v7.3.0

Security

• CSP directive injection via sandbox, plugin-types, and report-to when given untrusted input — GHSA-rqq5-2gf9-4w4q. Reported by @tonghuaroot. The 2020 source-list scrub was not applied to the sandbox, plugin-types, and report-to directive builders, so caller-supplied values containing ;, \n, or \r were emitted verbatim into the Content-Security-Policy header and could inject arbitrary directives. All three builders now share the same scrub (replace ;, \n, \r with a space and Kernel.warn).

Important

You should never pass user-supplied input into your Content-Security-Policy configuration. CSP directive values are part of a security policy, not user data — any untrusted input creates a policy-injection risk. This fix is a defense-in-depth backstop; it is not a license to feed user input into CSP directives. Treat all CSP values as trusted, application-controlled configuration.

What's Changed

• Fix CSP injection via sandbox / plugin-types / report-to directives (GHSA-rqq5-2gf9-4w4q)
• Bump actions/checkout from 5 to 6 by @dependabot in #582
• Bump ruby/setup-ruby from 1.288.0 → 1.310.0 by @dependabot in #584, #585, #587, #588, #589, #590, #591, #592
• Bump Version to 7.3.0 by @KyFaSt in #593

Full Changelog: v7.2.0...v7.3.0

v7.2.0

Release notes

What's Changed

• Remove non-lowercase headers in Rails default configuration by @obrie #551
• Fix compatibility with Rack 3 by @deril #555
• Normalize domains with trailing slashes by @keithamus #477
• Add tests for hash generation by @rahearn #485
• Add Configuration.disable! by @fletchto99 #568
• Don't set upgrade-insecure-requests-directive for HTTP requests by @fletchto99 #570
• Add cgi dependency for ruby 4.0 support by @vcsjones #560
• Update rubocop configuration for ruby 4.0 support by @rei-moo #561
• Fix code style by @tmaier #563
• Fix typos by @myersg86 #546

Full Changelog: v7.1.0...v7.2.0

v7.1.0

Release notes

What's Changed

• Lowercase headers by @arashnd in #533
• Cleanup repository files and Gem build by @rzhade3 in #536

New Contributors

• @arashnd made their first contribution in #533

Full Changelog: v7.0.0...v7.1.0

v7.0.0

Release notes

What's Changed

• Update default X-XSS-Protection value to 0 by @rzhade3 in #479

New Contributors

• @boveus made their first contribution in #520
• @rzhade3 made their first contribution in #479
• @vcsjones made their first contribution in #521

Full Changelog: v6.7.0...v7.0.0

Increase performance of SecureSecurityPolicyConfig

What's Changed

• Make SecureSecurityPolicyConfig significantly faster by @jhawthorn in #506
• Note: If you are accessing values on SecureSecurityPolicyConfig as ivars, you will need to change this to hash access.

New Contributors

• @jhawthorn made their first contribution in #506

Full Changelog: v6.6.0...v6.7.0

v6.6.0

• CSP: Removed deprecated header block-all-mixed-content and replaced it with a recommendation to use the already supported upgrade-insecure-requests instead.

v6.5.0

v6.5.0 (#501)

Release notes:

- CSP: Remove source expression deduplication. (@lgarron)
https://github.com/github/secure_headers/pull/499

v6.4.0

• CSP: Add support for trusted-types, require-trusted-types-for directive (@JackMc): #486

https://github.com/github/secure_headers/blob/v6.4.0/CHANGELOG.md

v6.3.4

• CSP: Do not deduplicate alternate schema source expressions (@keithamus): #478

https://github.com/github/secure_headers/blob/v6.3.4/CHANGELOG.md

v6.3.3

• Fix hash generation for indented helper methods (@rahearn)

For more details, see https://github.com/github/secure_headers/blob/v6.3.3/CHANGELOG.md