README.md in csp_report-0.4.0 vs README.md in csp_report-1.0.0

- old
+ new

@@ -2,36 +2,24 @@ ========= This gem provides a Rails engine that manages the CSP violations reported by the client browser (when supported). -This gem was started with CSP v1.0 specification. On Aug 9th, an editor's draft -of v1.1 was published. This gem currently has not been modified to support it. -However v1.1 of CSP is spec'd to be backward compatible and from my lecture of -the spec, I can't see anything that should not work if your browser ups to the -new version. +As of today (Sept 14th), a new editor's draft of CSP 1.1 is available and got +rid of the new proposed report elements. Therefore, as of today too, I'll +publish the current version of the gem as the csp_report 1.0 version. -**Disclaimer** - -This is a rough cut gem for the moment. It won't look like much in the report -page. However, elements have a class so you can add some CSS style before I - add some clean ones in the gem. - -I promise something cleaner when I'll get to v1. - [Installation](#install) | [Upgrade](#upgrade-notes) | [Configuration](#trying-it-out) | [Description](#what-is-csp) -**Careful**: If migrating from 0.1.x, please follow -[these instructions](#upgrade-from-01x) +**Careful**: If migrating from an earlier version, please look up the upgrage +instructions. -**Careful**: If migrating from 0.2.x or below, you can follow -[these instructions](#upgrade-from-02x-or-below). This is not mandatory. +Now that v1.0 is out, I would advise to redo an install from scratch or to +consult the new [INSTALL](./INSTALL.md) file for details of what should be +installed -**Careful**: If migrating from 0.3.x or below, you can follow -[these instructions](#upgrade-from-03x-or-below). This is mandatory. - What is CSP =========== CSP (Content Security Policy) is a way to limit cross site scripting by relying on the browser as a last line of defense. It does not mean the other anti XSS @@ -42,22 +30,21 @@ * [Wikipedia](http://en.wikipedia.org/wiki/Content_Security_Policy) * [The Google Chrome explanation](https://developer.chrome.com/extensions/contentSecurityPolicy.html) [Browser supporting CSP](http://caniuse.com/#search=csp) -Tested in Chrome 27 and shown to work with the *'Content-Security-Policy'* new +Tested in Chrome (since version 27) and shown to work with the *'Content-Security-Policy'* new directive. Safari 6 already supports it but with the *'X-Webkit-CSP'* directive. However, it seems the *report_uri* parameter is not yet supported there. Features ======== * Provides a *csp_report* resource that stores the reported violations. -* Displays the violation for analysis +* Displays the violation for analysis along with consolidated reports. * Keeps up-to-date with the CSP W3C RFC -* Future: provide visualization aids on the report data Why using this gem ================== CSP is yet another layer of protection, basically relying on the browser to do @@ -69,19 +56,21 @@ * First, when activating CSP directives on your existing site, it is likely that you'll have a hard time figuring out all the sources you are using. By recording all the breaches, this gem allows you to setup a policy, run a crawler for example, and then look at what is reported as breaches. It will help you getting rid of your -inline js and so on. +inline js and tuning your policy. * Second, in normal production mode, it'll help you monitor the situation and see if your server has been victim of some injection (if some input is not sanitize properly) or if your users are being attacked in some way (in which case you might gather stats and maybe warn them in one way or another). Install ======= +_(See the [INSTALL.md](./INSTALL.md) file for more details)_ + 1. In your *Gemfile*, add the following ``` gem csp_report ``` Don't forget to run `bundle install` afterwards @@ -93,12 +82,11 @@ param to the install generator and it will execute the csp_declaration generator too ```shell rails generate csp_report:install [mount_point_name] [-a] ``` -It retrieve the db migration files from the gem and copy them in the application -It mounts the engine in the application (see routes.rb) +Among other things, it retrieves the db migration files from the gem and copy them in the application *Don't forget to run the `rake db:migrate` command* 1. **EASY INSTALL**: if you used the *-a* parameter above, you can skip this Use the helper generator to get your CSP directive skeleton. It will use the mount point that you defined in the install. @@ -160,12 +148,15 @@ Careful though, this is going to remove all the styles definition, so you'll have to redefine every single one of them. #### Changing the CSP rule per controller/action -TODO - gbataille - Fill in this section +This is not tested, but by adding a before_filter to any of your controller, +you should be able to override the application level CSP directive. +TODO - gbataille - Test it + Utilities ========= * For general usage, a constant CspReport::MOUNT_POINT is defined with the namespace provided while running the install generator. This constant is @@ -177,10 +168,9 @@ To come ======= * Customization instructions * Support of CSP 1.1 draft spec -* Eased data mining Upgrade notes ============= Upgrade from 0.1.x