New API Implementation #191

Merged: 24 commits, Dec 11, 2015
Conversation

oreoshake (Contributor):

Followup to #181. As with the last PR, it's probably better to ignore the diff and look at the code directly.

The biggest change in this PR is the added support for "named overrides" - additional configuration objects that can be referenced by name. The header values are all precomputed so named overrides save the overhead of building a policy per request.

From the README:

```ruby
class ApplicationController < ActionController::Base
  SecureHeaders::Configuration.default do |config|
    config.csp = {
      default_src: %w('self'),
      script_src: %w(example.org)
    }
  end

  # override default configuration
  SecureHeaders::Configuration.override(:script_from_otherdomain_com) do |config|
    config.csp[:script_src] << "otherdomain.com"
  end

  # overrides the :script_from_otherdomain_com configuration
  SecureHeaders::Configuration.override(:another_config, :script_from_otherdomain_com) do |config|
    config.csp[:script_src] << "evenanotherdomain.com"
  end
end

class MyController < ApplicationController
  def index
    # Produces default-src 'self'; script-src example.org otherdomain.com
    use_secure_headers_override(:script_from_otherdomain_com)
  end

  def show
    # Produces default-src 'self'; script-src example.org otherdomain.com evenanotherdomain.com
    use_secure_headers_override(:another_config)
  end
end
```

Commit: fix regression with mutation of global state
Thanks to @igrep for pointing this out.

Fixes #187

- Configure a global default and named overrides
- Use helper methods to set/modify configurations at runtime
- Set the headers in middleware based on the configuration saved to request.env

Configuration changes:

- All headers require string values except for CSP and HPKP
- CSP directives must be arrays of strings, no more support for space-delimited strings or procs
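The two points that matter for security in the description above are that a named override is derived from a copy of its base (so registering an override never mutates the global default, which is the regression mentioned) and that header strings are computed once at registration rather than per request. The following is an added, self-contained model of that design; it is not secure_headers' own code, and the module, class and method names (`NamedOverrides`, `Config`, `build_csp`, `header_for`) are assumptions chosen for this illustration. It also enforces the "CSP directives must be arrays of strings" rule from the configuration changes.

```ruby
# Added example, not secure_headers' own code. Models the PR's "named overrides":
# a global default is registered once, each override is built from a deep copy
# of its base (default or another override), and the CSP header value is
# precomputed and frozen at registration, so per-request use is a hash lookup.
module NamedOverrides
  # Registry: name => { config: Config, csp_header: String }, all frozen.
  @configs = {}

  class Config
    attr_accessor :csp

    def initialize(csp = {})
      @csp = csp
    end

    # Copy the directive hash and every source array, so an override's
    # `config.csp[:script_src] << "..."` never touches its base.
    def deep_dup
      Config.new(@csp.each_with_object({}) { |(k, v), h| h[k] = v.dup })
    end
  end

  # Serialize a directive hash into a Content-Security-Policy header value.
  # Enforces the PR's rule that directive values are arrays of strings
  # (no space-delimited strings, no procs).
  def self.build_csp(csp)
    csp.map do |name, sources|
      unless sources.is_a?(Array) && sources.all? { |s| s.is_a?(String) }
        raise ArgumentError, "#{name} must be an array of strings, got #{sources.inspect}"
      end
      "#{name.to_s.tr('_', '-')} #{sources.join(' ')}"
    end.join('; ')
  end

  # Register the global default; the block mutates a fresh Config.
  def self.default
    config = Config.new
    yield config
    register(:default, config)
  end

  # Register a named override derived from `base` (another name, default :default).
  def self.override(name, base = :default)
    parent = @configs.fetch(base) { raise ArgumentError, "unknown base configuration #{base.inspect}" }
    config = parent[:config].deep_dup
    yield config
    register(name, config)
  end

  # Precompute the header once and freeze everything so later code cannot
  # mutate a registered configuration.
  def self.register(name, config)
    @configs[name] = { config: config.freeze, csp_header: build_csp(config.csp).freeze }.freeze
    name
  end

  # Per-request lookup: no policy is built here.
  def self.header_for(name)
    @configs.fetch(name) { raise ArgumentError, "unknown configuration #{name.inspect}" }[:csp_header]
  end
end

# Same configuration as the README excerpt, expressed against the model above.
NamedOverrides.default do |config|
  config.csp = { default_src: %w('self'), script_src: %w(example.org) }
end

NamedOverrides.override(:script_from_otherdomain_com) do |config|
  config.csp[:script_src] << "otherdomain.com"
end

NamedOverrides.override(:another_config, :script_from_otherdomain_com) do |config|
  config.csp[:script_src] << "evenanotherdomain.com"
end

if __FILE__ == $PROGRAM_NAME
  %i[default script_from_otherdomain_com another_config].each do |name|
    puts "#{name}: #{NamedOverrides.header_for(name)}"
  end
end
```

The deep copy in `override` is what makes the default immune to mutation by the override blocks; without it, the `<<` on the shared `script_src` array would leak `otherdomain.com` into every request that uses the default policy.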
Review comment (Contributor) on this excerpt of the diff:

```ruby
}
config.hpkp = {
:max_age => 60.days.to_i,
:include_subdomains => true,
:report_uri => '//example.com/uri-directive',
:report_uri => "https//example.com/uri-directive",
```

missing a : here
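A malformed `report_uri` like the one flagged above fails silently: the browser simply never delivers pin-validation reports. An added configuration check (not secure_headers' own code; `HpkpCheck` and its method names are assumptions for this illustration) catches it at boot by parsing the value with Ruby's `URI` library. A scheme-relative `//example.com/...` parses with a host, whereas `https//example.com/...` with the colon missing parses as a bare path with no host, which the check reports as an error.

```ruby
# Added example, not secure_headers' own code: validate an HPKP configuration
# hash of the shape shown in the review excerpt (:max_age, :include_subdomains,
# :report_uri) and return a list of human-readable errors.
require 'uri'

module HpkpCheck
  # Returns an Array of error Strings; an empty Array means the config passed.
  def self.validate(hpkp)
    errors = []

    max_age = hpkp[:max_age]
    unless max_age.is_a?(Integer) && max_age >= 0
      errors << "max_age must be a non-negative Integer, got #{max_age.inspect}"
    end

    inc = hpkp[:include_subdomains]
    unless inc.nil? || inc == true || inc == false
      errors << "include_subdomains must be true or false, got #{inc.inspect}"
    end

    errors.concat(report_uri_errors(hpkp[:report_uri])) if hpkp.key?(:report_uri)
    errors
  end

  # Checks a single report_uri value. Absolute https URIs and scheme-relative
  # "//host/path" values are accepted; anything without a host is rejected,
  # which is exactly what a missing ':' after the scheme produces.
  def self.report_uri_errors(value)
    return ["report_uri must be a String, got #{value.inspect}"] unless value.is_a?(String)

    uri = URI.parse(value)
    errs = []
    if uri.host.nil? || uri.host.empty?
      errs << "report_uri has no host (missing ':' or '//'?): #{value.inspect}"
    end
    if uri.scheme && uri.scheme != "https"
      errs << "report_uri should use https, got scheme #{uri.scheme.inspect}"
    end
    errs
  rescue URI::InvalidURIError => e
    ["report_uri is not a valid URI: #{e.message}"]
  end
end

if __FILE__ == $PROGRAM_NAME
  # 5184000 is 60 days in seconds, standing in for ActiveSupport's 60.days.to_i.
  good = { max_age: 5184000, include_subdomains: true, report_uri: '//example.com/uri-directive' }
  typo = { max_age: 5184000, include_subdomains: true, report_uri: "https//example.com/uri-directive" }
  puts "good: #{HpkpCheck.validate(good).inspect}"
  puts "typo: #{HpkpCheck.validate(typo).inspect}"
end
```

Running this check when the configuration is registered, rather than when a response is built, turns a typo that would otherwise go unnoticed into a startup failure.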

oreoshake (Contributor, Author):

This code is now running on github.com. I'll let it sit for a few days and release a 3.0 gem. I'll add an "upgrading to 3.0 wiki" entry in the meantime since it is very much a breaking change.

oreoshake added a commit that referenced this pull request Dec 11, 2015
@oreoshake oreoshake merged commit 1918ce2 into 3.x Dec 11, 2015
@oreoshake oreoshake deleted the env-rack-config branch December 11, 2015 00:41