secure_headers 2.4.0 → 2.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: bdc7e4cc47367102f2318244051b544e4bc5d611
-  data.tar.gz: f4bb9651462b15c056ab9720a0c079283e9c2462
+  metadata.gz: 36b98616c83ec1049b8f1bcc25671738da8d8bed
+  data.tar.gz: 730108ec10da36aeeb59049e88122a99987d1dcc
 SHA512:
-  metadata.gz: 888729b84ba1eb266c25c3bbc218c270f9e262bcbf490363a2daad6202803f4ba71a21f59c1a36e816a06c01ab8d28126ba81e05ae4f37ac36a53ee670af8420
-  data.tar.gz: 26640f0a917396faf083eaff557316d4a376e6956ae95915cfb5c815de3269a6ec5cb9a9f6a7684d871d8ff634dc586bb6a6a20dd79ece6cee034d5ec8f20648
+  metadata.gz: 854d9e8c9de09d5515dad3449726b4b2308b8a25b5dc702ed80da47fd3f94f983119531a4089877b215ee07dccfa8fec2766107891b018bcca376ec16ed95e8f
+  data.tar.gz: f0ec419ac593cdeb556dc852d6e2a3b8f5fcfe83c07b34ac8392fcb912004bbe1117ea9e473c068230a38c44c96a5e036dfde630ae5e7397203c9aed8babd741

data/.travis.yml

@@ -9,3 +9,4 @@ rvm:
 
 sudo: false
 cache: bundler
+before_install: gem update bundler

data/Gemfile

@@ -3,6 +3,7 @@ source 'https://rubygems.org'
 gemspec
 
 group :test do
+  gem "guard-rspec", platforms: [:ruby_19, :ruby_20, :ruby_21, :ruby_22]
   gem 'test-unit', '~> 3.0'
   gem 'rails', '3.2.22'
   gem 'sqlite3', :platforms => [:ruby, :mswin, :mingw]

data/Guardfile

@@ -0,0 +1,12 @@
+guard :rspec, cmd: "bundle exec rspec", all_on_start: true, all_after_pass: true do
+  require "guard/rspec/dsl"
+  dsl = Guard::RSpec::Dsl.new(self)
+
+  # RSpec files
+  rspec = dsl.rspec
+  watch(rspec.spec_helper) { rspec.spec_dir }
+  watch(rspec.spec_support) { rspec.spec_dir }
+  watch(rspec.spec_files)
+
+  watch(%r{^lib/(.+)\.rb$}) { |m| "spec/lib/#{m[1]}_spec.rb" }
+end

data/README.md

@@ -8,7 +8,7 @@ The gem will automatically apply several headers that are related to security.
 - X-Content-Type-Options - [Prevent content type sniffing](http://msdn.microsoft.com/en-us/library/ie/gg622941\(v=vs.85\).aspx)
 - X-Download-Options - [Prevent file downloads opening](http://msdn.microsoft.com/en-us/library/ie/jj542450(v=vs.85).aspx)
 - X-Permitted-Cross-Domain-Policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
-- Public Key Pinning - Pin certificate fingerprints in the browser to prevent man-in-the-middle attacks due to compromised Certificate Authorities. [Public Key Pinnning  Specification](https://tools.ietf.org/html/rfc7469)
+- Public Key Pinning - Pin certificate fingerprints in the browser to prevent man-in-the-middle attacks due to compromised Certificate Authorities. [Public Key Pinning  Specification](https://tools.ietf.org/html/rfc7469)
 
 ## Usage
 
@@ -61,6 +61,7 @@ The following methods are going to be called, unless they are provided in a `ski
     :form_action => "'self' github.com",
     :frame_ancestors => "'none'",
     :plugin_types => 'application/x-shockwave-flash',
+    :block_all_mixed_content => '' # see [http://www.w3.org/TR/mixed-content/]()
     :report_uri => '//example.com/uri-directive'
   }
   config.hpkp = {
@@ -99,7 +100,7 @@ Sometimes you need to override your content security policy for a given endpoint
 1. Override the `secure_header_options_for` class instance method. e.g.
 
 ```ruby
-class SomethingController < ApplicationController 
+class SomethingController < ApplicationController
   def wumbus
     # gets style-src override
   end

data/lib/secure_headers/headers/content_security_policy.rb

@@ -11,7 +11,9 @@ module SecureHeaders
       DEFAULT_CSP_HEADER = "default-src https: data: 'unsafe-inline' 'unsafe-eval'; frame-src https: about: javascript:; img-src data:"
       HEADER_NAME = "Content-Security-Policy"
       ENV_KEY = 'secure_headers.content_security_policy'
-      DIRECTIVES = [
+      USER_AGENT_PARSER = UserAgentParser::Parser.new
+
+      DIRECTIVES_1_0 = [
         :default_src,
         :connect_src,
         :font_src,
@@ -19,20 +21,53 @@ module SecureHeaders
         :img_src,
         :media_src,
         :object_src,
+        :sandbox,
         :script_src,
         :style_src,
+        :report_uri
+      ].freeze
+
+      DIRECTIVES_2_0 = [
+        DIRECTIVES_1_0,
         :base_uri,
         :child_src,
         :form_action,
         :frame_ancestors,
         :plugin_types
-      ]
+      ].flatten.freeze
 
-      OTHER = [
-        :report_uri
-      ]
 
-      ALL_DIRECTIVES = DIRECTIVES + OTHER
+      # All the directives currently under consideration for CSP level 3.
+      # https://w3c.github.io/webappsec/specs/CSP2/
+      DIRECTIVES_3_0 = [
+        DIRECTIVES_2_0,
+        :manifest_src,
+        :reflected_xss
+      ].flatten.freeze
+
+      # All the directives that are not currently in a formal spec, but have
+      # been implemented somewhere.
+      DIRECTIVES_DRAFT = [
+        :block_all_mixed_content,
+      ].freeze
+
+      SAFARI_DIRECTIVES = DIRECTIVES_1_0
+
+      FIREFOX_UNSUPPORTED_DIRECTIVES = [
+        :block_all_mixed_content,
+        :child_src,
+        :plugin_types
+      ].freeze
+
+      FIREFOX_DIRECTIVES = (
+        DIRECTIVES_2_0 - FIREFOX_UNSUPPORTED_DIRECTIVES
+      ).freeze
+
+      CHROME_DIRECTIVES = (
+        DIRECTIVES_2_0 + DIRECTIVES_DRAFT
+      ).freeze
+
+      ALL_DIRECTIVES = [DIRECTIVES_1_0 + DIRECTIVES_2_0 + DIRECTIVES_3_0 + DIRECTIVES_DRAFT].flatten.uniq.sort
       CONFIG_KEY = :csp
     end
 
@@ -102,10 +137,18 @@ module SecureHeaders
 
       # Config values can be string, array, or lamdba values
       @config = config.inject({}) do |hash, (key, value)|
-        config_val = value.respond_to?(:call) ? value.call(@controller) : value
+        config_val = if value.respond_to?(:call)
+          warn "[DEPRECATION] secure_headers 3.x will not support procs as config values."
+          value.call(@controller)
+        else
+          value
+        end
 
-        if DIRECTIVES.include?(key) # directives need to be normalized to arrays of strings
-          config_val = config_val.split if config_val.is_a? String
+        if ALL_DIRECTIVES.include?(key.to_sym) # directives need to be normalized to arrays of strings
+          if config_val.is_a? String
+            warn "[DEPRECATION] A String was supplied for directive #{key}. secure_headers 3.x will require all directives to be arrays of strings."
+            config_val = config_val.split
+          end
           if config_val.is_a?(Array)
             config_val = config_val.map do |val|
               translate_dir_value(val)
@@ -118,14 +161,36 @@ module SecureHeaders
       end
 
       @http_additions = @config.delete(:http_additions)
-      @app_name = @config.delete(:app_name)
-      @report_uri = @config.delete(:report_uri)
-      @enforce = !!@config.delete(:enforce)
       @disable_img_src_data_uri = !!@config.delete(:disable_img_src_data_uri)
       @tag_report_uri = !!@config.delete(:tag_report_uri)
       @script_hashes = @config.delete(:script_hashes) || []
+      @app_name = @config.delete(:app_name)
+      @app_name = @app_name.call(@controller) if @app_name.respond_to?(:call)
+      @enforce = @config.delete(:enforce)
+      @enforce = @enforce.call(@controller) if @enforce.respond_to?(:call)
+      @enforce = !!@enforce
+
+      # normalize and tag the report-uri
+      if @config[:report_uri]
+        @config[:report_uri] = @config[:report_uri].map do |report_uri|
+          if report_uri.start_with?('//')
+            report_uri = if @ssl_request
+                           "https:" + report_uri
+                         else
+                           "http:" + report_uri
+                         end
+          end
+
+          if @tag_report_uri
+            report_uri = "#{report_uri}?enforce=#{@enforce}"
+            report_uri += "&app_name=#{@app_name}" if @app_name
+          end
+          report_uri
+        end
+      end
 
       add_script_hashes if @script_hashes.any?
+      strip_unsupported_directives
     end
 
     ##
@@ -160,13 +225,20 @@ module SecureHeaders
 
     def to_json
       build_value
-      @config.to_json.gsub(/(\w+)_src/, "\\1-src")
+      @config.inject({}) do |hash, (key, value)|
+        if ALL_DIRECTIVES.include?(key)
+          hash[key.to_s.gsub(/(\w+)_(\w+)/, "\\1-\\2")] = value
+        end
+        hash
+      end.to_json
     end
 
     def self.from_json(*json_configs)
       json_configs.inject({}) do |combined_config, one_config|
-        one_config = one_config.gsub(/(\w+)-src/, "\\1_src")
-        config = JSON.parse(one_config, :symbolize_names => true)
+        config = JSON.parse(one_config).inject({}) do |hash, (key, value)|
+          hash[key.gsub(/(\w+)-(\w+)/, "\\1_\\2").to_sym] = value
+          hash
+        end
         combined_config.merge(config) do |_, lhs, rhs|
           lhs | rhs
         end
@@ -182,10 +254,7 @@ module SecureHeaders
     def build_value
       raise "Expected to find default_src directive value" unless @config[:default_src]
       append_http_additions unless ssl_request?
-      header_value = [
-        generic_directives,
-        report_uri_directive
-      ].join.strip
+      generic_directives
     end
 
     def append_http_additions
@@ -198,13 +267,13 @@ module SecureHeaders
 
     def translate_dir_value val
       if %w{inline eval}.include?(val)
-        warn "[DEPRECATION] using inline/eval may not be supported in the future. Instead use 'unsafe-inline'/'unsafe-eval' instead."
+        warn "[DEPRECATION] using inline/eval is not suppored in secure_headers 3.x. Instead use 'unsafe-inline'/'unsafe-eval' instead."
         val == 'inline' ? "'unsafe-inline'" : "'unsafe-eval'"
       elsif %{self none}.include?(val)
-        warn "[DEPRECATION] using self/none may not be supported in the future. Instead use 'self'/'none' instead."
+        warn "[DEPRECATION] using self/none is not suppored in secure_headers 3.x. Instead use 'self'/'none' instead."
         "'#{val}'"
       elsif val == 'nonce'
-        if supports_nonces?(@ua)
+        if supports_nonces?
           self.class.set_nonce(@controller, nonce)
           ["'nonce-#{nonce}'", "'unsafe-inline'"]
         else
@@ -215,27 +284,9 @@ module SecureHeaders
       end
     end
 
-    def report_uri_directive
-      return '' if @report_uri.nil?
-
-      if @report_uri.start_with?('//')
-        @report_uri = if @ssl_request
-                        "https:" + @report_uri
-                      else
-                        "http:" + @report_uri
-                      end
-      end
-
-      if @tag_report_uri
-        @report_uri = "#{@report_uri}?enforce=#{@enforce}"
-        @report_uri += "&app_name=#{@app_name}" if @app_name
-      end
-
-      "report-uri #{@report_uri};"
-    end
-
+    # ensures defualt_src is first and report_uri is last
     def generic_directives
-      header_value = ''
+      header_value = build_directive(:default_src)
       data_uri = @disable_img_src_data_uri ? [] : ["data:"]
       if @config[:img_src]
         @config[:img_src] = @config[:img_src] + data_uri unless @config[:img_src].include?('data:')
@@ -243,19 +294,40 @@ module SecureHeaders
         @config[:img_src] = @config[:default_src] + data_uri
       end
 
-      DIRECTIVES.each do |directive_name|
-        header_value += build_directive(directive_name) if @config[directive_name]
+      (ALL_DIRECTIVES - [:default_src, :report_uri]).each do |directive_name|
+        if @config[directive_name]
+          header_value += build_directive(directive_name)
+        end
       end
 
-      header_value
+      header_value += build_directive(:report_uri) if @config[:report_uri]
+
+      header_value.strip
     end
 
     def build_directive(key)
       "#{self.class.symbol_to_hyphen_case(key)} #{@config[key].join(" ")}; "
     end
 
-    def supports_nonces?(user_agent)
-      parsed_ua = UserAgentParser.parse(user_agent)
+    def strip_unsupported_directives
+      @config.select! { |key, _| supported_directives.include?(key) }
+    end
+
+    def supported_directives
+      @supported_directives ||= case USER_AGENT_PARSER.parse(@ua).family
+      when "Chrome"
+        CHROME_DIRECTIVES
+      when "Safari"
+        SAFARI_DIRECTIVES
+      when "Firefox"
+        FIREFOX_DIRECTIVES
+      else
+        DIRECTIVES_1_0
+      end
+    end
+
+    def supports_nonces?
+      parsed_ua = USER_AGENT_PARSER.parse(@ua)
       ["Chrome", "Opera", "Firefox"].include?(parsed_ua.family)
     end
   end

data/lib/secure_headers/headers/strict_transport_security.rb

@@ -41,6 +41,7 @@ module SecureHeaders
 
     def validate_config
       if @config.is_a? Hash
+        warn "[DEPRECATION] secure_headers 3.0 will only accept string values for StrictTransportSecurity config"
         if !@config[:max_age]
           raise STSBuildError.new("No max-age was supplied.")
         elsif @config[:max_age].to_s !~ /\A\d+\z/

data/lib/secure_headers/headers/x_content_type_options.rb

@@ -25,6 +25,7 @@ module SecureHeaders
       when String
         @config
       else
+        warn "[DEPRECATION] secure_headers 3.0 will only accept string values for XContentTypeOptions config"
         @config[:value]
       end
     end

data/lib/secure_headers/headers/x_download_options.rb

@@ -24,6 +24,7 @@ module SecureHeaders
       when String
         @config
       else
+        warn "[DEPRECATION] secure_headers 3.0 will only accept string values for XDownloadOptions config"
         @config[:value]
       end
     end

data/lib/secure_headers/headers/x_frame_options.rb

@@ -25,6 +25,7 @@ module SecureHeaders
       when String
         @config
       else
+        warn "[DEPRECATION] secure_headers 3.0 will only accept string values for XFrameOptions config"
         @config[:value]
       end
     end

data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb

@@ -25,6 +25,7 @@ module SecureHeaders
       when String
         @config
       else
+        warn "[DEPRECATION] secure_headers 3.0 will only accept string values for XPermittedCrossDomainPolicies config"
         @config[:value]
       end
     end

data/lib/secure_headers/headers/x_xss_protection.rb

@@ -25,6 +25,7 @@ module SecureHeaders
       when String
         @config
       else
+        warn "[DEPRECATION] secure_headers 3.0 will only accept string values for XXssProtection config"
         value = @config[:value].to_s
         value += "; mode=#{@config[:mode]}" if @config[:mode]
         value += "; report=#{@config[:report_uri]}" if @config[:report_uri]

data/lib/secure_headers/version.rb

@@ -1,3 +1,3 @@
 module SecureHeaders
-  VERSION = "2.4.0"
+  VERSION = "2.5.0"
 end

data/lib/secure_headers/view_helper.rb

@@ -27,7 +27,6 @@ module SecureHeaders
           if raise_error_on_unrecognized_hash
             raise UnexpectedHashedScriptException.new(message)
           else
-            puts message
             request.env[HASHES_ENV_KEY] = (request.env[HASHES_ENV_KEY] || []) << hash_value
           end
         end

data/lib/secure_headers.rb

@@ -33,12 +33,18 @@ module SecureHeaders
         :x_xss_protection, :csp, :x_download_options, :script_hashes,
         :x_permitted_cross_domain_policies, :hpkp
 
-      def configure &block
+      # For preparation for the secure_headers 3.x change.
+      def default &block
         instance_eval &block
         if File.exists?(SCRIPT_HASH_CONFIG_FILE)
           ::SecureHeaders::Configuration.script_hashes = YAML.load(File.open(SCRIPT_HASH_CONFIG_FILE))
         end
       end
+
+      def configure &block
+        warn "[DEPRECATION] `configure` is removed in secure_headers 3.x. Instead use `default`."
+        default &block
+      end
     end
   end
 
@@ -52,21 +58,23 @@ module SecureHeaders
 
     def header_hash(options = nil)
       ALL_HEADER_CLASSES.inject({}) do |memo, klass|
-        config = if options.is_a?(Hash) && options[klass::Constants::CONFIG_KEY]
+        # must use !options[key].nil? because 'false' represents opting out, nil
+        # represents use global default.
+        config = if options.is_a?(Hash) && !options[klass::Constants::CONFIG_KEY].nil?
           options[klass::Constants::CONFIG_KEY]
         else
           ::SecureHeaders::Configuration.send(klass::Constants::CONFIG_KEY)
         end
 
         unless klass == SecureHeaders::PublicKeyPins && !config.is_a?(Hash)
-          header = get_a_header(klass::Constants::CONFIG_KEY, klass, config)
-          memo[header.name] = header.value
+          header = get_a_header(klass, config)
+          memo[header.name] = header.value if header
         end
         memo
       end
     end
 
-    def get_a_header(name, klass, options)
+    def get_a_header(klass, options)
       return if options == false
       klass.new(options)
     end
@@ -204,13 +212,14 @@ module SecureHeaders
     # we can't use ||= because I'm overloading false => disable, nil => default
     # both of which trigger the conditional assignment
     def secure_header_options_for(type, options)
+      warn "[DEPRECATION] secure_header_options_for will not be supported in secure_headers 3.x."
       options.nil? ? ::SecureHeaders::Configuration.send(type) : options
     end
 
     def set_a_header(name, klass, options=nil)
       options = secure_header_options_for(name, options)
       return if options == false
-      set_header(SecureHeaders::get_a_header(name, klass, options))
+      set_header(SecureHeaders::get_a_header(klass, options))
     end
 
     def set_header(name_or_header, value=nil)

data/secure_headers.gemspec

@@ -20,4 +20,5 @@ Gem::Specification.new do |gem|
   gem.require_paths = ["lib"]
   gem.add_development_dependency "rake"
   gem.add_dependency "user_agent_parser"
+  gem.post_install_message = "[DEPRECATION] Development has stopped on the 2.x line of secure_headers. It will be maintained, but new features will be added to the 3.x branch. A lot has changed in secure_headers 3.x. A migration guide can be found in the documentation: https://github.com/twitter/secureheaders/blob/master/upgrading-to-3-0.md."
 end

data/spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb

@@ -10,7 +10,6 @@ module SecureHeaders
 
     let(:default_config) do
       {
-        :disable_fill_missing => true,
         :default_src => 'https://*',
         :report_uri => '/csp_report',
         :script_src => "'unsafe-inline' 'unsafe-eval' https://* data:",

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -5,9 +5,10 @@ module SecureHeaders
     let(:default_opts) do
       {
         :default_src => 'https:',
-        :report_uri => '/csp_report',
+        :img_src => "https: data:",
         :script_src => "'unsafe-inline' 'unsafe-eval' https: data:",
-        :style_src => "'unsafe-inline' https: about:"
+        :style_src => "'unsafe-inline' https: about:",
+        :report_uri => '/csp_report'
       }
     end
     let(:controller) { DummyClass.new }
@@ -58,7 +59,7 @@ module SecureHeaders
 
     it "exports a policy to JSON" do
       policy = ContentSecurityPolicy.new(default_opts)
-      expected = %({"default-src":["https:"],"script-src":["'unsafe-inline'","'unsafe-eval'","https:","data:"],"style-src":["'unsafe-inline'","https:","about:"],"img-src":["https:","data:"]})
+      expected = %({"default-src":["https:"],"img-src":["https:","data:"],"script-src":["'unsafe-inline'","'unsafe-eval'","https:","data:"],"style-src":["'unsafe-inline'","https:","about:"],"report-uri":["/csp_report"]})
       expect(policy.to_json).to eq(expected)
     end
 
@@ -141,6 +142,35 @@ module SecureHeaders
     end
 
     describe "#value" do
+      it "does not mutate shared state" do
+        opts = default_opts.merge(enforce: true)
+        policy = ContentSecurityPolicy.new(opts, :request => request_for(CHROME))
+        expect(policy.name).to eq("Content-Security-Policy")
+        policy = ContentSecurityPolicy.new(opts, :request => request_for(CHROME))
+        expect(policy.name).to eq("Content-Security-Policy")
+      end
+
+      context "browser sniffing" do
+        let(:complex_opts) do
+          ALL_DIRECTIVES.inject({}) { |memo, directive| memo[directive] = "'self'"; memo }.merge(:block_all_mixed_content => '')
+        end
+
+        it "does not filter any directives for Chrome" do
+          policy = ContentSecurityPolicy.new(complex_opts, :request => request_for(CHROME))
+          expect(policy.value).to eq("default-src 'self'; base-uri 'self'; block-all-mixed-content ; child-src 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self' data:; media-src 'self'; object-src 'self'; plugin-types 'self'; sandbox 'self'; script-src 'self'; style-src 'self'; report-uri 'self';")
+        end
+
+        it "filters blocked-all-mixed-content, child-src, and plugin-types for firefox" do
+          policy = ContentSecurityPolicy.new(complex_opts, :request => request_for(FIREFOX))
+          expect(policy.value).to eq("default-src 'self'; base-uri 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self' data:; media-src 'self'; object-src 'self'; sandbox 'self'; script-src 'self'; style-src 'self'; report-uri 'self';")
+        end
+
+        it "filters base-uri, blocked-all-mixed-content, child-src, form-action, frame-ancestors, and plugin-types for safari" do
+          policy = ContentSecurityPolicy.new(complex_opts, :request => request_for(SAFARI))
+          expect(policy.value).to eq("default-src 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data:; media-src 'self'; object-src 'self'; sandbox 'self'; script-src 'self'; style-src 'self'; report-uri 'self';")
+        end
+      end
+
       it "raises an exception when default-src is missing" do
         csp = ContentSecurityPolicy.new({:script_src => 'anything'}, :request => request_for(CHROME))
         expect {
@@ -248,7 +278,7 @@ module SecureHeaders
 
         it "adds directive values for headers on http" do
           csp = ContentSecurityPolicy.new(options, :request => request_for(CHROME))
-          expect(csp.value).to eq("default-src https:; frame-src http:; img-src http: data:; script-src 'unsafe-inline' 'unsafe-eval' https: data:; style-src 'unsafe-inline' https: about:; report-uri /csp_report;")
+          expect(csp.value).to eq("default-src https:; frame-src http:; img-src https: data: http:; script-src 'unsafe-inline' 'unsafe-eval' https: data:; style-src 'unsafe-inline' https: about:; report-uri /csp_report;")
         end
 
         it "does not add the directive values if requesting https" do

data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb

@@ -1,3 +1,5 @@
+require 'spec_helper'
+
 module SecureHeaders
   describe XContentTypeOptions do
     specify{ expect(XContentTypeOptions.new.name).to eq("X-Content-Type-Options") }

data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb

@@ -1,3 +1,5 @@
+require 'spec_helper'
+
 module SecureHeaders
   describe XXssProtection do
     specify { expect(XXssProtection.new.name).to eq(X_XSS_PROTECTION_HEADER_NAME)}

data/spec/lib/secure_headers_spec.rb

@@ -8,6 +8,7 @@ describe SecureHeaders do
   let(:request) {double(:ssl? => true, :url => 'https://example.com')}
 
   before(:each) do
+    reset_config
     stub_user_agent(nil)
     allow(headers).to receive(:[])
     allow(subject).to receive(:response).and_return(response)
@@ -19,7 +20,7 @@ describe SecureHeaders do
   end
 
   def reset_config
-    ::SecureHeaders::Configuration.configure do |config|
+    ::SecureHeaders::Configuration.default do |config|
       config.hpkp = nil
       config.hsts = nil
       config.x_frame_options = nil
@@ -138,7 +139,7 @@ describe SecureHeaders do
 
     context "when disabled by configuration settings" do
       it "does not set any headers when disabled" do
-        ::SecureHeaders::Configuration.configure do |config|
+        ::SecureHeaders::Configuration.default do |config|
           config.hsts = false
           config.hpkp = false
           config.x_frame_options = false
@@ -166,13 +167,30 @@ describe SecureHeaders do
     end
 
     it "produces a hash of headers given a hash as config" do
-      hash = SecureHeaders::header_hash(:csp => {:default_src => "'none'", :img_src => "data:", :disable_fill_missing => true})
+      hash = SecureHeaders::header_hash(:csp => {:default_src => "'none'", :img_src => "data:"})
       expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'none'; img-src data:;")
       expect_default_values(hash)
     end
 
+    it "allows opting out" do
+      hash = SecureHeaders::header_hash(:csp => false, :hpkp => false)
+      expect(hash['Content-Security-Policy-Report-Only']).to be_nil
+      expect(hash['Content-Security-Policy']).to be_nil
+    end
+
+    it "allows opting out with config" do
+      ::SecureHeaders::Configuration.default do |config|
+        config.hsts = false
+        config.csp = false
+      end
+
+      hash = SecureHeaders::header_hash
+      expect(hash['Content-Security-Policy-Report-Only']).to be_nil
+      expect(hash['Content-Security-Policy']).to be_nil
+    end
+
     it "produces a hash with a mix of config values, override values, and default values" do
-      ::SecureHeaders::Configuration.configure do |config|
+      ::SecureHeaders::Configuration.default do |config|
         config.hsts = { :max_age => '123456'}
         config.hpkp = {
           :enforce => true,
@@ -186,8 +204,8 @@ describe SecureHeaders do
         }
       end
 
-      hash = SecureHeaders::header_hash(:csp => {:default_src => "'none'", :img_src => "data:", :disable_fill_missing => true})
-      ::SecureHeaders::Configuration.configure do |config|
+      hash = SecureHeaders::header_hash(:csp => {:default_src => "'none'", :img_src => "data:"})
+      ::SecureHeaders::Configuration.default do |config|
         config.hsts = nil
         config.hpkp = nil
       end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 2.4.0
+  version: 2.5.0
 platform: ruby
 authors:
 - Neil Matatall
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-10-01 00:00:00.000000000 Z
+date: 2016-01-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -50,6 +50,7 @@ files:
 - ".ruby-version"
 - ".travis.yml"
 - Gemfile
+- Guardfile
 - LICENSE
 - README.md
 - Rakefile
@@ -170,7 +171,10 @@ homepage: https://github.com/twitter/secureheaders
 licenses:
 - Apache Public License 2.0
 metadata: {}
-post_install_message: 
+post_install_message: "[DEPRECATION] Development has stopped on the 2.x line of secure_headers.
+  It will be maintained, but new features will be added to the 3.x branch. A lot has
+  changed in secure_headers 3.x. A migration guide can be found in the documentation:
+  https://github.com/twitter/secureheaders/blob/master/upgrading-to-3-0.md."
 rdoc_options: []
 require_paths:
 - lib