Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merge rack protection #1167

Merged
merged 230 commits into from Aug 16, 2016
Merged

Merge rack protection #1167

merged 230 commits into from Aug 16, 2016

Conversation

zzak
Copy link
Member

@zzak zzak commented Aug 12, 2016

No description provided.

rkh added 30 commits May 23, 2011 10:07
@rkh
initial commit
0985552
@rkh
Move X-Frame-Options logic to FramOptions
eb81b26
@rkh
set up testing infrastructure and shared tests
5152b0e
@rkh
have mock_app duck typing the block passed to it
3384ede
@rkh
fix default options not overriding options
40f5a0c
@rkh
fix mock_app
7b70a79
@rkh
use Rack::Lint for testing
f347748
@rkh
specs for XSSHeader
50f25ad
@rkh
docs for XSSHeader
defd82d
@rkh
specs for FrameOptions
b046e5f
@rkh
docs for FrameOptions
113c20a
@rkh
reorder comments
c50169f
@rkh
add dummy for access control
6072730
@rkh
add links to more infos
f341cf7
@rkh
add docs to all middleware
d923026
@rkh
note about firesheep
37c4d91
@rkh
AccessControl has been removed
5c7d5ba
@rkh
implement PathTraversal
5535bf8
@rkh
implement escaped params
2f2a95d
@rkh
only do html escaping by default
a1a5378
@rkh
typo
b822958
@rkh
implement NoReferrer
725d26b
@rkh
check correct env behavior of all middleware
647d168
@rkh
feed some input that might change into dummy requests
b3dbbb8
@rkh
add comment
474ca8d
@rkh
add escape_utils as dependency
b75b5a5
@rkh
import authenticity token implementation
ab17770
@rkh
move stuff around, add remote_token protection
3588ba5
@rkh
implement session hijacking prevention
012cd7b
@rkh
whitespace
899fa10
Zachary Scott and others added 24 commits July 26, 2016 17:37
Add :without_session option to skip session based protection
46b1d85 
This includes:

* Rack::Protection::SessionHijacking
* Rack::Protection::RemoteToken

Closes #47
Merge branch 'fix/csrf_missing_close' of https://github.com/finnlabs/…
d08b784 
…rack-protection into finnlabs-fix/csrf_missing_close
Merge branch 'finnlabs-fix/csrf_missing_close'
a101947
Fix spec from #78 rspec syntax
5acc6b2
Merge branch 'tempFileFix' of https://github.com/droppedoncaprica/rac…
19c36cc 
…k-protection into droppedoncaprica/tempFileFix
Merge branch 'droppedoncaprica/tempFileFix'
46e3db2
Merge pull request #99 from droppedoncaprica/tempFileFix
7ebd1a1 
Fix Tempfile reference being returned as nil
@jamesdabbs
Add img-src CSP directive
19ad671 
It's in the list of defaults; I'm assuming it's just an oversight that
it isn't in the list of allowed KEYs
@jamesdabbs
Include img-src in expected test output
44916e0 
Again, I'm assuming this is the intent, as `should allow changing ...` does
try to change img-src
Merge pull request #111 from jamesdabbs/master
6646fbb 
Add img-src CSP directive
Merge branch 'master' of github.com:sinatra/rack-protection
b92595c
Merge branch 'allow-if' of https://github.com/nathanstitt/rack-protec…
4b7db03 
…tion into nathanstitt-allow-if
Merge branch 'nathanstitt-allow-if'
b525d19
Document Chrome is also supported by XSSHeader [ci skip]
8fd566e 
Closes #48
@jamesdabbs
Enclose CSP self in quotes
af6902e 
per https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives,
the quotes are required (see mpheram/sidekiq#3070)
Merge pull request #112 from jamesdabbs/master
c7a5187 
Enclose CSP self in quotes
💅
0a0932e
Turn off CSP by default
3c69609 
/cc sidekiq/sidekiq#3070

Sorry for breaking stuff, Mike 🙇 🙇 🙇 🙇 🙇 🙇 🙇
@jkowens
Add cookie tossing protection
cd5028b 
Mitigate malicious session cookies set on a subdomain from
being read by the parent domain.
Merge pull request #113 from jkowens/cookie_tossing
3899d62 
Add cookie tossing protection
@jkowens
Remove extra calls to method that determines cookie paths
0002738
Merge pull request #114 from jkowens/cookie_tossing
0bfaab4 
Remove extra calls to method that determines cookie paths
Document :origin_whitelist option for HttpOrigin and pointer from J…
66786ba 
…sonCsrf

closes #63
Merge rack-protection source into tree
2807afc
@zzak zzak added this to the 2.0.0 milestone Aug 12, 2016
@zzak zzak mentioned this pull request Aug 16, 2016
Closed
@zzak zzak merged commit aa1f6f9 into master Aug 16, 2016
@zzak zzak deleted the merge-rack-protection branch August 16, 2016 05:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
rack-protection
Projects
None yet
Milestone
2.0.0
Development

Successfully merging this pull request may close these issues.

None yet