Closed koss-lebedev closed 6 years ago
We will take a look into this, sorry for the delay!
I tried a change to update `::SecureHeaders::Configuration.get.current_csp[:script_src].to_a.include?("'unsafe-inline'")` to `::SecureHeaders::Configuration.get.csp.script_src.to_a.include?("'unsafe-inline'")`, but I am not sure what the original intention was in using `current_csp` instead of `csp`. I tested it in secure_headers version 5.0.5 and it does not have a `current_csp` method anymore in `::SecureHeaders::Configuration`.
`current_csp` was replaced by `csp` about 2 years ago in version 3.4; here's the commit in which they got rid of it:
https://github.com/twitter/secure_headers/commit/893d6e9aa9a4177c24c36b87dcfac2d7c4ad8ef7
The code changes to use `csp` instead of `current_csp` need to be implemented here. I'm adding this to milestone v2.17.0
rollbar 2.16.2, secure_headers 6.0.0

Maybe or maybe not related: I'm getting the following error:

[Rollbar] Rollbar.js could not be added because undefined method 'get' for SecureHeaders::Configuration:Class

I don't call `get` directly in my configuration file:

```ruby
SecureHeaders::Configuration.default do |config|
  config.cookies = {
    secure: true,
    httponly: true,
    samesite: { lax: true } # mark all cookies as SameSite=lax
  }
  config.hsts = "max-age=#{365.days}"
  config.x_frame_options = "DENY"
  config.x_content_type_options = "nosniff"
  config.x_download_options = "noopen"
  config.x_permitted_cross_domain_policies = "none"
  config.x_xss_protection = "1; mode=block"
  config.referrer_policy = 'no-referrer-when-downgrade'
  config.csp = SecureHeaders::OPT_OUT # Use config/initializers/content_security_policy.rb instead

  # Expect-CT: report-only endpoint when not enforcing, enforce endpoint otherwise
  CT_ENFORCE = true
  config.expect_certificate_transparency = {
    enforce: CT_ENFORCE,
    max_age: 5.minutes,
    report_uri: CT_ENFORCE ? 'https://app_name.report-uri.com/r/d/ct/enforce' : 'https://app_name.report-uri.com/r/d/ct/reportOnly'
  }
end
```
This seems like a different issue than the ones in the later comments, but I'm posting it here because it directly relates to the issue title. Feel free to move it to a separate issue, or to ask me to open one myself.
Confirmed that the `get` method was removed in secure_headers 6.0.0. Rollbar calls that method here.
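The three comments above describe three different shapes of the secure_headers configuration API: `Configuration.get.current_csp[:script_src]` before 3.4, `Configuration.get.csp.script_src` from 3.4 to 5.x, and no `Configuration.get` at all in 6.0.0. Here is an added example (not Rollbar's or secure_headers' code) of a check that decides whether the secure_headers CSP permits an injected inline script without raising `NoMethodError` on any of those shapes. The module and method names are hypothetical, the stand-in configuration classes are constructed for the example, and treating a non-policy value of `csp` as "opted out" (as with `config.csp = SecureHeaders::OPT_OUT` in the posted initializer) is an assumption.

```ruby
# Added example, not Rollbar's or secure_headers' own code: a version-tolerant
# check for whether the CSP configured through secure_headers permits inline
# scripts, which is what anything that injects an inline <script> (such as
# Rollbar.js) needs to know before injecting. It relies only on the API shapes
# named in this thread:
#   - before 3.4:  Configuration.get.current_csp[:script_src]   (a Hash)
#   - 3.4 to 5.x:  Configuration.get.csp.script_src             (a policy object)
#   - 6.0.0:       Configuration.get no longer exists
# Module and method names are hypothetical.
module InlineScriptCheck
  UNSAFE_INLINE = "'unsafe-inline'".freeze

  # Returns one of :allowed, :blocked, :opted_out or :unknown.
  # Never raises NoMethodError, whichever secure_headers version is loaded.
  def self.status(configuration_class)
    # 6.0.0 removed Configuration.get: report :unknown instead of crashing.
    return :unknown unless configuration_class.respond_to?(:get)

    config = configuration_class.get
    policy =
      if config.respond_to?(:current_csp) # pre-3.4 accessor
        config.current_csp
      elsif config.respond_to?(:csp)      # 3.4+ accessor
        config.csp
      end
    return :unknown if policy.nil?

    sources =
      if policy.respond_to?(:script_src)  # 3.4+ policy object
        policy.script_src
      elsif policy.is_a?(Hash)            # pre-3.4 policy hash
        policy[:script_src]
      else
        # Assumption: an opted-out CSP (config.csp = SecureHeaders::OPT_OUT)
        # is a bare marker, not a policy object. secure_headers then sends no
        # CSP header, but another layer (e.g. Rails' own CSP) still might.
        return :opted_out
      end

    Array(sources).include?(UNSAFE_INLINE) ? :allowed : :blocked
  end

  # Fail closed: inject only when secure_headers is known not to block it.
  def self.inject_inline_script?(configuration_class)
    %i[allowed opted_out].include?(status(configuration_class))
  end

  # Builds a stand-in for SecureHeaders::Configuration whose .get returns the
  # given object (constructed for this example, not the gem's class).
  def self.stand_in_with(config)
    Class.new { define_singleton_method(:get) { config } }
  end
end

# Constructed stand-ins for the two config object shapes (not the gem's classes).
class LegacyConfig                      # pre-3.4: current_csp is a Hash
  attr_reader :current_csp
  def initialize(current_csp)
    @current_csp = current_csp
  end
end

Policy = Struct.new(:script_src)        # 3.4+: csp responds to script_src

class ModernConfig
  attr_reader :csp
  def initialize(csp)
    @csp = csp
  end
end

if __FILE__ == $PROGRAM_NAME
  {
    'pre-3.4, unsafe-inline present' =>
      InlineScriptCheck.stand_in_with(LegacyConfig.new({ script_src: ["'self'", "'unsafe-inline'"] })),
    '3.4-5.x, unsafe-inline absent' =>
      InlineScriptCheck.stand_in_with(ModernConfig.new(Policy.new(["'self'"]))),
    'csp opted out' =>
      InlineScriptCheck.stand_in_with(ModernConfig.new(:opt_out)),
    '6.0.0, no Configuration.get' => Class.new
  }.each { |label, klass| puts "#{label}: #{InlineScriptCheck.status(klass)}" }
end
```

The point of returning `:unknown` rather than raising is exactly the failure seen in this thread: a removed accessor should degrade to "don't inject" with a log line, not abort the middleware with an undefined-method error.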
Hello guys,
I found that Rollbar.js seems to have issues loading when the `SecureHeaders` gem adds CSP policies. I see this error in the logs:

[Rollbar] Rollbar.js could not be added because undefined method 'current_csp' for #<SecureHeaders::Configuration:0x00000006bccfe0> exception
Is there a CSP rule that has to be added, or is this a known bug? Thank you
Full details: