github / secure_headers

Manages application of security headers with many safe defaults
MIT License

Semantically parse source expressions. #497

Closed lgarron closed 2 years ago

lgarron commented 2 years ago

Recently, we've had a spate of fixes for parsing directives and source-expressions, stemming from the fact that the code doesn't understand the format of valid expressions, and makes local assumptions about what they look like — in particular, assuming a resemblance to URLs during deduplication.

https://github.com/github/secure_headers/pull/490
https://github.com/github/secure_headers/pull/478

This PR is an attempt to "bite the bullet" and parse source expressions so we can semantically deduplicate matching URLs.

All PRs:

Adding a new header
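As an added illustration of what "semantically deduplicate" means for CSP source lists, here is a small Ruby parser written for this page; it is not secure_headers' own implementation and is not the code in this PR. It classifies each token by the CSP3 source-expression kinds (keyword, scheme, host, nonce, hash), builds a normalized key in which scheme, host, keyword and hash-algorithm names are case-insensitive while paths, nonce values and hash digests stay case-sensitive, and deduplicates on that key instead of on the raw string. The names `SourceExpression`, `parse_source`, `dedupe_sources` and the regexes are this example's own assumptions, and the regexes approximate rather than fully reproduce the grammar.

```ruby
# Added example, not secure_headers' code: parse CSP source expressions and
# deduplicate a source list on their meaning rather than on string equality
# or a URL-shaped heuristic.
require 'set'

SourceExpression = Struct.new(:kind, :scheme, :host, :port, :path, :value) do
  # Normalized identity. Scheme, host and keyword are ASCII case-insensitive
  # in CSP; path, nonce value and hash digest are case-sensitive. A missing
  # path and a path of "/" are kept distinct here (different spellings in the
  # grammar) rather than assumed equivalent.
  def key
    case kind
    when :keyword      then [:keyword, value]
    when :scheme       then [:scheme, scheme]
    when :nonce, :hash then [kind, value]
    when :host         then [:host, scheme, host, port, path]
    end
  end
end

KEYWORDS = %w[self none unsafe-inline unsafe-eval strict-dynamic
              unsafe-hashes report-sample wasm-unsafe-eval].freeze

# Approximations of the CSP3 grammar (assumed for this example).
SCHEME_RE = /\A([a-zA-Z][a-zA-Z0-9+.\-]*):\z/
NONCE_RE  = /\A'(?i:nonce)-([A-Za-z0-9+\/\-_]+=*)'\z/
HASH_RE   = /\A'((?i:sha256|sha384|sha512))-([A-Za-z0-9+\/\-_]+=*)'\z/
HOST_RE   = %r{\A(?:([a-zA-Z][a-zA-Z0-9+.\-]*)://)?        # optional scheme
               (\*|(?:\*\.)?[a-zA-Z0-9\-]+(?:\.[a-zA-Z0-9\-]+)*)  # host / wildcard
               (?::(\*|[0-9]+))?                           # optional port
               (/[^\s?#]*)?\z}x                            # optional path

# Classify one token. Raises on anything it does not recognise so that an
# unknown token is never silently merged with another.
def parse_source(token)
  t = token.strip
  if (m = NONCE_RE.match(t))
    SourceExpression.new(:nonce, nil, nil, nil, nil, m[1])
  elsif (m = HASH_RE.match(t))
    SourceExpression.new(:hash, nil, nil, nil, nil, "#{m[1].downcase}-#{m[2]}")
  elsif t.start_with?("'") && t.end_with?("'")
    kw = t[1..-2].downcase
    raise ArgumentError, "unknown keyword source: #{token}" unless KEYWORDS.include?(kw)
    SourceExpression.new(:keyword, nil, nil, nil, nil, kw)
  elsif (m = SCHEME_RE.match(t))
    SourceExpression.new(:scheme, m[1].downcase, nil, nil, nil, nil)
  elsif (m = HOST_RE.match(t))
    SourceExpression.new(:host, m[1]&.downcase, m[2].downcase, m[3], m[4], nil)
  else
    raise ArgumentError, "unparseable source expression: #{token}"
  end
end

# Drop later tokens whose semantic key has already been seen, keeping the
# first occurrence with its original spelling.
def dedupe_sources(tokens)
  seen = Set.new
  tokens.each_with_object([]) do |tok, out|
    out << tok if seen.add?(parse_source(tok).key)
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed input: mixed case, repeated scheme and nonce, path variants.
  p dedupe_sources(["https://Example.com", "https://example.com", "https://example.com/",
                    "'self'", "'SELF'", "https:", "HTTPS:", "'nonce-abc'", "'nonce-ABC'"])
end
```

Note the asymmetry the example encodes: `https://Example.com` and `https://example.com` collapse, as do `'self'`/`'SELF'` and `https:`/`HTTPS:`, but `'nonce-abc'` and `'nonce-ABC'` do not, because the nonce value is what the browser compares byte-for-byte. A deduplicator that treats every token as a URL would get at least one of these cases wrong.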