secure_headers 3.7.2 → 4.0.0

data/spec/lib/secure_headers_spec.rb

@@ -1,4 +1,5 @@
-require 'spec_helper'
+# frozen_string_literal: true
+require "spec_helper"
 
 module SecureHeaders
   describe SecureHeaders do
@@ -30,16 +31,16 @@ module SecureHeaders
     describe "#header_hash_for" do
       it "allows you to opt out of individual headers via API" do
         Configuration.default do |config|
-          config.csp = { default_src: %w('self')}
+          config.csp = { default_src: %w('self'), script_src: %w('self')}
           config.csp_report_only = config.csp
         end
         SecureHeaders.opt_out_of_header(request, ContentSecurityPolicyConfig::CONFIG_KEY)
         SecureHeaders.opt_out_of_header(request, ContentSecurityPolicyReportOnlyConfig::CONFIG_KEY)
         SecureHeaders.opt_out_of_header(request, XContentTypeOptions::CONFIG_KEY)
         hash = SecureHeaders.header_hash_for(request)
-        expect(hash['Content-Security-Policy-Report-Only']).to be_nil
-        expect(hash['Content-Security-Policy']).to be_nil
-        expect(hash['X-Content-Type-Options']).to be_nil
+        expect(hash["Content-Security-Policy-Report-Only"]).to be_nil
+        expect(hash["Content-Security-Policy"]).to be_nil
+        expect(hash["X-Content-Type-Options"]).to be_nil
       end
 
       it "Carries options over when using overrides" do
@@ -54,15 +55,15 @@ module SecureHeaders
 
         SecureHeaders.use_secure_headers_override(request, :api)
         hash = SecureHeaders.header_hash_for(request)
-        expect(hash['X-Download-Options']).to be_nil
-        expect(hash['X-Permitted-Cross-Domain-Policies']).to be_nil
-        expect(hash['X-Frame-Options']).to be_nil
+        expect(hash["X-Download-Options"]).to be_nil
+        expect(hash["X-Permitted-Cross-Domain-Policies"]).to be_nil
+        expect(hash["X-Frame-Options"]).to be_nil
       end
 
       it "allows you to opt out entirely" do
         # configure the disabled-by-default headers to ensure they also do not get set
         Configuration.default do |config|
-          config.csp = { :default_src => ["example.com"] }
+          config.csp = { default_src: ["example.com"], script_src: %w('self') }
           config.csp_report_only = config.csp
           config.hpkp = {
             report_only: false,
@@ -108,6 +109,7 @@ module SecureHeaders
         Configuration.default do |config|
           config.csp = {
             default_src: %w('self'),
+            script_src: %w('self'),
             child_src: %w('self')
           }
         end
@@ -144,10 +146,10 @@ module SecureHeaders
           config.hpkp = {
             max_age: 1_000_000,
             include_subdomains: true,
-            report_uri: '//example.com/uri-directive',
+            report_uri: "//example.com/uri-directive",
             pins: [
-              { sha256: 'abc' },
-              { sha256: '123' }
+              { sha256: "abc" },
+              { sha256: "123" }
             ]
           }
         end
@@ -173,42 +175,32 @@ module SecureHeaders
           expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; script-src mycdn.com 'unsafe-inline' anothercdn.com")
         end
 
-        it "appends child-src to frame-src" do
+        it "child-src and frame-src must match" do
           Configuration.default do |config|
             config.csp = {
               default_src: %w('self'),
-              frame_src: %w(frame_src.com)
+              frame_src: %w(frame_src.com),
+              script_src: %w('self')
             }
           end
 
           SecureHeaders.append_content_security_policy_directives(chrome_request, child_src: %w(child_src.com))
-          hash = SecureHeaders.header_hash_for(chrome_request)
-          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; child-src frame_src.com child_src.com")
-        end
-
-        it "appends frame-src to child-src" do
-          Configuration.default do |config|
-            config.csp = {
-              default_src: %w('self'),
-              child_src: %w(child_src.com)
-            }
-          end
 
-          safari_request = Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:safari6]))
-          SecureHeaders.append_content_security_policy_directives(safari_request, frame_src: %w(frame_src.com))
-          hash = SecureHeaders.header_hash_for(safari_request)
-          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self'; frame-src child_src.com frame_src.com")
+          expect {
+            SecureHeaders.header_hash_for(chrome_request)
+          }.to raise_error(ArgumentError)
         end
 
         it "supports named appends" do
           Configuration.default do |config|
             config.csp = {
-              default_src: %w('self')
+              default_src: %w('self'),
+              script_src: %w('self')
             }
           end
 
           Configuration.named_append(:moar_default_sources) do |request|
-            { default_src: %w(https:)}
+            { default_src: %w(https:), style_src: %w('self')}
           end
 
           Configuration.named_append(:how_about_a_script_src_too) do |request|
@@ -219,13 +211,14 @@ module SecureHeaders
           SecureHeaders.use_content_security_policy_named_append(request, :how_about_a_script_src_too)
           hash = SecureHeaders.header_hash_for(request)
 
-          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self' https:; script-src 'self' https: 'unsafe-inline'")
+          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'self' https:; script-src 'self' 'unsafe-inline'; style-src 'self'")
         end
 
         it "appends a nonce to a missing script-src value" do
           Configuration.default do |config|
             config.csp = {
-              default_src: %w('self')
+              default_src: %w('self'),
+              script_src: %w('self')
             }
           end
 
@@ -237,7 +230,8 @@ module SecureHeaders
         it "appends a hash to a missing script-src value" do
           Configuration.default do |config|
             config.csp = {
-              default_src: %w('self')
+              default_src: %w('self'),
+              script_src: %w('self')
             }
           end
 
@@ -249,24 +243,26 @@ module SecureHeaders
         it "overrides individual directives" do
           Configuration.default do |config|
             config.csp = {
-              default_src: %w('self')
+              default_src: %w('self'),
+              script_src: %w('self')
             }
           end
           SecureHeaders.override_content_security_policy_directives(request, default_src: %w('none'))
           hash = SecureHeaders.header_hash_for(request)
-          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'none'")
+          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src 'none'; script-src 'self'")
         end
 
         it "overrides non-existant directives" do
           Configuration.default do |config|
             config.csp = {
-              default_src: %w(https:)
+              default_src: %w(https:),
+              script_src: %w('self')
             }
           end
           SecureHeaders.override_content_security_policy_directives(request, img_src: [ContentSecurityPolicy::DATA_PROTOCOL])
           hash = SecureHeaders.header_hash_for(request)
           expect(hash[ContentSecurityPolicyReportOnlyConfig::HEADER_NAME]).to be_nil
-          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src https:; img-src data:")
+          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to eq("default-src https:; img-src data:; script-src 'self'")
         end
 
         it "does not append a nonce when the browser does not support it" do
@@ -301,7 +297,7 @@ module SecureHeaders
           SecureHeaders.content_security_policy_script_nonce(chrome_request)
 
           hash = SecureHeaders.header_hash_for(chrome_request)
-          expect(hash['Content-Security-Policy']).to eq("default-src 'self'; script-src mycdn.com 'nonce-#{nonce}'; style-src 'self'")
+          expect(hash["Content-Security-Policy"]).to eq("default-src 'self'; script-src mycdn.com 'nonce-#{nonce}'; style-src 'self'")
         end
 
         it "uses a nonce for safari 10+" do
@@ -315,25 +311,18 @@ module SecureHeaders
           safari_request = Rack::Request.new(request.env.merge("HTTP_USER_AGENT" => USER_AGENTS[:safari10]))
           nonce = SecureHeaders.content_security_policy_script_nonce(safari_request)
           hash = SecureHeaders.header_hash_for(safari_request)
-          expect(hash['Content-Security-Policy']).to eq("default-src 'self'; script-src mycdn.com 'nonce-#{nonce}'")
+          expect(hash["Content-Security-Policy"]).to eq("default-src 'self'; script-src mycdn.com 'nonce-#{nonce}'")
         end
 
-        it "supports the deprecated `report_only: true` format" do
-          expect(Kernel).to receive(:warn).once
-
-          Configuration.default do |config|
-            config.csp = {
-              default_src: %w('self'),
-              report_only: true
-            }
-          end
-
-          expect(Configuration.get.csp).to eq(OPT_OUT)
-          expect(Configuration.get.csp_report_only).to be_a(ContentSecurityPolicyReportOnlyConfig)
-
-          hash = SecureHeaders.header_hash_for(request)
-          expect(hash[ContentSecurityPolicyConfig::HEADER_NAME]).to be_nil
-          expect(hash[ContentSecurityPolicyReportOnlyConfig::HEADER_NAME]).to eq("default-src 'self'")
+        it "does not support the deprecated `report_only: true` format" do
+          expect {
+            Configuration.default do |config|
+              config.csp = {
+                default_src: %w('self'),
+                report_only: true
+              }
+            end
+          }.to raise_error(ArgumentError)
         end
 
         it "Raises an error if csp_report_only is used with `report_only: false`" do
@@ -341,6 +330,7 @@ module SecureHeaders
             Configuration.default do |config|
               config.csp_report_only = {
                 default_src: %w('self'),
+                script_src: %w('self'),
                 report_only: false
               }
             end
@@ -351,7 +341,8 @@ module SecureHeaders
           before(:each) do
             Configuration.default do |config|
               config.csp = {
-                default_src: %w('self')
+                default_src: %w('self'),
+                script_src: %w('self')
               }
               config.csp_report_only = config.csp
             end
@@ -360,155 +351,136 @@ module SecureHeaders
           it "sets identical values when the configs are the same" do
             Configuration.default do |config|
               config.csp = {
-                default_src: %w('self')
+                default_src: %w('self'),
+                script_src: %w('self')
               }
               config.csp_report_only = {
-                default_src: %w('self')
+                default_src: %w('self'),
+                script_src: %w('self')
               }
             end
 
             hash = SecureHeaders.header_hash_for(request)
-            expect(hash['Content-Security-Policy']).to eq("default-src 'self'")
-            expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'self'")
+            expect(hash["Content-Security-Policy"]).to eq("default-src 'self'; script-src 'self'")
+            expect(hash["Content-Security-Policy-Report-Only"]).to eq("default-src 'self'; script-src 'self'")
           end
 
           it "sets different headers when the configs are different" do
             Configuration.default do |config|
               config.csp = {
-                default_src: %w('self')
+                default_src: %w('self'),
+                script_src: %w('self')
               }
-              config.csp_report_only = config.csp.merge({script_src: %w('self')})
+              config.csp_report_only = config.csp.merge({script_src: %w(foo.com)})
             end
 
             hash = SecureHeaders.header_hash_for(request)
-            expect(hash['Content-Security-Policy']).to eq("default-src 'self'")
-            expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; script-src 'self'")
+            expect(hash["Content-Security-Policy"]).to eq("default-src 'self'; script-src 'self'")
+            expect(hash["Content-Security-Policy-Report-Only"]).to eq("default-src 'self'; script-src 'self' foo.com")
           end
 
           it "allows you to opt-out of enforced CSP" do
             Configuration.default do |config|
               config.csp = SecureHeaders::OPT_OUT
               config.csp_report_only = {
-                default_src: %w('self')
-              }
-            end
-
-            hash = SecureHeaders.header_hash_for(request)
-            expect(hash['Content-Security-Policy']).to be_nil
-            expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'self'")
-          end
-
-          it "opts-out of enforced CSP when only csp_report_only is set" do
-            expect(Kernel).to receive(:warn).once
-            Configuration.default do |config|
-              config.csp_report_only = {
-                default_src: %w('self')
-              }
-            end
-
-            hash = SecureHeaders.header_hash_for(request)
-            expect(hash['Content-Security-Policy']).to be_nil
-            expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'self'")
-          end
-
-          it "allows you to set csp_report_only before csp" do
-            expect(Kernel).to receive(:warn).once
-            Configuration.default do |config|
-              config.csp_report_only = {
-                default_src: %w('self')
+                default_src: %w('self'),
+                script_src: %w('self')
               }
-              config.csp = config.csp_report_only.merge({script_src: %w('unsafe-inline')})
             end
 
             hash = SecureHeaders.header_hash_for(request)
-            expect(hash['Content-Security-Policy']).to eq("default-src 'self'; script-src 'self' 'unsafe-inline'")
-            expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'self'")
+            expect(hash["Content-Security-Policy"]).to be_nil
+            expect(hash["Content-Security-Policy-Report-Only"]).to eq("default-src 'self'; script-src 'self'")
           end
 
           it "allows appending to the enforced policy" do
             SecureHeaders.append_content_security_policy_directives(request, {script_src: %w(anothercdn.com)}, :enforced)
             hash = SecureHeaders.header_hash_for(request)
-            expect(hash['Content-Security-Policy']).to eq("default-src 'self'; script-src 'self' anothercdn.com")
-            expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'self'")
+            expect(hash["Content-Security-Policy"]).to eq("default-src 'self'; script-src 'self' anothercdn.com")
+            expect(hash["Content-Security-Policy-Report-Only"]).to eq("default-src 'self'; script-src 'self'")
           end
 
           it "allows appending to the report only policy" do
             SecureHeaders.append_content_security_policy_directives(request, {script_src: %w(anothercdn.com)}, :report_only)
             hash = SecureHeaders.header_hash_for(request)
-            expect(hash['Content-Security-Policy']).to eq("default-src 'self'")
-            expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; script-src 'self' anothercdn.com")
+            expect(hash["Content-Security-Policy"]).to eq("default-src 'self'; script-src 'self'")
+            expect(hash["Content-Security-Policy-Report-Only"]).to eq("default-src 'self'; script-src 'self' anothercdn.com")
           end
 
           it "allows appending to both policies" do
             SecureHeaders.append_content_security_policy_directives(request, {script_src: %w(anothercdn.com)}, :both)
             hash = SecureHeaders.header_hash_for(request)
-            expect(hash['Content-Security-Policy']).to eq("default-src 'self'; script-src 'self' anothercdn.com")
-            expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; script-src 'self' anothercdn.com")
+            expect(hash["Content-Security-Policy"]).to eq("default-src 'self'; script-src 'self' anothercdn.com")
+            expect(hash["Content-Security-Policy-Report-Only"]).to eq("default-src 'self'; script-src 'self' anothercdn.com")
           end
 
           it "allows overriding the enforced policy" do
             SecureHeaders.override_content_security_policy_directives(request, {script_src: %w(anothercdn.com)}, :enforced)
             hash = SecureHeaders.header_hash_for(request)
-            expect(hash['Content-Security-Policy']).to eq("default-src 'self'; script-src anothercdn.com")
-            expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'self'")
+            expect(hash["Content-Security-Policy"]).to eq("default-src 'self'; script-src anothercdn.com")
+            expect(hash["Content-Security-Policy-Report-Only"]).to eq("default-src 'self'; script-src 'self'")
           end
 
           it "allows overriding the report only policy" do
             SecureHeaders.override_content_security_policy_directives(request, {script_src: %w(anothercdn.com)}, :report_only)
             hash = SecureHeaders.header_hash_for(request)
-            expect(hash['Content-Security-Policy']).to eq("default-src 'self'")
-            expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; script-src anothercdn.com")
+            expect(hash["Content-Security-Policy"]).to eq("default-src 'self'; script-src 'self'")
+            expect(hash["Content-Security-Policy-Report-Only"]).to eq("default-src 'self'; script-src anothercdn.com")
           end
 
           it "allows overriding both policies" do
             SecureHeaders.override_content_security_policy_directives(request, {script_src: %w(anothercdn.com)}, :both)
             hash = SecureHeaders.header_hash_for(request)
-            expect(hash['Content-Security-Policy']).to eq("default-src 'self'; script-src anothercdn.com")
-            expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; script-src anothercdn.com")
+            expect(hash["Content-Security-Policy"]).to eq("default-src 'self'; script-src anothercdn.com")
+            expect(hash["Content-Security-Policy-Report-Only"]).to eq("default-src 'self'; script-src anothercdn.com")
           end
 
           context "when inferring which config to modify" do
             it "updates the enforced header when configured" do
               Configuration.default do |config|
                 config.csp = {
-                  default_src: %w('self')
+                  default_src: %w('self'),
+                  script_src: %w('self')
                 }
               end
               SecureHeaders.append_content_security_policy_directives(request, {script_src: %w(anothercdn.com)})
 
               hash = SecureHeaders.header_hash_for(request)
-              expect(hash['Content-Security-Policy']).to eq("default-src 'self'; script-src 'self' anothercdn.com")
-              expect(hash['Content-Security-Policy-Report-Only']).to be_nil
+              expect(hash["Content-Security-Policy"]).to eq("default-src 'self'; script-src 'self' anothercdn.com")
+              expect(hash["Content-Security-Policy-Report-Only"]).to be_nil
             end
 
             it "updates the report only header when configured" do
               Configuration.default do |config|
                 config.csp = OPT_OUT
                 config.csp_report_only = {
-                  default_src: %w('self')
+                  default_src: %w('self'),
+                  script_src: %w('self')
                 }
               end
               SecureHeaders.append_content_security_policy_directives(request, {script_src: %w(anothercdn.com)})
 
               hash = SecureHeaders.header_hash_for(request)
-              expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; script-src 'self' anothercdn.com")
-              expect(hash['Content-Security-Policy']).to be_nil
+              expect(hash["Content-Security-Policy-Report-Only"]).to eq("default-src 'self'; script-src 'self' anothercdn.com")
+              expect(hash["Content-Security-Policy"]).to be_nil
             end
 
             it "updates both headers if both are configured" do
               Configuration.default do |config|
                 config.csp = {
-                  default_src: %w(enforced.com)
+                  default_src: %w(enforced.com),
+                  script_src: %w('self')
                 }
                 config.csp_report_only = {
-                  default_src: %w(reportonly.com)
+                  default_src: %w(reportonly.com),
+                  script_src: %w('self')
                 }
               end
               SecureHeaders.append_content_security_policy_directives(request, {script_src: %w(anothercdn.com)})
 
               hash = SecureHeaders.header_hash_for(request)
-              expect(hash['Content-Security-Policy']).to eq("default-src enforced.com; script-src enforced.com anothercdn.com")
-              expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src reportonly.com; script-src reportonly.com anothercdn.com")
+              expect(hash["Content-Security-Policy"]).to eq("default-src enforced.com; script-src 'self' anothercdn.com")
+              expect(hash["Content-Security-Policy-Report-Only"]).to eq("default-src reportonly.com; script-src 'self' anothercdn.com")
             end
 
           end
@@ -520,7 +492,7 @@ module SecureHeaders
       it "validates your hsts config upon configuration" do
         expect do
           Configuration.default do |config|
-            config.hsts = 'lol'
+            config.hsts = "lol"
           end
         end.to raise_error(STSConfigError)
       end
@@ -528,7 +500,7 @@ module SecureHeaders
       it "validates your csp config upon configuration" do
         expect do
           Configuration.default do |config|
-            config.csp = { ContentSecurityPolicy::DEFAULT_SRC => '123456' }
+            config.csp = { ContentSecurityPolicy::DEFAULT_SRC => "123456" }
           end
         end.to raise_error(ContentSecurityPolicyConfigError)
       end
@@ -536,7 +508,7 @@ module SecureHeaders
       it "raises errors for unknown directives" do
         expect do
           Configuration.default do |config|
-            config.csp = { made_up_directive: '123456' }
+            config.csp = { made_up_directive: "123456" }
           end
         end.to raise_error(ContentSecurityPolicyConfigError)
       end

data/spec/spec_helper.rb

@@ -1,12 +1,11 @@
-require 'rubygems'
-require 'rspec'
-require 'rack'
-require 'pry-nav'
-
-require 'coveralls'
+# frozen_string_literal: true
+require "rubygems"
+require "rspec"
+require "rack"
+require "coveralls"
 Coveralls.wear!
 
-require File.join(File.dirname(__FILE__), '..', 'lib', 'secure_headers')
+require File.join(File.dirname(__FILE__), "..", "lib", "secure_headers")
 
 
 
@@ -14,9 +13,9 @@ USER_AGENTS = {
   edge: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246",
   firefox: "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1",
   firefox46: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:46.0) Gecko/20100101 Firefox/46.0",
-  chrome: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5',
-  ie: 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)',
-  opera: 'Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00',
+  chrome: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5",
+  ie: "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)",
+  opera: "Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00",
   ios5: "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3",
   ios6: "Mozilla/5.0 (iPhone; CPU iPhone OS 614 like Mac OS X) AppleWebKit/536.26 (KHTML like Gecko) Version/6.0 Mobile/10B350 Safari/8536.25",
   safari5: "Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3",
@@ -50,15 +49,3 @@ end
 def reset_config
   SecureHeaders::Configuration.clear_configurations
 end
-
-def capture_warning
-  begin
-    old_stderr = $stderr
-    $stderr = StringIO.new
-    yield
-    result = $stderr.string
-  ensure
-    $stderr = old_stderr
-  end
-  result
-end

data/upgrading-to-4-0.md

@@ -0,0 +1,55 @@
+### Breaking Changes
+
+The most likely change to break your app is the new cookie defaults. This is the first place to check. If you're using the default CSP, your policy will change but your app should not break. This should not break brand new projects using secure_headers either.
+
+## All cookies default to secure/httponly/SameSite=Lax
+
+By default, *all* cookies will be marked as `SameSite=lax`,`secure`, and `httponly`. To opt-out, supply `OPT_OUT` as the value for `SecureHeaders.cookies` or the individual configs. Setting these values to `false` will raise an error.
+
+```ruby
+# specific opt outs
+config.cookies = {
+  secure: OPT_OUT,
+  httponly: OPT_OUT,
+  samesite: OPT_OUT,
+}
+
+# nuclear option, just make things work again
+config.cookies = OPT_OUT
+```
+
+## script_src must be set
+
+Not setting a `script_src` value means your policy falls back to whatever `default_src` (also required) is set to. This can be very dangerous and indicates the policy is too loose. 
+
+However, sometimes you really don't need a `script-src` e.g. API responses (`default-src 'none'`) so you can set `script_src: SecureHeaders::OPT_OUT` to work around this.
+
+## Default Content Security Policy
+
+The default CSP has changed to be more universal without sacrificing too much security.
+
+* Flash/Java disabled by default
+* `img-src` allows data: images and favicons (among others)
+* `style-src` allows inline CSS by default (most find it impossible/impractical to remove inline content today)
+* `form-action` (not governed by `default-src`, practically treated as `*`) is set to `'self'`
+
+Previously, the default CSP was:
+
+`Content-Security-Policy: default-src 'self'`
+
+The new default policy is:
+
+`default-src https:; form-action 'self'; img-src https: data: 'self'; object-src 'none'; script-src https:; style-src 'self' 'unsafe-inline' https:`
+
+## CSP configuration
+
+* Setting `report_only: true` in a CSP config will raise an error. Instead, set `csp_report_only`.
+* Setting `frame_src` and `child_src` when values don't match will raise an error. Just use `frame_src`.
+
+## config.secure_cookies removed
+
+Use `config.cookies` instead.
+
+## Supported ruby versions
+
+We've dropped support for ruby versions <= 2.2. Sorry.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 3.7.2
+  version: 4.0.0
 platform: ruby
 authors:
 - Neil Matatall
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-10-03 00:00:00.000000000 Z
+date: 2017-09-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.15.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.15.0
 description: Manages application of security headers with many safe defaults.
 email:
 - neil.matatall@gmail.com
@@ -49,6 +49,7 @@ files:
 - ".github/PULL_REQUEST_TEMPLATE.md"
 - ".gitignore"
 - ".rspec"
+- ".rubocop.yml"
 - ".ruby-gemset"
 - ".ruby-version"
 - ".travis.yml"
@@ -108,11 +109,17 @@ files:
 - spec/lib/secure_headers_spec.rb
 - spec/spec_helper.rb
 - upgrading-to-3-0.md
+- upgrading-to-4-0.md
 homepage: https://github.com/twitter/secureheaders
 licenses:
 - Apache Public License 2.0
 metadata: {}
-post_install_message: 
+post_install_message: |2+
+
+  **********
+  :wave: secure_headers 4.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/upgrading-to-4-0.md
+  **********
+
 rdoc_options: []
 require_paths:
 - lib
@@ -128,7 +135,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.2
+rubygems_version: 2.6.11
 signing_key: 
 specification_version: 4
 summary: Add easily configured security headers to responses including content-security-policy,