Diff of the two buildlogs: -- --- b1/build.log 2025-07-31 12:22:28.187982735 +0000 +++ b2/build.log 2025-07-31 12:23:08.372036868 +0000 @@ -1,6 +1,6 @@ I: pbuilder: network access will be disabled during build -I: Current time: Thu Jul 31 00:21:51 -12 2025 -I: pbuilder-time-stamp: 1753964511 +I: Current time: Thu Sep 3 08:45:30 +14 2026 +I: pbuilder-time-stamp: 1788374730 I: Building the build Environment I: extracting base tarball [/var/cache/pbuilder/trixie-reproducible-base.tgz] I: copying local configuration 
@@ -25,52 +25,84 @@ dpkg-source: info: applying 03-fix-library-path.patch I: Not using root during the build. I: Installing the build-deps -I: user script /srv/workspace/pbuilder/798624/tmp/hooks/D02_print_environment starting +I: user script /srv/workspace/pbuilder/893976/tmp/hooks/D01_modify_environment starting +debug: Running on codethink03-arm64. +I: Changing host+domainname to test build reproducibility +I: Adding a custom variable just for the fun of it... +I: Changing /bin/sh to bash +'/bin/sh' -> '/bin/bash' +lrwxrwxrwx 1 root root 9 Sep 2 18:45 /bin/sh -> /bin/bash +I: Setting pbuilder2's login shell to /bin/bash +I: Setting pbuilder2's GECOS to second user,second room,second work-phone,second home-phone,second other +I: user script /srv/workspace/pbuilder/893976/tmp/hooks/D01_modify_environment finished +I: user script /srv/workspace/pbuilder/893976/tmp/hooks/D02_print_environment starting I: set - BUILDDIR='/build/reproducible-path' - BUILDUSERGECOS='first user,first room,first work-phone,first home-phone,first other' - BUILDUSERNAME='pbuilder1' - BUILD_ARCH='arm64' - DEBIAN_FRONTEND='noninteractive' + BASH=/bin/sh + BASHOPTS=checkwinsize:cmdhist:complete_fullquote:extquote:force_fignore:globasciiranges:globskipdots:hostcomplete:interactive_comments:patsub_replacement:progcomp:promptvars:sourcepath + BASH_ALIASES=() + BASH_ARGC=() + BASH_ARGV=() + BASH_CMDS=() + BASH_LINENO=([0]="12" [1]="0") + BASH_LOADABLES_PATH=/usr/local/lib/bash:/usr/lib/bash:/opt/local/lib/bash:/usr/pkg/lib/bash:/opt/pkg/lib/bash:. 
+ BASH_SOURCE=([0]="/tmp/hooks/D02_print_environment" [1]="/tmp/hooks/D02_print_environment") + BASH_VERSINFO=([0]="5" [1]="2" [2]="37" [3]="1" [4]="release" [5]="aarch64-unknown-linux-gnu") + BASH_VERSION='5.2.37(1)-release' + BUILDDIR=/build/reproducible-path + BUILDUSERGECOS='second user,second room,second work-phone,second home-phone,second other' + BUILDUSERNAME=pbuilder2 + BUILD_ARCH=arm64 + DEBIAN_FRONTEND=noninteractive DEB_BUILD_OPTIONS='buildinfo=+all reproducible=+all parallel=12 ' - DISTRIBUTION='trixie' - HOME='/root' - HOST_ARCH='arm64' + DIRSTACK=() + DISTRIBUTION=trixie + EUID=0 + FUNCNAME=([0]="Echo" [1]="main") + GROUPS=() + HOME=/root + HOSTNAME=i-capture-the-hostname + HOSTTYPE=aarch64 + HOST_ARCH=arm64 IFS=' ' - INVOCATION_ID='a6b26346a44b43b390976480d4a649ef' - LANG='C' - LANGUAGE='en_US:en' - LC_ALL='C' - MAIL='/var/mail/root' - OPTIND='1' - PATH='/usr/sbin:/usr/bin:/sbin:/bin:/usr/games' - PBCURRENTCOMMANDLINEOPERATION='build' - PBUILDER_OPERATION='build' - PBUILDER_PKGDATADIR='/usr/share/pbuilder' - PBUILDER_PKGLIBDIR='/usr/lib/pbuilder' - PBUILDER_SYSCONFDIR='/etc' - PPID='798624' - PS1='# ' - PS2='> ' + INVOCATION_ID=5402b7028936459183cecc1e4651f957 + LANG=C + LANGUAGE=nl_BE:nl + LC_ALL=C + MACHTYPE=aarch64-unknown-linux-gnu + MAIL=/var/mail/root + OPTERR=1 + OPTIND=1 + OSTYPE=linux-gnu + PATH=/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path + PBCURRENTCOMMANDLINEOPERATION=build + PBUILDER_OPERATION=build + PBUILDER_PKGDATADIR=/usr/share/pbuilder + PBUILDER_PKGLIBDIR=/usr/lib/pbuilder + PBUILDER_SYSCONFDIR=/etc + PIPESTATUS=([0]="0") + POSIXLY_CORRECT=y + PPID=893976 PS4='+ ' - PWD='/' - SHELL='/bin/bash' - SHLVL='2' - SUDO_COMMAND='/usr/bin/timeout -k 18.1h 18h /usr/bin/ionice -c 3 /usr/bin/nice /usr/sbin/pbuilder --build --configfile /srv/reproducible-results/rbuild-debian/r-b-build.17joblaB/pbuilderrc_CZDD --distribution trixie --hookdir /etc/pbuilder/first-build-hooks --debbuildopts -b --basetgz 
/var/cache/pbuilder/trixie-reproducible-base.tgz --buildresult /srv/reproducible-results/rbuild-debian/r-b-build.17joblaB/b1 --logfile b1/build.log ruby-secure-headers_6.3.2-2.dsc' - SUDO_GID='109' - SUDO_UID='104' - SUDO_USER='jenkins' - TERM='unknown' - TZ='/usr/share/zoneinfo/Etc/GMT+12' - USER='root' - _='/usr/bin/systemd-run' - http_proxy='http://192.168.101.4:3128' + PWD=/ + SHELL=/bin/bash + SHELLOPTS=braceexpand:errexit:hashall:interactive-comments:posix + SHLVL=3 + SUDO_COMMAND='/usr/bin/timeout -k 24.1h 24h /usr/bin/ionice -c 3 /usr/bin/nice -n 11 /usr/bin/unshare --uts -- /usr/sbin/pbuilder --build --configfile /srv/reproducible-results/rbuild-debian/r-b-build.17joblaB/pbuilderrc_1crd --distribution trixie --hookdir /etc/pbuilder/rebuild-hooks --debbuildopts -b --basetgz /var/cache/pbuilder/trixie-reproducible-base.tgz --buildresult /srv/reproducible-results/rbuild-debian/r-b-build.17joblaB/b2 --logfile b2/build.log ruby-secure-headers_6.3.2-2.dsc' + SUDO_GID=109 + SUDO_UID=104 + SUDO_USER=jenkins + TERM=unknown + TZ=/usr/share/zoneinfo/Etc/GMT-14 + UID=0 + USER=root + _='I: set' + http_proxy=http://192.168.101.4:3128 I: uname -a - Linux codethink04-arm64 6.1.0-37-cloud-arm64 #1 SMP Debian 6.1.140-1 (2025-05-22) aarch64 GNU/Linux + Linux i-capture-the-hostname 6.1.0-37-cloud-arm64 #1 SMP Debian 6.1.140-1 (2025-05-22) aarch64 GNU/Linux I: ls -l /bin - lrwxrwxrwx 1 root root 7 May 12 19:25 /bin -> usr/bin -I: user script /srv/workspace/pbuilder/798624/tmp/hooks/D02_print_environment finished + lrwxrwxrwx 1 root root 7 May 12 2025 /bin -> usr/bin +I: user script /srv/workspace/pbuilder/893976/tmp/hooks/D02_print_environment finished -> Attempting to satisfy build-dependencies -> Creating pbuilder-satisfydepends-dummy package Package: pbuilder-satisfydepends-dummy 
@@ -269,7 +301,7 @@ Get: 149 http://deb.debian.org/debian trixie/main arm64 ruby-rspec-mocks all 3.13.0c0e0m0s1-2 [81.3 kB] Get: 150 http://deb.debian.org/debian trixie/main arm64 ruby-rspec all 3.13.0c0e0m0s1-2 [5184 B] Get: 151 http://deb.debian.org/debian trixie/main arm64 ruby-useragent all 0.16.8-1.1 [12.0 kB] -Fetched 36.3 MB in 0s (198 MB/s) +Fetched 36.3 MB in 0s (139 MB/s) Preconfiguring packages ... Selecting previously unselected package libexpat1:arm64. (Reading database ... (Reading database ... 5% (Reading database ... 10% (Reading database ... 15% (Reading database ... 20% (Reading database ... 25% (Reading database ... 30% (Reading database ... 35% (Reading database ... 40% (Reading database ... 45% (Reading database ... 50% (Reading database ... 55% (Reading database ... 60% (Reading database ... 65% (Reading database ... 70% (Reading database ... 75% (Reading database ... 80% (Reading database ... 85% (Reading database ... 90% (Reading database ... 95% (Reading database ... 100% (Reading database ... 19964 files and directories currently installed.) @@ -769,8 +801,8 @@ Setting up tzdata (2025b-4) ... Current default time zone: 'Etc/UTC' -Local time is now: Thu Jul 31 12:22:11 UTC 2025. -Universal Time is now: Thu Jul 31 12:22:11 UTC 2025. +Local time is now: Wed Sep 2 18:45:49 UTC 2026. +Universal Time is now: Wed Sep 2 18:45:49 UTC 2026. Run 'dpkg-reconfigure tzdata' if you wish to change it. Setting up ruby-minitest (5.25.4-3) ... 
@@ -908,7 +940,11 @@ Building tag database... -> Finished parsing the build-deps I: Building the package -I: Running cd /build/reproducible-path/ruby-secure-headers-6.3.2/ && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games" HOME="/nonexistent/first-build" dpkg-buildpackage -us -uc -b && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games" HOME="/nonexistent/first-build" dpkg-genchanges -S > ../ruby-secure-headers_6.3.2-2_source.changes +I: user script /srv/workspace/pbuilder/893976/tmp/hooks/A99_set_merged_usr starting +Not re-configuring usrmerge for trixie +I: user script /srv/workspace/pbuilder/893976/tmp/hooks/A99_set_merged_usr finished +hostname: Name or service not known +I: Running cd /build/reproducible-path/ruby-secure-headers-6.3.2/ && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path" HOME="/nonexistent/second-build" dpkg-buildpackage -us -uc -b && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path" HOME="/nonexistent/second-build" dpkg-genchanges -S > ../ruby-secure-headers_6.3.2-2_source.changes dpkg-buildpackage: info: source package ruby-secure-headers dpkg-buildpackage: info: source version 6.3.2-2 dpkg-buildpackage: info: source distribution unstable @@ -941,7 +977,7 @@ │ ruby-secure-headers: Installing files and building extensions for ruby3.3 │ └──────────────────────────────────────────────────────────────────────────────┘ -/usr/bin/ruby3.3 -S gem build --config-file /dev/null --verbose /tmp/d20250731-810344-xhmscl/gemspec +/usr/bin/ruby3.3 -S gem build --config-file /dev/null --verbose /tmp/d20260903-904730-5jtwfg/gemspec WARNING: License identifier 'Apache Public License 2.0' is invalid. Use an identifier from https://spdx.org/licenses or 'Nonstandard' for a nonstandard license, or set it to nil if you don't want to specify a license. 
@@ -954,7 +990,7 @@ Name: secure_headers Version: 6.3.2 File: secure_headers-6.3.2.gem -/usr/bin/ruby3.3 -S gem install --config-file /dev/null --verbose --local --verbose --no-document --ignore-dependencies --install-dir debian/ruby-secure-headers/usr/share/rubygems-integration/all /tmp/d20250731-810344-xhmscl/secure_headers-6.3.2.gem +/usr/bin/ruby3.3 -S gem install --config-file /dev/null --verbose --local --verbose --no-document --ignore-dependencies --install-dir debian/ruby-secure-headers/usr/share/rubygems-integration/all /tmp/d20260903-904730-5jtwfg/secure_headers-6.3.2.gem /build/reproducible-path/ruby-secure-headers-6.3.2/debian/ruby-secure-headers/usr/share/rubygems-integration/all/gems/secure_headers-6.3.2/lib/secure_headers.rb /build/reproducible-path/ruby-secure-headers-6.3.2/debian/ruby-secure-headers/usr/share/rubygems-integration/all/gems/secure_headers-6.3.2/lib/secure_headers/configuration.rb /build/reproducible-path/ruby-secure-headers-6.3.2/debian/ruby-secure-headers/usr/share/rubygems-integration/all/gems/secure_headers-6.3.2/lib/secure_headers/hash_helper.rb 
@@ -1010,328 +1046,328 @@ [Coveralls] Set up the SimpleCov formatter. [Coveralls] Using SimpleCov's default settings. -Randomized with seed 4183 +Randomized with seed 57383 -SecureHeaders::ViewHelpers - avoids calling content_security_policy_nonce internally - adds known hash values to the corresponding headers when the helper is used - raises an error when using hashed content with precomputed hashes, but none for the given file - raises an error when using previously unknown hashed content with precomputed hashes for a given file - raises an error when using hashed content without precomputed hashes +SecureHeaders::Middleware + respects overrides + uses named overrides + sets the headers + cookies + allows opting out of cookie protection with OPT_OUT alone + cookies should not be flagged + does not flags cookies as secure + cookies should be flagged + flags cookies as secure + cookies + sets the secure cookie flag correctly on interleaved http/https requests + flags cookies from configuration + disables secure cookies for non-https requests + flags cookies with a combination of SameSite configurations + +SecureHeaders::XXssProtection + is expected to eq ["X-XSS-Protection", "1; mode=block"] + is expected to eq ["X-XSS-Protection", "1; mode=block; report=https://www.secure.com/reports"] + with invalid configuration + should raise an error when providing a string that is not valid + when using a hash value + should raise an error if mode != block + should raise an error if an invalid key is supplied + should raise an error if no value key is supplied + should allow string values ('1' or '0' are the only valid strings) + +SecureHeaders::XContentTypeOptions + #value + is expected to eq ["X-Content-Type-Options", "nosniff"] + is expected to eq ["X-Content-Type-Options", "nosniff"] + invalid configuration values + accepts nil + doesn't accept anything besides no-sniff + accepts nosniff + +SecureHeaders::ClearSiteData + validate_config! 
+ succeeds for `nil` config + fails for other types of config + succeeds for `true` config + succeeds for opt-out config + fails for Array of non-String config + succeeds for empty config + succeeds for Array of Strings config + make_header_value + returns a string of quoted values that are comma separated + make_header + returns nil with opt-out config + returns nil with empty config + returns nil with nil config + returns all types with `true` config + returns specified types with an invalid configuration + raises an exception when both only and except filters are provided + raises an exception when SameSite strict and none enforcement modes are configured with booleans + raises an exception when configured without a boolean(true or OPT_OUT)/Hash raises an exception when SameSite none and lax enforcement modes are configured with booleans - raises an exception when both lax and strict only filters are provided to SameSite configurations + raises an exception when SameSite lax and strict enforcement modes are configured with booleans raises an exception when SameSite lax and none enforcement modes are configured with booleans + raises an exception when both lax and strict only filters are provided to SameSite configurations raises an exception when both only and except filters are provided to SameSite configurations - raises an exception when configured without a boolean(true or OPT_OUT)/Hash + raises an exception when SameSite none and strict enforcement modes are configured with booleans raises an exception when configured with false - raises an exception when SameSite is not configured with a Hash - raises an exception when both only and except filters are provided raises an exception when both lax and strict only filters are provided to SameSite configurations raises an exception when SameSite strict and lax enforcement modes are configured with booleans - raises an exception when SameSite strict and none enforcement modes are configured with booleans - raises 
an exception when SameSite lax and strict enforcement modes are configured with booleans raises an exception when SameSite lax and strict enforcement modes are configured with booleans raises an exception when not configured with a Hash - raises an exception when SameSite none and strict enforcement modes are configured with booleans - -SecureHeaders::ExpectCertificateTransparency - is expected to eq "enforce, max-age=1234" - is expected to eq "enforce, max-age=1234, report-uri=\"https://report-uri.io/expect-ct\"" - is expected to eq "max-age=1234" - is expected to eq "max-age=1234, report-uri=\"https://report-uri.io/expect-ct\"" - is expected to eq "max-age=1234" - with an invalid configuration - raises an exception with an invalid max-age - raises an exception with an invalid enforce value - raises an exception when max-age is not provided - raises an exception when configuration isn't a hash + raises an exception when SameSite is not configured with a Hash SecureHeaders::PolicyManagement - #combine_policies - overrides the :block_all_mixed_content flag - raises an error if appending to a OPT_OUT policy - overrides the report_only flag - combines the default-src value with the override if the directive was unconfigured - combines directives where the original value is nil and the hash is frozen - does not combine the default-src value for directives that don't fall back to default sources #validate_config! 
- doesn't allow report_only to be set in a non-report-only config - requires :upgrade_insecure_requests to be a boolean value - requires :report_only to be a truthy value - requires :preserve_schemes to be a truthy value - requires a :script_src value - rejects unknown directives / config - accepts anything of the form allow-* as a sandbox value - rejects anything not of the form allow-* as a sandbox value - requires :block_all_mixed_content to be a boolean value - allows report_only to be set in a report-only config + requires a :default_src value accepts anything of the form type/subtype as a plugin-type value + accepts all keys accepts OPT_OUT as a script-src value - requires all source lists to be an array of strings + allows report_only to be set in a report-only config performs light validation on source lists - requires a :default_src value - accepts all keys + accepts anything of the form allow-* as a sandbox value + rejects anything not of the form allow-* as a sandbox value + rejects unknown directives / config + requires :block_all_mixed_content to be a boolean value + requires :preserve_schemes to be a truthy value allows nil values - accepts true as a sandbox policy + doesn't allow report_only to be set in a non-report-only config rejects anything not of the form type/subtype as a plugin-type value + requires all source lists to be an array of strings + accepts true as a sandbox policy + requires :upgrade_insecure_requests to be a boolean value + requires :report_only to be a truthy value + requires a :script_src value + #combine_policies + overrides the report_only flag + raises an error if appending to a OPT_OUT policy + overrides the :block_all_mixed_content flag + combines the default-src value with the override if the directive was unconfigured + combines directives where the original value is nil and the hash is frozen + does not combine the default-src value for directives that don't fall back to default sources 
-SecureHeaders::ContentSecurityPolicy - #name - when in enforce mode - is expected to eq "Content-Security-Policy" - when in report-only mode - is expected to eq "Content-Security-Policy-Report-Only" +SecureHeaders::XDownloadOptions + is expected to eq ["X-Download-Options", "noopen"] + is expected to eq ["X-Download-Options", "noopen"] + invalid configuration values + doesn't accept anything besides noopen + accepts noopen + accepts nil + +SecureHeaders::StrictTransportSecurity #value - supports strict-dynamic and opting out of the appended 'unsafe-inline' - discards 'none' values if any other source expressions are present - includes prefetch-src - does not emit a warning when using frame-src - removes http/s schemes from hosts - discards source expressions (besides unsafe-* and non-host source values) when * is present - creates sandbox policy when passed valid sandbox token values - does not add a directive if the value is nil - minifies source expressions based on overlapping wildcards - includes navigate-to - does not add a boolean directive if the value is false - does not add a directive if the value is an empty array (or all nil) - creates maximally strict sandbox policy when passed no sandbox token values - does not build directives with a value of OPT_OUT (and bypasses directive requirements) - deprecates and escapes semicolons in directive source lists - deprecates and escapes semicolons in directive source lists - removes nil from source lists - allows style as a require-sri-src - does not remove schemes when :preserve_schemes is true - supports script-src-elem directive - uses a safe but non-breaking default value - allows script as a require-sri-src - supports style-src-elem directive - supports strict-dynamic - supports script-src-attr directive - creates maximally strict sandbox policy when passed true - does add a boolean directive if the value is true - allows script and style as a require-sri-src - does not remove schemes from report-uri values 
- deduplicates any source expressions - supports style-src-attr directive + is expected to eq ["Strict-Transport-Security", "max-age=631138519"] + is expected to eq ["Strict-Transport-Security", "max-age=1234; includeSubdomains; preload"] + with an invalid configuration + with a string argument + raises an exception if max-age is not supplied + raises an exception with an invalid max-age + raises an exception with an invalid format -SecureHeaders::Middleware - uses named overrides - sets the headers - respects overrides - cookies - sets the secure cookie flag correctly on interleaved http/https requests - flags cookies from configuration - disables secure cookies for non-https requests - flags cookies with a combination of SameSite configurations - cookies - allows opting out of cookie protection with OPT_OUT alone - cookies should not be flagged - does not flags cookies as secure - cookies should be flagged - flags cookies as secure +SecureHeaders::Configuration + stores an override + has an 'noop' override + has a default config + deprecates the secure_cookies configuration + dup results in a copy of the default config + allows me to be explicit too + allows OPT_OUT + gives cookies a default config + #override + raises when a named append with the given name exists + raises on configuring an existing override + #named_append + raises when an override with the given name exists + raises on configuring an existing append -SecureHeaders::XPermittedCrossDomainPolicies - is expected to eq ["X-Permitted-Cross-Domain-Policies", "none"] - is expected to eq ["X-Permitted-Cross-Domain-Policies", "master-only"] - valid configuration values - accepts 'master-only' - accepts nil - accepts 'by-content-type' - accepts 'by-ftp-filename' - accepts 'all' - invlaid configuration values - doesn't accept invalid values +SecureHeaders::XFrameOptions + #value + is expected to eq ["X-Frame-Options", "sameorigin"] + is expected to eq ["X-Frame-Options", "DENY"] + with invalid 
configuration + allows DENY + does not allow garbage + allows ALLOW-FROM* + allows SAMEORIGIN + +SecureHeaders::ExpectCertificateTransparency + is expected to eq "max-age=1234" + is expected to eq "max-age=1234, report-uri=\"https://report-uri.io/expect-ct\"" + is expected to eq "enforce, max-age=1234, report-uri=\"https://report-uri.io/expect-ct\"" + is expected to eq "enforce, max-age=1234" + is expected to eq "max-age=1234" + with an invalid configuration + raises an exception when configuration isn't a hash + raises an exception with an invalid max-age + raises an exception with an invalid enforce value + raises an exception when max-age is not provided + +SecureHeaders::Cookie + prevents duplicate flagging of attributes + applies httponly, secure, and samesite by default + does not tamper with cookies when using OPT_OUT is used + preserves existing attributes + HttpOnly cookies + when configured with a Hash + does not flag cookies as HttpOnly when excluded + flags cookies as HttpOnly when whitelisted + when configured with a boolean + flags cookies as HttpOnly + SameSite cookies + flags SameSite=Lax when configured with a boolean + ignores configuration if the cookie is already flagged + flags SameSite=Strict when configured with a boolean + flags properly when both lax and strict are configured + does not flag cookies as SameSite=None when excluded + flags SameSite=None + flags SameSite=Strict when configured with a boolean + samesite: true sets all cookies to samesite=lax + flags SameSite=Lax + flags SameSite=Strict + does not flag cookies as SameSite=Strict when excluded + does not flag cookies as SameSite=Lax when excluded + flags SameSite=None when configured with a boolean + Secure cookies + when configured with a Hash + flags cookies as Secure when whitelisted + does not flag cookies as Secure when excluded + when configured with a boolean + flags cookies as Secure SecureHeaders - raises a NotYetConfiguredError if trying to opt-out of unconfigured 
headers raises a AlreadyConfiguredError if trying to configure and default has already been set - raises a NotYetConfiguredError if default has not been set raises and ArgumentError when referencing an override that has not been set + raises a NotYetConfiguredError if trying to opt-out of unconfigured headers + raises a NotYetConfiguredError if default has not been set + validation + validates your cookies config upon configuration + validates your xcto config upon configuration + validates your x_xss config upon configuration + validates your xfo config upon configuration + validates your csp config upon configuration + validates your x_permitted_cross_domain_policies config upon configuration + validates your hsts config upon configuration + validates your referrer_policy config upon configuration + raises errors for unknown directives + validates your clear site data config upon configuration + validates your xdo config upon configuration #header_hash_for - produces a hash of headers with default config - does not set the HSTS header if request is over HTTP allows you to override X-Frame-Options settings + produces a hash of headers with default config allows you to opt out entirely + allows you to override opting out Carries options over when using overrides + does not set the HSTS header if request is over HTTP Overrides the current default config if default config changes during request allows you to opt out of individual headers via API - allows you to override opting out content security policy - overrides non-existant directives + Raises an error if csp_report_only is used with `report_only: false` + appends a value to csp directive appends a hash to a missing script-src value - appends a nonce to the script-src when used does not support the deprecated `report_only: true` format + overrides non-existant directives overrides individual directives - appends a value to csp directive - Raises an error if csp_report_only is used with `report_only: false` - 
supports named appends appends a nonce to a missing script-src value + supports named appends + appends a nonce to the script-src when used setting two headers - allows appending to both policies - allows overriding the report only policy - allows appending to the report only policy + sets identical values when the configs are the same allows overriding both policies allows appending to the enforced policy + allows overriding the report only policy + sets different headers when the configs are different + allows appending to the report only policy allows overriding the enforced policy + allows appending to both policies allows you to opt-out of enforced CSP - sets different headers when the configs are different - sets identical values when the configs are the same when inferring which config to modify - updates both headers if both are configured updates the report only header when configured + updates both headers if both are configured updates the enforced header when configured - validation - validates your xdo config upon configuration - validates your x_permitted_cross_domain_policies config upon configuration - validates your cookies config upon configuration - validates your hsts config upon configuration - validates your xfo config upon configuration - validates your xcto config upon configuration - validates your clear site data config upon configuration - validates your x_xss config upon configuration - validates your referrer_policy config upon configuration - raises errors for unknown directives - validates your csp config upon configuration - -SecureHeaders::Cookie - preserves existing attributes - prevents duplicate flagging of attributes - does not tamper with cookies when using OPT_OUT is used - applies httponly, secure, and samesite by default - Secure cookies - when configured with a Hash - flags cookies as Secure when whitelisted - does not flag cookies as Secure when excluded - when configured with a boolean - flags cookies as Secure - SameSite 
cookies - flags properly when both lax and strict are configured - flags SameSite=Strict - flags SameSite=Strict when configured with a boolean - flags SameSite=Lax - does not flag cookies as SameSite=None when excluded - flags SameSite=Strict when configured with a boolean - flags SameSite=Lax when configured with a boolean - flags SameSite=None - samesite: true sets all cookies to samesite=lax - does not flag cookies as SameSite=Strict when excluded - flags SameSite=None when configured with a boolean - ignores configuration if the cookie is already flagged - does not flag cookies as SameSite=Lax when excluded - HttpOnly cookies - when configured with a Hash - does not flag cookies as HttpOnly when excluded - flags cookies as HttpOnly when whitelisted - when configured with a boolean - flags cookies as HttpOnly - -SecureHeaders::XContentTypeOptions - #value - is expected to eq ["X-Content-Type-Options", "nosniff"] - is expected to eq ["X-Content-Type-Options", "nosniff"] - invalid configuration values - accepts nil - doesn't accept anything besides no-sniff - accepts nosniff - -SecureHeaders::StrictTransportSecurity - #value - is expected to eq ["Strict-Transport-Security", "max-age=631138519"] - is expected to eq ["Strict-Transport-Security", "max-age=1234; includeSubdomains; preload"] - with an invalid configuration - with a string argument - raises an exception with an invalid format - raises an exception if max-age is not supplied - raises an exception with an invalid max-age - -SecureHeaders::Configuration - has a default config - allows me to be explicit too - gives cookies a default config - allows OPT_OUT - stores an override - has an 'noop' override - dup results in a copy of the default config - deprecates the secure_cookies configuration - #override - raises when a named append with the given name exists - raises on configuring an existing override - #named_append - raises on configuring an existing append - raises when an override with the given name 
exists - -SecureHeaders::XXssProtection - is expected to eq ["X-XSS-Protection", "1; mode=block"] - is expected to eq ["X-XSS-Protection", "1; mode=block; report=https://www.secure.com/reports"] - with invalid configuration - should raise an error when providing a string that is not valid - when using a hash value - should allow string values ('1' or '0' are the only valid strings) - should raise an error if mode != block - should raise an error if an invalid key is supplied - should raise an error if no value key is supplied -SecureHeaders::ClearSiteData - make_header - returns specified types - returns nil with opt-out config - returns nil with nil config - returns all types with `true` config - returns nil with empty config - make_header_value - returns a string of quoted values that are comma separated - validate_config! - fails for Array of non-String config - succeeds for `true` config - fails for other types of config - succeeds for Array of Strings config - succeeds for empty config - succeeds for opt-out config - succeeds for `nil` config +SecureHeaders::XPermittedCrossDomainPolicies + is expected to eq ["X-Permitted-Cross-Domain-Policies", "none"] + is expected to eq ["X-Permitted-Cross-Domain-Policies", "master-only"] + invlaid configuration values + doesn't accept invalid values + valid configuration values + accepts 'all' + accepts 'by-content-type' + accepts nil + accepts 'by-ftp-filename' + accepts 'master-only' SecureHeaders::ReferrerPolicy + is expected to eq ["Referrer-Policy", "origin-when-cross-origin, strict-origin-when-cross-origin"] is expected to eq ["Referrer-Policy", "origin-when-cross-origin"] is expected to eq ["Referrer-Policy", "no-referrer"] - is expected to eq ["Referrer-Policy", "origin-when-cross-origin, strict-origin-when-cross-origin"] - invalid configuration values - doesn't accept invalid types - doesn't accept invalid values valid configuration values accepts 'unsafe-url' - accepts 'no-referrer-when-downgrade' accepts 
'no-referrer' accepts 'strict-origin' - accepts 'origin' - accepts 'origin-when-cross-origin' - accepts array of policy values accepts nil accepts 'same-origin' + accepts 'origin' + accepts 'no-referrer-when-downgrade' + accepts array of policy values accepts 'strict-origin-when-cross-origin' + accepts 'origin-when-cross-origin' + invalid configuration values + doesn't accept invalid values + doesn't accept invalid types -SecureHeaders::XFrameOptions - #value - is expected to eq ["X-Frame-Options", "sameorigin"] - is expected to eq ["X-Frame-Options", "DENY"] - with invalid configuration - allows ALLOW-FROM* - allows DENY - allows SAMEORIGIN - does not allow garbage +SecureHeaders::ViewHelpers + adds known hash values to the corresponding headers when the helper is used + raises an error when using hashed content with precomputed hashes, but none for the given file + raises an error when using previously unknown hashed content with precomputed hashes for a given file + raises an error when using hashed content without precomputed hashes + avoids calling content_security_policy_nonce internally -SecureHeaders::XDownloadOptions - is expected to eq ["X-Download-Options", "noopen"] - is expected to eq ["X-Download-Options", "noopen"] - invalid configuration values - doesn't accept anything besides noopen - accepts nil - accepts noopen +SecureHeaders::ContentSecurityPolicy + #value + does not remove schemes when :preserve_schemes is true + creates sandbox policy when passed valid sandbox token values + deduplicates any source expressions + includes navigate-to + does not add a boolean directive if the value is false + does not add a directive if the value is nil + removes http/s schemes from hosts + does not build directives with a value of OPT_OUT (and bypasses directive requirements) + discards source expressions (besides unsafe-* and non-host source values) when * is present + does add a boolean directive if the value is true + supports style-src-elem directive + 
deprecates and escapes semicolons in directive source lists + creates maximally strict sandbox policy when passed no sandbox token values + supports script-src-attr directive + supports strict-dynamic and opting out of the appended 'unsafe-inline' + supports style-src-attr directive + creates maximally strict sandbox policy when passed true + does not remove schemes from report-uri values + does not add a directive if the value is an empty array (or all nil) + allows script and style as a require-sri-src + allows script as a require-sri-src + discards 'none' values if any other source expressions are present + does not emit a warning when using frame-src + includes prefetch-src + supports strict-dynamic + allows style as a require-sri-src + uses a safe but non-breaking default value + removes nil from source lists + deprecates and escapes semicolons in directive source lists + minifies source expressions based on overlapping wildcards + supports script-src-elem directive + #name + when in enforce mode + is expected to eq "Content-Security-Policy" + when in report-only mode + is expected to eq "Content-Security-Policy-Report-Only" -Finished in 0.15161 seconds (files took 0.41572 seconds to load) +Finished in 0.15183 seconds (files took 0.43682 seconds to load) 240 examples, 0 failures -Randomized with seed 4183 +Randomized with seed 57383 [Coveralls] Outside the CI environment, not sending data. 
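Review bot: nearly every changed line in the @@ -1010,328 +1046,328 @@ hunk is the RSpec example listing reordered, and the reorder is explained by the seed lines `-Randomized with seed 4183` / `+Randomized with seed 57383`; both runs end in `240 examples, 0 failures`, so no test behaviour differs between the two builds, only the order in which examples were run and printed (the `Finished in 0.15161 seconds` / `Finished in 0.15183 seconds` timing lines are the only other change). If keeping this part of the build log diffable matters, the package's test invocation could pin the ordering, for example by passing a fixed `--seed` or `--order defined` to rspec, instead of letting each build draw a random seed; that affects only the log text, not the contents of the built package, so it is a log-hygiene suggestion rather than a reproducibility defect.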
@@ -1362,12 +1398,14 @@ dpkg-buildpackage: info: binary-only upload (no source included) dpkg-genchanges: info: not including original source code in upload I: copying local configuration +I: user script /srv/workspace/pbuilder/893976/tmp/hooks/B01_cleanup starting +I: user script /srv/workspace/pbuilder/893976/tmp/hooks/B01_cleanup finished I: unmounting dev/ptmx filesystem I: unmounting dev/pts filesystem I: unmounting dev/shm filesystem I: unmounting proc filesystem I: unmounting sys filesystem I: cleaning the build env -I: removing directory /srv/workspace/pbuilder/798624 and its subdirectories -I: Current time: Thu Jul 31 00:22:27 -12 2025 -I: pbuilder-time-stamp: 1753964547 +I: removing directory /srv/workspace/pbuilder/893976 and its subdirectories +I: Current time: Thu Sep 3 08:46:07 +14 2026 +I: pbuilder-time-stamp: 1788374767
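Review bot: the @@ -908,7 +940,11 @@ hunk introduces `+hostname: Name or service not known` right before the dpkg-buildpackage invocation, a line the first build does not have. "Name or service not known" is a name-resolution error, and it lines up with the second build running under `unshare --uts` (see `SUDO_COMMAND` in the environment hunk) with `HOSTNAME=i-capture-the-hostname` and `uname -a` reporting that same name; a host name that does not resolve will make any `hostname -f` or FQDN lookup in the build fail. Since the build completed and the test suite passed in both runs, this is informational, but it is worth confirming that nothing in the packaging or the test setup depends on a resolvable FQDN, as that dependency would show up as a build difference rather than just this one warning line.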
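Review bot: in the @@ -941,7 +977,7 @@ and @@ -954,7 +990,7 @@ hunks the only difference is the per-build temporary directory in the `gem build` and `gem install` command lines (`/tmp/d20250731-810344-xhmscl/...` versus `/tmp/d20260903-904730-5jtwfg/...`). A fresh temporary name on each run is expected and harmless as long as it appears only in the log; what this diff cannot show is whether that path is captured anywhere in the installed files under `debian/ruby-secure-headers/usr/share/rubygems-integration/all`, so the artifact comparison (not the build-log diff) is the place to confirm that the temporary path does not leak into the package.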