prevent loss of frame_src/child_src when using append_content_securit… #325
Conversation
…y_policy_directives
|
If this is merged, it would actually be worthwhile updating the docs to explain that |
|
You should never be setting child-src AND frame-src, always one or the other. The idea behind the code is that you could use either or and, based on the user agent, the lib would set the appropriate value. However, this code has definitely rotted. That being said it's not communicated in any way and has created this issue. I wonder if we should just 🔪 child-src entirely? I'll have to double check but as far as I remember, they are interchangeable and should only produce console warnings on outdated browsers. |
|
Yes to be clear - I'm not suggesting setting both, I'm suggesting that setting one and calling |
|
Yep, thanks! I'll probably merge this in to prevent the confusion you exposed, I was just thinking out loud and more long term. Thanks again for all the 👀 and 💻 ❗️ |
3.6.2 > 3.6.5 https://github.com/twitter/secureheaders/blob/master/CHANGELOG.md#363 3.6.5 Update clear-site-data header to use current format specified by the specification. 3.6.4 Fix case where mixing frame-src/child-src dynamically would behave in unexpected ways: github/secure_headers#325 3.6.3 Remove deprecation warning when setting frame-src. It is no longer deprecated.
…y_policy_directives
Currently it is possible for
frame_srcandchild_srcsettings to be dropped when usingappend_content_security_policy_directives.To reproduce:
frame_srcchild_srcusingappend_content_security_policy_directiveschild_srcfrom secureheaders, such as ChromeExpected: the
child_srcis defaulted to theframe_srcsetting I have, plus the additions I made usingappend_content_security_policy_directives. I have this expectation because the gem promises to intelligently select betweenchild_srcandframe_src.Actual: In this case, the original
frame_srcsettings are dropped, and thechild_srcsetting isdefault_src+my additions.All PRs: