f70cd71419ba9596d9c3686c592
+  data.tar.gz: c01746bc29a918be96c56b0c374c0c34108552eb5cc9090b73c24fe28cec735a
 SHA512:
-  metadata.gz: 4cfbca73509abcf9b7b77b9e73e2ee0694f2dc280797b8f9188a2adef9acc5c266dcce5503fa3df69e1269ad8db48e1daee27e63305dd65ce0e4f73a7fd41bc6
-  data.tar.gz: 5d85a7eafcfced73d5d08d9a8212d764c8ae3ca06b0e05849b6074bef007c5ec3dd3b42974e0c25d0a76c3062a2bb7dbc833fce41360c5114086297420371191
+  metadata.gz: c1b690cabf25ceed9607ab97faf426748793b3ab069ac75111c489e81da4ff950041d4efdaf5be7b8cd32da3cdf6c9b04e32dff2842e1363d007a978effa1d0e
+  data.tar.gz: 219d6efdfb4716e03d84773e31e8be04a403cfd36cff2bea04e6d7457148dad86c69deac9278a4095001b02b6b131e3296d405723f581ccbda37c0b22a64958f

data/CHANGELOG CHANGED Viewed

@@ -1,3 +1,7 @@
+1.1.1
+-----
+* fix how the CSP is set
 1.1.0
 -----
 * update to Shopify App Bridge 3

data/README.md CHANGED Viewed

@@ -1,4 +1,4 @@
-shopify-sinatra-app [![Build Status](https://travis-ci.org/kevinhughes27/shopify-tax-receipts.svg)](https://travis-ci.org/kevinhughes27/shopify-sinatra-app)
+shopify-sinatra-app [![CircleCI](https://dl.circleci.com/status-badge/img/gh/kevinhughes27/shopify-sinatra-app/tree/master.svg?style=svg)](https://dl.circleci.com/status-badge/redirect/gh/kevinhughes27/shopify-sinatra-app/tree/master)
 ===================
 "A classy shopify app"

data/example/test/test_helper.rb CHANGED Viewed

@@ -5,7 +5,7 @@ ENV['SECRET'] = 'secret'
 require 'minitest/autorun'
 require 'rack/test'
-require 'mocha/setup'
+require 'mocha/minitest'
 require 'fakeweb'
 FakeWeb.allow_net_connect = false

data/lib/sinatra/shopify-sinatra-app.rb CHANGED Viewed

@@ -117,6 +117,37 @@ module Sinatra
       end
     end
+    # needs to be dynamic to incude the current shop
+    class ContentSecurityPolicy < Rack::Protection::Base
+      def csp_policy(env)
+        "frame-ancestors: #{current_shop(env)} https://admin.shopify.com;"
+      end
+      def call(env)
+        status, headers, body = @app.call(env)
+        header = 'Content-Security-Policy'
+        headers[header] ||= csp_policy(env) if html? headers
+        [status, headers, body]
+      end
+      private
+      def current_shop(env)
+        s = session(env)
+        if s.has_key?("return_params")
+          "https://#{s["return_params"]["shop"]}"
+        elsif s.has_key?(:shopify)
+          "https://#{s[:shopify][:shop]}"
+        end
+      end
+      def html?(headers)
+        return false unless (header = headers.detect { |k, _v| k.downcase == 'content-type' })
+        options[:html_types].include? header.last[%r{^\w+/\w+}]
+      end
+    end
     def shopify_webhook(route, &blk)
       settings.webhook_routes << route
       post(route) do
@@ -135,7 +166,7 @@ module Sinatra
       app.set :public_folder, File.expand_path('public')
       app.enable :inline_templates
-      app.set :protection, except: :frame_options, frame_ancestors: "https://admin.shopify.com;"
+      app.set :protection, except: :frame_options
       app.set :api_version, '2019-07'
       app.set :scope, 'read_products, read_orders'
@@ -157,6 +188,8 @@ module Sinatra
                                      secret: app.settings.secret,
                                      expire_after: 60 * 30 # half an hour in seconds
+      app.use Shopify::ContentSecurityPolicy
       app.use Rack::Protection::AuthenticityToken, allow_if: lambda { |env|
         app.settings.webhook_routes.include?(env["PATH_INFO"])
       }

data/shopify-sinatra-app.gemspec CHANGED Viewed

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name = 'shopify-sinatra-app'
-  s.version = '1.1.0'
+  s.version = '1.1.1'
   s.summary     = 'A classy shopify app'
   s.description = 'A Sinatra extension for building Shopify Apps. Akin to the shopify_app gem but for Sinatra'

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: shopify-sinatra-app
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.1.1
 platform: ruby
 authors:
 - Kevin Hughes
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-10-08 00:00:00.000000000 Z
+date: 2022-12-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sinatra