slimmer 18.0.0 → 18.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a7a260effd72ec2553063c010694a0486e5990b664e5934332630b40586933a1
-  data.tar.gz: 70ebd575e41468a07f64c9ebff2e0b168a5cd890f5f32c736bfdbd70befdb1f2
+  metadata.gz: 5c83a7a1a6f6cc3aa308937371b5bd5ed83640dc639f3601ad13b42f85e34b9e
+  data.tar.gz: '0862dc4f349e0b6ec12c8151cfe6be98ab06635ec58a947ac1e3a90d16fc28d7'
 SHA512:
-  metadata.gz: 62607015532688137712ead664e2948e7581c739d6ecfc58b31164d1f63a8a15b652f8e750a2af23e4b0a5439e4a5d139862e8d0bc3cf3c3535c8d93b387a898
-  data.tar.gz: 6bd6af1f703e2d4ec1ce04dc2a883fbb7f208e9d24a3819e257e2d109fc067d0472ed96001d9e873385beab1a3a1aff41db781561d37ac2d383a817fac5b761c
+  metadata.gz: 2f323c8d68bf3bf70e5127f1ac2ce00921b39b4f3f0ec16ca1675675b69ce2db802c75f3f5c0baa38ba6261b708579d42419f4fa5304b79e935345872c4ab42e
+  data.tar.gz: a56a4d1fc87d64c1d7c54f7fc18fbc235871584f43d63071e24d93620239a219bcaa057b795892e0bb71a8833b0b6e6862201cf254054db179185f224f9a466d

data/CHANGELOG.md

@@ -1,3 +1,12 @@
+# 18.2.0
+
+* Drop support for Ruby 2.7.
+* Update reference to deprecated Rack::Utils::HeaderHash
+
+# 18.1.0
+
+* Decorate inline script elements with nonce attribute for appropriately configured Rails requests
+
 # 18.0.0
 
 * BREAKING: Drop support for determining Rails < 6 application names

data/lib/slimmer/app.rb

@@ -42,7 +42,7 @@ module Slimmer
     end
 
     def response_can_be_rewritten?(status, headers)
-      Rack::Utils::HeaderHash.new(headers)["Content-Type"] =~ /text\/html/ && ![301, 302, 304].include?(status)
+      Rack::Headers.new.merge(headers)["Content-Type"] =~ /text\/html/ && ![301, 302, 304].include?(status)
     end
 
     def skip_slimmer?(env, response)
@@ -93,9 +93,7 @@ module Slimmer
     end
 
     def strip_slimmer_headers(headers)
-      # Convert Rack::Util::HeaderHash to a simple hash to avoid a Ruby warning
-      # of extra states not copied. Can be removed once Ruby < 3.1 support is removed.
-      headers.to_h.reject { |k, _v| k =~ /\A#{Headers::HEADER_PREFIX}/ }
+      headers.reject { |k, _v| k =~ /\A#{Headers::HEADER_PREFIX}/i }
     end
   end
 end

data/lib/slimmer/processors/nonce_inserter.rb

@@ -0,0 +1,21 @@
+module Slimmer::Processors
+  class NonceInserter
+    def initialize(env)
+      # As Rails is an optional dependency of this gem quietly do nothing if Rails
+      # classes don't exist.
+      @nonce = if defined?(ActionDispatch::Request)
+                 ActionDispatch::Request.new(env).content_security_policy_nonce
+               end
+    end
+
+    def filter(_src, dest)
+      return unless @nonce
+
+      # Add the nonce attribute to script elements that don't have a src attribute
+      # we expect those with src to be on a CSP host allow list
+      dest.css("script:not([src])").each do |script|
+        script["nonce"] = @nonce
+      end
+    end
+  end
+end

data/lib/slimmer/skin.rb

@@ -104,6 +104,7 @@ module Slimmer
       template_wrapper_id = "wrapper" # All templates in Static use `#wrapper`
 
       processors = [
+        Processors::NonceInserter.new(source_request.env), # for security, this needs to be run before any application HTML is inserted
         Processors::TitleInserter.new,
         Processors::TagMover.new,
         Processors::ConditionalCommentMover.new,

data/lib/slimmer/version.rb

@@ -1,3 +1,3 @@
 module Slimmer
-  VERSION = "18.0.0".freeze
+  VERSION = "18.2.0".freeze
 end

data/lib/slimmer.rb

@@ -38,6 +38,7 @@ module Slimmer
     autoload :ConditionalCommentMover, "slimmer/processors/conditional_comment_mover"
     autoload :FeedbackURLSwapper, "slimmer/processors/feedback_url_swapper"
     autoload :MetadataInserter, "slimmer/processors/metadata_inserter"
+    autoload :NonceInserter, "slimmer/processors/nonce_inserter"
     autoload :HeaderContextInserter, "slimmer/processors/header_context_inserter"
     autoload :InsideHeaderInserter, "slimmer/processors/inside_header_inserter"
     autoload :SearchPathSetter, "slimmer/processors/search_path_setter"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: slimmer
 version: !ruby/object:Gem::Version
-  version: 18.0.0
+  version: 18.2.0
 platform: ruby
 authors:
 - GOV.UK Dev
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-10-21 00:00:00.000000000 Z
+date: 2023-10-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json
@@ -170,14 +170,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.7.0
+        version: 4.12.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.7.0
+        version: 4.12.0
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
@@ -216,6 +216,7 @@ files:
 - lib/slimmer/processors/header_context_inserter.rb
 - lib/slimmer/processors/inside_header_inserter.rb
 - lib/slimmer/processors/metadata_inserter.rb
+- lib/slimmer/processors/nonce_inserter.rb
 - lib/slimmer/processors/search_parameter_inserter.rb
 - lib/slimmer/processors/search_path_setter.rb
 - lib/slimmer/processors/search_remover.rb
@@ -243,14 +244,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">"
     - !ruby/object:Gem::Version
-      version: 2.7.0
+      version: '3.0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.24
+rubygems_version: 3.4.21
 signing_key: 
 specification_version: 4
 summary: Thinner than the skinner