Unverified Commit 7854e14e authored by Benjamin Neff

Bump secure_headers

parent f8c9d2cc
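--- a/Gemfile
+++ b/Gemfile
@@ -152,7 +152,7 @@ gem "string-direction", "1.2.1"
 
 # Security Headers
 
-gem "secure_headers", "3.7.1"
+gem "secure_headers", "5.0.5"
 
 # Services
 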
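--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -639,8 +639,8 @@ GEM
     scss_lint (0.54.0)
       rake (>= 0.9, < 13)
       sass (~> 3.4.20)
-    secure_headers (3.7.1)
-      useragent
+    secure_headers (5.0.5)
+      useragent (>= 0.15.0)
     securecompare (1.0.0)
     shellany (0.0.1)
     shoulda-matchers (3.1.2)
@@ -730,7 +730,7 @@ GEM
       get_process_mem (~> 0)
       unicorn (>= 4, < 6)
     url_safe_base64 (0.2.2)
-    useragent (0.16.8)
+    useragent (0.16.10)
     uuid (2.3.8)
       macaddr (~> 1.0)
     valid (1.2.0)
@@ -883,7 +883,7 @@ DEPENDENCIES
   ruby-oembed (= 0.12.0)
   rubyzip (= 1.2.1)
   sass-rails (= 5.0.7)
-  secure_headers (= 3.7.1)
+  secure_headers (= 5.0.5)
   shoulda-matchers (= 3.1.2)
   sidekiq (= 5.1.3)
   sidekiq-cron (= 0.6.3)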
+3 −3
@@ -5,13 +5,13 @@ SecureHeaders::Configuration.default do |config|

  csp = {
    default_src:     %w('none'),
    child_src:       %w('self' www.youtube.com w.soundcloud.com twitter.com platform.twitter.com syndication.twitter.com
                        player.vimeo.com www.mixcloud.com www.dailymotion.com media.ccc.de bandcamp.com
                        www.instagram.com),
    connect_src:     %w('self' embedr.flickr.com geo.query.yahoo.com nominatim.openstreetmap.org api.github.com),
    font_src:        %w('self'),
    form_action:     %w('self' platform.twitter.com syndication.twitter.com),
    frame_ancestors: %w('self'),
    frame_src:       %w('self' www.youtube.com w.soundcloud.com twitter.com platform.twitter.com syndication.twitter.com
                        player.vimeo.com www.mixcloud.com www.dailymotion.com media.ccc.de bandcamp.com
                        www.instagram.com),
    img_src:         %w('self' data: *),
    media_src:       %w(https:),
    script_src:      %w('self' 'unsafe-eval' platform.twitter.com cdn.syndication.twimg.com widgets.flickr.com
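Review bot: `child_src` and `frame_src` now carry the same eleven-host embed allow-list typed out twice, so the next host added to one directive will silently be missing from the other and the two policies will drift; this page does not mark which of the two the commit adds or removes, but either way the list should be declared once and shared by both. Declare it as a local above the hash and build each directive from it, `child_src: %w('self') + embed_hosts` and `frame_src: %w('self') + embed_hosts`, which emits byte-identical headers. A one-line comment on why both directives are kept would also help, presumably so that CSP2 consumers (`child-src`) and CSP3 consumers (`frame-src`) end up with the same embed policy — please confirm that is the intent. The `csp` hash opens at line 5 of the file and continues past the end of this hunk; the `'unsafe-eval'` on `script_src` in the last context line predates this change and is not addressed here.
```ruby
  embed_hosts = %w(www.youtube.com w.soundcloud.com twitter.com platform.twitter.com syndication.twitter.com
                   player.vimeo.com www.mixcloud.com www.dailymotion.com media.ccc.de bandcamp.com
                   www.instagram.com)

  csp = {
    default_src:     %w('none'),
    child_src:       %w('self') + embed_hosts,
    # … unchanged: connect_src, font_src, form_action, frame_ancestors …
    frame_src:       %w('self') + embed_hosts,
    # … unchanged: img_src, media_src, script_src and the rest of the hash …
```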