Bump secure_headers from 3.6.7 to 3.9.0

[dependabot]

Bumps secure_headers from 3.6.7 to 3.9.0.

Changelog

Sourced from secure_headers's changelog.

6.3.0

Fixes newline injection issue

6.2.0

Fixes semicolon injection issue reported by @​mvgijssel see twitter/secure_headers#418

6.1.2

Adds the ability to specify SameSite=none with the same configurability as Strict/Lax in order to disable Chrome's soon-to-be-lax-by-default state.

6.1.1

Adds the ability to disable the automatically-appended 'unsafe-inline' value when nonces are used #404 (@​will)

6.1

Adds support for navigate-to, prefetch-src, and require-sri-for #395

NOTE: this version is a breaking change due to the removal of HPKP. Remove the HPKP config, the standard is dead. Apologies for not doing a proper deprecate/major rev cycle 🙏

6.0

• See the upgrading to 6.0 guide for the breaking changes.

5.0.5

• A release to deprecate SecureHeaders::Configuration#get in prep for 6.x

5.0.4

• Adds support for nonced_stylesheet_pack_tag #373 (@​paulfri)

5.0.3

• Add nonced versions of Rails link/include tags #372 (@​steveh)

5.0.2

• Updates Referrer-Policy header to support multiple policy values

5.0.1

• Updates Expect-CT header to use a comma separator between directives, as specified in the most current spec.

5.0.0

Well this is a little embarassing. 4.0 was supposed to set the secure/httponly/samesite=lax attributes on cookies by default but it didn't. Now it does. - See the upgrading to 5.0 guide.

... (truncated)

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

[longaraymatheus]

Looks safe. See change log below. 3.9.0 seems empty.

3.8.0

Fixes semicolon injection issue reported by @mvgijssel see github/secure_headers#418

3.7.4

Backport SameSite=None functionality into 3.x line

3.7.3

• Updates Expect-CT header to use a comma separator between directives, as specified in the most current spec.

3.7.2

• Adds support for worker-src CSP directive to 3.x line (Support worker-src CSP directive github/secure_headers#364)

3.7.1

Fix support for the sandbox attribute of CSP. true and [] represent the maximally restricted policy (sandbox;) and validate other values.

3.7.0

Adds support for the Expect-CT header (@jacobbednarz: github/secure_headers#322)