Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Modernize Rack::Protection::ContentSecurityPolicy #1202

Merged
merged 3 commits into from
Dec 25, 2016
Merged

Modernize Rack::Protection::ContentSecurityPolicy #1202

merged 3 commits into from
Dec 25, 2016

Conversation

grempe
Copy link
Contributor

@grempe grempe commented Nov 7, 2016

Issue #1201 Modernizes Rack::Protection::ContentSecurityPolicy to support current CSP2 and CSP3 directives.

Issue #1200 Fixes a minor security warning on bundle install in a fresh repo.

Removes inline docs which were incomplete and insufficient for what is now
quite complex in CSP2 and CSP3. Adds additional current links to excellent
doc resources and tools.

grempe added 2 commits November 6, 2016 17:40
@grempe
Fixes #1200, bundler security warning for github rack/rack sourced gem
e35dca6
@grempe
Fixes #1201, Modernize Rack::Protection::ContentSecurityPolicy
2b6e088 
Adds complete set of directives that are currently supported by
browsers that support CSP Level 2 and Level 3 (draft).

Also supports directives that don't take any arguments.

The directives in the content security policy output are now sorted.
@grempe
Copy link
Contributor Author

grempe commented Nov 7, 2016
edited
Loading

The Travis CI build failures above are unrelated to these commits.

From the build logs:

https://travis-ci.org/sinatra/sinatra/builds/173822296

Gem::Ext::BuildError: ERROR: Failed to build gem native extension.
...
An error occurred while installing mini_racer (0.1.7), and Bundler

@grempe grempe mentioned this pull request Nov 7, 2016
Closed
@CGA1123
Copy link

CGA1123 commented Nov 9, 2016

Travis failing is related to #1199

@namusyaka
Copy link
Member

namusyaka commented Nov 19, 2016
edited
Loading

This will be succeed because g++-4.8 is now available on ubuntu-trusty.

esparta
esparta reviewed Nov 20, 2016
View reviewed changes
rack-protection/lib/rack/protection/content_security_policy.rb
img_src: "'self'", style_src: "'self'",
connect_src: "'self'", report_only: false

DIRECTIVES = [:base_uri, :child_src, :connect_src, :default_src,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how about use %i(..) for the list directives ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done, see d547b7f

@grempe grempe mentioned this pull request Dec 14, 2016
Closed
@zzak zzak merged commit 85dd923 into sinatra:master Dec 25, 2016
@zzak zzak mentioned this pull request Dec 25, 2016
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@esparta esparta esparta left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@grempe @CGA1123 @namusyaka @esparta @zzak