Changelog History
Page 4

  • v3.6.4 Changes

    🛠 Fix case where mixing frame-src/child-src dynamically would behave in unexpected ways: https://github.com/twitter/secureheaders/pull/325

  • v3.6.3 Changes

    ✂ Remove deprecation warning when setting frame-src. It is no longer deprecated.

  • v3.6.2 Changes

    ๐Ÿ‘ Now that Safari 10 supports nonces and it appears to work, enable the nonce feature for safari.

  • v3.6.1 Changes

    👌 Improved memory use via minor improvements and clever hacks that are sadly needed. Thanks @carlosantoniodasilva!

  • v3.6.0 Changes

    ➕ Add support for the clear-site-data header

  • v3.5.1 Changes

    • 🛠 Fix a bug that can occur when the useragent library version is older, which sometimes resulted in a nil version.
    • ➕ Add constant for strict-dynamic

  • v3.5.0 Changes

    🚀 This release adds support for setting two CSP headers (enforced/report-only) and management around them.

  • v3.4.1 Changes

    🛠 Small bugfix

    💅 If your CSP did not define a script-src/style-src and you tried to use a script/style nonce, the nonce was added to the page but not to the CSP. The workaround was to define a script-src/style-src explicitly; now the missing directive should be added automatically (populated from default-src).

    Named Appends

    Named Appends are blocks of code that can be reused and composed during requests. For example, if a certain partial is rendered conditionally and the CSP needs to be adjusted for that partial, you can create a named append for that situation. The value returned by the block is passed into append_content_security_policy_directives. The current request object is passed as an argument to the block for even more flexibility.

    def show
      if include_widget?
        @widget = widget.render
        # Only widen the policy on requests that actually render the widget.
        use_content_security_policy_named_append(:widget_partial)
      end
    end
    
    
    SecureHeaders::Configuration.named_append(:widget_partial) do |request|
      # The block receives the current request; its return value is appended to the CSP.
      if request.controller_instance.current_user.in_test_bucket?
        SecureHeaders.override_x_frame_options(request, "DENY")
        { child_src: %w(beta.thirdpartyhost.com) }
      else
        { child_src: %w(thirdpartyhost.com) }
      end
    end
    

    You can use as many named appends as you would like per request, but be careful because order of inclusion matters. Consider the following:

    SecureHeaders::Configuration.default do |config|
      config.csp = { default_src: %w('self') }
    end
    
    SecureHeaders::Configuration.named_append(:A) do |request|
      { default_src: %w(myhost.com) }
    end
    
    SecureHeaders::Configuration.named_append(:B) do |request|
      { script_src: %w('unsafe-eval') }
    end
    

    0๏ธโƒฃ The following code will produce different policies due to the way policies are normalized (e.g. providing a previously undefined directive that inherits from default-src, removing host source values when * is provided. Removing 'none' when additional values are present, etc.):

    def index
      use_content_security_policy_named_append(:A)
      use_content_security_policy_named_append(:B)
      # produces default-src 'self' myhost.com; script-src 'self' myhost.com 'unsafe-eval';
    end
    
    def show
      use_content_security_policy_named_append(:B)
      use_content_security_policy_named_append(:A)
      # produces default-src 'self' myhost.com; script-src 'self' 'unsafe-eval';
    end
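    As an added example (not code from secure_headers itself), the following Ruby models the normalization rules listed above just far enough to reproduce the two header values shown in index and show. The helper names are hypothetical, and keeping quoted keyword sources alongside * is an assumption about the real gem's behavior.

```ruby
# Hypothetical model of secure_headers' CSP append normalization (not the gem's code).
# Rules taken from the changelog text:
#   1. a directive that is not yet defined inherits default-src's sources when first appended;
#   2. 'none' is dropped once other sources are present;
#   3. host sources are dropped when * is present (quoted keywords kept: assumption).

def normalize_sources(sources)
  sources = sources.uniq
  sources -= ["'none'"] if sources.size > 1
  sources = sources.select { |s| s == '*' || s.start_with?("'") } if sources.include?('*')
  sources
end

# Append directive => sources pairs to a policy hash, mimicking what the named append
# blocks on this page feed into append_content_security_policy_directives.
def append_csp_directives(policy, additions)
  additions.each do |directive, sources|
    current = policy[directive]
    # Rule 1: an undefined non-default directive starts from default-src's values.
    current = Array(policy[:default_src]).dup if current.nil? && directive != :default_src
    policy[directive] = normalize_sources((current || []) + sources)
  end
  policy
end

# Render the policy hash as a Content-Security-Policy header value.
def csp_header(policy)
  policy.map { |d, srcs| "#{d.to_s.tr('_', '-')} #{srcs.join(' ')}" }.join('; ') + ';'
end

# The two named appends from the changelog, as request-taking blocks (constructed here).
NAMED_APPENDS = {
  A: ->(_request) { { default_src: %w[myhost.com] } },
  B: ->(_request) { { script_src: %w['unsafe-eval'] } },
}.freeze

# Apply named appends in the given order to the page's default config and return the header.
def policy_after(*names, request: nil)
  policy = { default_src: %w['self'] }
  names.each { |n| append_csp_directives(policy, NAMED_APPENDS.fetch(n).call(request)) }
  csp_header(policy)
end

puts policy_after(:A, :B)  # the index action: default-src 'self' myhost.com; script-src 'self' myhost.com 'unsafe-eval';
puts policy_after(:B, :A)  # the show action:  default-src 'self' myhost.com; script-src 'self' 'unsafe-eval';
```

    Because script-src snapshots default-src at the moment it is first defined, later changes to default-src no longer flow into it, which is exactly why the order of use_content_security_policy_named_append calls matters.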
    
  • v3.4.0 Changes

    ๐Ÿ– Handle the child-src/frame-src transition semi-intelligently across versions. I think the code best descibes the behavior here:

    if supported_directives.include?(:child_src)
      @config[:child_src] = @config[:child_src] || @config[:frame_src]
    else
      @config[:frame_src] = @config[:frame_src] || @config[:child_src]
    end
    

    🚅 Also, @koenpunt noticed that we were loading view helpers in a way that Rails 5 did not like.

  • v3.3.2 Changes

    👀 @dankohn was seeing "already initialized" errors in his output. This change conditionally defines the constants.