New API Implementation #191

Merged
merged 24 commits into from Dec 11, 2015

4 participants
@oreoshake (Collaborator) commented Nov 5, 2015

Followup to #181. As with the last PR, it's probably better to ignore the diff and look at the code directly.

The biggest change in this PR is the added support for "named overrides" - additional configuration objects that can be referenced by name. The header values are all precomputed so named overrides save the overhead of building a policy per request.

(from the README:)

```ruby
class ApplicationController < ActionController::Base
  SecureHeaders::Configuration.default do |config|
    config.csp = {
      default_src: %w('self'),
      script_src: %w(example.org)
    }
  end

  # override default configuration
  SecureHeaders::Configuration.override(:script_from_otherdomain_com) do |config|
    config.csp[:script_src] << "otherdomain.com"
  end

  # overrides the :script_from_otherdomain_com configuration
  SecureHeaders::Configuration.override(:another_config, :script_from_otherdomain_com) do |config|
    config.csp[:script_src] << "evenanotherdomain.com"
  end
end

class MyController < ApplicationController
  def index
    # Produces default-src 'self'; script-src example.org otherdomain.com
    use_secure_headers_override(:script_from_otherdomain_com)
  end

  def show
    # Produces default-src 'self'; script-src example.org otherdomain.com evenanotherdomain.com
    use_secure_headers_override(:another_config)
  end
end
```
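The named-override mechanism described above, as an added example that models it in plain Ruby. This is not the secure_headers implementation; the class and method names (`HeaderConfig`, `ConfigRegistry`, `build_registry`) are hypothetical. It shows the two properties the PR description relies on: header strings are computed once per named configuration and only looked up per request, and an override must start from a deep copy of its base, because `config.csp[:script_src] << "host"` mutates the directive array in place and a shallow copy would push every override's additions into the shared default.

```ruby
# Added example (not secure_headers' own implementation): a minimal model of
# the named-override design described in this PR. Names are hypothetical.

class HeaderConfig
  attr_accessor :csp, :x_frame_options

  def initialize(csp: {}, x_frame_options: 'sameorigin')
    @csp = csp
    @x_frame_options = x_frame_options
  end

  # Copy the configuration for an override. Hash#dup alone copies the hash but
  # still shares each directive's Array, so an override doing
  #   config.csp[:script_src] << "otherdomain.com"
  # would append to the default's array as well (global state mutated).
  def copy(deep:)
    new_csp = deep ? @csp.transform_values(&:dup) : @csp.dup
    HeaderConfig.new(csp: new_csp, x_frame_options: @x_frame_options.dup)
  end

  # Serialize once; per-request code only does a hash lookup on the result.
  def headers
    csp_value = @csp.map { |directive, sources| "#{directive.to_s.tr('_', '-')} #{sources.join(' ')}" }.join('; ')
    { 'Content-Security-Policy' => csp_value, 'X-Frame-Options' => @x_frame_options }.freeze
  end
end

class ConfigRegistry
  def initialize(deep_copy: true)
    @deep_copy = deep_copy
    @configs = {}
    @headers = {}
  end

  def default
    cfg = HeaderConfig.new
    yield cfg
    store(:default, cfg)
  end

  # override(name, base = :default): start from a copy of base, apply the
  # block, then precompute the header strings under the new name.
  def override(name, base = :default)
    cfg = config(base).copy(deep: @deep_copy)
    yield cfg
    store(name, cfg)
  end

  def config(name)
    @configs.fetch(name) { raise ArgumentError, "unknown configuration #{name.inspect}" }
  end

  # What a request handler would call: no policy building, just a lookup.
  def headers_for(name = :default)
    @headers.fetch(name) { raise ArgumentError, "unknown configuration #{name.inspect}" }
  end

  private

  def store(name, cfg)
    @configs[name] = cfg
    @headers[name] = cfg.headers
  end
end

# The README configuration from this PR, built against the model above.
# deep_copy: false reproduces the shared-array mistake for comparison.
def build_registry(deep_copy: true)
  registry = ConfigRegistry.new(deep_copy: deep_copy)
  registry.default do |config|
    config.csp = { default_src: %w('self'), script_src: %w(example.org) }
  end
  registry.override(:script_from_otherdomain_com) do |config|
    config.csp[:script_src] << 'otherdomain.com'
  end
  registry.override(:another_config, :script_from_otherdomain_com) do |config|
    config.csp[:script_src] << 'evenanotherdomain.com'
  end
  registry
end

if $PROGRAM_NAME == __FILE__
  puts build_registry.headers_for(:another_config)['Content-Security-Policy']
  puts build_registry(deep_copy: false).config(:default).csp[:script_src].inspect
end
```

With the shallow copy, the default's precomputed header string still says `script-src example.org` while the live default configuration now lists all three hosts, so any later override built from `:default` inherits hosts nobody configured for it. That mismatch is the reason the copy has to be deep before the header strings are frozen.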

oreoshake added some commits Oct 20, 2015

Merge pull request #184 from twitter/mutating-global-regression
fix regression with mutation of global state
Cache UserAgentParser instance
Thanks to @igrep for pointing this out.

Fixes #187
Merge pull request #188 from twitter/user-agent-parser
Cache UserAgentParser instance
Major rewrite:
- Configure a global default and named overrides
- Use helper methods to set/modify configurations at runtime
- Set the headers in middleware based on the configuration saved to request.env

Configuration changes:
- All headers require string values except for CSP and HPKP
- CSP directives must be arrays of strings, no more support for space-delimited strings or procs

@oreoshake referenced this pull request Nov 5, 2015: [WIP] New API Implementation #181 (Closed, 8 of 9 tasks complete)
README.md Outdated
}
config.hpkp = {
:max_age => 60.days.to_i,
:include_subdomains => true,
:report_uri => '//example.com/uri-directive',
:report_uri => "https//example.com/uri-directive",
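Review bot: the new `:report_uri` value `"https//example.com/uri-directive"` drops the colon after `https`, so the README example sets an unparseable report URL; it should read `"https://example.com/uri-directive"`. If both `:report_uri` lines are meant to remain in the hash rather than being the old and new line of this change, Ruby keeps only the last value for a duplicated key (and warns about it), so the README should show a single entry.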

@stve (Contributor) commented Nov 5, 2015:

missing a : here

oreoshake and others added some commits Nov 5, 2015

Keep unsafe-* around when a * is provided.
e.g.

default-src * 'unsafe-inline' 'unsafe-eval' host1.com http: https:

can be reduced to:

default-src * 'unsafe-inline' 'unsafe-eval'

Previously, the unsafe-* values were removed but * does not cover
the unsafe-* values.
Merge pull request #193 from twitter/calling-name-on-nil-value
Fix issue with opting out of headers when using header_hash method
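The source-list reduction described in the "Keep unsafe-* around when a * is provided" commit, as an added example that is not the gem's code. Function names are hypothetical. It goes slightly beyond the commit message: besides the quoted keyword sources (`'unsafe-inline'`, `'unsafe-eval'`, and also `'self'`, nonces and hashes), it keeps `data:`, `blob:` and `filesystem:`, since the CSP specification excludes those schemes from `*` matching. Keeping a source that `*` already covers is harmless; dropping one it does not cover silently changes the policy, which is the bug the commit fixes.

```ruby
# Added example (not the gem's code): reducing a CSP source list that contains
# "*". Function names are hypothetical.

# "*" matches any network URL, but not the keyword sources (quoted: 'self',
# 'unsafe-inline', 'unsafe-eval', 'nonce-...', 'sha256-...') and not these
# schemes, which the CSP spec excludes from "*" matching.
SCHEMES_NOT_COVERED_BY_WILDCARD = %w(data: blob: filesystem:).freeze

def covered_by_wildcard?(source)
  return false if source == '*'
  return false if source.start_with?("'")
  return false if SCHEMES_NOT_COVERED_BY_WILDCARD.include?(source)
  true
end

# Without "*" nothing is dropped except duplicates. With "*", keep only the
# sources "*" does not already cover; removing 'unsafe-inline' here would
# silently tighten the policy and break inline scripts the site relies on.
def reduce_source_list(sources)
  unique = sources.uniq
  return unique unless unique.include?('*')
  unique.reject { |src| covered_by_wildcard?(src) }
end

def reduce_policy(csp)
  csp.map { |directive, sources| [directive, reduce_source_list(sources)] }.to_h
end

def serialize_policy(csp)
  csp.map { |directive, sources| "#{directive.to_s.tr('_', '-')} #{sources.join(' ')}" }.join('; ')
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample policy: the commit's example plus a directive without "*".
  policy = {
    default_src: %w(* 'unsafe-inline' 'unsafe-eval' host1.com http: https:),
    script_src: %w('self' cdn.example.com data:)
  }
  puts serialize_policy(reduce_policy(policy))
end
```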
@oreoshake (Collaborator) commented Dec 11, 2015

This code is now running on github.com. I'll let it sit for a few days and release a 3.0 gem. I'll add an "upgrading to 3.0 wiki" entry in the meantime since it is very much a breaking change.

oreoshake added a commit that referenced this pull request Dec 11, 2015

@oreoshake oreoshake merged commit 1918ce2 into 3.x Dec 11, 2015

2 checks passed: continuous-integration/travis-ci/pr and continuous-integration/travis-ci/push (The Travis CI build passed)

@oreoshake oreoshake deleted the env-rack-config branch Dec 11, 2015

@reedloden (Contributor) commented on lib/secure_headers/railtie.rb in 32bb3f5, Feb 25, 2016:

Just noticed 'X-Permitted-Cross-Domain-Policies' and 'X-Content-Type-Options' are listed twice.
