secure_headers 6.5.0 → 6.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bafd5e6390db0f1975599ab34f1293986a5c0a1ced14f6cfeca47fd114ce87d4
-  data.tar.gz: 177dc27fa8238fe1a8baa238f6baa244b2c03393f61269e9b417e5ea3a4a4bba
+  metadata.gz: 6919954e57f87c70a4fa42baa5285649bd7484ec6785894a2b461b6f52558f29
+  data.tar.gz: 710492a0e64a47f41f2b079e6d4799922aa05e51d017cacafcc20d77383815ee
 SHA512:
-  metadata.gz: 7a24f853958892e2780dec3cfd8f631d394c959cda6d3f8be5d701792fc1ce57d4141ca88e7b0980fcac979cc855a0c5bc9165a05b314fe281ce092a438f1fe1
-  data.tar.gz: c082a3ee192452712f8e9c7ed18d5c21b5b3eb1712c3d9a4df44220093cf1be09a8e5384f5c8a8909820f1e0048c6d3b6915cc29081288bcf13361bf8cf7dbed
+  metadata.gz: efd8e608dfeafc5d7e7fcd06274b0b8ed0c640744ab9d8113597bef916f31666cbf518b1dcd6869d7af42fbcbaf15a6a4cf8100b97fcbf52f5ba790e495e26c0
+  data.tar.gz: dcc504641e1c22b24a05c76534e2f8ba7a7fd5ff1b5f891eb467d23876c60900ef235d2dd4ba49af4352b23ffd1cd246c720aff79668244b6a10cec3aab8ed6f

data/.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

data/.github/workflows/build.yml

@@ -7,10 +7,10 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        ruby: [ '2.6', '2.7', '3.0', '3.1' ]
+        ruby: [ '2.6', '2.7', '3.0', '3.1', '3.2' ]
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
     - name: Set up Ruby ${{ matrix.ruby }}
       uses: ruby/setup-ruby@v1
       with:

data/Gemfile

@@ -3,6 +3,8 @@ source "https://rubygems.org"
 
 gemspec
 
+gem "benchmark-ips"
+
 group :test do
   gem "coveralls"
   gem "json"

data/README.md

@@ -62,7 +62,6 @@ SecureHeaders::Configuration.default do |config|
     # directive values: these values will directly translate into source directives
     default_src: %w('none'),
     base_uri: %w('self'),
-    block_all_mixed_content: true, # see https://www.w3.org/TR/mixed-content/
     child_src: %w('self'), # if child-src isn't supported, the value for frame-src will be set.
     connect_src: %w(wss:),
     font_src: %w('self' data:),
@@ -92,6 +91,9 @@ SecureHeaders::Configuration.default do |config|
 end
 ```
 
+### Deprecated Configuration Values
+* `block_all_mixed_content` - this value is deprecated in favor of `upgrade_insecure_requests`. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content for more information.
+
 ## Default values
 
 All headers except for PublicKeyPins and ClearSiteData have a default value. The default set of headers is:

data/lib/secure_headers/configuration.rb

@@ -83,14 +83,17 @@ module SecureHeaders
       # can lead to modifying parent objects.
       def deep_copy(config)
         return unless config
-        config.each_with_object({}) do |(key, value), hash|
-          hash[key] =
-            if value.is_a?(Array)
+        result = {}
+        config.each_pair do |key, value|
+          result[key] =
+            case value
+            when Array
               value.dup
             else
               value
             end
         end
+        result
       end
 
       # Private: Returns the internal default configuration. This should only

data/lib/secure_headers/headers/content_security_policy.rb

@@ -20,9 +20,9 @@ module SecureHeaders
           config
         end
 
-      @preserve_schemes = @config.preserve_schemes
-      @script_nonce = @config.script_nonce
-      @style_nonce = @config.style_nonce
+      @preserve_schemes = @config[:preserve_schemes]
+      @script_nonce = @config[:script_nonce]
+      @style_nonce = @config[:style_nonce]
     end
 
     ##

data/lib/secure_headers/headers/content_security_policy_config.rb

@@ -1,66 +1,23 @@
 # frozen_string_literal: true
 module SecureHeaders
   module DynamicConfig
-    def self.included(base)
-      base.send(:attr_reader, *base.attrs)
-      base.attrs.each do |attr|
-        base.send(:define_method, "#{attr}=") do |value|
-          if self.class.attrs.include?(attr)
-            write_attribute(attr, value)
-          else
-            raise ContentSecurityPolicyConfigError, "Unknown config directive: #{attr}=#{value}"
-          end
-        end
-      end
-    end
-
     def initialize(hash)
-      @base_uri = nil
-      @block_all_mixed_content = nil
-      @child_src = nil
-      @connect_src = nil
-      @default_src = nil
-      @font_src = nil
-      @form_action = nil
-      @frame_ancestors = nil
-      @frame_src = nil
-      @img_src = nil
-      @manifest_src = nil
-      @media_src = nil
-      @navigate_to = nil
-      @object_src = nil
-      @plugin_types = nil
-      @prefetch_src = nil
-      @preserve_schemes = nil
-      @report_only = nil
-      @report_uri = nil
-      @require_sri_for = nil
-      @require_trusted_types_for = nil
-      @sandbox = nil
-      @script_nonce = nil
-      @script_src = nil
-      @script_src_elem = nil
-      @script_src_attr = nil
-      @style_nonce = nil
-      @style_src = nil
-      @style_src_elem = nil
-      @style_src_attr = nil
-      @trusted_types = nil
-      @worker_src = nil
-      @upgrade_insecure_requests = nil
-      @disable_nonce_backwards_compatibility = nil
+      @config = {}
 
       from_hash(hash)
     end
 
+    def initialize_copy(hash)
+      @config = hash.to_h
+    end
+
     def update_directive(directive, value)
-      self.send("#{directive}=", value)
+      @config[directive] = value
     end
 
     def directive_value(directive)
-      if self.class.attrs.include?(directive)
-        self.send(directive)
-      end
+      # No need to check attrs, as we only assign valid keys
+      @config[directive]
     end
 
     def merge(new_hash)
@@ -78,10 +35,7 @@ module SecureHeaders
     end
 
     def to_h
-      self.class.attrs.each_with_object({}) do |key, hash|
-        value = self.send(key)
-        hash[key] = value unless value.nil?
-      end
+      @config.dup
     end
 
     def dup
@@ -114,8 +68,11 @@ module SecureHeaders
 
     def write_attribute(attr, value)
       value = value.dup if PolicyManagement::DIRECTIVE_VALUE_TYPES[attr] == :source_list
-      attr_variable = "@#{attr}"
-      self.instance_variable_set(attr_variable, value)
+      if value.nil?
+        @config.delete(attr)
+      else
+        @config[attr] = value
+      end
     end
   end
 
@@ -123,7 +80,7 @@ module SecureHeaders
   class ContentSecurityPolicyConfig
     HEADER_NAME = "Content-Security-Policy".freeze
 
-    ATTRS = PolicyManagement::ALL_DIRECTIVES + PolicyManagement::META_CONFIGS + PolicyManagement::NONCES
+    ATTRS = Set.new(PolicyManagement::ALL_DIRECTIVES + PolicyManagement::META_CONFIGS + PolicyManagement::NONCES)
     def self.attrs
       ATTRS
     end

data/lib/secure_headers/headers/cookie.rb

@@ -80,9 +80,9 @@ module SecureHeaders
     end
 
     def conditionally_flag?(configuration)
-      if(Array(configuration[:only]).any? && (Array(configuration[:only]) & parsed_cookie.keys).any?)
+      if (Array(configuration[:only]).any? && (Array(configuration[:only]) & parsed_cookie.keys).any?)
         true
-      elsif(Array(configuration[:except]).any? && (Array(configuration[:except]) & parsed_cookie.keys).none?)
+      elsif (Array(configuration[:except]).any? && (Array(configuration[:except]) & parsed_cookie.keys).none?)
         true
       else
         false

data/lib/secure_headers/headers/policy_management.rb

@@ -71,7 +71,6 @@ module SecureHeaders
 
     # All the directives currently under consideration for CSP level 3.
     # https://w3c.github.io/webappsec/specs/CSP2/
-    BLOCK_ALL_MIXED_CONTENT = :block_all_mixed_content
     MANIFEST_SRC = :manifest_src
     NAVIGATE_TO = :navigate_to
     PREFETCH_SRC = :prefetch_src
@@ -85,7 +84,6 @@ module SecureHeaders
 
     DIRECTIVES_3_0 = [
       DIRECTIVES_2_0,
-      BLOCK_ALL_MIXED_CONTENT,
       MANIFEST_SRC,
       NAVIGATE_TO,
       PREFETCH_SRC,
@@ -118,7 +116,6 @@ module SecureHeaders
 
     DIRECTIVE_VALUE_TYPES = {
       BASE_URI                  => :source_list,
-      BLOCK_ALL_MIXED_CONTENT   => :boolean,
       CHILD_SRC                 => :source_list,
       CONNECT_SRC               => :source_list,
       DEFAULT_SRC               => :source_list,
@@ -241,7 +238,7 @@ module SecureHeaders
       #
       # raises an error if the original config is OPT_OUT
       #
-      # 1. for non-source-list values (report_only, block_all_mixed_content, upgrade_insecure_requests),
+      # 1. for non-source-list values (report_only, upgrade_insecure_requests),
       # additions will overwrite the original value.
       # 2. if a value in additions does not exist in the original config, the
       # default-src value is included to match original behavior.

data/lib/secure_headers/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module SecureHeaders
-  VERSION = "6.5.0"
+  VERSION = "6.7.0"
 end

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -92,13 +92,13 @@ module SecureHeaders
       end
 
       it "does add a boolean directive if the value is true" do
-        csp = ContentSecurityPolicy.new(default_src: ["https://example.org"], block_all_mixed_content: true, upgrade_insecure_requests: true)
-        expect(csp.value).to eq("default-src example.org; block-all-mixed-content; upgrade-insecure-requests")
+        csp = ContentSecurityPolicy.new(default_src: ["https://example.org"], upgrade_insecure_requests: true)
+        expect(csp.value).to eq("default-src example.org; upgrade-insecure-requests")
       end
 
       it "does not add a boolean directive if the value is false" do
-        csp = ContentSecurityPolicy.new(default_src: ["https://example.org"], block_all_mixed_content: true, upgrade_insecure_requests: false)
-        expect(csp.value).to eq("default-src example.org; block-all-mixed-content")
+        csp = ContentSecurityPolicy.new(default_src: ["https://example.org"], upgrade_insecure_requests: false)
+        expect(csp.value).to eq("default-src example.org")
       end
 
       it "handles wildcard subdomain with wildcard port" do

data/spec/lib/secure_headers/headers/policy_management_spec.rb

@@ -30,7 +30,6 @@ module SecureHeaders
           default_src: %w(https: 'self'),
 
           base_uri: %w('self'),
-          block_all_mixed_content: true, # see [http://www.w3.org/TR/mixed-content/](http://www.w3.org/TR/mixed-content/)
           connect_src: %w(wss:),
           child_src: %w('self' *.twimg.com itunes.apple.com),
           font_src: %w('self' data:),
@@ -92,12 +91,6 @@ module SecureHeaders
         end.to raise_error(ContentSecurityPolicyConfigError)
       end
 
-      it "requires :block_all_mixed_content to be a boolean value" do
-        expect do
-          ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(block_all_mixed_content: "steve")))
-        end.to raise_error(ContentSecurityPolicyConfigError)
-      end
-
       it "requires :upgrade_insecure_requests to be a boolean value" do
         expect do
           ContentSecurityPolicy.validate_config!(ContentSecurityPolicyConfig.new(default_opts.merge(upgrade_insecure_requests: "steve")))
@@ -244,18 +237,18 @@ module SecureHeaders
         expect(csp.name).to eq(ContentSecurityPolicyReportOnlyConfig::HEADER_NAME)
       end
 
-      it "overrides the :block_all_mixed_content flag" do
+      it "overrides the :upgrade_insecure_requests flag" do
         Configuration.default do |config|
           config.csp = {
             default_src: %w(https:),
             script_src: %w('self'),
-            block_all_mixed_content: false
+            upgrade_insecure_requests: false
           }
         end
         default_policy = Configuration.dup
-        combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, block_all_mixed_content: true)
+        combined_config = ContentSecurityPolicy.combine_policies(default_policy.csp.to_h, upgrade_insecure_requests: true)
         csp = ContentSecurityPolicy.new(combined_config)
-        expect(csp.value).to eq("default-src https:; block-all-mixed-content; script-src 'self'")
+        expect(csp.value).to eq("default-src https:; script-src 'self'; upgrade-insecure-requests")
       end
 
       it "raises an error if appending to a OPT_OUT policy" do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 6.5.0
+  version: 6.7.0
 platform: ruby
 authors:
 - Neil Matatall
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-10-25 00:00:00.000000000 Z
+date: 2024-08-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -36,6 +36,7 @@ extra_rdoc_files: []
 files:
 - ".github/ISSUE_TEMPLATE.md"
 - ".github/PULL_REQUEST_TEMPLATE.md"
+- ".github/dependabot.yml"
 - ".github/workflows/build.yml"
 - ".github/workflows/github-release.yml"
 - ".gitignore"
@@ -104,7 +105,7 @@ homepage: https://github.com/twitter/secureheaders
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -119,8 +120,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
-signing_key:
+rubygems_version: 3.0.3.1
+signing_key: 
 specification_version: 4
 summary: Manages application of security headers with many safe defaults.
 test_files: