add docs around breaking changes

github · Jul 12, 2017 · 1b94fe0 · 1b94fe0
1 parent cecc908
commit 1b94fe0
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,8 @@
+## 4.x
+
+- `script_src` is required to be set in CSP configs. Falling back to *any* `default-src` can be bad. It's certainly possible for this to not cause a problem but better safe than sorry.
+- The default CSP has been changed: `default-src 'self', form-action 'self'; object-src 'none'; script-src https:; style-src 'self' 'unsafe-inline' https:` This policy is "more secure" and more reasonable.
+
 ## 3.6.5
 
 Update clear-site-data header to use current format specified by the specification.

diff --git a/lib/secure_headers/headers/policy_management.rb b/lib/secure_headers/headers/policy_management.rb
@@ -210,7 +210,7 @@ def make_header(config, user_agent)
       def validate_config!(config)
         return if config.nil? || config.opt_out?
         raise ContentSecurityPolicyConfigError.new(":default_src is required") unless config.directive_value(:default_src)
-        raise ContentSecurityPolicyConfigError.new(":script is required, falling back to default-src is too dangerous") unless config.directive_value(:script_src)
+        raise ContentSecurityPolicyConfigError.new(":script_src is required, falling back to default-src is too dangerous") unless config.directive_value(:script_src)
         ContentSecurityPolicyConfig.attrs.each do |key|
           value = config.directive_value(key)
           next unless value