Merge branch 'main' into feature-7.2

Author: fletchto99

.github/workflows/build.yml

@@ -13,9 +13,9 @@ jobs:
         ruby: [ '2.7', '3.0', '3.1', '3.2', '3.4', '4.0' ]
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
     - name: Set up Ruby ${{ matrix.ruby }}
-      uses: ruby/setup-ruby@d697be2f83c6234b20877c3b5eac7a7f342f0d0c #v1.269.0 tag
+      uses: ruby/setup-ruby@ac793fdd38cc468a4dd57246fa9d0e868aba9085 #v1.269.0 tag
       with:
         ruby-version: ${{ matrix.ruby }}
         bundler-cache: true

.rubocop.yml

@@ -1,23 +1,11 @@
 inherit_gem:
   rubocop-github:
     - config/default.yml
-require: rubocop-performance
+plugins: rubocop-performance
 
 AllCops:
   TargetRubyVersion: 2.6
 
 # Disable cops that are not consistently available across all Ruby versions
-Style/ClassMethodsDefinitions:
-  Enabled: false
-
-Style/OrAssignment:
-  Enabled: false
-
-Layout/SpaceInsideHashLiteralBraces:
-  Enabled: false
-
-Lint/ParenthesesAsGroupedExpression:
-  Enabled: false
-
 Lint/RedundantCopDisableDirective:
   Enabled: false

CHANGELOG.md

@@ -70,7 +70,7 @@ NOTE: this version is a breaking change due to the removal of HPKP. Remove the H
 
 ## 5.0.0
 
-Well this is a little embarassing. 4.0 was supposed to set the secure/httponly/samesite=lax attributes on cookies by default but it didn't. Now it does. - See the [upgrading to 5.0](docs/upgrading-to-5-0.md) guide.
+Well this is a little embarrassing. 4.0 was supposed to set the secure/httponly/samesite=lax attributes on cookies by default but it didn't. Now it does. - See the [upgrading to 5.0](docs/upgrading-to-5-0.md) guide.
 
 ## 4.0.1
 
@@ -194,7 +194,7 @@ end
 
 ## 3.4.0 the frame-src/child-src transition for Firefox.
 
-Handle the `child-src`/`frame-src` transition semi-intelligently across versions. I think the code best descibes the behavior here:
+Handle the `child-src`/`frame-src` transition semi-intelligently across versions. I think the code best describes the behavior here:
 
 ```ruby
 if supported_directives.include?(:child_src)

README.md

@@ -1,4 +1,4 @@
-# Secure Headers ![Build + Test](https://github.com/github/secure_headers/workflows/Build%20+%20Test/badge.svg?branch=main)
+# Secure Headers [![Build + Test](https://github.com/github/secure_headers/actions/workflows/build.yml/badge.svg)](https://github.com/github/secure_headers/actions/workflows/build.yml)
 
 **main branch represents 7.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md), [upgrading to 5.x doc](docs/upgrading-to-5-0.md), [upgrading to 6.x doc](docs/upgrading-to-6-0.md) or [upgrading to 7.x doc](docs/upgrading-to-7-0.md) for instructions on how to upgrade. Bug fixes should go in the `6.x` branch for now.
 

lib/secure_headers.rb

@@ -184,7 +184,7 @@ def content_security_policy_style_nonce(request)
       content_security_policy_nonce(request, ContentSecurityPolicy::STYLE_SRC)
     end
 
-    # Public: Retreives the config for a given header type:
+    # Public: Retrieves the config for a given header type:
     #
     # Checks to see if there is an override for this request, then
     # Checks to see if a named override is used for this request, then
@@ -214,7 +214,7 @@ def raise_on_unknown_target(target)
 
     def config_and_target(request, target)
       config = config_for(request)
-      target = guess_target(config) unless target
+      target ||= guess_target(config)
       raise_on_unknown_target(target)
       [config, target]
     end

lib/secure_headers/configuration.rb

@@ -65,7 +65,7 @@ def default(&block)
 
       # Public: create a named configuration that overrides the default config.
       #
-      # name - use an idenfier for the override config.
+      # name - use an identifier for the override config.
       # base - override another existing config, or override the default config
       # if no value is supplied.
       #

lib/secure_headers/headers/clear_site_data.rb

@@ -11,43 +11,41 @@ class ClearSiteData
     EXECUTION_CONTEXTS = "executionContexts".freeze
     ALL_TYPES = [CACHE, COOKIES, STORAGE, EXECUTION_CONTEXTS]
 
-    class << self
-      # Public: make an clear-site-data header name, value pair
-      #
-      # Returns nil if not configured, returns header name and value if configured.
-      def make_header(config = nil, user_agent = nil)
-        case config
-        when nil, OPT_OUT, []
-          # noop
-        when Array
-          [HEADER_NAME, make_header_value(config)]
-        when true
-          [HEADER_NAME, make_header_value(ALL_TYPES)]
-        end
+    # Public: make an clear-site-data header name, value pair
+    #
+    # Returns nil if not configured, returns header name and value if configured.
+    def self.make_header(config = nil, user_agent = nil)
+      case config
+      when nil, OPT_OUT, []
+        # noop
+      when Array
+        [HEADER_NAME, make_header_value(config)]
+      when true
+        [HEADER_NAME, make_header_value(ALL_TYPES)]
       end
+    end
 
-      def validate_config!(config)
-        case config
-        when nil, OPT_OUT, true
-          # valid
-        when Array
-          unless config.all? { |t| t.is_a?(String) }
-            raise ClearSiteDataConfigError.new("types must be Strings")
-          end
-        else
-          raise ClearSiteDataConfigError.new("config must be an Array of Strings or `true`")
+    def self.validate_config!(config)
+      case config
+      when nil, OPT_OUT, true
+        # valid
+      when Array
+        unless config.all? { |t| t.is_a?(String) }
+          raise ClearSiteDataConfigError.new("types must be Strings")
         end
+      else
+        raise ClearSiteDataConfigError.new("config must be an Array of Strings or `true`")
       end
+    end
 
-      # Public: Transform a clear-site-data config (an Array of Strings) into a
-      # String that can be used as the value for the clear-site-data header.
-      #
-      # types - An Array of String of types of data to clear.
-      #
-      # Returns a String of quoted values that are comma separated.
-      def make_header_value(types)
-        types.map { |t| %("#{t}") }.join(", ")
-      end
+    # Public: Transform a clear-site-data config (an Array of Strings) into a
+    # String that can be used as the value for the clear-site-data header.
+    #
+    # types - An Array of String of types of data to clear.
+    #
+    # Returns a String of quoted values that are comma separated.
+    def self.make_header_value(types)
+      types.map { |t| %("#{t}") }.join(", ")
     end
   end
 end

lib/secure_headers/headers/content_security_policy.rb

@@ -79,7 +79,7 @@ def build_sandbox_list_directive(directive)
       end
 
       # A maximally strict sandbox policy is just the `sandbox` directive,
-      # whith no configuraiton values.
+      # with no configuration values.
       if max_strict_policy
         symbol_to_hyphen_case(directive)
       elsif sandbox_list && sandbox_list.any?
@@ -120,7 +120,7 @@ def build_source_list_directive(directive)
     end
 
     # If a directive contains *, all other values are omitted.
-    # If a directive contains 'none' but has other values, 'none' is ommitted.
+    # If a directive contains 'none' but has other values, 'none' is omitted.
     # Schemes are stripped (see http://www.w3.org/TR/CSP2/#match-source-expression)
     def minify_source_list(directive, source_list)
       source_list = source_list.compact

lib/secure_headers/headers/cookie.rb

@@ -7,10 +7,8 @@ module SecureHeaders
   class CookiesConfigError < StandardError; end
   class Cookie
 
-    class << self
-      def validate_config!(config)
-        CookiesConfig.new(config).validate!
-      end
+    def self.validate_config!(config)
+      CookiesConfig.new(config).validate!
     end
 
     attr_reader :raw_cookie, :config

lib/secure_headers/headers/expect_certificate_transparency.rb

@@ -9,31 +9,29 @@ class ExpectCertificateTransparency
     REQUIRED_MAX_AGE_ERROR      = "max-age is a required directive.".freeze
     INVALID_MAX_AGE_ERROR       = "max-age must be a number.".freeze
 
-    class << self
-      # Public: Generate a expect-ct header.
-      #
-      # Returns nil if not configured, returns header name and value if
-      # configured.
-      def make_header(config, use_agent = nil)
-        return if config.nil? || config == OPT_OUT
+    # Public: Generate a expect-ct header.
+    #
+    # Returns nil if not configured, returns header name and value if
+    # configured.
+    def self.make_header(config, use_agent = nil)
+      return if config.nil? || config == OPT_OUT
 
-        header = new(config)
-        [HEADER_NAME, header.value]
-      end
+      header = new(config)
+      [HEADER_NAME, header.value]
+    end
 
-      def validate_config!(config)
-        return if config.nil? || config == OPT_OUT
-        raise ExpectCertificateTransparencyConfigError.new(INVALID_CONFIGURATION_ERROR) unless config.is_a? Hash
+    def self.validate_config!(config)
+      return if config.nil? || config == OPT_OUT
+      raise ExpectCertificateTransparencyConfigError.new(INVALID_CONFIGURATION_ERROR) unless config.is_a? Hash
 
-        unless [true, false, nil].include?(config[:enforce])
-          raise ExpectCertificateTransparencyConfigError.new(INVALID_ENFORCE_VALUE_ERROR)
-        end
+      unless [true, false, nil].include?(config[:enforce])
+        raise ExpectCertificateTransparencyConfigError.new(INVALID_ENFORCE_VALUE_ERROR)
+      end
 
-        if !config[:max_age]
-          raise ExpectCertificateTransparencyConfigError.new(REQUIRED_MAX_AGE_ERROR)
-        elsif config[:max_age].to_s !~ /\A\d+\z/
-          raise ExpectCertificateTransparencyConfigError.new(INVALID_MAX_AGE_ERROR)
-        end
+      if !config[:max_age]
+        raise ExpectCertificateTransparencyConfigError.new(REQUIRED_MAX_AGE_ERROR)
+      elsif config[:max_age].to_s !~ /\A\d+\z/
+        raise ExpectCertificateTransparencyConfigError.new(INVALID_MAX_AGE_ERROR)
       end
     end