
Commit 0b33264

committed
Revert "escape semicolons by replacing them with spaces"
This reverts commit ddec695.
1 parent ddec695 commit 0b33264


2 files changed

+2
-13
lines changed


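--- a/lib/secure_headers/headers/content_security_policy.rb
+++ b/lib/secure_headers/headers/content_security_policy.rb
@@ -138,14 +138,8 @@ def build_source_list_directive(directive)
 end
 
 if source_list != OPT_OUT && source_list && source_list.any?
-minified_source_list = minify_source_list(directive, source_list).join(" ")
-
-if minified_source_list.include?(";")
-Kernel.warn("#{directive} contains a ; in '#{minified_source_list}' which will raise an error in future versions. It has been replaced with a blank space.")
-end
-
-escaped_source_list = minified_source_list.gsub(";", " ")
-[symbol_to_hyphen_case(directive), escaped_source_list].join(" ").strip
+normalized_source_list = minify_source_list(directive, source_list)
+[symbol_to_hyphen_case(directive), normalized_source_list].join(" ")
 end
 end
 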
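Review bot: With the `gsub(";", " ")` step gone, the new line `[symbol_to_hyphen_case(directive), normalized_source_list].join(" ")` writes every source expression into the header verbatim, so a value containing `;` ends the current directive and the rest is parsed by the browser as a separate directive. If any source list can be built from request or tenant data, that input can alter the policy; rejecting such values before the join would close this, e.g. `raise ArgumentError, "#{directive} contains a ;" if normalized_source_list.any? { |source| source.to_s.include?(";") }` (assuming `minify_source_list` returns an array, as the removed `.join(" ")` suggests). The companion spec section drops the only test that pinned semicolon handling, so a spec asserting the rejection should go in with the check. `build_source_list_directive` begins above this hunk, so any earlier validation there is not visible here.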

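--- a/spec/lib/secure_headers/headers/content_security_policy_spec.rb
+++ b/spec/lib/secure_headers/headers/content_security_policy_spec.rb
@@ -28,11 +28,6 @@ module SecureHeaders
 expect(ContentSecurityPolicy.new.value).to eq("default-src https:; form-action 'self'; img-src https: data: 'self'; object-src 'none'; script-src https:; style-src 'self' 'unsafe-inline' https:")
 end
 
-it "deprecates and escapes semicolons in directive source lists" do
-expect(Kernel).to receive(:warn).with("frame_ancestors contains a ; in 'google.com;script-src *;.;' which will raise an error in future versions. It has been replaced with a blank space.")
-expect(ContentSecurityPolicy.new(frame_ancestors: %w(https://google.com;script-src https://*;.;)).value).to eq("frame-ancestors google.com script-src * .")
-end
-
 it "discards 'none' values if any other source expressions are present" do
 csp = ContentSecurityPolicy.new(default_opts.merge(child_src: %w('self' 'none')))
 expect(csp.value).not_to include("'none'")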
