roda 3.6.0 → 3.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f461d51ffcff3abee852c79773a13d87f2ffc5fea2c6a27346bfb2755b318e1e
-  data.tar.gz: c30fafc14125ef2b100bce74762193cb0f09776805732c284b7d7cd0472f07c5
+  metadata.gz: d7fe20c8d9a31f311d69cac5c073690374859342d995f97183abeda25e84c2e8
+  data.tar.gz: d8b584c5768ef36fc60cd495d51285446c9cdd7e94a56668758b9c38253413a4
 SHA512:
-  metadata.gz: 428d1c607d27a5f90b4c5c992e8f8f3ea33cf8dd7c49e2a0920e49e4b97de34532eb9177aae04ad1efa9a229d747a6e5a744334ae803edbaf60e1e51cf154552
-  data.tar.gz: dd85d32aedb8b2c09fc757bd1cbc0f92dce99849841e4ab2e78f47589de8670c87023eb9d6a144efd1c7ff06f08f705589e2510cb7c4383cba13b40020b2d489
+  metadata.gz: 90e1c33010e0cd7d21fbf434c88bbad41dc069c746bb7eb58b1ae8b982f48320316eabf7f95d8af9376d76cc6d5d88fcb216c3859df5199f6a98bcf86830b5f3
+  data.tar.gz: 1a2d6dda37a5a49871af93894e5b32e553cdac5baa34d5c0a441481101bbc88353e3b8120deeaf7afcfeaae48c1c7cb48ea525a27c8db8e3d212e7945e75fb8d

data/CHANGELOG

@@ -1,3 +1,9 @@
+= 3.7.0 (2018-04-20)
+
+* Make response_request plugin work with error_handler and class_level_routing plugins (jeremyevans)
+
+* Add content_security_policy plugin for setting an appropriate Content-Security-Policy header (jeremyevans)
+
 = 3.6.0 (2018-03-26)
 
 * Add :wrap option to json_parser plugin, for whether/how to wrap the uploaded JSON object (jeremyevans) (#142)

data/doc/release_notes/3.7.0.txt

@@ -0,0 +1,123 @@
+= New Features
+
+* A content_security_policy plugin has been added for setting up an
+  appropriate Content-Security-Policy header.  To configure the
+  default policy, load the plugin with a block:
+
+    plugin :content_security_policy do |csp|
+      csp.default_src :none
+      csp.img_src :self
+      csp.style_src :self, 'fonts.googleapis.com'
+      csp.script_src :self
+      csp.font_src :self, 'fonts.gstatic.com'
+      csp.form_action :self
+      csp.base_uri :none
+      csp.frame_ancestors :none
+      csp.block_all_mixed_content
+    end
+
+  It's recommended that use use a default_src of :none at the top
+  of the policy, then explicitly change other settings (e.g. img_src)
+  when you want to allow content.
+
+  Anywhere in the routing tree, you can use the content_security_policy
+  method to override the default policy.  You can pass this method a
+  block:
+
+    r.get 'foo' do
+      content_security_policy do |csp|
+        csp.object_src :self
+        csp.add_style_src 'bar.com'
+      end
+      # ...
+    end
+
+  Or just call a method on it:
+
+    r.get 'foo' do
+      content_security_policy.script_src :self, 'example.com', [:nonce, 'foobarbaz']
+      # ...
+    end
+
+  The following methods exist for configuring the content security policy, they set
+  the appropriate directive, with the underscores replaced by a dash.
+  
+  * base_uri
+  * child_src
+  * connect_src
+  * default_src
+  * font_src
+  * form_action
+  * frame_ancestors
+  * frame_src
+  * img_src
+  * manifest_src
+  * media_src
+  * object_src
+  * plugin_types
+  * report_uri
+  * require_sri_for
+  * sandbox
+  * script_src
+  * style_src
+  * worker_src
+
+  All of these methods support any number of arguments, and each argument
+  should be one of the following types:
+  
+  String :: used verbatim
+  Symbol :: Substitutes underscore with dash and surrounds with single
+            quotes
+  Array :: only accepts 2 element arrays, joins elements with a dash
+           and surrounds them with single quotes
+ 
+  Example:
+  
+    content_security_policy.script_src :self, :unsafe_eval,
+      'example.com', [:nonce, 'foobarbaz']
+    # script-src 'self' 'unsafe-eval' example.com 'nonce-foobarbaz'; 
+   
+  When calling a method with no arguments, the setting is removed from
+  the policy instead of being left empty, since all of these setting
+  require at least one value.  Likewise, if the policy does not have
+  any settings, the header will not be added.
+
+  Calling the method overrides any previous setting.  Each of the
+  methods has a add_* method (e.g. add_script_src) for appending to the
+  current setting, and a get_* method (e.g. get_script_src) for
+  retrieving the current value of the setting, or nil if it is not
+  defined.
+
+    content_security_policy.script_src :self, :unsafe_eval
+    # script-src 'self' 'unsafe-eval'; 
+    content_security_policy.add_script_src 'example.com', [:nonce, 'foobarbaz']
+    # script-src 'self' 'unsafe-eval' example.com 'nonce-foobarbaz'; 
+  
+    content_security_policy.get_script_src 'example.com', [:nonce, 'foobarbaz']
+    # => [:self, :unsafe_eval, 'example.com', [:nonce, 'foobarbaz']]
+
+  The clear method can be used to remove all settings from the policy.
+  
+  The following methods to set boolean directives are also defined:
+ 
+  * block_all_mixed_content
+  * upgrade_insecure_requests
+ 
+  Calling these methods will turn on the related setting.  To turn the
+  setting off again, you can call them with a false argument (e.g.
+  block_all_mixed_content(false)).  Each method also an *? method
+  (e.g. block_all_mixed_content?) for returning whether the setting is
+  currently enabled.
+  
+  Likewise there is also a report_only method for turning on report
+  only mode (the default is enforcement mode), or turning off report
+  only mode if a false argument is given.  Also, there is a
+  report_only? method for returning whether report only mode is
+  enabled. In report only mode, the Content-Security-Policy-Report-Only
+  header is used.
+
+= Other Improvements
+
+* The response_request plugin now integrates with the error_handler and
+  class_level_routing plugins.  Those plugins now reinitialize the
+  current response object instead of creating a new response object.

data/lib/roda/plugins/class_level_routing.rb

@@ -86,7 +86,7 @@ class Roda
           if result[0] == 404 && (v = result[2]).is_a?(Array) && v.empty?
             # Reset the response so it doesn't inherit the status or any headers from
             # the original response.
-            @_response = self.class::RodaResponse.new
+            @_response.send(:initialize)
             super do |r|
               opts[:class_level_routes].each do |meth, args, blk|
                 req.instance_variable_set(:@remaining_path, rp)

data/lib/roda/plugins/content_security_policy.rb

@@ -0,0 +1,317 @@
+# frozen-string-literal: true
+
+#
+class Roda
+  module RodaPlugins
+    # The content_security_policy plugin allows you to easily set a Content-Security-Policy
+    # header for the application, which modern browsers will use to control access to specific
+    # types of page content.
+    #
+    # You would generally call the plugin with a block to set the default policy:
+    #
+    #   plugin :content_security_policy do |csp|
+    #     csp.default_src :none
+    #     csp.img_src :self
+    #     csp.style_src :self
+    #     csp.script_src :self
+    #     csp.font_src :self
+    #     csp.form_action :self
+    #     csp.base_uri :none
+    #     csp.frame_ancestors :none
+    #     csp.block_all_mixed_content
+    #   end
+    #
+    # Then, anywhere in the routing tree, you can customize the policy for just that
+    # branch or action using the same block syntax:
+    #
+    #   r.get 'foo' do
+    #     content_security_policy do |csp|
+    #       csp.object_src :self
+    #       csp.add_style_src 'bar.com'
+    #     end
+    #     # ...
+    #   end
+    #
+    # In addition to using a block, you can also call methods on the object returned
+    # by the method:
+    #
+    #   r.get 'foo' do
+    #     content_security_policy.script_src :self, 'example.com', [:nonce, 'foobarbaz']
+    #     # ...
+    #   end
+    #
+    # The following methods are available for configuring the content security policy,
+    # which specify the setting (substituting _ with -): 
+    #
+    # * base_uri
+    # * child_src
+    # * connect_src
+    # * default_src
+    # * font_src
+    # * form_action
+    # * frame_ancestors
+    # * frame_src
+    # * img_src
+    # * manifest_src
+    # * media_src
+    # * object_src
+    # * plugin_types
+    # * report_uri
+    # * require_sri_for
+    # * sandbox
+    # * script_src
+    # * style_src
+    # * worker_src
+    #
+    # All of these methods support any number of arguments, and each argument should
+    # be one of the following types:
+    #
+    # String :: used verbatim
+    # Symbol :: Substitutes +_+ with +-+ and surrounds with <tt>'</tt>
+    # Array :: only accepts 2 element arrays, joins elements with +-+ and
+    #          surrounds the result with <tt>'</tt>
+    #
+    # Example:
+    #
+    #   content_security_policy.script_src :self, :unsafe_eval, 'example.com', [:nonce, 'foobarbaz']
+    #   # script-src 'self' 'unsafe-eval' example.com 'nonce-foobarbaz'; 
+    #  
+    # When calling a method with no arguments, the setting is removed from the policy instead
+    # of being left empty, since all of these setting require at least one value.  Likewise,
+    # if the policy does not have any settings, the header will not be added.
+    #
+    # Calling the method overrides any previous setting.  Each of the methods has +add_*+ and
+    # +get_*+ methods defined. The +add_*+ method appends to any existing setting, and the +get_*+ method
+    # returns the current value for the setting.
+    #
+    #   content_security_policy.script_src :self, :unsafe_eval
+    #   content_security_policy.add_script_src 'example.com', [:nonce, 'foobarbaz']
+    #   # script-src 'self' 'unsafe-eval' example.com 'nonce-foobarbaz'; 
+    #
+    #   content_security_policy.get_script_src 'example.com', [:nonce, 'foobarbaz']
+    #   # => [:self, :unsafe_eval, 'example.com', [:nonce, 'foobarbaz']]
+    #
+    # The clear method can be used to remove all settings from the policy.
+    #
+    # The following methods to set boolean settings are also defined:
+    #
+    # * block_all_mixed_content
+    # * upgrade_insecure_requests
+    #
+    # Calling these methods will turn on the related setting.  To turn the setting
+    # off again, you can call them with a +false+ argument. There is also a <tt>*?</tt> method
+    # for each setting for returning whether the setting is currently enabled.
+    #
+    # Likewise there is also a +report_only+ method for turning on report only mode (the
+    # default is enforcement mode), or turning off report only mode if a false argument
+    # is given.  Also, there is a +report_only?+ method for returning whether report only
+    # mode is enabled.
+    module ContentSecurityPolicy
+      # Represents a content security policy.
+      class Policy
+        '
+        base-uri
+        child-src
+        connect-src
+        default-src
+        font-src
+        form-action
+        frame-ancestors
+        frame-src
+        img-src
+        manifest-src
+        media-src
+        object-src
+        plugin-types
+        report-uri
+        require-sri-for
+        sandbox
+        script-src
+        style-src
+        worker-src
+        '.split.each(&:freeze).each do |setting|
+          meth = setting.gsub('-', '_').freeze
+
+          # Setting method name sets the setting value, or removes it if no args are given.
+          define_method(meth) do |*args|
+            if args.empty?
+              @opts.delete(setting)
+            else
+              @opts[setting] = args.freeze
+            end
+            nil
+          end
+
+          # add_* method name adds to the setting value, or clears setting if no values
+          # are given.
+          define_method("add_#{meth}") do |*args|
+            if args.empty?
+              @opts[setting]
+            else
+              @opts[setting] ||= EMPTY_ARRAY
+              @opts[setting] += args
+              @opts[setting].freeze
+            end
+            nil
+          end
+
+          # get_* method always returns current setting value.
+          define_method("get_#{meth}") do
+            @opts[setting]
+          end
+        end
+
+        %w'block-all-mixed-content upgrade-insecure-requests'.each(&:freeze).each do |setting|
+          meth = setting.gsub('-', '_').freeze
+
+          # Setting method name turns on setting if true or no argument given,
+          # or removes setting if false is given.
+          define_method(meth) do |arg=true|
+            if arg
+              @opts[setting] = true
+            else
+              @opts.delete(setting)
+            end
+
+            nil
+          end
+
+          # *? method returns true or false depending on whether setting is enabled.
+          define_method("#{meth}?") do
+            !!@opts[setting]
+          end
+        end
+
+        def initialize
+          clear
+        end
+
+        # Clear all settings, useful to remove any inherited settings.
+        def clear
+          @opts = {}
+        end
+
+        # Do not allow future modifications to any settings.
+        def freeze
+          @opts.freeze
+          header_value.freeze
+          super
+        end
+
+        # The header name to use, depends on whether report only mode has been enabled.
+        def header_key
+          @report_only ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
+        end
+
+        # The header value to use.
+        def header_value
+          return @header_value if @header_value
+
+          s = String.new
+          @opts.each do |k, vs|
+            s << k
+            unless vs == true
+              vs.each{|v| append_formatted_value(s, v)}
+            end
+            s << '; '
+          end
+          @header_value = s
+        end
+
+        # Set whether the Content-Security-Policy-Report-Only header instead of the
+        # default Content-Security-Policy header.
+        def report_only(report=true)
+          @report_only = report
+        end
+
+        # Whether this policy uses report only mode.
+        def report_only?
+          !!@report_only
+        end
+
+        # Set the current policy in the headers hash.  If no settings have been made
+        # in the policy, does not set a header.
+        def set_header(headers)
+          return if @opts.empty?
+          headers[header_key] ||= header_value
+        end
+
+        private
+
+        # Handle three types of values when formatting the header:
+        # String :: used verbatim
+        # Symbol :: Substitutes _ with - and surrounds with '
+        # Array :: only accepts 2 element arrays, joins them with - and
+        #          surrounds them with '
+        def append_formatted_value(s, v)
+          case v
+          when String
+            s << ' ' << v
+          when Array
+            case v.length
+            when 2
+              s << " '" << v.join('-') << "'"
+            else
+              raise RodaError, "unsupported CSP value used: #{v.inspect}"
+            end
+          when Symbol
+            s << " '" << v.to_s.gsub('_', '-') << "'"
+          else
+            raise RodaError, "unsupported CSP value used: #{v.inspect}"
+          end
+        end
+
+        # Make object copy use copy of settings, and remove cached header value.
+        def initialize_copy(_)
+          super
+          @opts = @opts.dup
+          @header_value = nil
+        end
+      end
+
+
+      # Yield the current Content Security Policy to the block.
+      def self.configure(app)
+        policy = app.opts[:content_security_policy] = if policy = app.opts[:content_security_policy]
+          policy.dup
+        else
+          Policy.new
+        end
+
+        yield policy if block_given?
+        policy.freeze
+      end
+
+      module InstanceMethods
+        # If a block is given, yield the current content security policy.  Returns the
+        # current content security policy.
+        def content_security_policy
+          policy = @_response.content_security_policy
+          yield policy if block_given?
+          policy
+        end
+      end
+
+      module ResponseMethods
+        # Unset any content security policy when reinitializing
+        def initialize
+          super
+          @content_security_policy &&= nil
+        end
+
+        # The current content security policy to be used for this response.
+        def content_security_policy
+          @content_security_policy ||= roda_class.opts[:content_security_policy].dup
+        end
+
+        # Set the appropriate content security policy header.
+        def set_default_headers
+          super
+          (@content_security_policy || roda_class.opts[:content_security_policy]).set_header(@headers)
+        end
+      end
+    end
+
+    register_plugin(:content_security_policy, ContentSecurityPolicy)
+  end
+end

data/lib/roda/plugins/error_handler.rb

@@ -64,8 +64,8 @@ class Roda
         def call
           super
         rescue *opts[:error_handler_classes] => e
-          res = @_response = self.class::RodaResponse.new
-          res.status = 500
+          @_response.send(:initialize)
+          @_response.status = 500
           super{handle_error(e)}
         end
 

data/lib/roda/version.rb

@@ -4,7 +4,7 @@ class Roda
   RodaMajorVersion = 3
 
   # The minor version of Roda, updated for new feature releases of Roda.
-  RodaMinorVersion = 6
+  RodaMinorVersion = 7
 
   # The patch version of Roda, updated only for bug fixes from the last
   # feature release.

data/spec/plugin/content_security_policy_spec.rb

@@ -0,0 +1,175 @@
+require_relative "../spec_helper"
+
+describe "content_security_policy plugin" do 
+  it "does not add header if no options are set" do
+    app(:content_security_policy){'a'}
+    header('Content-Security-Policy', "/a").must_be_nil
+  end
+
+  it "sets Content-Security-Policy header" do
+    app(:bare) do
+      plugin :content_security_policy do |csp|
+        csp.default_src :self
+        csp.img_src :self, 'example.com'
+        csp.style_src [:sha256, 'abc']
+      end
+
+      route do |r|
+        r.get 'ro' do
+          content_security_policy.report_only
+          ''
+        end
+
+        r.get 'nro' do
+          content_security_policy.report_only
+          content_security_policy.report_only(false)
+          content_security_policy.report_only?.inspect
+        end
+
+        r.get 'get' do
+          content_security_policy.get_default_src.inspect
+        end
+
+        r.get 'add' do
+          content_security_policy.add_default_src('foo.com', 'bar.com')
+          ''
+        end
+
+        r.get 'empty' do
+          content_security_policy.add_default_src
+          ''
+        end
+
+        r.get 'set' do
+          content_security_policy.default_src('foo.com', 'bar.com')
+          ''
+        end
+
+        r.get 'bool' do
+          content_security_policy.block_all_mixed_content
+          content_security_policy.upgrade_insecure_requests(false)
+          content_security_policy.block_all_mixed_content?.inspect
+        end
+
+        r.get 'block' do
+          content_security_policy do |csp|
+            csp.block_all_mixed_content
+            csp.add_default_src('foo.com', 'bar.com')
+            csp.img_src :none
+            csp.style_src
+            csp.report_only
+          end
+          ''
+        end
+
+        r.get 'clear' do
+          content_security_policy do |csp|
+            csp.clear
+            csp.add_default_src('foo.com', 'bar.com')
+          end
+          ''
+        end
+
+        'a'
+      end
+    end
+
+    v = "default-src 'self'; img-src 'self' example.com; style-src 'sha256-abc'; "
+
+    header('Content-Security-Policy', "/a").must_equal v
+
+    header('Content-Security-Policy', "/nro").must_equal v
+    header('Content-Security-Policy-Report-Only', "/nro").must_be_nil
+    body("/nro").must_equal 'false'
+
+    header('Content-Security-Policy-Report-Only', "/ro").must_equal v
+    header('Content-Security-Policy', "/ro").must_be_nil
+
+    body('/get').must_equal '[:self]'
+
+    header('Content-Security-Policy', "/add").must_equal "default-src 'self' foo.com bar.com; img-src 'self' example.com; style-src 'sha256-abc'; "
+
+    header('Content-Security-Policy', "/empty").must_equal "default-src 'self'; img-src 'self' example.com; style-src 'sha256-abc'; "
+
+    header('Content-Security-Policy', "/set").must_equal "default-src foo.com bar.com; img-src 'self' example.com; style-src 'sha256-abc'; "
+
+    body('/bool').must_equal 'true'
+    header('Content-Security-Policy', "/bool").must_equal "default-src 'self'; img-src 'self' example.com; style-src 'sha256-abc'; block-all-mixed-content; "
+
+    header('Content-Security-Policy-Report-Only', "/block").must_equal "default-src 'self' foo.com bar.com; img-src 'none'; block-all-mixed-content; "
+
+    header('Content-Security-Policy', "/clear").must_equal "default-src foo.com bar.com; "
+  end
+
+  it "raises error for unsupported CSP values" do
+    app{}
+    proc{app.plugin(:content_security_policy){|csp| csp.default_src Object.new}}.must_raise Roda::RodaError
+    proc{app.plugin(:content_security_policy){|csp| csp.default_src []}}.must_raise Roda::RodaError
+    proc{app.plugin(:content_security_policy){|csp| csp.default_src [:a]}}.must_raise Roda::RodaError
+    proc{app.plugin(:content_security_policy){|csp| csp.default_src [:a, :b, :c]}}.must_raise Roda::RodaError
+  end
+
+  it "supports all documented settings" do
+    app(:content_security_policy) do |r|
+      content_security_policy.send(r.path[1..-1], :self)
+    end
+
+    '
+    base_uri
+    child_src
+    connect_src
+    default_src
+    font_src
+    form_action
+    frame_ancestors
+    frame_src
+    img_src
+    manifest_src
+    media_src
+    object_src
+    plugin_types
+    report_uri
+    require_sri_for
+    sandbox
+    script_src
+    style_src
+    worker_src
+    '.split.each do |setting|
+      header('Content-Security-Policy', "/#{setting}").must_equal "#{setting.gsub('_', '-')} 'self'; "
+    end
+  end
+
+  it "does not override existing heading" do
+    app(:content_security_policy) do |r|
+      content_security_policy.default_src :self
+      response['Content-Security-Policy'] = "default_src 'none';"
+      ''
+    end
+    header('Content-Security-Policy').must_equal "default_src 'none';"
+  end
+
+  it "works with error_handler" do
+    app(:bare) do
+      plugin(:error_handler){|_| ''}
+      plugin :content_security_policy do |csp|
+        csp.default_src :self
+        csp.img_src :self, 'example.com'
+        csp.style_src [:sha256, 'abc']
+      end
+
+      route do |r|
+        r.get 'a' do
+          content_security_policy.default_src 'foo.com'
+          raise
+        end
+
+        raise
+      end
+    end
+
+    header('Content-Security-Policy').must_equal "default-src 'self'; img-src 'self' example.com; style-src 'sha256-abc'; "
+
+    # Don't include updates before the error
+    header('Content-Security-Policy', '/a').must_equal "default-src 'self'; img-src 'self' example.com; style-src 'sha256-abc'; "
+  end
+end

data/spec/plugin/response_request_spec.rb

@@ -9,4 +9,35 @@ describe "response_request plugin" do
     body.must_equal "a"
     body('REQUEST_METHOD'=>'POST').must_equal "b"
   end
+
+  it "should work with error_handler plugin" do
+    app(:bare) do
+      plugin :response_request
+
+      plugin :error_handler do |_|
+        response.request.post? ? "b" : "a"
+      end
+      
+      route{raise}
+    end
+
+    body.must_equal "a"
+    body('REQUEST_METHOD'=>'POST').must_equal "b"
+  end
+
+  it "should work with class_level_routing plugin" do
+    app(:bare) do
+      plugin :response_request
+      plugin :class_level_routing
+      
+      is '' do |_|
+        response.request.post? ? "b" : "a"
+      end
+      
+      route{}
+    end
+
+    body.must_equal "a"
+    body('REQUEST_METHOD'=>'POST').must_equal "b"
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: roda
 version: !ruby/object:Gem::Version
-  version: 3.6.0
+  version: 3.7.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-03-26 00:00:00.000000000 Z
+date: 2018-04-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -160,21 +160,13 @@ extra_rdoc_files:
 - MIT-LICENSE
 - CHANGELOG
 - doc/conventions.rdoc
+- doc/release_notes/3.7.0.txt
 - doc/release_notes/1.0.0.txt
 - doc/release_notes/1.1.0.txt
 - doc/release_notes/1.2.0.txt
 - doc/release_notes/1.3.0.txt
 - doc/release_notes/2.0.0.txt
 - doc/release_notes/2.1.0.txt
-- doc/release_notes/2.2.0.txt
-- doc/release_notes/2.3.0.txt
-- doc/release_notes/2.4.0.txt
-- doc/release_notes/2.5.0.txt
-- doc/release_notes/2.5.1.txt
-- doc/release_notes/2.6.0.txt
-- doc/release_notes/2.7.0.txt
-- doc/release_notes/2.8.0.txt
-- doc/release_notes/2.9.0.txt
 - doc/release_notes/2.10.0.txt
 - doc/release_notes/2.11.0.txt
 - doc/release_notes/2.12.0.txt
@@ -185,6 +177,7 @@ extra_rdoc_files:
 - doc/release_notes/2.17.0.txt
 - doc/release_notes/2.18.0.txt
 - doc/release_notes/2.19.0.txt
+- doc/release_notes/2.2.0.txt
 - doc/release_notes/2.20.0.txt
 - doc/release_notes/2.21.0.txt
 - doc/release_notes/2.22.0.txt
@@ -195,6 +188,14 @@ extra_rdoc_files:
 - doc/release_notes/2.27.0.txt
 - doc/release_notes/2.28.0.txt
 - doc/release_notes/2.29.0.txt
+- doc/release_notes/2.3.0.txt
+- doc/release_notes/2.4.0.txt
+- doc/release_notes/2.5.0.txt
+- doc/release_notes/2.5.1.txt
+- doc/release_notes/2.6.0.txt
+- doc/release_notes/2.7.0.txt
+- doc/release_notes/2.8.0.txt
+- doc/release_notes/2.9.0.txt
 - doc/release_notes/3.0.0.txt
 - doc/release_notes/3.1.0.txt
 - doc/release_notes/3.2.0.txt
@@ -250,6 +251,7 @@ files:
 - doc/release_notes/3.4.0.txt
 - doc/release_notes/3.5.0.txt
 - doc/release_notes/3.6.0.txt
+- doc/release_notes/3.7.0.txt
 - lib/roda.rb
 - lib/roda/plugins/_symbol_regexp_matchers.rb
 - lib/roda/plugins/all_verbs.rb
@@ -262,6 +264,7 @@ files:
 - lib/roda/plugins/class_level_routing.rb
 - lib/roda/plugins/class_matchers.rb
 - lib/roda/plugins/content_for.rb
+- lib/roda/plugins/content_security_policy.rb
 - lib/roda/plugins/cookies.rb
 - lib/roda/plugins/csrf.rb
 - lib/roda/plugins/default_headers.rb
@@ -358,6 +361,7 @@ files:
 - spec/plugin/class_level_routing_spec.rb
 - spec/plugin/class_matchers_spec.rb
 - spec/plugin/content_for_spec.rb
+- spec/plugin/content_security_policy_spec.rb
 - spec/plugin/cookies_spec.rb
 - spec/plugin/csrf_spec.rb
 - spec/plugin/default_headers_spec.rb
@@ -478,7 +482,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.3
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: Routing tree web toolkit