Releases: github/secure_headers
Performance improvement
@igrep reported an anti-pattern in our use of UserAgentParser. It caused UserAgentParser to reload its entire configuration set twice per request. Moving this to a cached constant prevents the repeated reinstantiation and will improve performance.
Bug fix release
More UA sniffing
Some internal changes affecting behavior, but not functionality
If you leveraged secure_headers' automatic filling of empty directives, the header value will change, but it should not affect how the browser applies the policy. The content of CSP reports may change if you do not update your policy.
before:

```ruby
config.csp = {
  :default_src => "'self'"
}
```

would produce `default-src 'self'; connect-src 'self'; frame-src 'self' ... etc.`

after:

```ruby
config.csp = {
  :default_src => "'self'"
}
```

will produce `default-src 'self'`
The reason for this is that a default-src violation was basically impossible to handle. Chrome sends an effective-directive, which helps indicate what kind of violation occurred even if it fell back to default-src. This is part of the CSP Level 2 spec, so hopefully other browsers will implement this soon.
Workaround
Just set the values yourself, but really a default-src of anything other than 'none' implies the policy can be tightened dramatically. "ZOMG don't you work for github and doesn't github send a default-src of * ???" Yes, this is true. I disagree with this, but at the same time, github defines every single known directive that a browser supports, so default-src will only apply if a new directive is introduced, and we'd rather fail open. For now.
```ruby
config.csp = {
  :default_src => "'self'",
  :connect_src => "'self'",
  :frame_src   => "'self'"
  # ... etc.
}
```
Besides, relying on default-src is often not what you want and encourages an overly permissive policy. I've seen it. Seriously. `default-src 'unsafe-inline' 'unsafe-eval' https: http:;` That's terrible.
Add header_hash feature for use in middleware.
Print deprecation warning for 1.8.7 users, as discussed in #154.
Adds ability to opt-out of automatically adding data: sources to img-src
Another option for config granularity (see #147): allows you to override a controller method that returns a config in the context of the executing action.
When using nonces, do not include the nonce for Safari / IE. See #150.

Safari will generate a warning that it doesn't support nonces and will fall back to `unsafe-inline`. Things will still work, but an ugly message is printed to the console. This opts Safari and IE users out of the inline script protection. I haven't verified any IE behavior yet, so I'm just assuming it doesn't work.
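As an added example (not secure_headers' code, and not the UserAgentParser gem it uses) of the opt-out described above, the following sniffs the browser family with a constructed regex check and picks the inline-script source for script-src accordingly. It also covers the edge case a naive check misses: Chrome's user agent string contains the word "Safari", so Safari has to be detected as "Safari but not Chrome". The user agent strings are constructed samples.

```ruby
# Added example, not code from secure_headers. The sniffing below is a
# constructed regex check standing in for a real user agent parser.

# Order matters: IE first (Trident), then Chrome, and only then Safari,
# because Chrome's UA string also contains "Safari".
def ua_family(user_agent)
  ua = user_agent.to_s
  return :ie if ua.match?(%r{MSIE|Trident/})
  return :chrome if ua.match?(/Chrome|Chromium/)
  return :safari if ua.include?("Safari")
  :other
end

# Families opted out of nonces: Safari (warns and falls back to 'unsafe-inline')
# and IE (assumed unsupported, as the release notes say).
NONCE_UNSUPPORTED = %i[safari ie].freeze

# The source expression used to allow the page's own inline scripts.
def inline_script_source(user_agent, nonce)
  if NONCE_UNSUPPORTED.include?(ua_family(user_agent))
    "'unsafe-inline'"
  else
    "'nonce-#{nonce}'"
  end
end

def script_src(user_agent, nonce)
  "script-src 'self' #{inline_script_source(user_agent, nonce)}"
end

# Constructed sample user agent strings (abbreviated, not real captures).
SAFARI_UA  = "Mozilla/5.0 (Macintosh) AppleWebKit/600.1 (KHTML, like Gecko) Version/8.0 Safari/600.1".freeze
CHROME_UA  = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0 Safari/537.36".freeze
IE_UA      = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko".freeze
FIREFOX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0".freeze

if __FILE__ == $PROGRAM_NAME
  nonce = "constructed-nonce-value"
  [SAFARI_UA, CHROME_UA, IE_UA, FIREFOX_UA].each do |ua|
    puts "#{ua_family(ua)}: #{script_src(ua, nonce)}"
  end
end
```

The user agent header is client-supplied, so any client that presents a Safari or IE string receives the `'unsafe-inline'` policy; the opt-out trades inline-script protection for a clean console on those browsers, exactly as the note above says, and is worth keeping in mind when reading CSP reports from those families.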
Pass controller reference to callable config value expressions. This facilitates better per-request config:

```ruby
:enforce => lambda { |controller| controller.current_user.beta_testing? }
```

NOTE: if you used `lambda` config values, this will raise an exception until you add the controller reference.

bad:

```ruby
lambda { true }
```

good:

```ruby
lambda { |controller| true }
proc { true }
proc { |controller| true }
```
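The bad/good distinction comes from Ruby itself: a lambda checks its arity when called, so `lambda { true }` raises ArgumentError once the library starts passing the controller, while a proc ignores extra arguments. The following added example (not secure_headers' own resolution code) shows a config resolver that passes the controller to every callable value, and a helper that classifies each of the four cases above. The controller and user are constructed stand-ins for Rails objects.

```ruby
# Added example, not code from secure_headers. User and Controller are
# constructed stand-ins for the Rails objects a real config lambda would see.
class User
  def initialize(beta_testing)
    @beta_testing = beta_testing
  end

  def beta_testing?
    @beta_testing
  end
end

Controller = Struct.new(:current_user)

# Resolve one config value for the current request: call it with the
# controller if it is callable, otherwise return it unchanged. A lambda
# declared without the controller parameter raises ArgumentError here.
def resolve_value(value, controller)
  value.respond_to?(:call) ? value.call(controller) : value
end

# Resolve every value in a config hash for the current request.
def resolve_config(config, controller)
  config.transform_values { |v| resolve_value(v, controller) }
end

# Classify a callable as :ok or :arity_error under the new calling convention.
def check_callable(callable, controller)
  resolve_value(callable, controller)
  :ok
rescue ArgumentError
  :arity_error
end

if __FILE__ == $PROGRAM_NAME
  beta_controller = Controller.new(User.new(true))
  config = {
    enforce: lambda { |controller| controller.current_user.beta_testing? },
    report_uri: "/csp-report" # constructed path, a plain value is passed through
  }
  p resolve_config(config, beta_controller)
  p check_callable(lambda { true }, beta_controller)                 # :arity_error
  p check_callable(lambda { |controller| true }, beta_controller)    # :ok
  p check_callable(proc { true }, beta_controller)                   # :ok
  p check_callable(proc { |controller| true }, beta_controller)      # :ok
end
```

Because the check happens when the value is resolved, a zero-arity lambda fails on the first request that exercises it rather than at configuration time, so it is worth resolving the config once in a test against a stub controller after upgrading.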