secure_headers 6.0.0 → 6.7.0

data/lib/secure_headers/headers/content_security_policy.rb

@@ -7,21 +7,22 @@ module SecureHeaders
     include PolicyManagement
 
     def initialize(config = nil)
-      @config = if config.is_a?(Hash)
-        if config[:report_only]
-          ContentSecurityPolicyReportOnlyConfig.new(config || DEFAULT_CONFIG)
+      @config =
+        if config.is_a?(Hash)
+          if config[:report_only]
+            ContentSecurityPolicyReportOnlyConfig.new(config || DEFAULT_CONFIG)
+          else
+            ContentSecurityPolicyConfig.new(config || DEFAULT_CONFIG)
+          end
+        elsif config.nil?
+          ContentSecurityPolicyConfig.new(DEFAULT_CONFIG)
         else
-          ContentSecurityPolicyConfig.new(config || DEFAULT_CONFIG)
+          config
         end
-      elsif config.nil?
-        ContentSecurityPolicyConfig.new(DEFAULT_CONFIG)
-      else
-        config
-      end
 
-      @preserve_schemes = @config.preserve_schemes
-      @script_nonce = @config.script_nonce
-      @style_nonce = @config.style_nonce
+      @preserve_schemes = @config[:preserve_schemes]
+      @script_nonce = @config[:script_nonce]
+      @style_nonce = @config[:style_nonce]
     end
 
     ##
@@ -34,11 +35,12 @@ module SecureHeaders
     ##
     # Return the value of the CSP header
     def value
-      @value ||= if @config
-        build_value
-      else
-        DEFAULT_VALUE
-      end
+      @value ||=
+        if @config
+          build_value
+        else
+          DEFAULT_VALUE
+        end
     end
 
     private
@@ -51,14 +53,16 @@ module SecureHeaders
     def build_value
       directives.map do |directive_name|
         case DIRECTIVE_VALUE_TYPES[directive_name]
+        when :source_list,
+             :require_sri_for_list, # require_sri is a simple set of strings that don't need to deal with symbol casing
+             :require_trusted_types_for_list
+          build_source_list_directive(directive_name)
         when :boolean
           symbol_to_hyphen_case(directive_name) if @config.directive_value(directive_name)
         when :sandbox_list
           build_sandbox_list_directive(directive_name)
         when :media_type_list
           build_media_type_list_directive(directive_name)
-        when :source_list
-          build_source_list_directive(directive_name)
         end
       end.compact.join("; ")
     end
@@ -103,10 +107,15 @@ module SecureHeaders
     # Returns a string representing a directive.
     def build_source_list_directive(directive)
       source_list = @config.directive_value(directive)
-
       if source_list != OPT_OUT && source_list && source_list.any?
-        normalized_source_list = minify_source_list(directive, source_list)
-        [symbol_to_hyphen_case(directive), normalized_source_list].join(" ")
+        minified_source_list = minify_source_list(directive, source_list).join(" ")
+
+        if minified_source_list =~ /(\n|;)/
+          Kernel.warn("#{directive} contains a #{$1} in #{minified_source_list.inspect} which will raise an error in future versions. It has been replaced with a blank space.")
+        end
+
+        escaped_source_list = minified_source_list.gsub(/[\n;]/, " ")
+        [symbol_to_hyphen_case(directive), escaped_source_list].join(" ").strip
       end
     end
 
@@ -124,7 +133,7 @@ module SecureHeaders
         unless directive == REPORT_URI || @preserve_schemes
           source_list = strip_source_schemes(source_list)
         end
-        dedup_source_list(source_list)
+        source_list.uniq
       end
     end
 
@@ -142,23 +151,6 @@ module SecureHeaders
       end
     end
 
-    # Removes duplicates and sources that already match an existing wild card.
-    #
-    # e.g. *.github.com asdf.github.com becomes *.github.com
-    def dedup_source_list(sources)
-      sources = sources.uniq
-      wild_sources = sources.select { |source| source =~ STAR_REGEXP }
-
-      if wild_sources.any?
-        sources.reject do |source|
-          !wild_sources.include?(source) &&
-            wild_sources.any? { |pattern| File.fnmatch(pattern, source) }
-        end
-      else
-        sources
-      end
-    end
-
     # Private: append a nonce to the script/style directories if script_nonce
     # or style_nonce are provided.
     def populate_nonces(directive, source_list)
@@ -179,7 +171,8 @@ module SecureHeaders
     # unsafe-inline, this is more concise.
     def append_nonce(source_list, nonce)
       if nonce
-        source_list.push("'nonce-#{nonce}'", UNSAFE_INLINE)
+        source_list.push("'nonce-#{nonce}'")
+        source_list.push(UNSAFE_INLINE) unless @config[:disable_nonce_backwards_compatibility]
       end
 
       source_list

data/lib/secure_headers/headers/content_security_policy_config.rb

@@ -1,56 +1,23 @@
 # frozen_string_literal: true
 module SecureHeaders
   module DynamicConfig
-    def self.included(base)
-      base.send(:attr_reader, *base.attrs)
-      base.attrs.each do |attr|
-        base.send(:define_method, "#{attr}=") do |value|
-          if self.class.attrs.include?(attr)
-            write_attribute(attr, value)
-          else
-            raise ContentSecurityPolicyConfigError, "Unknown config directive: #{attr}=#{value}"
-          end
-        end
-      end
-    end
-
     def initialize(hash)
-      @base_uri = nil
-      @block_all_mixed_content = nil
-      @child_src = nil
-      @connect_src = nil
-      @default_src = nil
-      @font_src = nil
-      @form_action = nil
-      @frame_ancestors = nil
-      @frame_src = nil
-      @img_src = nil
-      @manifest_src = nil
-      @media_src = nil
-      @object_src = nil
-      @plugin_types = nil
-      @preserve_schemes = nil
-      @report_only = nil
-      @report_uri = nil
-      @sandbox = nil
-      @script_nonce = nil
-      @script_src = nil
-      @style_nonce = nil
-      @style_src = nil
-      @worker_src = nil
-      @upgrade_insecure_requests = nil
+      @config = {}
 
       from_hash(hash)
     end
 
+    def initialize_copy(hash)
+      @config = hash.to_h
+    end
+
     def update_directive(directive, value)
-      self.send("#{directive}=", value)
+      @config[directive] = value
     end
 
     def directive_value(directive)
-      if self.class.attrs.include?(directive)
-        self.send(directive)
-      end
+      # No need to check attrs, as we only assign valid keys
+      @config[directive]
     end
 
     def merge(new_hash)
@@ -68,10 +35,7 @@ module SecureHeaders
     end
 
     def to_h
-      self.class.attrs.each_with_object({}) do |key, hash|
-        value = self.send(key)
-        hash[key] = value unless value.nil?
-      end
+      @config.dup
     end
 
     def dup
@@ -104,8 +68,11 @@ module SecureHeaders
 
     def write_attribute(attr, value)
       value = value.dup if PolicyManagement::DIRECTIVE_VALUE_TYPES[attr] == :source_list
-      attr_variable = "@#{attr}"
-      self.instance_variable_set(attr_variable, value)
+      if value.nil?
+        @config.delete(attr)
+      else
+        @config[attr] = value
+      end
     end
   end
 
@@ -113,7 +80,7 @@ module SecureHeaders
   class ContentSecurityPolicyConfig
     HEADER_NAME = "Content-Security-Policy".freeze
 
-    ATTRS = PolicyManagement::ALL_DIRECTIVES + PolicyManagement::META_CONFIGS + PolicyManagement::NONCES
+    ATTRS = Set.new(PolicyManagement::ALL_DIRECTIVES + PolicyManagement::META_CONFIGS + PolicyManagement::NONCES)
     def self.attrs
       ATTRS
     end

data/lib/secure_headers/headers/cookie.rb

@@ -80,9 +80,9 @@ module SecureHeaders
     end
 
     def conditionally_flag?(configuration)
-      if(Array(configuration[:only]).any? && (Array(configuration[:only]) & parsed_cookie.keys).any?)
+      if (Array(configuration[:only]).any? && (Array(configuration[:only]) & parsed_cookie.keys).any?)
         true
-      elsif(Array(configuration[:except]).any? && (Array(configuration[:except]) & parsed_cookie.keys).none?)
+      elsif (Array(configuration[:except]).any? && (Array(configuration[:except]) & parsed_cookie.keys).none?)
         true
       else
         false
@@ -94,12 +94,14 @@ module SecureHeaders
         "SameSite=Lax"
       elsif flag_samesite_strict?
         "SameSite=Strict"
+      elsif flag_samesite_none?
+        "SameSite=None"
       end
     end
 
     def flag_samesite?
       return false if config == OPT_OUT || config[:samesite] == OPT_OUT
-      flag_samesite_lax? || flag_samesite_strict?
+      flag_samesite_lax? || flag_samesite_strict? || flag_samesite_none?
     end
 
     def flag_samesite_lax?
@@ -110,6 +112,10 @@ module SecureHeaders
       flag_samesite_enforcement?(:strict)
     end
 
+    def flag_samesite_none?
+      flag_samesite_enforcement?(:none)
+    end
+
     def flag_samesite_enforcement?(mode)
       return unless config[:samesite]
 

data/lib/secure_headers/headers/policy_management.rb

@@ -1,4 +1,7 @@
 # frozen_string_literal: true
+
+require "set"
+
 module SecureHeaders
   module PolicyManagement
     def self.included(base)
@@ -68,20 +71,44 @@ module SecureHeaders
 
     # All the directives currently under consideration for CSP level 3.
     # https://w3c.github.io/webappsec/specs/CSP2/
-    BLOCK_ALL_MIXED_CONTENT = :block_all_mixed_content
     MANIFEST_SRC = :manifest_src
+    NAVIGATE_TO = :navigate_to
+    PREFETCH_SRC = :prefetch_src
+    REQUIRE_SRI_FOR = :require_sri_for
     UPGRADE_INSECURE_REQUESTS = :upgrade_insecure_requests
     WORKER_SRC = :worker_src
+    SCRIPT_SRC_ELEM = :script_src_elem
+    SCRIPT_SRC_ATTR = :script_src_attr
+    STYLE_SRC_ELEM = :style_src_elem
+    STYLE_SRC_ATTR = :style_src_attr
 
     DIRECTIVES_3_0 = [
       DIRECTIVES_2_0,
-      BLOCK_ALL_MIXED_CONTENT,
       MANIFEST_SRC,
+      NAVIGATE_TO,
+      PREFETCH_SRC,
+      REQUIRE_SRI_FOR,
       WORKER_SRC,
-      UPGRADE_INSECURE_REQUESTS
+      UPGRADE_INSECURE_REQUESTS,
+      SCRIPT_SRC_ELEM,
+      SCRIPT_SRC_ATTR,
+      STYLE_SRC_ELEM,
+      STYLE_SRC_ATTR
     ].flatten.freeze
 
-    ALL_DIRECTIVES = (DIRECTIVES_1_0 + DIRECTIVES_2_0 + DIRECTIVES_3_0).uniq.sort
+    # Experimental directives - these vary greatly in support
+    # See MDN for details.
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types
+    TRUSTED_TYPES = :trusted_types
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for
+    REQUIRE_TRUSTED_TYPES_FOR = :require_trusted_types_for
+
+    DIRECTIVES_EXPERIMENTAL = [
+      TRUSTED_TYPES,
+      REQUIRE_TRUSTED_TYPES_FOR,
+    ].flatten.freeze
+
+    ALL_DIRECTIVES = (DIRECTIVES_1_0 + DIRECTIVES_2_0 + DIRECTIVES_3_0 + DIRECTIVES_EXPERIMENTAL).uniq.sort
 
     # Think of default-src and report-uri as the beginning and end respectively,
     # everything else is in between.
@@ -89,7 +116,6 @@ module SecureHeaders
 
     DIRECTIVE_VALUE_TYPES = {
       BASE_URI                  => :source_list,
-      BLOCK_ALL_MIXED_CONTENT   => :boolean,
       CHILD_SRC                 => :source_list,
       CONNECT_SRC               => :source_list,
       DEFAULT_SRC               => :source_list,
@@ -100,14 +126,23 @@ module SecureHeaders
       IMG_SRC                   => :source_list,
       MANIFEST_SRC              => :source_list,
       MEDIA_SRC                 => :source_list,
+      NAVIGATE_TO               => :source_list,
       OBJECT_SRC                => :source_list,
       PLUGIN_TYPES              => :media_type_list,
+      REQUIRE_SRI_FOR           => :require_sri_for_list,
+      REQUIRE_TRUSTED_TYPES_FOR => :require_trusted_types_for_list,
       REPORT_URI                => :source_list,
+      PREFETCH_SRC              => :source_list,
       SANDBOX                   => :sandbox_list,
       SCRIPT_SRC                => :source_list,
+      SCRIPT_SRC_ELEM           => :source_list,
+      SCRIPT_SRC_ATTR           => :source_list,
       STYLE_SRC                 => :source_list,
+      STYLE_SRC_ELEM            => :source_list,
+      STYLE_SRC_ATTR            => :source_list,
+      TRUSTED_TYPES             => :source_list,
       WORKER_SRC                => :source_list,
-      UPGRADE_INSECURE_REQUESTS => :boolean
+      UPGRADE_INSECURE_REQUESTS => :boolean,
     }.freeze
 
     # These are directives that don't have use a source list, and hence do not
@@ -122,7 +157,8 @@ module SecureHeaders
       BASE_URI,
       FORM_ACTION,
       FRAME_ANCESTORS,
-      REPORT_URI
+      NAVIGATE_TO,
+      REPORT_URI,
     ]
 
     FETCH_SOURCES = ALL_DIRECTIVES - NON_FETCH_SOURCES - NON_SOURCE_LIST_SOURCES
@@ -140,7 +176,8 @@ module SecureHeaders
 
     META_CONFIGS = [
       :report_only,
-      :preserve_schemes
+      :preserve_schemes,
+      :disable_nonce_backwards_compatibility
     ].freeze
 
     NONCES = [
@@ -148,6 +185,9 @@ module SecureHeaders
       :style_nonce
     ].freeze
 
+    REQUIRE_SRI_FOR_VALUES = Set.new(%w(script style))
+    REQUIRE_TRUSTED_TYPES_FOR_VALUES = Set.new(%w('script'))
+
     module ClassMethods
       # Public: generate a header name, value array that is user-agent-aware.
       #
@@ -198,7 +238,7 @@ module SecureHeaders
       #
       # raises an error if the original config is OPT_OUT
       #
-      # 1. for non-source-list values (report_only, block_all_mixed_content, upgrade_insecure_requests),
+      # 1. for non-source-list values (report_only, upgrade_insecure_requests),
       # additions will overwrite the original value.
       # 2. if a value in additions does not exist in the original config, the
       # default-src value is included to match original behavior.
@@ -241,7 +281,9 @@ module SecureHeaders
       def list_directive?(directive)
         source_list?(directive) ||
           sandbox_list?(directive) ||
-          media_type_list?(directive)
+          media_type_list?(directive) ||
+          require_sri_for_list?(directive) ||
+          require_trusted_types_for_list?(directive)
       end
 
       # For each directive in additions that does not exist in the original config,
@@ -249,11 +291,12 @@ module SecureHeaders
       def populate_fetch_source_with_default!(original, additions)
         # in case we would be appending to an empty directive, fill it with the default-src value
         additions.each_key do |directive|
-          directive = if directive.to_s.end_with?("_nonce")
-            directive.to_s.gsub(/_nonce/, "_src").to_sym
-          else
-            directive
-          end
+          directive =
+            if directive.to_s.end_with?("_nonce")
+              directive.to_s.gsub(/_nonce/, "_src").to_sym
+            else
+              directive
+            end
           # Don't set a default if directive has an existing value
           next if original[directive]
           if FETCH_SOURCES.include?(directive)
@@ -274,11 +317,21 @@ module SecureHeaders
         DIRECTIVE_VALUE_TYPES[directive] == :media_type_list
       end
 
+      def require_sri_for_list?(directive)
+        DIRECTIVE_VALUE_TYPES[directive] == :require_sri_for_list
+      end
+
+      def require_trusted_types_for_list?(directive)
+        DIRECTIVE_VALUE_TYPES[directive] == :require_trusted_types_for_list
+      end
+
       # Private: Validates that the configuration has a valid type, or that it is a valid
       # source expression.
       def validate_directive!(directive, value)
         ensure_valid_directive!(directive)
         case ContentSecurityPolicy::DIRECTIVE_VALUE_TYPES[directive]
+        when :source_list
+          validate_source_expression!(directive, value)
         when :boolean
           unless boolean?(value)
             raise ContentSecurityPolicyConfigError.new("#{directive} must be a boolean. Found #{value.class} value")
@@ -287,8 +340,10 @@ module SecureHeaders
           validate_sandbox_expression!(directive, value)
         when :media_type_list
           validate_media_type_expression!(directive, value)
-        when :source_list
-          validate_source_expression!(directive, value)
+        when :require_sri_for_list
+          validate_require_sri_source_expression!(directive, value)
+        when :require_trusted_types_for_list
+          validate_require_trusted_types_for_source_expression!(directive, value)
         else
           raise ContentSecurityPolicyConfigError.new("Unknown directive #{directive}")
         end
@@ -323,6 +378,26 @@ module SecureHeaders
         end
       end
 
+      # Private: validates that a require sri for expression:
+      # 1. is an array of strings
+      # 2. is a subset of ["string", "style"]
+      def validate_require_sri_source_expression!(directive, require_sri_for_expression)
+        ensure_array_of_strings!(directive, require_sri_for_expression)
+        unless require_sri_for_expression.to_set.subset?(REQUIRE_SRI_FOR_VALUES)
+          raise ContentSecurityPolicyConfigError.new(%(require-sri for must be a subset of #{REQUIRE_SRI_FOR_VALUES.to_a} but was #{require_sri_for_expression}))
+        end
+      end
+
+      # Private: validates that a require trusted types for expression:
+      # 1. is an array of strings
+      # 2. is a subset of ["'script'"]
+      def validate_require_trusted_types_for_source_expression!(directive, require_trusted_types_for_expression)
+        ensure_array_of_strings!(directive, require_trusted_types_for_expression)
+        unless require_trusted_types_for_expression.to_set.subset?(REQUIRE_TRUSTED_TYPES_FOR_VALUES)
+          raise ContentSecurityPolicyConfigError.new(%(require-trusted-types-for for must be a subset of #{REQUIRE_TRUSTED_TYPES_FOR_VALUES.to_a} but was #{require_trusted_types_for_expression}))
+        end
+      end
+
       # Private: validates that a source expression:
       # 1. is an array of strings
       # 2. does not contain any deprecated, now invalid values (inline, eval, self, none)

data/lib/secure_headers/middleware.rb

@@ -1,8 +1,6 @@
 # frozen_string_literal: true
 module SecureHeaders
   class Middleware
-    HPKP_SAME_HOST_WARNING = "[WARNING] HPKP report host should not be the same as the request host. See https://github.com/twitter/secureheaders/issues/166"
-
     def initialize(app)
       @app = app
     end
@@ -13,10 +11,6 @@ module SecureHeaders
       status, headers, response = @app.call(env)
 
       config = SecureHeaders.config_for(req)
-      if config.hpkp_report_host == req.host
-        Kernel.warn(HPKP_SAME_HOST_WARNING)
-      end
-
       flag_cookies!(headers, override_secure(env, config.cookies)) unless config.cookies == OPT_OUT
       headers.merge!(SecureHeaders.header_hash_for(req))
       [status, headers, response]

data/lib/secure_headers/utils/cookies_config.rb

@@ -43,10 +43,12 @@ module SecureHeaders
 
     # when configuring with booleans, only one enforcement is permitted
     def validate_samesite_boolean_config!
-      if config[:samesite].key?(:lax) && config[:samesite][:lax].is_a?(TrueClass) && config[:samesite].key?(:strict)
-        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax and strict enforcement is not permitted.")
-      elsif config[:samesite].key?(:strict) && config[:samesite][:strict].is_a?(TrueClass) && config[:samesite].key?(:lax)
-        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax and strict enforcement is not permitted.")
+      if config[:samesite].key?(:lax) && config[:samesite][:lax].is_a?(TrueClass) && (config[:samesite].key?(:strict) || config[:samesite].key?(:none))
+        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax with strict or no enforcement is not permitted.")
+      elsif config[:samesite].key?(:strict) && config[:samesite][:strict].is_a?(TrueClass) && (config[:samesite].key?(:lax) || config[:samesite].key?(:none))
+        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure strict with lax or no enforcement is not permitted.")
+      elsif config[:samesite].key?(:none) && config[:samesite][:none].is_a?(TrueClass) && (config[:samesite].key?(:lax) || config[:samesite].key?(:strict))
+        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure no enforcement with lax or strict is not permitted.")
       end
     end
 
@@ -65,7 +67,7 @@ module SecureHeaders
 
     def validate_hash_or_true_or_opt_out!(attribute)
       if !(is_hash?(config[attribute]) || is_true_or_opt_out?(config[attribute]))
-        raise CookiesConfigError.new("#{attribute} cookie config must be a hash or boolean")
+        raise CookiesConfigError.new("#{attribute} cookie config must be a hash, true, or SecureHeaders::OPT_OUT")
       end
     end
 

data/lib/secure_headers/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module SecureHeaders
+  VERSION = "6.7.0"
+end

data/lib/secure_headers/view_helper.rb

@@ -21,7 +21,7 @@ module SecureHeaders
     def nonced_stylesheet_link_tag(*args, &block)
       opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:style))
 
-      stylesheet_link_tag(*args, opts, &block)
+      stylesheet_link_tag(*args, **opts, &block)
     end
 
     # Public: create a script tag using the content security policy nonce.
@@ -39,7 +39,7 @@ module SecureHeaders
     def nonced_javascript_include_tag(*args, &block)
       opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:script))
 
-      javascript_include_tag(*args, opts, &block)
+      javascript_include_tag(*args, **opts, &block)
     end
 
     # Public: create a script Webpacker pack tag using the content security policy nonce.
@@ -49,7 +49,7 @@ module SecureHeaders
     def nonced_javascript_pack_tag(*args, &block)
       opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:script))
 
-      javascript_pack_tag(*args, opts, &block)
+      javascript_pack_tag(*args, **opts, &block)
     end
 
     # Public: create a stylesheet Webpacker link tag using the content security policy nonce.
@@ -59,7 +59,7 @@ module SecureHeaders
     def nonced_stylesheet_pack_tag(*args, &block)
       opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:style))
 
-      stylesheet_pack_tag(*args, opts, &block)
+      stylesheet_pack_tag(*args, **opts, &block)
     end
 
     # Public: use the content security policy nonce for this request directly.
@@ -147,12 +147,13 @@ module SecureHeaders
 
     def nonced_tag(type, content_or_options, block)
       options = {}
-      content = if block
-        options = content_or_options
-        capture(&block)
-      else
-        content_or_options.html_safe # :'(
-      end
+      content =
+        if block
+          options = content_or_options
+          capture(&block)
+        else
+          content_or_options.html_safe # :'(
+        end
       content_tag type, content, options.merge(nonce: _content_security_policy_nonce(type))
     end
 

data/lib/secure_headers.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 require "secure_headers/hash_helper"
 require "secure_headers/headers/cookie"
-require "secure_headers/headers/public_key_pins"
 require "secure_headers/headers/content_security_policy"
 require "secure_headers/headers/x_frame_options"
 require "secure_headers/headers/strict_transport_security"
@@ -18,8 +17,7 @@ require "secure_headers/view_helper"
 require "singleton"
 require "secure_headers/configuration"
 
-# All headers (except for hpkp) have a default value. Provide SecureHeaders::OPT_OUT
-# or ":optout_of_protection" as a config value to disable a given header
+# Provide SecureHeaders::OPT_OUT as a config value to disable a given header
 module SecureHeaders
   class NoOpHeaderConfig
     include Singleton
@@ -51,10 +49,6 @@ module SecureHeaders
   HTTPS = "https".freeze
   CSP = ContentSecurityPolicy
 
-  # Headers set on http requests (excludes STS and HPKP)
-  HTTPS_HEADER_CLASSES =
-    [StrictTransportSecurity, PublicKeyPins].freeze
-
   class << self
     # Public: override a given set of directives for the current request. If a
     # value already exists for a given directive, it will be overridden.
@@ -138,7 +132,7 @@ module SecureHeaders
     # Public: Builds the hash of headers that should be applied base on the
     # request.
     #
-    # StrictTransportSecurity and PublicKeyPins are not applied to http requests.
+    # StrictTransportSecurity is not applied to http requests.
     # See #config_for to determine which config is used for a given request.
     #
     # Returns a hash of header names => header values. The value
@@ -151,9 +145,7 @@ module SecureHeaders
       headers = config.generate_headers
 
       if request.scheme != HTTPS
-        HTTPS_HEADER_CLASSES.each do |klass|
-          headers.delete(klass::HEADER_NAME)
-        end
+        headers.delete(StrictTransportSecurity::HEADER_NAME)
       end
       headers
     end

data/lib/tasks/tasks.rake

@@ -20,10 +20,11 @@ namespace :secure_headers do
       (is_erb?(filename) && inline_script =~ /<%.*%>/)
   end
 
-  def find_inline_content(filename, regex, hashes)
+  def find_inline_content(filename, regex, hashes, strip_trailing_whitespace)
     file = File.read(filename)
     file.scan(regex) do # TODO don't use gsub
       inline_script = Regexp.last_match.captures.last
+      inline_script.gsub!(/(\r?\n)[\t ]+\z/, '\1') if strip_trailing_whitespace
       if dynamic_content?(filename, inline_script)
         puts "Looks like there's some dynamic content inside of a tag :-/"
         puts "That pretty much means the hash value will never match."
@@ -38,9 +39,8 @@ namespace :secure_headers do
   def generate_inline_script_hashes(filename)
     hashes = []
 
-    [INLINE_SCRIPT_REGEX, INLINE_HASH_SCRIPT_HELPER_REGEX].each do |regex|
-      find_inline_content(filename, regex, hashes)
-    end
+    find_inline_content(filename, INLINE_SCRIPT_REGEX, hashes, false)
+    find_inline_content(filename, INLINE_HASH_SCRIPT_HELPER_REGEX, hashes, true)
 
     hashes
   end
@@ -48,9 +48,8 @@ namespace :secure_headers do
   def generate_inline_style_hashes(filename)
     hashes = []
 
-    [INLINE_STYLE_REGEX, INLINE_HASH_STYLE_HELPER_REGEX].each do |regex|
-      find_inline_content(filename, regex, hashes)
-    end
+    find_inline_content(filename, INLINE_STYLE_REGEX, hashes, false)
+    find_inline_content(filename, INLINE_HASH_STYLE_HELPER_REGEX, hashes, true)
 
     hashes
   end