secure_headers 5.1.0 → 6.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 32ea96aca183a8341bec40b998486beed14d59e8
-  data.tar.gz: 3081354f4bd486f5ea49d22f680d1ac2d36de4aa
+  metadata.gz: 6d7392744d486b32bda2b91432d39ddfeee87dfd
+  data.tar.gz: 38328982bf71376b9412ed8c7d0652163741bf16
 SHA512:
-  metadata.gz: cc8c64abdabaab458be788ee09a18984bab17cb8a01ef6eb76c75099cfaa5b8fc5962f5094e39f7067ebece388794e7f53a2e44f2fecdbfe4146a59a981211df
-  data.tar.gz: f8c369a5a2ac0e7547e231100c2a946a9204684d4db33206cc3baf0dd786b99c5a6d05cdaaaca5fcb439530a6d385d029c265dbc84f9b6ff665df52ad1191537
+  metadata.gz: e08d9df89db6908d0c8419d0086bf8fb6c7e374c53e0bf774bd74d534094c66ef3cdcbac23e97c03b05d4045ba6878c3f6d8a17877146bdb6f2f0c15b57d1784
+  data.tar.gz: 304824374c236d11edc52049732a2ea133bbbdf611f35b2c5309a950125e879fb4016f0f15d7ad6c09310ab4b6080e966fac912147f43ed91989aa15898595a7

data/.travis.yml

@@ -2,9 +2,10 @@ language: ruby
 
 rvm:
   - ruby-head
-  - 2.6
-  - 2.5
-  - 2.4
+  - 2.5.0
+  - 2.4.3
+  - 2.3.6
+  - 2.2.9
   - jruby-head
 
 env:
@@ -18,7 +19,10 @@ matrix:
     - rvm: jruby-head
     - rvm: ruby-head
 
-before_install: gem update bundler
+before_install:
+  - gem update --system
+  - gem --version
+  - gem update bundler
 bundler_args: --without guard -j 3
 
 sudo: false

data/CHANGELOG.md

@@ -1,10 +1,10 @@
-## 5.1.0
+## 6.0
 
-Fixes semicolon injection issue reported by @mvgijssel see https://github.com/twitter/secure_headers/issues/418
+- See the [upgrading to 6.0](docs/upgrading-to-6-0.md) guide for the breaking changes.
 
 ## 5.0.5
 
-A release to deprecate `SecureHeaders::Configuration#get` in prep for 6.x
+- A release to deprecate `SecureHeaders::Configuration#get` in prep for 6.x
 
 ## 5.0.4
 

data/Gemfile

@@ -9,7 +9,7 @@ group :test do
   gem "pry-nav"
   gem "rack"
   gem "rspec"
-  gem "rubocop", "< 0.68"
+  gem "rubocop"
   gem "rubocop-github"
   gem "term-ansicolor"
   gem "tins"

data/README.md

@@ -1,6 +1,6 @@
 # Secure Headers [![Build Status](https://travis-ci.org/twitter/secureheaders.svg?branch=master)](http://travis-ci.org/twitter/secureheaders) [![Code Climate](https://codeclimate.com/github/twitter/secureheaders.svg)](https://codeclimate.com/github/twitter/secureheaders) [![Coverage Status](https://coveralls.io/repos/twitter/secureheaders/badge.svg)](https://coveralls.io/r/twitter/secureheaders)
 
-**master represents 5.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md) and [upgrading to 5.x doc](docs/upgrading-to-5-0.md) for instructions on how to upgrade. Bug fixes should go in the 3.x branch for now.
+**master represents 6.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md), [upgrading to 5.x doc](docs/upgrading-to-5-0.md), or [upgrading to 6.x doc](docs/upgrading-to-6-0.md) for instructions on how to upgrade. Bug fixes should go in the 5.x branch for now.
 
 **The [3.x](https://github.com/twitter/secureheaders/tree/2.x) branch is moving into maintenance mode**. See the [upgrading to 3.x doc](docs/upgrading-to-3-0.md) for instructions on how to upgrade including the differences and benefits of using the 3.x branch.
 
@@ -77,7 +77,7 @@ SecureHeaders::Configuration.default do |config|
     preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
 
     # directive values: these values will directly translate into source directives
-    default_src: %w(https: 'self'),
+    default_src: %w('none'),
     base_uri: %w('self'),
     block_all_mixed_content: true, # see http://www.w3.org/TR/mixed-content/
     child_src: %w('self'), # if child-src isn't supported, the value for frame-src will be set.

data/docs/upgrading-to-6-0.md

@@ -0,0 +1,50 @@
+## Named overrides are now dynamically applied
+
+The original implementation of name overrides worked by making a copy of the default policy, applying the overrides, and storing the result for later use. But, this lead to unexpected results if named overrides were combined with a dynamic policy change. If a change was made to the default configuration during a request, followed by a named override, the dynamic changes would be lost. To keep things consistent named overrides have been rewritten to work the same as named appends in that they always operate on the configuration for the current request. As an example:
+
+```ruby
+class ApplicationController < ActionController::Base
+  Configuration.default do |config|
+    config.x_frame_options = OPT_OUT
+  end
+
+  SecureHeaders::Configuration.override(:dynamic_override) do |config|
+    config.x_content_type_options = "nosniff"
+  end
+end
+
+class FooController < ApplicationController
+  def bar
+    # Dynamically update the default config for this request
+    override_x_frame_options("DENY")
+    append_content_security_policy_directives(frame_src: "3rdpartyprovider.com")
+
+    # Override everything, discard modifications above
+    use_secure_headers_override(:dynamic_override)
+  end
+end
+```
+
+Prior to 6.0.0, the response would NOT include a `X-Frame-Options` header since the named override would be a copy of the default configuration, but with `X-Content-Type-Options` set to `nosniff`. As of 6.0.0, the above code results in both `X-Frame-Options` set to `DENY` AND `X-Content-Type-Options` set to `nosniff`.
+
+## `ContentSecurityPolicyConfig#merge` and `ContentSecurityPolicyReportOnlyConfig#merge` work more like `Hash#merge`
+
+These classes are typically not directly instantiated by users of SecureHeaders. But, if you access `config.csp` you end up accessing one of these objects. Prior to 6.0.0, `#merge` worked more like `#append` in that it would combine policies (i.e. if both policies contained the same key the values would be combined rather than overwritten). This was not consistent with `#merge!`, which worked more like ruby's `Hash#merge!` (overwriting duplicate keys). As of 6.0.0, `#merge` works the same as `#merge!`, but returns a new object instead of mutating `self`.
+
+## `Configuration#get` has been removed
+
+This method is not typically directly called by users of SecureHeaders. Given that named overrides are no longer statically stored, fetching them no longer makes sense.
+
+## Configuration headers are no longer cached
+
+Prior to 6.0.0 SecureHeaders pre-built and cached the headers that corresponded to the default configuration. The same was also done for named overrides. However, now that named overrides are applied dynamically, those can no longer be cached. As a result, caching has been removed in the name of simplicity. Some micro-benchmarks indicate this shouldn't be a performance problem and will help to eliminate a class of bugs entirely.
+
+## Configuration the default configuration more than once will result in an Exception
+
+Prior to 6.0.0 you could conceivably, though unlikely, have `Configure#default` called more than once. Because configurations are dynamic, configuring more than once could result in unexpected behavior. So, as of 6.0.0 we raise `AlreadyConfiguredError` if the default configuration is setup more than once.
+
+## All user agent sniffing has been removed
+
+The policy configured is the policy that is delivered in terms of which directives are sent. We still dedup, strip schemes, and look for other optimizations but we will not e.g. conditionally send `frame-src` / `child-src` or apply `nonce`s / `unsafe-inline`.
+
+The primary reason for these per-browser customization was to reduce console warnings. This has lead to many bugs and results inc confusing behavior. Also, console logs are incredibly noisy today and increasingly warn you about perfectly valid things (like sending `X-Frame-Options` and `frame-ancestors` together).

data/lib/secure_headers/configuration.rb

@@ -4,7 +4,8 @@ require "yaml"
 module SecureHeaders
   class Configuration
     DEFAULT_CONFIG = :default
-    NOOP_CONFIGURATION = "secure_headers_noop_config"
+    NOOP_OVERRIDE = "secure_headers_noop_override"
+    class AlreadyConfiguredError < StandardError; end
     class NotYetConfiguredError < StandardError; end
     class IllegalPolicyModificationError < StandardError; end
     class << self
@@ -14,9 +15,21 @@ module SecureHeaders
       #
       # Returns the newly created config.
       def default(&block)
-        config = new(&block)
-        add_noop_configuration
-        add_configuration(DEFAULT_CONFIG, config)
+        if defined?(@default_config)
+          raise AlreadyConfiguredError, "Policy already configured"
+        end
+
+        # Define a built-in override that clears all configuration options and
+        # results in no security headers being set.
+        override(NOOP_OVERRIDE) do |config|
+          CONFIG_ATTRIBUTES.each do |attr|
+            config.instance_variable_set("@#{attr}", OPT_OUT)
+          end
+        end
+
+        new_config = new(&block).freeze
+        new_config.validate_config!
+        @default_config = new_config
       end
       alias_method :configure, :default
 
@@ -27,28 +40,15 @@ module SecureHeaders
       # if no value is supplied.
       #
       # Returns: the newly created config
-      def override(name, base = DEFAULT_CONFIG, &block)
-        unless get(base, internal: true)
-          raise NotYetConfiguredError, "#{base} policy not yet supplied"
-        end
-        override = @configurations[base].dup
-        override.instance_eval(&block) if block_given?
-        add_configuration(name, override)
+      def override(name, &block)
+        @overrides ||= {}
+        raise "Provide a configuration block" unless block_given?
+        @overrides[name] = block
       end
 
-      # Public: retrieve a global configuration object
-      #
-      # Returns the configuration with a given name or raises a
-      # NotYetConfiguredError if `default` has not been called.
-      def get(name = DEFAULT_CONFIG, internal: false)
-        unless internal
-          Kernel.warn "#{Kernel.caller.first}: [DEPRECATION] `#get` is deprecated. It will be removed in the next major release. Use SecureHeaders::Configuration.dup to retrieve the default config."
-        end
-
-        if @configurations.nil?
-          raise NotYetConfiguredError, "Default policy not yet supplied"
-        end
-        @configurations[name]
+      def overrides(name)
+        @overrides ||= {}
+        @overrides[name]
       end
 
       def named_appends(name)
@@ -56,44 +56,17 @@ module SecureHeaders
         @appends[name]
       end
 
-      def named_append(name, target = nil, &block)
+      def named_append(name, &block)
         @appends ||= {}
         raise "Provide a configuration block" unless block_given?
         @appends[name] = block
       end
 
-      private
-
-      # Private: add a valid configuration to the global set of named configs.
-      #
-      # config - the config to store
-      # name - the lookup value for this config
-      #
-      # Raises errors if the config is invalid or if a config named `name`
-      # already exists.
-      #
-      # Returns the config, if valid
-      def add_configuration(name, config)
-        config.validate_config!
-        @configurations ||= {}
-        config.send(:cache_headers!)
-        config.send(:cache_hpkp_report_host)
-        config.freeze
-        @configurations[name] = config
+      def dup
+        default_config.dup
       end
 
-      # Private: Automatically add an "opt-out of everything" override.
-      #
-      # Returns the noop config
-      def add_noop_configuration
-        noop_config = new do |config|
-          ALL_HEADER_CLASSES.each do |klass|
-            config.send("#{klass::CONFIG_KEY}=", OPT_OUT)
-          end
-        end
-
-        add_configuration(NOOP_CONFIGURATION, noop_config)
-      end
+      private
 
       # Public: perform a basic deep dup. The shallow copy provided by dup/clone
       # can lead to modifying parent objects.
@@ -108,6 +81,17 @@ module SecureHeaders
         end
       end
 
+      # Private: Returns the internal default configuration. This should only
+      # ever be called by internal callers (or tests) that know the semantics
+      # of ensuring that the default config is never mutated and is dup(ed)
+      # before it is used in a request.
+      def default_config
+        unless defined?(@default_config)
+          raise NotYetConfiguredError, "Default policy not yet configured"
+        end
+        @default_config
+      end
+
       # Private: convenience method purely DRY things up. The value may not be a
       # hash (e.g. OPT_OUT, nil)
       def deep_copy_if_hash(value)
@@ -119,11 +103,31 @@ module SecureHeaders
       end
     end
 
-    attr_writer :hsts, :x_frame_options, :x_content_type_options,
-      :x_xss_protection, :x_download_options, :x_permitted_cross_domain_policies,
-      :referrer_policy, :clear_site_data, :expect_certificate_transparency
+    CONFIG_ATTRIBUTES_TO_HEADER_CLASSES = {
+      hsts: StrictTransportSecurity,
+      x_frame_options: XFrameOptions,
+      x_content_type_options: XContentTypeOptions,
+      x_xss_protection: XXssProtection,
+      x_download_options: XDownloadOptions,
+      x_permitted_cross_domain_policies: XPermittedCrossDomainPolicies,
+      referrer_policy: ReferrerPolicy,
+      clear_site_data: ClearSiteData,
+      expect_certificate_transparency: ExpectCertificateTransparency,
+      csp: ContentSecurityPolicy,
+      csp_report_only: ContentSecurityPolicy,
+      hpkp: PublicKeyPins,
+      cookies: Cookie,
+    }.freeze
+
+    CONFIG_ATTRIBUTES = CONFIG_ATTRIBUTES_TO_HEADER_CLASSES.keys.freeze
+
+    # The list of attributes that must respond to a `validate_config!` method
+    VALIDATABLE_ATTRIBUTES = CONFIG_ATTRIBUTES
 
-    attr_reader :cached_headers, :csp, :cookies, :csp_report_only, :hpkp, :hpkp_report_host
+    # The list of attributes that must respond to a `make_header` method
+    HEADERABLE_ATTRIBUTES = (CONFIG_ATTRIBUTES - [:cookies]).freeze
+
+    attr_accessor(*CONFIG_ATTRIBUTES_TO_HEADER_CLASSES.keys)
 
     @script_hashes = nil
     @style_hashes = nil
@@ -140,7 +144,6 @@ module SecureHeaders
       @clear_site_data = nil
       @csp = nil
       @csp_report_only = nil
-      @hpkp_report_host = nil
       @hpkp = nil
       @hsts = nil
       @x_content_type_options = nil
@@ -158,7 +161,7 @@ module SecureHeaders
       instance_eval(&block) if block_given?
     end
 
-    # Public: copy everything but the cached headers
+    # Public: copy everything
     #
     # Returns a deep-dup'd copy of this configuration.
     def dup
@@ -166,7 +169,6 @@ module SecureHeaders
       copy.cookies = self.class.send(:deep_copy_if_hash, @cookies)
       copy.csp = @csp.dup if @csp
       copy.csp_report_only = @csp_report_only.dup if @csp_report_only
-      copy.cached_headers = self.class.send(:deep_copy_if_hash, @cached_headers)
       copy.x_content_type_options = @x_content_type_options
       copy.hsts = @hsts
       copy.x_frame_options = @x_frame_options
@@ -177,18 +179,39 @@ module SecureHeaders
       copy.expect_certificate_transparency = @expect_certificate_transparency
       copy.referrer_policy = @referrer_policy
       copy.hpkp = @hpkp
-      copy.hpkp_report_host = @hpkp_report_host
       copy
     end
 
+    # Public: Apply a named override to the current config
+    #
+    # Returns self
+    def override(name = nil, &block)
+      if override = self.class.overrides(name)
+        instance_eval(&override)
+      else
+        raise ArgumentError.new("no override by the name of #{name} has been configured")
+      end
+      self
+    end
+
+    def generate_headers
+      headers = {}
+      HEADERABLE_ATTRIBUTES.each do |attr|
+        klass = CONFIG_ATTRIBUTES_TO_HEADER_CLASSES[attr]
+        header_name, value = klass.make_header(instance_variable_get("@#{attr}"))
+        if header_name && value
+          headers[header_name] = value
+        end
+      end
+      headers
+    end
+
     def opt_out(header)
       send("#{header}=", OPT_OUT)
-      self.cached_headers.delete(header)
     end
 
     def update_x_frame_options(value)
       @x_frame_options = value
-      self.cached_headers[XFrameOptions::CONFIG_KEY] = XFrameOptions.make_header(value)
     end
 
     # Public: validates all configurations values.
@@ -197,19 +220,10 @@ module SecureHeaders
     #
     # Returns nothing
     def validate_config!
-      StrictTransportSecurity.validate_config!(@hsts)
-      ContentSecurityPolicy.validate_config!(@csp)
-      ContentSecurityPolicy.validate_config!(@csp_report_only)
-      ReferrerPolicy.validate_config!(@referrer_policy)
-      XFrameOptions.validate_config!(@x_frame_options)
-      XContentTypeOptions.validate_config!(@x_content_type_options)
-      XXssProtection.validate_config!(@x_xss_protection)
-      XDownloadOptions.validate_config!(@x_download_options)
-      XPermittedCrossDomainPolicies.validate_config!(@x_permitted_cross_domain_policies)
-      ClearSiteData.validate_config!(@clear_site_data)
-      ExpectCertificateTransparency.validate_config!(@expect_certificate_transparency)
-      PublicKeyPins.validate_config!(@hpkp)
-      Cookie.validate_config!(@cookies)
+      VALIDATABLE_ATTRIBUTES.each do |attr|
+        klass = CONFIG_ATTRIBUTES_TO_HEADER_CLASSES[attr]
+        klass.validate_config!(instance_variable_get("@#{attr}"))
+      end
     end
 
     def secure_cookies=(secure_cookies)
@@ -217,15 +231,15 @@ module SecureHeaders
     end
 
     def csp=(new_csp)
-      if new_csp.respond_to?(:opt_out?)
-        @csp = new_csp.dup
+      case new_csp
+      when OPT_OUT
+        @csp = new_csp
+      when ContentSecurityPolicyConfig
+        @csp = new_csp
+      when Hash
+        @csp = ContentSecurityPolicyConfig.new(new_csp)
       else
-        if new_csp[:report_only]
-          # invalid configuration implies that CSPRO should be set, CSP should not - so opt out
-          raise ArgumentError, "#{Kernel.caller.first}: `#csp=` was supplied a config with report_only: true. Use #csp_report_only="
-        else
-          @csp = ContentSecurityPolicyConfig.new(new_csp)
-        end
+        raise ArgumentError, "Must provide either an existing CSP config or a CSP config hash"
       end
     end
 
@@ -236,87 +250,23 @@ module SecureHeaders
     # configuring csp_report_only, the code will assume you mean to only use
     # report-only mode and you will be opted-out of enforce mode.
     def csp_report_only=(new_csp)
-      @csp_report_only = begin
-        if new_csp.is_a?(ContentSecurityPolicyConfig)
-          new_csp.make_report_only
-        elsif new_csp.respond_to?(:opt_out?)
-          new_csp.dup
-        else
-          if new_csp[:report_only] == false # nil is a valid value on which we do not want to raise
-            raise ContentSecurityPolicyConfigError, "`#csp_report_only=` was supplied a config with report_only: false. Use #csp="
-          else
-            ContentSecurityPolicyReportOnlyConfig.new(new_csp)
-          end
-        end
-      end
-    end
-
-    protected
-
-    def cookies=(cookies)
-      @cookies = cookies
-    end
-
-    def cached_headers=(headers)
-      @cached_headers = headers
-    end
-
-    def hpkp=(hpkp)
-      @hpkp = self.class.send(:deep_copy_if_hash, hpkp)
-    end
-
-    def hpkp_report_host=(hpkp_report_host)
-      @hpkp_report_host = hpkp_report_host
-    end
-
-    private
-
-    def cache_hpkp_report_host
-      has_report_uri = @hpkp && @hpkp != OPT_OUT && @hpkp[:report_uri]
-      self.hpkp_report_host = if has_report_uri
-        parsed_report_uri = URI.parse(@hpkp[:report_uri])
-        parsed_report_uri.host
-      end
-    end
-
-    # Public: Precompute the header names and values for this configuration.
-    # Ensures that headers generated at configure time, not on demand.
-    #
-    # Returns the cached headers
-    def cache_headers!
-      # generate defaults for the "easy" headers
-      headers = (ALL_HEADERS_BESIDES_CSP).each_with_object({}) do |klass, hash|
-        config = instance_variable_get("@#{klass::CONFIG_KEY}")
-        unless config == OPT_OUT
-          hash[klass::CONFIG_KEY] = klass.make_header(config).freeze
-        end
+      case new_csp
+      when OPT_OUT
+        @csp_report_only = new_csp
+      when ContentSecurityPolicyReportOnlyConfig
+        @csp_report_only = new_csp.dup
+      when ContentSecurityPolicyConfig
+        @csp_report_only = new_csp.make_report_only
+      when Hash
+        @csp_report_only = ContentSecurityPolicyReportOnlyConfig.new(new_csp)
+      else
+        raise ArgumentError, "Must provide either an existing CSP config or a CSP config hash"
       end
-
-      generate_csp_headers(headers)
-
-      headers.freeze
-      self.cached_headers = headers
     end
 
-    # Private: adds CSP headers for each variation of CSP support.
-    #
-    # headers - generated headers are added to this hash namespaced by The
-    #   different variations
-    #
-    # Returns nothing
-    def generate_csp_headers(headers)
-      generate_csp_headers_for_config(headers, ContentSecurityPolicyConfig::CONFIG_KEY, self.csp)
-      generate_csp_headers_for_config(headers, ContentSecurityPolicyReportOnlyConfig::CONFIG_KEY, self.csp_report_only)
-    end
-
-    def generate_csp_headers_for_config(headers, header_key, csp_config)
-      unless csp_config.opt_out?
-        headers[header_key] = {}
-        ContentSecurityPolicy::VARIATIONS.each_key do |name|
-          csp = ContentSecurityPolicy.make_header(csp_config, UserAgent.parse(name))
-          headers[header_key][name] = csp.freeze
-        end
-      end
+    def hpkp_report_host
+      return nil unless @hpkp && hpkp != OPT_OUT && @hpkp[:report_uri]
+      URI.parse(@hpkp[:report_uri]).host
     end
   end
 end

data/lib/secure_headers/headers/clear_site_data.rb

@@ -11,13 +11,11 @@ module SecureHeaders
     EXECUTION_CONTEXTS = "executionContexts".freeze
     ALL_TYPES = [CACHE, COOKIES, STORAGE, EXECUTION_CONTEXTS]
 
-    CONFIG_KEY = :clear_site_data
-
     class << self
       # Public: make an Clear-Site-Data header name, value pair
       #
       # Returns nil if not configured, returns header name and value if configured.
-      def make_header(config = nil)
+      def make_header(config = nil, user_agent = nil)
         case config
         when nil, OPT_OUT, []
           # noop

data/lib/secure_headers/headers/content_security_policy.rb

@@ -1,18 +1,12 @@
 # frozen_string_literal: true
 require_relative "policy_management"
 require_relative "content_security_policy_config"
-require "useragent"
 
 module SecureHeaders
   class ContentSecurityPolicy
     include PolicyManagement
 
-    # constants to be used for version-specific UA sniffing
-    VERSION_46 = ::UserAgent::Version.new("46")
-    VERSION_10 = ::UserAgent::Version.new("10")
-    FALLBACK_VERSION = ::UserAgent::Version.new("0")
-
-    def initialize(config = nil, user_agent = OTHER)
+    def initialize(config = nil)
       @config = if config.is_a?(Hash)
         if config[:report_only]
           ContentSecurityPolicyReportOnlyConfig.new(config || DEFAULT_CONFIG)
@@ -25,12 +19,6 @@ module SecureHeaders
         config
       end
 
-      @parsed_ua = if user_agent.is_a?(UserAgent::Browsers::Base)
-        user_agent
-      else
-        UserAgent.parse(user_agent)
-      end
-      @frame_src = normalize_child_frame_src
       @preserve_schemes = @config.preserve_schemes
       @script_nonce = @config.script_nonce
       @style_nonce = @config.style_nonce
@@ -55,20 +43,10 @@ module SecureHeaders
 
     private
 
-    def normalize_child_frame_src
-      if @config.frame_src && @config.child_src && @config.frame_src != @config.child_src
-        raise ArgumentError, "#{Kernel.caller.first}: both :child_src and :frame_src supplied and do not match. This can lead to inconsistent behavior across browsers."
-      end
-
-      @config.frame_src || @config.child_src
-    end
-
     # Private: converts the config object into a string representing a policy.
     # Places default-src at the first directive and report-uri as the last. All
     # others are presented in alphabetical order.
     #
-    # Unsupported directives are filtered based on the user agent.
-    #
     # Returns a content security policy header value.
     def build_value
       directives.map do |directive_name|
@@ -124,28 +102,11 @@ module SecureHeaders
     #
     # Returns a string representing a directive.
     def build_source_list_directive(directive)
-      source_list = case directive
-      when :child_src
-        if supported_directives.include?(:child_src)
-          @frame_src
-        end
-      when :frame_src
-        unless supported_directives.include?(:child_src)
-          @frame_src
-        end
-      else
-        @config.directive_value(directive)
-      end
+      source_list = @config.directive_value(directive)
 
       if source_list != OPT_OUT && source_list && source_list.any?
-        minified_source_list = minify_source_list(directive, source_list).join(" ")
-
-        if minified_source_list.include?(";")
-          Kernel.warn("#{directive} contains a ; in '#{minified_source_list}' which will raise an error in future versions. It has been replaced with a blank space.")
-        end
-
-        escaped_source_list = minified_source_list.gsub(";", " ")
-        [symbol_to_hyphen_case(directive), escaped_source_list].join(" ").strip
+        normalized_source_list = minify_source_list(directive, source_list)
+        [symbol_to_hyphen_case(directive), normalized_source_list].join(" ")
       end
     end
 
@@ -218,23 +179,19 @@ module SecureHeaders
     # unsafe-inline, this is more concise.
     def append_nonce(source_list, nonce)
       if nonce
-        if nonces_supported?
-          source_list << "'nonce-#{nonce}'"
-        else
-          source_list << UNSAFE_INLINE
-        end
+        source_list.push("'nonce-#{nonce}'", UNSAFE_INLINE)
       end
 
       source_list
     end
 
-    # Private: return the list of directives that are supported by the user agent,
+    # Private: return the list of directives,
     # starting with default-src and ending with report-uri.
     def directives
       [
         DEFAULT_SRC,
-        BODY_DIRECTIVES.select { |key| supported_directives.include?(key) },
-        REPORT_URI
+        BODY_DIRECTIVES,
+        REPORT_URI,
       ].flatten
     end
 
@@ -243,29 +200,6 @@ module SecureHeaders
       source_list.map { |source_expression| source_expression.sub(HTTP_SCHEME_REGEX, "") }
     end
 
-    # Private: determine which directives are supported for the given user agent.
-    #
-    # Add UA-sniffing special casing here.
-    #
-    # Returns an array of symbols representing the directives.
-    def supported_directives
-      @supported_directives ||= if VARIATIONS[@parsed_ua.browser]
-        if @parsed_ua.browser == "Firefox" && ((@parsed_ua.version || FALLBACK_VERSION) >= VERSION_46)
-          VARIATIONS["FirefoxTransitional"]
-        elsif @parsed_ua.browser == "Safari" && ((@parsed_ua.version || FALLBACK_VERSION) >= VERSION_10)
-          VARIATIONS["SafariTransitional"]
-        else
-          VARIATIONS[@parsed_ua.browser]
-        end
-      else
-        VARIATIONS[OTHER]
-      end
-    end
-
-    def nonces_supported?
-      @nonces_supported ||= self.class.nonces_supported?(@parsed_ua)
-    end
-
     def symbol_to_hyphen_case(sym)
       sym.to_s.tr("_", "-")
     end