0.4.3 ====== Safari 5 is just completely broken when CSP is used, both mobile and desktop versions 0.4.2 ====== - Stupid bug where Fixnums couldn't be used for config values - Doc updates 0.4.1 ====== - Allow strings or ints in the HSTS max-age (@reedloden) 0.4.0 ======= - Treat each header as it's own before_filter. This allows you to `skip_before_filter :set_X_header, :only => :bad_idea - Should be backwards compatible, but it is a change to the API. 0.3.0 ======= - Greatly reduce the need to use the forward_endpoint attribute. If you are posting from your site to a host that matches TLD+1 (e.g. translate.twitter.com matches twitter.com), use a protocol relative value for report-uri. This will alleviate the need to use forwarding. If your host doesn't match, you still need to use forwarding due to host mismatches for Firefox. 0.2.3 ======= - Fix error in report-uri logic for Firefox forwarding. 0.2.2 ======= - Stop applying chrome-extension: to Firefox directives. 0.2.1 ======= - Firefox headers will now stop overriding report_uri when only a path is supplied 0.2.0 ======= - 0.1.0 introduced a serious regression in which child controllers overwrote parent controller config values - Decoupling of CSP headers and the request object. Allows you to generate static values to save cycles: ```ruby FIREFOX = SecureHeaders::ContentSecurityPolicy.new(config, :ua => "Firefox", :ssl => true).value CHROME = SecureHeaders::ContentSecurityPolicy.new(config, :ua => "Chrome", :ssl => true).value ``` - :forward_endpoint now acts as the endpoint that reports are forwarded to (when using the internal forwarder feature for cross-host reporting) - Skeleton applications have been added to test isolated application configurations - Cleanup by @bemurphy 0.1.1 ======= Bug fix. Firefox doesn't seem to like the default-src directive, reverting back to 'allow' 0.1.0 ======= Notes: ------ - Gem is renamed to secure_headers. This will make bundler happy. https://github.com/twitter/secureheaders/pull/26 Features: ------ - ability to apply two headers, one in enforce mode, one in "experimental" mode https://github.com/twitter/secureheaders/pull/11 - Rails 3.0 support https://github.com/twitter/secureheaders/pull/28 Bug fixes, misc: ------ - Fix issue where settings in application_controller were ignored if no intializer was supplied https://github.com/twitter/secureheaders/pull/25 - Better support for other frameworks, including docs from @achui, @bmaland - Rails 4 routes support from @jviney https://github.com/twitter/secureheaders/pull/13 - data: automatically whitelisted for img-src - Doc updates from @ming13, @theverything, @dcollazo