Bump secure_headers from 2.2.2 to 6.3.0

[dependabot]

Bumps secure_headers from 2.2.2 to 6.3.0.

Release notes

Sourced from secure_headers's releases.

Fix rails 2 support

@​solenko noticed an issue with the way the gem is loaded in rails 2 twitter/secureheaders#304

Bug fix and strict dynamic support

• Fix bug that can occur when useragent library version is older, resulting in a nil version sometimes.
• Add constant for strict-dynamic

Add support for setting two headers

No release notes provided.

Handle frame-src/child-src gracefully

3.4.0 the frame-src/child-src transition for Firefox.

Handle the child-src/frame-src transition semi-intelligently across versions. I think the code best describes the behavior here:

if supported_directives.include?(:child_src)
  @config[:child_src] = @config[:child_src] || @config[:frame_src]
else
  @config[:frame_src] = @config[:frame_src] || @config[:child_src]
end

minor fix to silence warnings when using rake

@​dankohn was seeing "already initialized" errors in his output. This change conditionally defines the constants.

bugfix for boolean CSP directives

[@​stefansundin noticed](https://github-redirect.dependabot.com/twitter/secureheaders/pull/253) that supplying false to "boolean" CSP directives (e.g. upgrade-insecure-requests and block-all-mixed-content) would still include the value.

referrer-policy support

While not officially part of the spec and not implemented anywhere, support for the experimental referrer-policy header was preemptively added.

Additionally, two minor enhancements were added this version:

1. Warn when the HPKP report host is the same as the current host. By definition any generated reports would be reporting to a known compromised connection.
2. Filter unsupported CSP directives when using Edge. Previously, this was causing many warnings in the developer console.

Cookie settings and CSP hash sources

3.2.0 Cookie settings and CSP hash sources

Cookies

SecureHeaders supports Secure, HttpOnly and SameSite cookies. These can be defined in the form of a boolean, or as a Hash for more refined configuration.

Note: Regardless of the configuration specified, Secure cookies are only enabled for HTTPS requests.

Boolean-based configuration

Boolean-based configuration is intended to globally enable or disable a specific cookie attribute.

</tr></table> ... (truncated)

Changelog

Sourced from secure_headers's changelog.

6.3.0

Fixes newline injection issue

6.2.0

Fixes semicolon injection issue reported by @​mvgijssel see twitter/secure_headers#418

6.1.2

Adds the ability to specify SameSite=none with the same configurability as Strict/Lax in order to disable Chrome's soon-to-be-lax-by-default state.

6.1.1

Adds the ability to disable the automatically-appended 'unsafe-inline' value when nonces are used #404 (@​will)

6.1

Adds support for navigate-to, prefetch-src, and require-sri-for #395

NOTE: this version is a breaking change due to the removal of HPKP. Remove the HPKP config, the standard is dead. Apologies for not doing a proper deprecate/major rev cycle 🙏

6.0

• See the upgrading to 6.0 guide for the breaking changes.

5.0.5

• A release to deprecate SecureHeaders::Configuration#get in prep for 6.x

5.0.4

• Adds support for nonced_stylesheet_pack_tag #373 (@​paulfri)

5.0.3

• Add nonced versions of Rails link/include tags #372 (@​steveh)

5.0.2

• Updates Referrer-Policy header to support multiple policy values

5.0.1

• Updates Expect-CT header to use a comma separator between directives, as specified in the most current spec.

5.0.0

Well this is a little embarassing. 4.0 was supposed to set the secure/httponly/samesite=lax attributes on cookies by default but it didn't. Now it does. - See the upgrading to 5.0 guide.

... (truncated)

Commits

• 722a690 bump to 6.3
• 3016957 Merge pull request from GHSA-w978-rmpf-qmwg
• 3a2b548 Filter and warn on newlines
• 1298905 bump to 6.2
• 6e38cb4 Merge pull request #419 from twitter/escape-semi-colons
• eed6c16 lint
• 3c4b86e escape semicolons by replacing them with spaces
• 2068ba7 clean up some warnings
• 86c762a Remove outdated APL license blurb from readme, use only the LICENSE file
• 902041b Do years even matter?
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.