secure_headers 6.1.0 → 6.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 26a6b47b87ec772f94c264ef318bf4c20997b3a541898f80110a1bd26a471753
-  data.tar.gz: 73e40f805bafe030a82cbe37cdf499acea6c2613cce3c25964db89a9fde2f172
+  metadata.gz: 7b136a1c21b128826c37c798c9e20db99b1d5a5c035001ed8289692ed8f0096f
+  data.tar.gz: d93c60ba6357a9cd8f64c16b53c9f2843753101e1669fb1bbaea56e549d89466
 SHA512:
-  metadata.gz: ed3eb3ba011292b668fd786a22a2c9d93a20067e4391881eafc555f978a7ae3c5da33741f82c908b7cfe4c66cb837f9fc1b2f7360be788d320dab0694fdaeb66
-  data.tar.gz: df5800647d9dc5462d51529461d85374831bdc1fe0755949d4ec9764f69810c7e5456be1095f25d4b34bb2ec2c3c0773243d2ce4ebaf4c11bace6ea035201947
+  metadata.gz: 13083c3da3a4f68d445be6012a1fa6e37c052e6ac6bdc457d379d725383142c8698f91c2d1a6fc75f13bfad52298e291131e9828bb6f6a1fc6b8cba9bc3d5892
+  data.tar.gz: 92214a6b589ba640e504e58f07b051351a7eea7bce87701730101a68a29045fe81c90d79600f00a36ee7bf3e4c5c7c4071ad74b01bab5e40c53751858bc198d7

data/.github/workflows/build.yml

@@ -0,0 +1,24 @@
+name: Build + Test
+on: [pull_request]
+
+jobs:
+  build:
+    name: Build + Test
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby: [ '2.4', '2.5', '2.6', '2.7' ]
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby ${{ matrix.ruby }}
+      uses: actions/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+    - name: Build and test with Rake
+      run: |
+        gem install bundler
+        bundle install --jobs 4 --retry 3 --without guard
+        bundle exec rspec spec
+        bundle exec rubocop
+

data/.github/workflows/sync.yml

@@ -0,0 +1,20 @@
+# This workflow ensures the "master" branch is always up-to-date with the
+# "main" branch (our default one)
+name: sync_main_branch
+on:
+  push:
+    branches: [ main ]
+jobs:
+  catch_up:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@v2
+        with:
+         fetch-depth: 0
+      - name: Merge development into master, then push it
+        run: |
+          git pull
+          git checkout master
+          git merge main
+          git push

data/.rubocop.yml

@@ -1,3 +1,4 @@
 inherit_gem:
   rubocop-github:
     - config/default.yml
+require: rubocop-performance

data/.ruby-version

@@ -1 +1 @@
-2.6.1
+2.6.6

data/CHANGELOG.md

@@ -1,7 +1,29 @@
+## 6.3.1
+
+Fixes deprecation warnings when running under ruby 2.7
+
+## 6.3.0
+
+Fixes newline injection issue
+
+## 6.2.0
+
+Fixes semicolon injection issue reported by @mvgijssel see https://github.com/twitter/secure_headers/issues/418
+
+## 6.1.2
+
+Adds the ability to specify `SameSite=none` with the same configurability as `Strict`/`Lax` in order to disable Chrome's soon-to-be-lax-by-default state.
+
+## 6.1.1
+
+Adds the ability to disable the automatically-appended `'unsafe-inline'` value when nonces are used #404 (@will)
+
 ## 6.1
 
 Adds support for navigate-to, prefetch-src, and require-sri-for #395
 
+NOTE: this version is a breaking change due to the removal of HPKP. Remove the HPKP config, the standard is dead. Apologies for not doing a proper deprecate/major rev cycle :pray:
+
 ## 6.0
 
 - See the [upgrading to 6.0](docs/upgrading-to-6-0.md) guide for the breaking changes.
@@ -354,7 +376,7 @@ Adds `upgrade-insecure-requests` support for requests from Firefox and Chrome (a
 
 ## 3.0.0
 
-secure_headers 3.0.0 is a near-complete, not-entirely-backward-compatible rewrite. Please see the [upgrade guide](https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-3-0.md) for an in-depth explanation of the changes and the suggested upgrade path.
+secure_headers 3.0.0 is a near-complete, not-entirely-backward-compatible rewrite. Please see the [upgrade guide](https://github.com/twitter/secureheaders/blob/main/docs/upgrading-to-3-0.md) for an in-depth explanation of the changes and the suggested upgrade path.
 
 ## 2.5.1 - 2016-02-16 18:11:11 UTC - Remove noisy deprecation warning
 

data/Gemfile

@@ -9,15 +9,16 @@ group :test do
   gem "pry-nav"
   gem "rack"
   gem "rspec"
-  gem "rubocop"
+  gem "rubocop", "< 0.68"
   gem "rubocop-github"
+  gem "rubocop-performance"
   gem "term-ansicolor"
   gem "tins"
 end
 
 group :guard do
   gem "growl"
-  gem "guard-rspec", platforms: [:ruby_19, :ruby_20, :ruby_21, :ruby_22, :ruby_23, :ruby_24]
+  gem "guard-rspec", platforms: [:ruby]
   gem "rb-fsevent"
   gem "terminal-notifier-guard"
 end

data/LICENSE

@@ -1,4 +1,4 @@
-Copyright 2013, 2014, 2015, 2016, 2017 Twitter, Inc.
+Copyright 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Twitter, Inc.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 

data/README.md

@@ -1,6 +1,6 @@
-# Secure Headers [![Build Status](https://travis-ci.org/twitter/secureheaders.svg?branch=master)](http://travis-ci.org/twitter/secureheaders) [![Code Climate](https://codeclimate.com/github/twitter/secureheaders.svg)](https://codeclimate.com/github/twitter/secureheaders) [![Coverage Status](https://coveralls.io/repos/twitter/secureheaders/badge.svg)](https://coveralls.io/r/twitter/secureheaders)
+# Secure Headers ![Build + Test](https://github.com/github/secure_headers/workflows/Build%20+%20Test/badge.svg?branch=main)
 
-**master represents 6.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md), [upgrading to 5.x doc](docs/upgrading-to-5-0.md), or [upgrading to 6.x doc](docs/upgrading-to-6-0.md) for instructions on how to upgrade. Bug fixes should go in the 5.x branch for now.
+**main branch represents 6.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md), [upgrading to 5.x doc](docs/upgrading-to-5-0.md), or [upgrading to 6.x doc](docs/upgrading-to-6-0.md) for instructions on how to upgrade. Bug fixes should go in the 5.x branch for now.
 
 The gem will automatically apply several headers that are related to security.  This includes:
 - Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack.  [CSP 2 Specification](http://www.w3.org/TR/CSP2/)
@@ -57,6 +57,7 @@ SecureHeaders::Configuration.default do |config|
   config.csp = {
     # "meta" values. these will shape the header, but the values are not included in the header.
     preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
+    disable_nonce_backwards_compatibility: true, # default: false. If false, `unsafe-inline` will be added automatically when using nonces. If true, it won't. See #403 for why you'd want this.
 
     # directive values: these values will directly translate into source directives
     default_src: %w('none'),
@@ -116,7 +117,48 @@ SecureHeaders::Configuration.override(:api) do |config|
 end
 ```
 
-However, I would consider these headers anyways depending on your load and bandwidth requirements. 
+However, I would consider these headers anyways depending on your load and bandwidth requirements.
+
+## Acknowledgements
+
+This project originated within the Security team at Twitter. An archived fork from the point of transition is here: https://github.com/twitter-archive/secure_headers.
+
+Contributors include:
+* Neil Matatall @oreoshake
+* Chris Aniszczyk
+* Artur Dryomov
+* Bjørn Mæland
+* Arthur Chiu
+* Jonathan Viney
+* Jeffrey Horn
+* David Collazo
+* Brendon Murphy
+* William Makley
+* Reed Loden
+* Noah Kantrowitz
+* Wyatt Anderson
+* Salimane Adjao Moustapha
+* Francois Chagnon
+* Jeff Hodges
+* Ian Melven
+* Darío Javier Cravero
+* Logan Hasson
+* Raul E Rangel
+* Steve Agalloco
+* Nate Collings
+* Josh Kalderimis
+* Alex Kwiatkowski
+* Julich Mera
+* Jesse Storimer
+* Tom Daniels
+* Kolja Dummann
+* Jean-Philippe Doyle
+* Blake Hitchcock
+* vanderhoorn
+* orthographic-pedant
+* Narsimham Chelluri
+
+If you've made a contribution and see your name missing from the list, make a PR and add it!
 
 ## Similar libraries
 
@@ -131,9 +173,3 @@ However, I would consider these headers anyways depending on your load and bandw
 * Dropwizard [dropwizard-web-security](https://github.com/palantir/dropwizard-web-security)
 * Ember.js [ember-cli-content-security-policy](https://github.com/rwjblue/ember-cli-content-security-policy/)
 * PHP [secure-headers](https://github.com/BePsvPT/secure-headers)
-
-## License
-
-Copyright 2013-2014 Twitter, Inc and other contributors.
-
-Licensed under the Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0

data/docs/cookies.md

@@ -25,7 +25,7 @@ Boolean-based configuration is intended to globally enable or disable a specific
 ```ruby
 config.cookies = {
   secure: true, # mark all cookies as Secure
-  httponly: OPT_OUT, # do not mark any cookies as HttpOnly
+  httponly: SecureHeaders::OPT_OUT, # do not mark any cookies as HttpOnly
 }
 ```
 
@@ -52,13 +52,14 @@ config.cookies = {
 }
 ```
 
-`Strict` and `Lax` enforcement modes can also be specified using a Hash.
+`Strict`, `Lax`, and `None` enforcement modes can also be specified using a Hash.
 
 ```ruby
 config.cookies = {
   samesite: {
-    strict: { only: ['_rails_session'] },
-    lax: { only: ['_guest'] }
+    strict: { only: ['session_id_duplicate'] },
+    lax: { only: ['_guest', '_rails_session', 'device_id'] },
+    none: { only: ['_tracking', 'saml_cookie', 'session_id'] },
   }
 }
 ```

data/docs/named_overrides_and_appends.md

@@ -1,6 +1,6 @@
 ## Named Appends
 
-Named Appends are blocks of code that can be reused and composed during requests. e.g. If a certain partial is rendered conditionally, and the csp needs to be adjusted for that partial, you can create a named append for that situation. The value returned by the block will be passed into `append_content_security_policy_directives`. The current request object is passed as an argument to the block for even more flexibility.
+Named Appends are blocks of code that can be reused and composed during requests. e.g. If a certain partial is rendered conditionally, and the csp needs to be adjusted for that partial, you can create a named append for that situation. The value returned by the block will be passed into `append_content_security_policy_directives`. The current request object is passed as an argument to the block for even more flexibility. Reusing a configuration name is not allowed and will throw an exception.
 
 ```ruby
 def show
@@ -76,11 +76,6 @@ class ApplicationController < ActionController::Base
   SecureHeaders::Configuration.override(:script_from_otherdomain_com) do |config|
     config.csp[:script_src] << "otherdomain.com"
   end
-
-  # overrides the :script_from_otherdomain_com configuration
-  SecureHeaders::Configuration.override(:another_config, :script_from_otherdomain_com) do |config|
-    config.csp[:script_src] << "evenanotherdomain.com"
-  end
 end
 
 class MyController < ApplicationController
@@ -96,6 +91,8 @@ class MyController < ApplicationController
 end
 ```
 
+Reusing a configuration name is not allowed and will throw an exception.
+
 By default, a no-op configuration is provided. No headers will be set when this default override is used.
 
 ```ruby

data/docs/upgrading-to-6-0.md

@@ -5,7 +5,7 @@ The original implementation of name overrides worked by making a copy of the def
 ```ruby
 class ApplicationController < ActionController::Base
   Configuration.default do |config|
-    config.x_frame_options = OPT_OUT
+    config.x_frame_options = SecureHeaders::OPT_OUT
   end
 
   SecureHeaders::Configuration.override(:dynamic_override) do |config|

data/lib/secure_headers/configuration.rb

@@ -43,6 +43,9 @@ module SecureHeaders
       def override(name, &block)
         @overrides ||= {}
         raise "Provide a configuration block" unless block_given?
+        if named_append_or_override_exists?(name)
+          raise AlreadyConfiguredError, "Configuration already exists"
+        end
         @overrides[name] = block
       end
 
@@ -59,6 +62,9 @@ module SecureHeaders
       def named_append(name, &block)
         @appends ||= {}
         raise "Provide a configuration block" unless block_given?
+        if named_append_or_override_exists?(name)
+          raise AlreadyConfiguredError, "Configuration already exists"
+        end
         @appends[name] = block
       end
 
@@ -68,6 +74,11 @@ module SecureHeaders
 
       private
 
+      def named_append_or_override_exists?(name)
+        (defined?(@appends) && @appends.key?(name)) ||
+          (defined?(@overrides) && @overrides.key?(name))
+      end
+
       # Public: perform a basic deep dup. The shallow copy provided by dup/clone
       # can lead to modifying parent objects.
       def deep_copy(config)
@@ -126,7 +137,9 @@ module SecureHeaders
     # The list of attributes that must respond to a `make_header` method
     HEADERABLE_ATTRIBUTES = (CONFIG_ATTRIBUTES - [:cookies]).freeze
 
-    attr_accessor(*CONFIG_ATTRIBUTES_TO_HEADER_CLASSES.keys)
+    attr_writer(*(CONFIG_ATTRIBUTES_TO_HEADER_CLASSES.reject { |key| [:csp, :csp_report_only].include?(key) }.keys))
+
+    attr_reader(*(CONFIG_ATTRIBUTES_TO_HEADER_CLASSES.keys))
 
     @script_hashes = nil
     @style_hashes = nil

data/lib/secure_headers/headers/content_security_policy.rb

@@ -103,10 +103,15 @@ module SecureHeaders
     # Returns a string representing a directive.
     def build_source_list_directive(directive)
       source_list = @config.directive_value(directive)
-
       if source_list != OPT_OUT && source_list && source_list.any?
-        normalized_source_list = minify_source_list(directive, source_list)
-        [symbol_to_hyphen_case(directive), normalized_source_list].join(" ")
+        minified_source_list = minify_source_list(directive, source_list).join(" ")
+
+        if minified_source_list =~ /(\n|;)/
+          Kernel.warn("#{directive} contains a #{$1} in #{minified_source_list.inspect} which will raise an error in future versions. It has been replaced with a blank space.")
+        end
+
+        escaped_source_list = minified_source_list.gsub(/[\n;]/, " ")
+        [symbol_to_hyphen_case(directive), escaped_source_list].join(" ").strip
       end
     end
 
@@ -179,7 +184,8 @@ module SecureHeaders
     # unsafe-inline, this is more concise.
     def append_nonce(source_list, nonce)
       if nonce
-        source_list.push("'nonce-#{nonce}'", UNSAFE_INLINE)
+        source_list.push("'nonce-#{nonce}'")
+        source_list.push(UNSAFE_INLINE) unless @config[:disable_nonce_backwards_compatibility]
       end
 
       source_list

data/lib/secure_headers/headers/content_security_policy_config.rb

@@ -42,6 +42,7 @@ module SecureHeaders
       @style_src = nil
       @worker_src = nil
       @upgrade_insecure_requests = nil
+      @disable_nonce_backwards_compatibility = nil
 
       from_hash(hash)
     end

data/lib/secure_headers/headers/cookie.rb

@@ -94,12 +94,14 @@ module SecureHeaders
         "SameSite=Lax"
       elsif flag_samesite_strict?
         "SameSite=Strict"
+      elsif flag_samesite_none?
+        "SameSite=None"
       end
     end
 
     def flag_samesite?
       return false if config == OPT_OUT || config[:samesite] == OPT_OUT
-      flag_samesite_lax? || flag_samesite_strict?
+      flag_samesite_lax? || flag_samesite_strict? || flag_samesite_none?
     end
 
     def flag_samesite_lax?
@@ -110,6 +112,10 @@ module SecureHeaders
       flag_samesite_enforcement?(:strict)
     end
 
+    def flag_samesite_none?
+      flag_samesite_enforcement?(:none)
+    end
+
     def flag_samesite_enforcement?(mode)
       return unless config[:samesite]
 

data/lib/secure_headers/headers/policy_management.rb

@@ -153,7 +153,8 @@ module SecureHeaders
 
     META_CONFIGS = [
       :report_only,
-      :preserve_schemes
+      :preserve_schemes,
+      :disable_nonce_backwards_compatibility
     ].freeze
 
     NONCES = [

data/lib/secure_headers/utils/cookies_config.rb

@@ -43,10 +43,12 @@ module SecureHeaders
 
     # when configuring with booleans, only one enforcement is permitted
     def validate_samesite_boolean_config!
-      if config[:samesite].key?(:lax) && config[:samesite][:lax].is_a?(TrueClass) && config[:samesite].key?(:strict)
-        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax and strict enforcement is not permitted.")
-      elsif config[:samesite].key?(:strict) && config[:samesite][:strict].is_a?(TrueClass) && config[:samesite].key?(:lax)
-        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax and strict enforcement is not permitted.")
+      if config[:samesite].key?(:lax) && config[:samesite][:lax].is_a?(TrueClass) && (config[:samesite].key?(:strict) || config[:samesite].key?(:none))
+        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax with strict or no enforcement is not permitted.")
+      elsif config[:samesite].key?(:strict) && config[:samesite][:strict].is_a?(TrueClass) && (config[:samesite].key?(:lax) || config[:samesite].key?(:none))
+        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure strict with lax or no enforcement is not permitted.")
+      elsif config[:samesite].key?(:none) && config[:samesite][:none].is_a?(TrueClass) && (config[:samesite].key?(:lax) || config[:samesite].key?(:strict))
+        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure no enforcement with lax or strict is not permitted.")
       end
     end
 

data/lib/secure_headers/version.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module SecureHeaders
-  VERSION = "6.1.0"
+  VERSION = "6.3.1"
 end

data/lib/secure_headers/view_helper.rb

@@ -21,7 +21,7 @@ module SecureHeaders
     def nonced_stylesheet_link_tag(*args, &block)
       opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:style))
 
-      stylesheet_link_tag(*args, opts, &block)
+      stylesheet_link_tag(*args, **opts, &block)
     end
 
     # Public: create a script tag using the content security policy nonce.
@@ -39,7 +39,7 @@ module SecureHeaders
     def nonced_javascript_include_tag(*args, &block)
       opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:script))
 
-      javascript_include_tag(*args, opts, &block)
+      javascript_include_tag(*args, **opts, &block)
     end
 
     # Public: create a script Webpacker pack tag using the content security policy nonce.
@@ -49,7 +49,7 @@ module SecureHeaders
     def nonced_javascript_pack_tag(*args, &block)
       opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:script))
 
-      javascript_pack_tag(*args, opts, &block)
+      javascript_pack_tag(*args, **opts, &block)
     end
 
     # Public: create a stylesheet Webpacker link tag using the content security policy nonce.
@@ -59,7 +59,7 @@ module SecureHeaders
     def nonced_stylesheet_pack_tag(*args, &block)
       opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:style))
 
-      stylesheet_pack_tag(*args, opts, &block)
+      stylesheet_pack_tag(*args, **opts, &block)
     end
 
     # Public: use the content security policy nonce for this request directly.

data/secure_headers.gemspec

@@ -1,9 +1,9 @@
+# frozen_string_literal: true
+
 lib = File.expand_path("../lib", __FILE__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require "secure_headers/version"
 
-# -*- encoding: utf-8 -*-
-# frozen_string_literal: true
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
   gem.version       = SecureHeaders::VERSION

data/spec/lib/secure_headers/configuration_spec.rb

@@ -34,6 +34,60 @@ module SecureHeaders
       expect(Configuration.overrides(:test_override)).to_not be_nil
     end
 
+    describe "#override" do
+      it "raises on configuring an existing override" do
+        set_override = Proc.new {
+          Configuration.override(:test_override) do |config|
+            config.x_frame_options = "DENY"
+          end
+        }
+
+        set_override.call
+
+        expect { set_override.call }
+          .to raise_error(Configuration::AlreadyConfiguredError, "Configuration already exists")
+      end
+
+      it "raises when a named append with the given name exists" do
+        Configuration.named_append(:test_override) do |config|
+          config.x_frame_options = "DENY"
+        end
+
+        expect do
+          Configuration.override(:test_override) do |config|
+            config.x_frame_options = "SAMEORIGIN"
+          end
+        end.to raise_error(Configuration::AlreadyConfiguredError, "Configuration already exists")
+      end
+    end
+
+    describe "#named_append" do
+      it "raises on configuring an existing append" do
+        set_override = Proc.new {
+          Configuration.named_append(:test_override) do |config|
+            config.x_frame_options = "DENY"
+          end
+        }
+
+        set_override.call
+
+        expect { set_override.call }
+          .to raise_error(Configuration::AlreadyConfiguredError, "Configuration already exists")
+      end
+
+      it "raises when an override with the given name exists" do
+        Configuration.override(:test_override) do |config|
+          config.x_frame_options = "DENY"
+        end
+
+        expect do
+          Configuration.named_append(:test_override) do |config|
+            config.x_frame_options = "SAMEORIGIN"
+          end
+        end.to raise_error(Configuration::AlreadyConfiguredError, "Configuration already exists")
+      end
+    end
+
     it "deprecates the secure_cookies configuration" do
       expect {
         Configuration.default do |config|

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -28,6 +28,16 @@ module SecureHeaders
         expect(ContentSecurityPolicy.new.value).to eq("default-src https:; form-action 'self'; img-src https: data: 'self'; object-src 'none'; script-src https:; style-src 'self' 'unsafe-inline' https:")
       end
 
+      it "deprecates and escapes semicolons in directive source lists" do
+        expect(Kernel).to receive(:warn).with(%(frame_ancestors contains a ; in "google.com;script-src *;.;" which will raise an error in future versions. It has been replaced with a blank space.))
+        expect(ContentSecurityPolicy.new(frame_ancestors: %w(https://google.com;script-src https://*;.;)).value).to eq("frame-ancestors google.com script-src * .")
+      end
+
+      it "deprecates and escapes semicolons in directive source lists" do
+        expect(Kernel).to receive(:warn).with(%(frame_ancestors contains a \n in "\\nfoo.com\\nhacked" which will raise an error in future versions. It has been replaced with a blank space.))
+        expect(ContentSecurityPolicy.new(frame_ancestors: ["\nfoo.com\nhacked"]).value).to eq("frame-ancestors  foo.com hacked")
+      end
+
       it "discards 'none' values if any other source expressions are present" do
         csp = ContentSecurityPolicy.new(default_opts.merge(child_src: %w('self' 'none')))
         expect(csp.value).not_to include("'none'")
@@ -145,6 +155,11 @@ module SecureHeaders
         csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456})
         expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456' 'unsafe-inline'")
       end
+
+      it "supports strict-dynamic and opting out of the appended 'unsafe-inline'" do
+        csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456, disable_nonce_backwards_compatibility: true })
+        expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456'")
+      end
     end
   end
 end

data/spec/lib/secure_headers/headers/cookie_spec.rb

@@ -68,29 +68,21 @@ module SecureHeaders
     end
 
     context "SameSite cookies" do
-      it "flags SameSite=Lax" do
-        cookie = Cookie.new(raw_cookie, samesite: { lax: { only: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
-        expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Lax")
-      end
-
-      it "flags SameSite=Lax when configured with a boolean" do
-        cookie = Cookie.new(raw_cookie, samesite: { lax: true}, secure: OPT_OUT, httponly: OPT_OUT)
-        expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Lax")
-      end
-
-      it "does not flag cookies as SameSite=Lax when excluded" do
-        cookie = Cookie.new(raw_cookie, samesite: { lax: { except: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
-        expect(cookie.to_s).to eq("_session=thisisatest")
-      end
+      %w(None Lax Strict).each do |flag|
+        it "flags SameSite=#{flag}" do
+          cookie = Cookie.new(raw_cookie, samesite: { flag.downcase.to_sym => { only: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
+          expect(cookie.to_s).to eq("_session=thisisatest; SameSite=#{flag}")
+        end
 
-      it "flags SameSite=Strict" do
-        cookie = Cookie.new(raw_cookie, samesite: { strict: { only: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
-        expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Strict")
-      end
+        it "flags SameSite=#{flag} when configured with a boolean" do
+          cookie = Cookie.new(raw_cookie, samesite: { flag.downcase.to_sym => true}, secure: OPT_OUT, httponly: OPT_OUT)
+          expect(cookie.to_s).to eq("_session=thisisatest; SameSite=#{flag}")
+        end
 
-      it "does not flag cookies as SameSite=Strict when excluded" do
-        cookie = Cookie.new(raw_cookie, samesite: { strict: { except: ["_session"] }}, secure: OPT_OUT, httponly: OPT_OUT)
-        expect(cookie.to_s).to eq("_session=thisisatest")
+        it "does not flag cookies as SameSite=#{flag} when excluded" do
+          cookie = Cookie.new(raw_cookie, samesite: { flag.downcase.to_sym => { except: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
+          expect(cookie.to_s).to eq("_session=thisisatest")
+        end
       end
 
       it "flags SameSite=Strict when configured with a boolean" do
@@ -149,10 +141,15 @@ module SecureHeaders
       end.to raise_error(CookiesConfigError)
     end
 
-    it "raises an exception when SameSite lax and strict enforcement modes are configured with booleans" do
-      expect do
-        Cookie.validate_config!(samesite: { lax: true, strict: true})
-      end.to raise_error(CookiesConfigError)
+    cookie_options = %i(none lax strict)
+    cookie_options.each do |flag|
+      (cookie_options - [flag]).each do |other_flag|
+        it "raises an exception when SameSite #{flag} and #{other_flag} enforcement modes are configured with booleans" do
+          expect do
+            Cookie.validate_config!(samesite: { flag => true, other_flag => true})
+          end.to raise_error(CookiesConfigError)
+        end
+      end
     end
 
     it "raises an exception when SameSite lax and strict enforcement modes are configured with booleans" do

data/spec/spec_helper.rb

@@ -45,10 +45,20 @@ module SecureHeaders
       def clear_default_config
         remove_instance_variable(:@default_config) if defined?(@default_config)
       end
+
+      def clear_overrides
+        remove_instance_variable(:@overrides) if defined?(@overrides)
+      end
+
+      def clear_appends
+        remove_instance_variable(:@appends) if defined?(@appends)
+      end
     end
   end
 end
 
 def reset_config
   SecureHeaders::Configuration.clear_default_config
+  SecureHeaders::Configuration.clear_overrides
+  SecureHeaders::Configuration.clear_appends
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 6.1.0
+  version: 6.3.1
 platform: ruby
 authors:
 - Neil Matatall
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-02-23 00:00:00.000000000 Z
+date: 2020-06-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -33,12 +33,13 @@ extra_rdoc_files: []
 files:
 - ".github/ISSUE_TEMPLATE.md"
 - ".github/PULL_REQUEST_TEMPLATE.md"
+- ".github/workflows/build.yml"
+- ".github/workflows/sync.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
 - ".ruby-gemset"
 - ".ruby-version"
-- ".travis.yml"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - CONTRIBUTING.md
@@ -115,7 +116,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.1
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Add easily configured security headers to responses including content-security-policy,

data/.travis.yml

@@ -1,28 +0,0 @@
-language: ruby
-
-rvm:
-  - ruby-head
-  - 2.6.1
-  - 2.5.0
-  - 2.4.3
-  - jruby-head
-
-env:
-  - SUITE=rspec spec
-  - SUITE=rubocop
-
-script: bundle exec $SUITE
-
-matrix:
-  allow_failures:
-    - rvm: jruby-head
-    - rvm: ruby-head
-
-before_install:
-  - gem update --system
-  - gem --version
-  - gem update bundler
-bundler_args: --without guard -j 3
-
-sudo: false
-cache: bundler