Changelog History
v3.6.4 Changes
- Fix case where mixing frame-src/child-src dynamically would behave in unexpected ways: https://github.com/twitter/secureheaders/pull/325

v3.6.3 Changes
- Remove deprecation warning when setting frame-src. It is no longer deprecated.

v3.6.2 Changes
- Now that Safari 10 supports nonces and it appears to work, enable the nonce feature for Safari.

v3.6.1 Changes
- Improved memory use via minor improvements (clever hacks that are sadly needed). Thanks @carlosantoniodasilva!

v3.6.0 Changes
- Add support for the clear-site-data header

v3.5.1 Changes
- Fix a bug that can occur when the useragent library version is older, resulting in a nil version sometimes.
- Add a constant for strict-dynamic

v3.5.0 Changes
- This release adds support for setting two CSP headers (enforced/report-only) and management around them.

v3.4.1 Changes
- Small bugfix
- If your CSP did not define a script-src/style-src and you tried to use a script/style nonce, the nonce would be added to the page but not to the CSP. A workaround is to define a script-src/style-src, but now the missing directive is added (and populated with the default-src).
Named Appends
Named Appends are blocks of code that can be reused and composed during requests. For example, if a certain partial is rendered conditionally and the CSP needs to be adjusted for that partial, you can create a named append for that situation. The value returned by the block will be passed into append_content_security_policy_directives. The current request object is passed as an argument to the block for even more flexibility.

```ruby
def show
  if include_widget?
    @widget = widget.render
    use_content_security_policy_named_append(:widget_partial)
  end
end

SecureHeaders::Configuration.named_append(:widget_partial) do |request|
  if request.controller_instance.current_user.in_test_bucket?
    SecureHeaders.override_x_frame_options(request, "DENY")
    { child_src: %w(beta.thirdpartyhost.com) }
  else
    { child_src: %w(thirdpartyhost.com) }
  end
end
```
You can use as many named appends as you would like per request, but be careful because the order of inclusion matters. Consider the following:

```ruby
SecureHeaders::Configuration.default do |config|
  config.csp = { default_src: %w('self') }
end

SecureHeaders::Configuration.named_append(:A) do |request|
  { default_src: %w(myhost.com) }
end

SecureHeaders::Configuration.named_append(:B) do |request|
  { script_src: %w('unsafe-eval') }
end
```
The following code will produce different policies due to the way policies are normalized (e.g. providing a previously undefined directive that inherits from default-src, removing host source values when * is provided, removing 'none' when additional values are present, etc.):

```ruby
def index
  use_content_security_policy_named_append(:A)
  use_content_security_policy_named_append(:B)
  # produces default-src 'self' myhost.com; script-src 'self' myhost.com 'unsafe-eval';
end

def show
  use_content_security_policy_named_append(:B)
  use_content_security_policy_named_append(:A)
  # produces default-src 'self' myhost.com; script-src 'self' 'unsafe-eval';
end
```
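To make the ordering effect concrete, here is an added, self-contained Ruby model of the append and normalization rules described above; it is a simplified illustration written for this page, not SecureHeaders' own implementation. The exact treatment of `*` (dropping explicit host sources while keeping keyword sources such as 'self') is an assumption of this model.

```ruby
# Simplified model of CSP append/normalization (added illustration, not the
# gem's code). Directives are symbols like :script_src; sources are strings.

# Normalize one directive's source list as the text describes: 'none' is
# dropped once other values are present, and a wildcard '*' makes explicit
# host sources redundant (keyword sources such as 'self' are kept; assumption).
def normalize_sources(sources)
  sources = sources.uniq
  sources -= ["'none'"] if sources.size > 1
  if sources.include?("*")
    sources = sources.reject { |s| s != "*" && !s.start_with?("'") }
  end
  sources
end

# Append directives to a policy. A directive the policy does not yet define
# starts from the current default-src, which is why append order matters.
def append_csp(policy, additions)
  policy = policy.transform_values(&:dup)
  additions.each do |directive, sources|
    base = policy[directive] ||
           (directive == :default_src ? [] : policy.fetch(:default_src, []))
    policy[directive] = normalize_sources(base + sources)
  end
  policy
end

# Render the policy as a Content-Security-Policy header value.
def to_header(policy)
  policy.map { |d, s| "#{d.to_s.tr('_', '-')} #{s.join(' ')}" }.join('; ')
end

# Constructed inputs mirroring the changelog's example above.
DEFAULT_POLICY = { default_src: %w('self') }.freeze
NAMED_APPENDS = {
  A: { default_src: %w(myhost.com) },
  B: { script_src: %w('unsafe-eval') },
}.freeze

# Apply the named appends in the given order, starting from the default policy.
def policy_for(*names)
  names.reduce(DEFAULT_POLICY) do |policy, name|
    append_csp(policy, NAMED_APPENDS.fetch(name))
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "index (A then B): #{to_header(policy_for(:A, :B))}"
  puts "show  (B then A): #{to_header(policy_for(:B, :A))}"
end
```

Running it prints the two policies from the comments above: with A first, script-src inherits myhost.com from the already-widened default-src; with B first, script-src is fixed from the original default-src before A widens it.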
v3.4.0 Changes
- Handle the child-src/frame-src transition semi-intelligently across versions. I think the code best describes the behavior here:

```ruby
if supported_directives.include?(:child_src)
  @config[:child_src] = @config[:child_src] || @config[:frame_src]
else
  @config[:frame_src] = @config[:frame_src] || @config[:child_src]
end
```
- Also, @koenpunt noticed that we were loading view helpers in a way that Rails 5 did not like.

v3.3.2 Changes
- @dankohn was seeing "already initialized" errors in his output. This change conditionally defines the constants.