Commits on Aug 22, 2016
  1. Merge pull request #116 from sinatra/upstream

    Notice for upstream move
    zzak committed on GitHub Aug 22, 2016
  2. Notice for upstream move

    zzak committed Aug 22, 2016
Commits on Aug 1, 2016
  1. Merge pull request #114 from jkowens/cookie_tossing

    Remove extra calls to method that determines cookie paths
    zzak committed on GitHub Aug 1, 2016
Commits on Jul 31, 2016
  1. Merge pull request #113 from jkowens/cookie_tossing

    Add cookie tossing protection
    zzak committed on GitHub Jul 31, 2016
Commits on Jul 30, 2016
  1. Add cookie tossing protection

    Mitigate malicious session cookies set on a subdomain from
    being read by the parent domain.
    jkowens committed Jul 30, 2016
Commits on Jul 28, 2016
  1. Turn off CSP by default

    /cc mperham/sidekiq#3070
    
    Sorry for breaking stuff, Mike 🙇 🙇 🙇 🙇 🙇 🙇 🙇
    zzak committed Jul 28, 2016
  2. 💅

    zzak committed Jul 28, 2016
  3. Merge pull request #112 from jamesdabbs/master

    Enclose CSP self in quotes
    zzak committed on GitHub Jul 28, 2016
  4. Enclose CSP self in quotes

    per https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives,
    the quotes are required (see mperham/sidekiq#3070)
    jamesdabbs committed Jul 28, 2016
Commits on Jul 27, 2016
  1. Merge branch 'allow-if' of https://github.com/nathanstitt/rack-protection into nathanstitt-allow-if

    zzak committed Jul 27, 2016
  2. Merge pull request #111 from jamesdabbs/master

    Add img-src CSP directive
    zzak committed on GitHub Jul 27, 2016
Commits on Jul 26, 2016
  1. Include img-src in expected test output

    Again, I'm assuming this is the intent, as `should allow changing ...` does
    try to change img-src
    jamesdabbs committed Jul 26, 2016
  2. Add img-src CSP directive

    It's in the list of defaults; I'm assuming it's just an oversight that
    it isn't in the list of allowed KEYs
    jamesdabbs committed Jul 26, 2016
  3. Merge pull request #99 from droppedoncaprica/tempFileFix

    Fix Tempfile reference being returned as nil
    zzak committed on GitHub Jul 26, 2016
  4. Merge branch 'tempFileFix' of https://github.com/droppedoncaprica/rack-protection into droppedoncaprica/tempFileFix

    zzak committed Jul 26, 2016
  5. Fix spec from #78 rspec syntax

    zzak committed Jul 26, 2016
  6. Merge branch 'fix/csrf_missing_close' of https://github.com/finnlabs/rack-protection into finnlabs-fix/csrf_missing_close

    zzak committed Jul 26, 2016
  7. Add `:without_session` option to skip session based protection

    This includes:
    
    * Rack::Protection::SessionHijacking
    * Rack::Protection::RemoteToken
    
    Closes #47
    zzak committed Jul 26, 2016
  8. oops

    zzak committed Jul 26, 2016
  9. Update rspec syntax from #75

    zzak committed Jul 26, 2016
  10. Merge branch 'reevoo-master'

    zzak committed Jul 26, 2016
  11. Merge branch 'master' of https://github.com/reevoo/rack-protection into reevoo-master

    zzak committed Jul 26, 2016
  12. Use secure_compare when checking CSRF token

    Since string comparisons may return early we want to use a constant
    time comparison function to protect the CSRF token against timing
    attacks. Rack::Utils provides such a function.
    jeltz committed with zzak May 25, 2015
  13. Merge pull request #75 from mkristian/content-security-policy

    added content security policies
    zzak committed on GitHub Jul 26, 2016
Commits on Jul 25, 2016
  1. Update CI matrix to match current support by Sinatra

    Also test with sinatra master until release
    zzak committed Jul 25, 2016
  2. Bump version for developing 2.0.0 alpha

    Updated gemspec task to only add maintainers' emails,
    since probably not everyone wants their email publicly listed just for submitting a patch.
    
    Also replaced the file selection to manual, which leaves out spec files from the gem package.
    zzak committed Jul 25, 2016