Skip to content

Latest commit

 

History

History
72 lines (49 loc) · 2.43 KB

HISTORY.md

File metadata and controls

72 lines (49 loc) · 2.43 KB

0.4.1

  • Allow strings or ints in the HSTS max-age (@reedloden)

0.4.0

  • Treat each header as it's own before_filter. This allows you to `skip_before_filter :set_X_header, :only => :bad_idea
  • Should be backwards compatible, but it is a change to the API.

0.3.0

  • Greatly reduce the need to use the forward_endpoint attribute. If you are posting from your site to a host that matches TLD+1 (e.g. translate.twitter.com matches twitter.com), use a protocol relative value for report-uri. This will alleviate the need to use forwarding. If your host doesn't match, you still need to use forwarding due to host mismatches for Firefox.

0.2.3

  • Fix error in report-uri logic for Firefox forwarding.

0.2.2

  • Stop applying chrome-extension: to Firefox directives.

0.2.1

  • Firefox headers will now stop overriding report_uri when only a path is supplied

0.2.0

  • 0.1.0 introduced a serious regression in which child controllers overwrote parent controller config values
  • Decoupling of CSP headers and the request object. Allows you to generate static values to save cycles:
FIREFOX = SecureHeaders::ContentSecurityPolicy.new(config, :ua => "Firefox", :ssl => true).value
CHROME = SecureHeaders::ContentSecurityPolicy.new(config, :ua => "Chrome", :ssl => true).value
  • :forward_endpoint now acts as the endpoint that reports are forwarded to (when using the internal forwarder feature for cross-host reporting)
  • Skeleton applications have been added to test isolated application configurations
  • Cleanup by @bemurphy

0.1.1

Bug fix. Firefox doesn't seem to like the default-src directive, reverting back to 'allow'

0.1.0

Notes:

  • Gem is renamed to secure_headers. This will make bundler happy. github#26

Features:

  • ability to apply two headers, one in enforce mode, one in "experimental" mode github#11
  • Rails 3.0 support github#28

Bug fixes, misc:

  • Fix issue where settings in application_controller were ignored if no intializer was supplied github#25
  • Better support for other frameworks, including docs from @achui, @bmaland
  • Rails 4 routes support from @jviney github#13
  • data: automatically whitelisted for img-src
  • Doc updates from @ming13, @theverything, @dcollazo