7.2 release #566
Draft
7.2 release #566
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
rei-moo
force-pushed
the
feature-7.2
branch
3 times, most recently
from
4f5686e to
930157e
Compare
Do not join cookies with new like if they weren't before fix(middleware): ensure headers are wrapped with `Rack::Headers` Add `Rack::Headers` wrapping to middleware to prevent header manipulation issues. Added a test to verify cookies remain as an array when flagged if already in array format.
While this gem now uses lowercase headers, the Rails default configuration still defines non-lowercase headers. As a result, our Railtie will not remove those conflicting headers. This change ensures that we're accounting for both lowercase and non-lowercase default headers in Rails.
CSP3 more explicitly calls this out: > If path A consists of one character that is equal to the U+002F > SOLIDUS character (/) and path B is empty, return "Matches". A URL like `example.com/foo` will match a connect-src of `example.com`, as well as `example.com/`, so having two connect-srcs listed like this is redundant. fix: allow URIs with schema to have trailing slashes normalised Co-authored-by: Dusty Greif <[email protected]>
Fix rake task file count output message
fletchto99
force-pushed
the
feature-7.2
branch
from
2967cd5 to
6ac6e72
Compare
Co-authored-by: fletchto99 <[email protected]>m>
Co-authored-by: fletchto99 <[email protected]>
fletchto99
force-pushed
the
feature-7.2
branch
from
6ac6e72 to
e5f347e
Compare
closes #512 ## All PRs: * [x] Has tests * [x] Documentation updated ## Adding a new header (Reporting-Endpoints) **Is the header supported by any user agent?* Yes - Chrome 116+, Edge 116+, Opera 102+ (via Reporting API) **What does it do?** Defines HTTP reporting endpoints for CSP violations and other security/performance reports using the HTTP Reporting API **What are the valid values?** Comma-separated pairs of [name="url"] where url must be HTTPS (e.g., csp-violations="https://example.com/reports") **Where does the specification live?** [MDN Reporting-Endpoints](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Reporting-Endpoints) and [MDN report-to directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/report-to) ## Adding a new CSP directive (report-to) **Is the directive supported by any user agent?** Yes - Chrome 69+, Edge 79+, Firefox 110+, Safari 15.1+ **What does it do?** Specifies a named reporting endpoint (defined via Reporting-Endpoints header) where CSP violations should be reported, replacing or complementing report-uri **What are the valid values?** A single string endpoint name (e.g., report-to csp-violations), must match a name defined in the Reporting-Endpoints header --------- Co-authored-by: Kylie Stradley <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes: #541
Fixes: #514
Fixes: #450
Fixes: #348