Bug fix release.
- Parsing of CSP reports was broken.
- Forwarded reports did not include the original Referer, IP address, or User-Agent.
- Removed the brwsr dependency (no more runtime dependencies).
- Stop serving X- prefixed CSP headers.
  This change means that all requests get all headers, even if the browser doesn't understand them.
Features:
- Use non-prefixed header names for Firefox >= 23 and Chrome >= 25.
- Use the CSP 1.0 compliant header for Firefox >= 23.
Bug Fix:
- Stop sending CSP to Safari 5.1+.
- X-Content-Type-Options is now also applied to Chrome requests.
- Safari 5 is completely broken when CSP is used, in both the mobile and desktop versions.
- Fix a bug where Fixnums couldn't be used for config values.
- Doc updates
- Allow strings or ints in the HSTS max-age (@reedloden)
- Treat each header as its own before_filter. This allows you to `skip_before_filter :set_X_header, :only => :bad_idea`.
  - Should be backwards compatible, but it is a change to the API.
- Greatly reduce the need to use the forward_endpoint attribute. If you are posting from your site to a host that matches TLD+1 (e.g. translate.twitter.com matches twitter.com), use a protocol-relative value for report-uri; this removes the need to use forwarding. If your host doesn't match, you still need to use forwarding, because Firefox rejects report-uri values on a mismatched host.
- Fix error in report-uri logic for Firefox forwarding.
- Stop applying chrome-extension: to Firefox directives.
- Firefox headers will now stop overriding report_uri when only a path is supplied
- 0.1.0 introduced a serious regression in which child controllers overwrote parent controller config values
- Decoupling of CSP headers and the request object. This allows you to generate static values to save cycles:

        FIREFOX = SecureHeaders::ContentSecurityPolicy.new(config, :ua => "Firefox", :ssl => true).value
        CHROME  = SecureHeaders::ContentSecurityPolicy.new(config, :ua => "Chrome", :ssl => true).value
- :forward_endpoint now acts as the endpoint that reports are forwarded to (when using the internal forwarder feature for cross-host reporting)
- Skeleton applications have been added to test isolated application configurations
- Cleanup by @bemurphy
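The report-uri rule described above (same TLD+1 means a protocol-relative report-uri is enough; otherwise forwarding is required), as an added illustration that is not the gem's own code. It assumes "TLD+1" can be approximated by the last two DNS labels, which is not correct for public suffixes such as co.uk.

```ruby
# Added example, not part of secure_headers: decide whether a CSP report-uri
# pointing at `report_host` can be served as a protocol-relative value from a
# page on `site_host`, or whether cross-host forwarding is still required.
#
# Assumption: "TLD+1" is approximated as the last two DNS labels. This is wrong
# for public suffixes such as co.uk; a real implementation should consult the
# Public Suffix List.
def registrable_domain(host)
  labels = host.strip.downcase.chomp(".").split(".")
  labels.last(2).join(".")
end

# Returns the value to put in report-uri when no forwarding is needed, or nil
# when the hosts do not share a TLD+1 and :forward_endpoint must be used.
def report_uri_for(site_host, report_host, path = "/csp_report")
  if registrable_domain(site_host) == registrable_domain(report_host)
    "//#{report_host}#{path}" # protocol-relative: works for http and https pages
  else
    nil                       # host mismatch: Firefox needs the forwarder
  end
end

if __FILE__ == $0
  puts report_uri_for("translate.twitter.com", "twitter.com").inspect
  puts report_uri_for("example.com", "reports.example.org").inspect
end
```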
Bug fix: Firefox doesn't seem to like the default-src directive; reverting back to 'allow'.
- Gem is renamed to secure_headers. This will make bundler happy. github#26
- Ability to apply two headers, one in enforce mode and one in "experimental" mode. github#11
- Rails 3.0 support. github#28
- Fix issue where settings in application_controller were ignored if no initializer was supplied. github#25
- Better support for other frameworks, including docs from @achui, @bmaland
- Rails 4 routes support from @jviney github#13
- data: automatically whitelisted for img-src
- Doc updates from @ming13, @theverything, @dcollazo