Skip to content

New API Implementation #191

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
oreoshake merged 24 commits into from
Dec 11, 2015
Merged

New API Implementation #191

oreoshake merged 24 commits into from
Dec 11, 2015

Conversation

@oreoshake
Copy link
Contributor

@oreoshake oreoshake commented Nov 5, 2015

Followup to #181. As with the last PR, it's probably better to ignore the diff and look at the code directly.

The biggest change in this PR is the added support for "named overrides" - additional configuration objects that can be referenced by name. The header values are all precomputed so named overrides save the overhead of building a policy per request.

(from the readme

class ApplicationController < ActionController::Base SecureHeaders::Configuration.default do |config| config.csp = { default_src: %w('self'), script_src: %w(example.org) } end # override default configuration SecureHeaders::Configuration.override(:script_from_otherdomain_com) do |config| config.csp[:script_src] << "otherdomain.com" end # overrides the :script_from_otherdomain_com configuration SecureHeaders::Configuration.override(:another_config, :script_from_otherdomain_com) do |config| config.csp[:script_src] << "evenanotherdomain.com" end end class MyController < ApplicationController def index # Produces default-src 'self'; script-src example.org otherdomain.org use_secure_headers_override(:script_from_otherdomain_com) end def show # Produces default-src 'self'; script-src example.org otherdomain.org evenanotherdomain.com use_secure_headers_override(:another_config) end end
@oreoshake
fix regression with mutation of global state
2b41aca
@oreoshake
Merge pull request #184 from twitter/mutating-global-regression
a11105e 
fix regression with mutation of global state
@oreoshake
version bump for regression
7a42710
@oreoshake
Cache UserAgentParser instance
48b048c 
Thanks to @igrep for pointing this out. Fixes #187
@oreoshake
Merge pull request #188 from twitter/user-agent-parser
927ecd8 
Cache UserAgentParser instance
@oreoshake
version bump for performance regression
35536c0
@oreoshake
Major rewrite:
32bb3f5 
Configure a global default and named overrides Use helper methods to set/modify configurations at runtime Set the headers in middleware based on the configuration saved to request.env Configuration changes: All headers require string values except for CSP and HPKP CSP directives must be arrays of strings, no more support for space-delimited strings or procs
@oreoshake
only attempt to build directives that are configured
4170482
@oreoshake
remove unused constant
b4f672b
@oreoshake
cleanup
b0991ee
@oreoshake
remove method that was only used once
ba05040
@oreoshake
reorder methods
97b56b3
@oreoshake oreoshake mentioned this pull request Nov 5, 2015
Closed
9 tasks
stve
stve reviewed Nov 5, 2015
View reviewed changes
README.md Outdated
Copy link
Contributor

@stve stve Nov 5, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

missing a : here
oreoshake and others added 12 commits November 5, 2015 07:50
@oreoshake
documentation updates
da60685
@oreoshake
parameters to nonce functions should be optional
e3ac264
@oreoshake
Keep unsafe-* around when a * is provided.
68a7498 
e.g. default-src * 'unsafe-inline' 'unsafe-eval' host1.com http: https: can be reduced to: default-src * 'unsafe-inline' 'unsafe-eval' Previously, the unsafe-* values were removed but * does not cover the unsafe-* values.
@oreoshake
version lock tins
fb81baf
@oreoshake
actually use pessimistic version locking
0d499f4
@kevgo
Fix typo
5481cba
@oreoshake
Merge pull request #192 from kevgo/patch-1
170271f 
Fix typo
@oreoshake
Fix issue with opting out of headers when using header_hash method
64908d5
@oreoshake
Merge pull request #193 from twitter/calling-name-on-nil-value
6c02a63 
Fix issue with opting out of headers when using header_hash method
@oreoshake
version bump
8e0e654
@oreoshake
Merge branch 'master' into env-rack-config
7d264f9
@oreoshake
merge conflict fixes
27ec392
@oreoshake
Copy link
Contributor Author

oreoshake commented Dec 11, 2015

This code is now running on github.com. I'll let it sit for a few days and release a 3.0 gem. I'll add an "upgrading to 3.0 wiki" entry in the meantime since it is very much a breaking change.
oreoshake added a commit that referenced this pull request Dec 11, 2015
@oreoshake
Merge pull request #191 from twitter/env-rack-config
1918ce2 
New API Implementation
@oreoshake oreoshake merged commit 1918ce2 into 3.x Dec 11, 2015
@oreoshake oreoshake deleted the env-rack-config branch December 11, 2015 00:41
@oreoshake oreoshake mentioned this pull request Aug 19, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

5 participants

@oreoshake @stve @reedloden @kevgo