secure_headers 5.2.0 → 6.0.0.alpha01

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1b901bf6e9f4127c81ec207e46599054feb18f32
-  data.tar.gz: 642585cfc04901c83ff5d90ea1600f5ef141fec4
+  metadata.gz: cd74fc8e9c9057255c1e6c75bc78554ec6751459
+  data.tar.gz: 2f72e782c0800b5bf124d841a0d556d321b1cb5f
 SHA512:
-  metadata.gz: 8e304a7d52e6dbf0a4fd2bb114201ba781e8565fd9ecbd4977e6169f922101f186c7024194c81ecd780376f2e4c18f7af3bd88f98cd2b86301b15de5e4148c44
-  data.tar.gz: 9d5e1e8f35954baea9e4fcec70af22e7f3c2d8b16deaa98d6c882c9373c9a76556a711696b081920d9279df96375dd6e2a473e265c9bfbf2e12a6f9a62da486f
+  metadata.gz: 53ff0d4849c3892fbf4e35270c011d9d6c8da3984958fdc17f9669b32f0d9d39542dc4411323fe93bbf21137f0c8cfe26565a5836548061414153a2abd2dd949
+  data.tar.gz: 7472a097ae0926655aace8f5f719a4306920b08e4a1b798a588034d51a1446f51f442deb7c3f298d23481d52f2aa1b210ffb40b629671f449f63b7570a7ec2b0

data/.travis.yml

@@ -2,9 +2,10 @@ language: ruby
 
 rvm:
   - ruby-head
-  - 2.6
-  - 2.5
-  - 2.4
+  - 2.5.0
+  - 2.4.3
+  - 2.3.6
+  - 2.2.9
   - jruby-head
 
 env:
@@ -18,7 +19,10 @@ matrix:
     - rvm: jruby-head
     - rvm: ruby-head
 
-before_install: gem update bundler
+before_install:
+  - gem update --system
+  - gem --version
+  - gem update bundler
 bundler_args: --without guard -j 3
 
 sudo: false

data/CHANGELOG.md

@@ -1,11 +1,7 @@
-## 5.2.0
-
-Fixes newline injection issue
-
-## 5.1.0
-
-Fixes semicolon injection issue reported by @mvgijssel see https://github.com/twitter/secure_headers/issues/418
+## 6.0
 
+- See the [upgrading to 6.0](docs/upgrading-to-6-0.md) guide for the breaking changes.
+=======
 ## 5.0.5
 
 A release to deprecate `SecureHeaders::Configuration#get` in prep for 6.x

data/Gemfile

@@ -9,7 +9,7 @@ group :test do
   gem "pry-nav"
   gem "rack"
   gem "rspec"
-  gem "rubocop", "< 0.68"
+  gem "rubocop"
   gem "rubocop-github"
   gem "term-ansicolor"
   gem "tins"

data/docs/upgrading-to-6-0.md

@@ -0,0 +1,50 @@
+## Named overrides are now dynamically applied
+
+The original implementation of name overrides worked by making a copy of the default policy, applying the overrides, and storing the result for later use. But, this lead to unexpected results if named overrides were combined with a dynamic policy change. If a change was made to the default configuration during a request, followed by a named override, the dynamic changes would be lost. To keep things consistent named overrides have been rewritten to work the same as named appends in that they always operate on the configuration for the current request. As an example:
+
+```ruby
+class ApplicationController < ActionController::Base
+  Configuration.default do |config|
+    config.x_frame_options = OPT_OUT
+  end
+
+  SecureHeaders::Configuration.override(:dynamic_override) do |config|
+    config.x_content_type_options = "nosniff"
+  end
+end
+
+class FooController < ApplicationController
+  def bar
+    # Dynamically update the default config for this request
+    override_x_frame_options("DENY")
+    append_content_security_policy_directives(frame_src: "3rdpartyprovider.com")
+
+    # Override everything, discard modifications above
+    use_secure_headers_override(:dynamic_override)
+  end
+end
+```
+
+Prior to 6.0.0, the response would NOT include a `X-Frame-Options` header since the named override would be a copy of the default configuration, but with `X-Content-Type-Options` set to `nosniff`. As of 6.0.0, the above code results in both `X-Frame-Options` set to `DENY` AND `X-Content-Type-Options` set to `nosniff`.
+
+## `ContentSecurityPolicyConfig#merge` and `ContentSecurityPolicyReportOnlyConfig#merge` work more like `Hash#merge`
+
+These classes are typically not directly instantiated by users of SecureHeaders. But, if you access `config.csp` you end up accessing one of these objects. Prior to 6.0.0, `#merge` worked more like `#append` in that it would combine policies (i.e. if both policies contained the same key the values would be combined rather than overwritten). This was not consistent with `#merge!`, which worked more like ruby's `Hash#merge!` (overwriting duplicate keys). As of 6.0.0, `#merge` works the same as `#merge!`, but returns a new object instead of mutating `self`.
+
+## `Configuration#get` has been removed
+
+This method is not typically directly called by users of SecureHeaders. Given that named overrides are no longer statically stored, fetching them no longer makes sense.
+
+## Configuration headers are no longer cached
+
+Prior to 6.0.0 SecureHeaders pre-built and cached the headers that corresponded to the default configuration. The same was also done for named overrides. However, now that named overrides are applied dynamically, those can no longer be cached. As a result, caching has been removed in the name of simplicity. Some micro-benchmarks indicate this shouldn't be a performance problem and will help to eliminate a class of bugs entirely.
+
+## Configuration the default configuration more than once will result in an Exception
+
+Prior to 6.0.0 you could conceivably, though unlikely, have `Configure#default` called more than once. Because configurations are dynamic, configuring more than once could result in unexpected behavior. So, as of 6.0.0 we raise `AlreadyConfiguredError` if the default configuration is setup more than once.
+
+## Nonce behavior and console warnings
+
+Since the first commit, reducing browser console messages was a goal. It led to overly complicated and error-prone UA sniffing. Nowadays, consoles warn on completely legitimate use of features meant to be backwards compatible. So the goal is impossible and the impact is negative, so eliminating code using sniffing is a goal.
+
+The first example: we will now send `'unsafe-inline'` along with nonce source expressions. This will generate warnings in some consoles but is 100% valid use and was a design goal of CSP in the early days. The concept of versioning CSP lost out and so we're left with backward compatibility as our only option.

data/lib/secure_headers.rb

@@ -1,5 +1,4 @@
 # frozen_string_literal: true
-require "secure_headers/configuration"
 require "secure_headers/hash_helper"
 require "secure_headers/headers/cookie"
 require "secure_headers/headers/public_key_pins"
@@ -18,6 +17,7 @@ require "secure_headers/railtie"
 require "secure_headers/view_helper"
 require "useragent"
 require "singleton"
+require "secure_headers/configuration"
 
 # All headers (except for hpkp) have a default value. Provide SecureHeaders::OPT_OUT
 # or ":optout_of_protection" as a config value to disable a given header
@@ -52,29 +52,9 @@ module SecureHeaders
   HTTPS = "https".freeze
   CSP = ContentSecurityPolicy
 
-  ALL_HEADER_CLASSES = [
-    ExpectCertificateTransparency,
-    ClearSiteData,
-    ContentSecurityPolicyConfig,
-    ContentSecurityPolicyReportOnlyConfig,
-    StrictTransportSecurity,
-    PublicKeyPins,
-    ReferrerPolicy,
-    XContentTypeOptions,
-    XDownloadOptions,
-    XFrameOptions,
-    XPermittedCrossDomainPolicies,
-    XXssProtection
-  ].freeze
-
-  ALL_HEADERS_BESIDES_CSP = (
-    ALL_HEADER_CLASSES -
-      [ContentSecurityPolicyConfig, ContentSecurityPolicyReportOnlyConfig]
-  ).freeze
-
   # Headers set on http requests (excludes STS and HPKP)
-  HTTP_HEADER_CLASSES =
-    (ALL_HEADER_CLASSES - [StrictTransportSecurity, PublicKeyPins]).freeze
+  HTTPS_HEADER_CLASSES =
+    [StrictTransportSecurity, PublicKeyPins].freeze
 
   class << self
     # Public: override a given set of directives for the current request. If a
@@ -153,7 +133,7 @@ module SecureHeaders
     # Public: opts out of setting all headers by telling secure_headers to use
     # the NOOP configuration.
     def opt_out_of_all_protection(request)
-      use_secure_headers_override(request, Configuration::NOOP_CONFIGURATION)
+      use_secure_headers_override(request, Configuration::NOOP_OVERRIDE)
     end
 
     # Public: Builds the hash of headers that should be applied base on the
@@ -168,27 +148,16 @@ module SecureHeaders
     def header_hash_for(request)
       prevent_dup = true
       config = config_for(request, prevent_dup)
-      headers = config.cached_headers
+      config.validate_config!
       user_agent = UserAgent.parse(request.user_agent)
+      headers = config.generate_headers(user_agent)
 
-      if !config.csp.opt_out? && config.csp.modified?
-        headers = update_cached_csp(config.csp, headers, user_agent)
-      end
-
-      if !config.csp_report_only.opt_out? && config.csp_report_only.modified?
-        headers = update_cached_csp(config.csp_report_only, headers, user_agent)
-      end
-
-      header_classes_for(request).each_with_object({}) do |klass, hash|
-        if header = headers[klass::CONFIG_KEY]
-          header_name, value = if klass == ContentSecurityPolicyConfig || klass == ContentSecurityPolicyReportOnlyConfig
-            csp_header_for_ua(header, user_agent)
-          else
-            header
-          end
-          hash[header_name] = value
+      if request.scheme != HTTPS
+        HTTPS_HEADER_CLASSES.each do |klass|
+          headers.delete(klass::HEADER_NAME)
         end
       end
+      headers
     end
 
     # Public: specify which named override will be used for this request.
@@ -196,11 +165,9 @@ module SecureHeaders
     #
     # name - the name of the previously configured override.
     def use_secure_headers_override(request, name)
-      if config = Configuration.get(name, internal: true)
-        override_secure_headers_request_config(request, config)
-      else
-        raise ArgumentError.new("no override by the name of #{name} has been configured")
-      end
+      config = config_for(request)
+      config.override(name)
+      override_secure_headers_request_config(request, config)
     end
 
     # Public: gets or creates a nonce for CSP.
@@ -228,7 +195,7 @@ module SecureHeaders
     # Falls back to the global config
     def config_for(request, prevent_dup = false)
       config = request.env[SECURE_HEADERS_CONFIG] ||
-        Configuration.get(Configuration::DEFAULT_CONFIG, internal: true)
+        Configuration.send(:default_config)
 
 
       # Global configs are frozen, per-request configs are not. When we're not
@@ -285,35 +252,6 @@ module SecureHeaders
     def override_secure_headers_request_config(request, config)
       request.env[SECURE_HEADERS_CONFIG] = config
     end
-
-    # Private: determines which headers are applicable to a given request.
-    #
-    # Returns a list of classes whose corresponding header values are valid for
-    # this request.
-    def header_classes_for(request)
-      if request.scheme == HTTPS
-        ALL_HEADER_CLASSES
-      else
-        HTTP_HEADER_CLASSES
-      end
-    end
-
-    def update_cached_csp(config, headers, user_agent)
-      headers = Configuration.send(:deep_copy, headers)
-      headers[config.class::CONFIG_KEY] = {}
-      variation = ContentSecurityPolicy.ua_to_variation(user_agent)
-      headers[config.class::CONFIG_KEY][variation] = ContentSecurityPolicy.make_header(config, user_agent)
-      headers
-    end
-
-    # Private: chooses the applicable CSP header for the provided user agent.
-    #
-    # headers - a hash of header_config_key => [header_name, header_value]
-    #
-    # Returns a CSP [header, value] array
-    def csp_header_for_ua(headers, user_agent)
-      headers[ContentSecurityPolicy.ua_to_variation(user_agent)]
-    end
   end
 
   # These methods are mixed into controllers and delegate to the class method

data/lib/secure_headers/configuration.rb

@@ -4,7 +4,8 @@ require "yaml"
 module SecureHeaders
   class Configuration
     DEFAULT_CONFIG = :default
-    NOOP_CONFIGURATION = "secure_headers_noop_config"
+    NOOP_OVERRIDE = "secure_headers_noop_override"
+    class AlreadyConfiguredError < StandardError; end
     class NotYetConfiguredError < StandardError; end
     class IllegalPolicyModificationError < StandardError; end
     class << self
@@ -14,9 +15,21 @@ module SecureHeaders
       #
       # Returns the newly created config.
       def default(&block)
-        config = new(&block)
-        add_noop_configuration
-        add_configuration(DEFAULT_CONFIG, config)
+        if defined?(@default_config)
+          raise AlreadyConfiguredError, "Policy already configured"
+        end
+
+        # Define a built-in override that clears all configuration options and
+        # results in no security headers being set.
+        override(NOOP_OVERRIDE) do |config|
+          CONFIG_ATTRIBUTES.each do |attr|
+            config.instance_variable_set("@#{attr}", OPT_OUT)
+          end
+        end
+
+        new_config = new(&block).freeze
+        new_config.validate_config!
+        @default_config = new_config
       end
       alias_method :configure, :default
 
@@ -27,28 +40,15 @@ module SecureHeaders
       # if no value is supplied.
       #
       # Returns: the newly created config
-      def override(name, base = DEFAULT_CONFIG, &block)
-        unless get(base, internal: true)
-          raise NotYetConfiguredError, "#{base} policy not yet supplied"
-        end
-        override = @configurations[base].dup
-        override.instance_eval(&block) if block_given?
-        add_configuration(name, override)
+      def override(name, &block)
+        @overrides ||= {}
+        raise "Provide a configuration block" unless block_given?
+        @overrides[name] = block
       end
 
-      # Public: retrieve a global configuration object
-      #
-      # Returns the configuration with a given name or raises a
-      # NotYetConfiguredError if `default` has not been called.
-      def get(name = DEFAULT_CONFIG, internal: false)
-        unless internal
-          Kernel.warn "#{Kernel.caller.first}: [DEPRECATION] `#get` is deprecated. It will be removed in the next major release. Use SecureHeaders::Configuration.dup to retrieve the default config."
-        end
-
-        if @configurations.nil?
-          raise NotYetConfiguredError, "Default policy not yet supplied"
-        end
-        @configurations[name]
+      def overrides(name)
+        @overrides ||= {}
+        @overrides[name]
       end
 
       def named_appends(name)
@@ -56,44 +56,17 @@ module SecureHeaders
         @appends[name]
       end
 
-      def named_append(name, target = nil, &block)
+      def named_append(name, &block)
         @appends ||= {}
         raise "Provide a configuration block" unless block_given?
         @appends[name] = block
       end
 
-      private
-
-      # Private: add a valid configuration to the global set of named configs.
-      #
-      # config - the config to store
-      # name - the lookup value for this config
-      #
-      # Raises errors if the config is invalid or if a config named `name`
-      # already exists.
-      #
-      # Returns the config, if valid
-      def add_configuration(name, config)
-        config.validate_config!
-        @configurations ||= {}
-        config.send(:cache_headers!)
-        config.send(:cache_hpkp_report_host)
-        config.freeze
-        @configurations[name] = config
+      def dup
+        default_config.dup
       end
 
-      # Private: Automatically add an "opt-out of everything" override.
-      #
-      # Returns the noop config
-      def add_noop_configuration
-        noop_config = new do |config|
-          ALL_HEADER_CLASSES.each do |klass|
-            config.send("#{klass::CONFIG_KEY}=", OPT_OUT)
-          end
-        end
-
-        add_configuration(NOOP_CONFIGURATION, noop_config)
-      end
+      private
 
       # Public: perform a basic deep dup. The shallow copy provided by dup/clone
       # can lead to modifying parent objects.
@@ -108,6 +81,17 @@ module SecureHeaders
         end
       end
 
+      # Private: Returns the internal default configuration. This should only
+      # ever be called by internal callers (or tests) that know the semantics
+      # of ensuring that the default config is never mutated and is dup(ed)
+      # before it is used in a request.
+      def default_config
+        unless defined?(@default_config)
+          raise NotYetConfiguredError, "Default policy not yet configured"
+        end
+        @default_config
+      end
+
       # Private: convenience method purely DRY things up. The value may not be a
       # hash (e.g. OPT_OUT, nil)
       def deep_copy_if_hash(value)
@@ -119,11 +103,31 @@ module SecureHeaders
       end
     end
 
-    attr_writer :hsts, :x_frame_options, :x_content_type_options,
-      :x_xss_protection, :x_download_options, :x_permitted_cross_domain_policies,
-      :referrer_policy, :clear_site_data, :expect_certificate_transparency
+    CONFIG_ATTRIBUTES_TO_HEADER_CLASSES = {
+      hsts: StrictTransportSecurity,
+      x_frame_options: XFrameOptions,
+      x_content_type_options: XContentTypeOptions,
+      x_xss_protection: XXssProtection,
+      x_download_options: XDownloadOptions,
+      x_permitted_cross_domain_policies: XPermittedCrossDomainPolicies,
+      referrer_policy: ReferrerPolicy,
+      clear_site_data: ClearSiteData,
+      expect_certificate_transparency: ExpectCertificateTransparency,
+      csp: ContentSecurityPolicy,
+      csp_report_only: ContentSecurityPolicy,
+      hpkp: PublicKeyPins,
+      cookies: Cookie,
+    }.freeze
+
+    CONFIG_ATTRIBUTES = CONFIG_ATTRIBUTES_TO_HEADER_CLASSES.keys.freeze
+
+    # The list of attributes that must respond to a `validate_config!` method
+    VALIDATABLE_ATTRIBUTES = CONFIG_ATTRIBUTES
 
-    attr_reader :cached_headers, :csp, :cookies, :csp_report_only, :hpkp, :hpkp_report_host
+    # The list of attributes that must respond to a `make_header` method
+    HEADERABLE_ATTRIBUTES = (CONFIG_ATTRIBUTES - [:cookies]).freeze
+
+    attr_accessor(*CONFIG_ATTRIBUTES_TO_HEADER_CLASSES.keys)
 
     @script_hashes = nil
     @style_hashes = nil
@@ -140,7 +144,6 @@ module SecureHeaders
       @clear_site_data = nil
       @csp = nil
       @csp_report_only = nil
-      @hpkp_report_host = nil
       @hpkp = nil
       @hsts = nil
       @x_content_type_options = nil
@@ -158,7 +161,7 @@ module SecureHeaders
       instance_eval(&block) if block_given?
     end
 
-    # Public: copy everything but the cached headers
+    # Public: copy everything
     #
     # Returns a deep-dup'd copy of this configuration.
     def dup
@@ -166,7 +169,6 @@ module SecureHeaders
       copy.cookies = self.class.send(:deep_copy_if_hash, @cookies)
       copy.csp = @csp.dup if @csp
       copy.csp_report_only = @csp_report_only.dup if @csp_report_only
-      copy.cached_headers = self.class.send(:deep_copy_if_hash, @cached_headers)
       copy.x_content_type_options = @x_content_type_options
       copy.hsts = @hsts
       copy.x_frame_options = @x_frame_options
@@ -177,18 +179,39 @@ module SecureHeaders
       copy.expect_certificate_transparency = @expect_certificate_transparency
       copy.referrer_policy = @referrer_policy
       copy.hpkp = @hpkp
-      copy.hpkp_report_host = @hpkp_report_host
       copy
     end
 
+    # Public: Apply a named override to the current config
+    #
+    # Returns self
+    def override(name = nil, &block)
+      if override = self.class.overrides(name)
+        instance_eval(&override)
+      else
+        raise ArgumentError.new("no override by the name of #{name} has been configured")
+      end
+      self
+    end
+
+    def generate_headers(user_agent)
+      headers = {}
+      HEADERABLE_ATTRIBUTES.each do |attr|
+        klass = CONFIG_ATTRIBUTES_TO_HEADER_CLASSES[attr]
+        header_name, value = klass.make_header(instance_variable_get("@#{attr}"), user_agent)
+        if header_name && value
+          headers[header_name] = value
+        end
+      end
+      headers
+    end
+
     def opt_out(header)
       send("#{header}=", OPT_OUT)
-      self.cached_headers.delete(header)
     end
 
     def update_x_frame_options(value)
       @x_frame_options = value
-      self.cached_headers[XFrameOptions::CONFIG_KEY] = XFrameOptions.make_header(value)
     end
 
     # Public: validates all configurations values.
@@ -197,19 +220,10 @@ module SecureHeaders
     #
     # Returns nothing
     def validate_config!
-      StrictTransportSecurity.validate_config!(@hsts)
-      ContentSecurityPolicy.validate_config!(@csp)
-      ContentSecurityPolicy.validate_config!(@csp_report_only)
-      ReferrerPolicy.validate_config!(@referrer_policy)
-      XFrameOptions.validate_config!(@x_frame_options)
-      XContentTypeOptions.validate_config!(@x_content_type_options)
-      XXssProtection.validate_config!(@x_xss_protection)
-      XDownloadOptions.validate_config!(@x_download_options)
-      XPermittedCrossDomainPolicies.validate_config!(@x_permitted_cross_domain_policies)
-      ClearSiteData.validate_config!(@clear_site_data)
-      ExpectCertificateTransparency.validate_config!(@expect_certificate_transparency)
-      PublicKeyPins.validate_config!(@hpkp)
-      Cookie.validate_config!(@cookies)
+      VALIDATABLE_ATTRIBUTES.each do |attr|
+        klass = CONFIG_ATTRIBUTES_TO_HEADER_CLASSES[attr]
+        klass.validate_config!(instance_variable_get("@#{attr}"))
+      end
     end
 
     def secure_cookies=(secure_cookies)
@@ -217,15 +231,15 @@ module SecureHeaders
     end
 
     def csp=(new_csp)
-      if new_csp.respond_to?(:opt_out?)
-        @csp = new_csp.dup
+      case new_csp
+      when OPT_OUT
+        @csp = new_csp
+      when ContentSecurityPolicyConfig
+        @csp = new_csp
+      when Hash
+        @csp = ContentSecurityPolicyConfig.new(new_csp)
       else
-        if new_csp[:report_only]
-          # invalid configuration implies that CSPRO should be set, CSP should not - so opt out
-          raise ArgumentError, "#{Kernel.caller.first}: `#csp=` was supplied a config with report_only: true. Use #csp_report_only="
-        else
-          @csp = ContentSecurityPolicyConfig.new(new_csp)
-        end
+        raise ArgumentError, "Must provide either an existing CSP config or a CSP config hash"
       end
     end
 
@@ -236,87 +250,23 @@ module SecureHeaders
     # configuring csp_report_only, the code will assume you mean to only use
     # report-only mode and you will be opted-out of enforce mode.
     def csp_report_only=(new_csp)
-      @csp_report_only = begin
-        if new_csp.is_a?(ContentSecurityPolicyConfig)
-          new_csp.make_report_only
-        elsif new_csp.respond_to?(:opt_out?)
-          new_csp.dup
-        else
-          if new_csp[:report_only] == false # nil is a valid value on which we do not want to raise
-            raise ContentSecurityPolicyConfigError, "`#csp_report_only=` was supplied a config with report_only: false. Use #csp="
-          else
-            ContentSecurityPolicyReportOnlyConfig.new(new_csp)
-          end
-        end
-      end
-    end
-
-    protected
-
-    def cookies=(cookies)
-      @cookies = cookies
-    end
-
-    def cached_headers=(headers)
-      @cached_headers = headers
-    end
-
-    def hpkp=(hpkp)
-      @hpkp = self.class.send(:deep_copy_if_hash, hpkp)
-    end
-
-    def hpkp_report_host=(hpkp_report_host)
-      @hpkp_report_host = hpkp_report_host
-    end
-
-    private
-
-    def cache_hpkp_report_host
-      has_report_uri = @hpkp && @hpkp != OPT_OUT && @hpkp[:report_uri]
-      self.hpkp_report_host = if has_report_uri
-        parsed_report_uri = URI.parse(@hpkp[:report_uri])
-        parsed_report_uri.host
-      end
-    end
-
-    # Public: Precompute the header names and values for this configuration.
-    # Ensures that headers generated at configure time, not on demand.
-    #
-    # Returns the cached headers
-    def cache_headers!
-      # generate defaults for the "easy" headers
-      headers = (ALL_HEADERS_BESIDES_CSP).each_with_object({}) do |klass, hash|
-        config = instance_variable_get("@#{klass::CONFIG_KEY}")
-        unless config == OPT_OUT
-          hash[klass::CONFIG_KEY] = klass.make_header(config).freeze
-        end
+      case new_csp
+      when OPT_OUT
+        @csp_report_only = new_csp
+      when ContentSecurityPolicyReportOnlyConfig
+        @csp_report_only = new_csp.dup
+      when ContentSecurityPolicyConfig
+        @csp_report_only = new_csp.make_report_only
+      when Hash
+        @csp_report_only = ContentSecurityPolicyReportOnlyConfig.new(new_csp)
+      else
+        raise ArgumentError, "Must provide either an existing CSP config or a CSP config hash"
       end
-
-      generate_csp_headers(headers)
-
-      headers.freeze
-      self.cached_headers = headers
     end
 
-    # Private: adds CSP headers for each variation of CSP support.
-    #
-    # headers - generated headers are added to this hash namespaced by The
-    #   different variations
-    #
-    # Returns nothing
-    def generate_csp_headers(headers)
-      generate_csp_headers_for_config(headers, ContentSecurityPolicyConfig::CONFIG_KEY, self.csp)
-      generate_csp_headers_for_config(headers, ContentSecurityPolicyReportOnlyConfig::CONFIG_KEY, self.csp_report_only)
-    end
-
-    def generate_csp_headers_for_config(headers, header_key, csp_config)
-      unless csp_config.opt_out?
-        headers[header_key] = {}
-        ContentSecurityPolicy::VARIATIONS.each_key do |name|
-          csp = ContentSecurityPolicy.make_header(csp_config, UserAgent.parse(name))
-          headers[header_key][name] = csp.freeze
-        end
-      end
+    def hpkp_report_host
+      return nil unless @hpkp && hpkp != OPT_OUT && @hpkp[:report_uri]
+      URI.parse(@hpkp[:report_uri]).host
     end
   end
 end