RubyGems - secure_headers - Versions diffs - 6.6.0 → 7.0.0 - Mend

secure_headers 6.6.0 → 7.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

checksums.yaml +4 -4
data/.github/workflows/build.yml +7 -6
data/Gemfile +2 -0
data/README.md +1 -1
data/docs/upgrading-to-7-0.md +12 -0
data/lib/secure_headers/configuration.rb +6 -3
data/lib/secure_headers/headers/content_security_policy.rb +3 -3
data/lib/secure_headers/headers/content_security_policy_config.rb +15 -57
data/lib/secure_headers/headers/x_xss_protection.rb +1 -1
data/lib/secure_headers/version.rb +1 -1
data/secure_headers.gemspec +1 -1
metadata +4 -3

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2afd142dc54275ace387af0a964bba3918655513474a14f11959532616108d58
-  data.tar.gz: f520ab4f191710af2d78bc662319b02ab7819bba57a091c921822984393f18e5
+  metadata.gz: df732bcf03768407849220aa164adc5b05c741d3ffcaea00d80758bd936d4e65
+  data.tar.gz: d979d4a8892a101b2efbeba1fc2fd3fbeffa154d9e429aaf7a5ff73d889bbdac
 SHA512:
-  metadata.gz: 3fe9df12ae44cabd372f84e8eebd47946e6102d8c920cf48752e3f36bcd1db3e429cbc47e54dda8f8194b4ae2cb90c583eec38b0e7906bac8f0fb9337eb7ecad
-  data.tar.gz: 56a30016b7f290693c89d8f8e2fd4e3d8425962a2dcb0fb75c96bd6b2fc8b85b890373a4ebd160e7cf2896e494697a563dd882f11f7527da9c29234d41bd2b17
+  metadata.gz: be8e613fe594063d0921ee9e971c43522cf4d434ef1ae958a15a20cb9cf07d74180803323c90cafe9ac1cb9c09377110d3757f4b4a0b91774401fe09dff1da40
+  data.tar.gz: 47471941c3192cfff7e3fc1d2442a2c5106334a192cede9e8aa432ce7c7906eeb369ad528989932e33e6fdae02853c37c90609be47ce1b256634af9d6455d379

data/.github/workflows/build.yml CHANGED Viewed

@@ -1,6 +1,9 @@
 name: Build + Test
 on: [pull_request, push]
+permissions:
+  contents: read
 jobs:
   build:
     name: Build + Test
@@ -10,15 +13,13 @@ jobs:
         ruby: [ '2.6', '2.7', '3.0', '3.1', '3.2' ]
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Set up Ruby ${{ matrix.ruby }}
-      uses: ruby/setup-ruby@v1
+      uses: ruby/setup-ruby@f26937343756480a8cb3ae1f623b9c8d89ed6984 #v1.190.0 tag
       with:
         ruby-version: ${{ matrix.ruby }}
+        bundler-cache: true
     - name: Build and test with Rake
       run: |
-        gem install bundler
-        bundle install --jobs 4 --retry 3 --without guard
-        bundle exec rspec spec
         bundle exec rubocop
+        bundle exec rspec spec

data/Gemfile CHANGED Viewed

@@ -3,6 +3,8 @@ source "https://rubygems.org"
 gemspec
+gem "benchmark-ips"
 group :test do
   gem "coveralls"
   gem "json"

data/README.md CHANGED Viewed

@@ -105,7 +105,7 @@ X-Content-Type-Options: nosniff
 X-Download-Options: noopen
 X-Frame-Options: sameorigin
 X-Permitted-Cross-Domain-Policies: none
-X-Xss-Protection: 1; mode=block
+X-Xss-Protection: 0
 ```
 ## API configurations

data/docs/upgrading-to-7-0.md ADDED Viewed

@@ -0,0 +1,12 @@
+## X-Xss-Protection is set to 0 by default
+Version 6 and below of `secure_headers` set the `X-Xss-Protection` to `1; mode=block` by default. This was done to protect against reflected XSS attacks. However, this header is no longer recommended (see https://github.com/github/secure_headers/issues/439 for more information).
+If any functionality in your app depended on this header being set to the previous value, you will need to set it explicitly in your configuration.
+```ruby
+# config/initializers/secure_headers.rb
+SecureHeaders::Configuration.default do |config|
+  config.x_xss_protection = "1; mode=block"
+end
+```

data/lib/secure_headers/configuration.rb CHANGED Viewed

@@ -83,14 +83,17 @@ module SecureHeaders
       # can lead to modifying parent objects.
       def deep_copy(config)
         return unless config
-        config.each_with_object({}) do |(key, value), hash|
-          hash[key] =
-            if value.is_a?(Array)
+        result = {}
+        config.each_pair do |key, value|
+          result[key] =
+            case value
+            when Array
               value.dup
             else
               value
             end
         end
+        result
       end
       # Private: Returns the internal default configuration. This should only

data/lib/secure_headers/headers/content_security_policy.rb CHANGED Viewed

@@ -20,9 +20,9 @@ module SecureHeaders
           config
         end
-      @preserve_schemes = @config.preserve_schemes
-      @script_nonce = @config.script_nonce
-      @style_nonce = @config.style_nonce
+      @preserve_schemes = @config[:preserve_schemes]
+      @script_nonce = @config[:script_nonce]
+      @style_nonce = @config[:style_nonce]
     end
     ##

data/lib/secure_headers/headers/content_security_policy_config.rb CHANGED Viewed

@@ -1,65 +1,23 @@
 # frozen_string_literal: true
 module SecureHeaders
   module DynamicConfig
-    def self.included(base)
-      base.send(:attr_reader, *base.attrs)
-      base.attrs.each do |attr|
-        base.send(:define_method, "#{attr}=") do |value|
-          if self.class.attrs.include?(attr)
-            write_attribute(attr, value)
-          else
-            raise ContentSecurityPolicyConfigError, "Unknown config directive: #{attr}=#{value}"
-          end
-        end
-      end
-    end
     def initialize(hash)
-      @base_uri = nil
-      @child_src = nil
-      @connect_src = nil
-      @default_src = nil
-      @font_src = nil
-      @form_action = nil
-      @frame_ancestors = nil
-      @frame_src = nil
-      @img_src = nil
-      @manifest_src = nil
-      @media_src = nil
-      @navigate_to = nil
-      @object_src = nil
-      @plugin_types = nil
-      @prefetch_src = nil
-      @preserve_schemes = nil
-      @report_only = nil
-      @report_uri = nil
-      @require_sri_for = nil
-      @require_trusted_types_for = nil
-      @sandbox = nil
-      @script_nonce = nil
-      @script_src = nil
-      @script_src_elem = nil
-      @script_src_attr = nil
-      @style_nonce = nil
-      @style_src = nil
-      @style_src_elem = nil
-      @style_src_attr = nil
-      @trusted_types = nil
-      @worker_src = nil
-      @upgrade_insecure_requests = nil
-      @disable_nonce_backwards_compatibility = nil
+      @config = {}
       from_hash(hash)
     end
+    def initialize_copy(hash)
+      @config = hash.to_h
+    end
     def update_directive(directive, value)
-      self.send("#{directive}=", value)
+      @config[directive] = value
     end
     def directive_value(directive)
-      if self.class.attrs.include?(directive)
-        self.send(directive)
-      end
+      # No need to check attrs, as we only assign valid keys
+      @config[directive]
     end
     def merge(new_hash)
@@ -77,10 +35,7 @@ module SecureHeaders
     end
     def to_h
-      self.class.attrs.each_with_object({}) do |key, hash|
-        value = self.send(key)
-        hash[key] = value unless value.nil?
-      end
+      @config.dup
     end
     def dup
@@ -113,8 +68,11 @@ module SecureHeaders
     def write_attribute(attr, value)
       value = value.dup if PolicyManagement::DIRECTIVE_VALUE_TYPES[attr] == :source_list
-      attr_variable = "@#{attr}"
-      self.instance_variable_set(attr_variable, value)
+      if value.nil?
+        @config.delete(attr)
+      else
+        @config[attr] = value
+      end
     end
   end
@@ -122,7 +80,7 @@ module SecureHeaders
   class ContentSecurityPolicyConfig
     HEADER_NAME = "Content-Security-Policy".freeze
-    ATTRS = PolicyManagement::ALL_DIRECTIVES + PolicyManagement::META_CONFIGS + PolicyManagement::NONCES
+    ATTRS = Set.new(PolicyManagement::ALL_DIRECTIVES + PolicyManagement::META_CONFIGS + PolicyManagement::NONCES)
     def self.attrs
       ATTRS
     end

data/lib/secure_headers/headers/x_xss_protection.rb CHANGED Viewed

@@ -3,7 +3,7 @@ module SecureHeaders
   class XXssProtectionConfigError < StandardError; end
   class XXssProtection
     HEADER_NAME = "X-XSS-Protection".freeze
-    DEFAULT_VALUE = "1; mode=block"
+    DEFAULT_VALUE = "0".freeze
     VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/
     class << self

data/lib/secure_headers/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module SecureHeaders
-  VERSION = "6.6.0"
+  VERSION = "7.0.0"
 end

data/secure_headers.gemspec CHANGED Viewed

@@ -13,7 +13,7 @@ Gem::Specification.new do |gem|
   gem.description   = 'Add easily configured security headers to responses
     including content-security-policy, x-frame-options,
     strict-transport-security, etc.'
-  gem.homepage      = "https://github.com/twitter/secureheaders"
+  gem.homepage      = "https://github.com/github/secure_headers"
   gem.license       = "MIT"
   gem.files         = `git ls-files`.split($INPUT_RECORD_SEPARATOR)
   gem.executables   = gem.files.grep(%r{^bin/}).map { |f| File.basename(f) }

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 6.6.0
+  version: 7.0.0
 platform: ruby
 authors:
 - Neil Matatall
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-08-09 00:00:00.000000000 Z
+date: 2024-10-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -61,6 +61,7 @@ files:
 - docs/upgrading-to-4-0.md
 - docs/upgrading-to-5-0.md
 - docs/upgrading-to-6-0.md
+- docs/upgrading-to-7-0.md
 - lib/secure_headers.rb
 - lib/secure_headers/configuration.rb
 - lib/secure_headers/hash_helper.rb
@@ -101,7 +102,7 @@ files:
 - spec/lib/secure_headers/view_helpers_spec.rb
 - spec/lib/secure_headers_spec.rb
 - spec/spec_helper.rb
-homepage: https://github.com/twitter/secureheaders
+homepage: https://github.com/github/secure_headers
 licenses:
 - MIT
 metadata: {}