nocebo/diaspora
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Bump secure_headers

Browse source
This commit is contained in:
Benjamin Neff 2018-04-08 00:47:19 +02:00
parent f8c9d2ccd9
commit 7854e14e07
No known key found for this signature in database
GPG key ID: 971464C3F1A90194
3 changed files with 8 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
Gemfile
View file

@ -152,7 +152,7 @@ gem "string-direction", "1.2.1"
# Security Headers
gem "secure_headers", "3.7.1"
gem "secure_headers", "5.0.5"
# Services

8
Gemfile.lock
View file

@ -639,8 +639,8 @@ GEM
scss_lint (0.54.0)
rake (>= 0.9, < 13)
sass (~> 3.4.20)
secure_headers (3.7.1)
useragent
secure_headers (5.0.5)
useragent (>= 0.15.0)
securecompare (1.0.0)
shellany (0.0.1)
shoulda-matchers (3.1.2)
@ -730,7 +730,7 @@ GEM
get_process_mem (~> 0)
unicorn (>= 4, < 6)
url_safe_base64 (0.2.2)
useragent (0.16.8)
useragent (0.16.10)
uuid (2.3.8)
macaddr (~> 1.0)
valid (1.2.0)
@ -883,7 +883,7 @@ DEPENDENCIES
ruby-oembed (= 0.12.0)
rubyzip (= 1.2.1)
sass-rails (= 5.0.7)
secure_headers (= 3.7.1)
secure_headers (= 5.0.5)
shoulda-matchers (= 3.1.2)
sidekiq (= 5.1.3)
sidekiq-cron (= 0.6.3)

6
config/initializers/secure_headers.rb
View file

@ -5,13 +5,13 @@ SecureHeaders::Configuration.default do |config|
csp = {
default_src: %w('none'),
child_src: %w('self' www.youtube.com w.soundcloud.com twitter.com platform.twitter.com syndication.twitter.com
player.vimeo.com www.mixcloud.com www.dailymotion.com media.ccc.de bandcamp.com
www.instagram.com),
connect_src: %w('self' embedr.flickr.com geo.query.yahoo.com nominatim.openstreetmap.org api.github.com),
font_src: %w('self'),
form_action: %w('self' platform.twitter.com syndication.twitter.com),
frame_ancestors: %w('self'),
frame_src: %w('self' www.youtube.com w.soundcloud.com twitter.com platform.twitter.com syndication.twitter.com
player.vimeo.com www.mixcloud.com www.dailymotion.com media.ccc.de bandcamp.com
www.instagram.com),
img_src: %w('self' data: *),
media_src: %w(https:),
script_src: %w('self' 'unsafe-eval' platform.twitter.com cdn.syndication.twimg.com widgets.flickr.com