secure_headers/Gemfile

# frozen_string_literal: true
source "https://rubygems.org"

gemspec

gem "benchmark-ips"

group :test do
  gem "coveralls"
  gem "json"
  gem "pry-nav"
  gem "rack"
  gem "rspec"
  gem "rubocop"
  gem "rubocop-github"
  gem "rubocop-performance"
  gem "term-ansicolor"
  gem "tins"
end

group :guard do
  gem "growl"
  gem "guard-rspec", platforms: [:ruby]
  gem "rb-fsevent"
  gem "terminal-notifier-guard"
end
fix rubocop violations 2017-06-02 04:56:25 +03:00			`# frozen_string_literal: true`
Major rewrite: Configure a global default and named overrides Use helper methods to set/modify configurations at runtime Set the headers in middleware based on the configuration saved to request.env Configuration changes: All headers require string values except for CSP and HPKP CSP directives must be arrays of strings, no more support for space-delimited strings or procs 2015-10-07 03:30:16 +03:00			`source "https://rubygems.org"`
Initial Commit Signed-off-by: Chris Aniszczyk <zx@twitter.com> 2013-01-23 03:09:22 +04:00
			`gemspec`

Make SecureSecurityPolicyConfig significantly faster (#506) We have been seeing this gem a lot in profiles. Must of this slowness seems to come from overuse of instance variables in `DynamicConfig` and attempting to use them basically as a hash (which we can do much faster with a hash 😅) The first commit of these is the most important, but the other two also significantly speed things up. There is definitely more improvement available here, we seem to be overly cautious in duplicating arrays, and we also seem to convert unnecessarily between hashes and the config object, but I think this is the best place to start. <details> <summary>Benchmark:</summary> ``` require "secure_headers" require "benchmark/ips" # Copied from README MyCSPConfig = SecureHeaders::ContentSecurityPolicyConfig.new( preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content. disable_nonce_backwards_compatibility: true, # default: false. If false, `unsafe-inline` will be added automatically when using nonces. If true, it won't. See #403 for why you'd want this. # directive values: these values will directly translate into source directives default_src: %w('none'), base_uri: %w('self'), block_all_mixed_content: true, # see https://www.w3.org/TR/mixed-content/ child_src: %w('self'), # if child-src isn't supported, the value for frame-src will be set. connect_src: %w(wss:), font_src: %w('self' data:), form_action: %w('self' github.com), frame_ancestors: %w('none'), img_src: %w(mycdn.com data:), manifest_src: %w('self'), media_src: %w(utoob.com), object_src: %w('self'), sandbox: true, # true and [] will set a maximally restrictive setting plugin_types: %w(application/x-shockwave-flash), script_src: %w('self'), script_src_elem: %w('self'), script_src_attr: %w('self'), style_src: %w('unsafe-inline'), style_src_elem: %w('unsafe-inline'), style_src_attr: %w('unsafe-inline'), worker_src: %w('self'), upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/ report_uri: %w(https://report-uri.io/example-csp) ) Benchmark.ips do \|x\| x.report "csp_config.to_h" do MyCSPConfig.to_h end x.report "csp_config.append" do MyCSPConfig.append({}) end x.report "new(config).value" do SecureHeaders::ContentSecurityPolicy.new(MyCSPConfig).value end end ``` </details> Before: ``` $ be ruby bench.rb Warming up -------------------------------------- csp_config.to_h 13.737k i/100ms csp_config.append 2.105k i/100ms new(config).value 1.429k i/100ms Calculating ------------------------------------- csp_config.to_h 139.988k (± 0.3%) i/s - 700.587k in 5.004666s csp_config.append 21.133k (± 2.4%) i/s - 107.355k in 5.082856s new(config).value 14.298k (± 0.4%) i/s - 72.879k in 5.097116s ``` After: ``` $ be ruby bench.rb Warming up -------------------------------------- csp_config.to_h 123.784k i/100ms csp_config.append 4.181k i/100ms new(config).value 1.617k i/100ms Calculating ------------------------------------- csp_config.to_h 1.238M (± 3.1%) i/s - 6.189M in 5.003769s csp_config.append 40.921k (± 1.0%) i/s - 204.869k in 5.006924s new(config).value 16.095k (± 0.4%) i/s - 80.850k in 5.023259s ``` `to_h` is 10x faster, `append` is 2x faster, and .value (which was not the target of these optimizations but I didn't want to see it regress) is slightly faster --------- Co-authored-by: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com> 2023-08-11 21:20:28 +03:00			`gem "benchmark-ips"`

Initial Commit Signed-off-by: Chris Aniszczyk <zx@twitter.com> 2013-01-23 03:09:22 +04:00			`group :test do`
fix rubocop violations 2017-06-02 04:56:25 +03:00			`gem "coveralls"`
upgrade some test dependencies 2017-11-29 21:15:50 +03:00			`gem "json"`
fix rubocop violations 2017-06-02 04:56:25 +03:00			`gem "pry-nav"`
upgrade some test dependencies 2017-11-29 21:15:50 +03:00			`gem "rack"`
cleanup gemfile, move guard gems to guard group 2016-03-01 14:23:15 +03:00			`gem "rspec"`
don't limit rubocop version 2021-11-15 09:06:24 +03:00			`gem "rubocop"`
add rubocop-github 2017-06-02 04:55:58 +03:00			`gem "rubocop-github"`
Add rubocop-performance gem and config to fix deprecation message (#430) * Add rubocop-performance gem and config to fix deprecation message * ehhh apparently the order of the gemfile matters? Gemfile:14:3: C: Bundler/OrderedGems: Gems should be sorted in an alphabetical order within their section of the Gemfile. Gem rubocop-github should appear before rubocop-performance. gem "rubocop-github" ^^^^^^^^^^^^^^^^^^^^ 2020-02-20 22:26:20 +03:00			`gem "rubocop-performance"`
upgrade some test dependencies 2017-11-29 21:15:50 +03:00			`gem "term-ansicolor"`
			`gem "tins"`
cleanup gemfile, move guard gems to guard group 2016-03-01 14:23:15 +03:00			`end`

			`group :guard do`
Major rewrite: Configure a global default and named overrides Use helper methods to set/modify configurations at runtime Set the headers in middleware based on the configuration saved to request.env Configuration changes: All headers require string values except for CSP and HPKP CSP directives must be arrays of strings, no more support for space-delimited strings or procs 2015-10-07 03:30:16 +03:00			`gem "growl"`
Add support for SameSite=None Fixes https://github.com/twitter/secure_headers/issues/412 2020-01-08 01:05:40 +03:00			`gem "guard-rspec", platforms: [:ruby]`
Major rewrite: Configure a global default and named overrides Use helper methods to set/modify configurations at runtime Set the headers in middleware based on the configuration saved to request.env Configuration changes: All headers require string values except for CSP and HPKP CSP directives must be arrays of strings, no more support for space-delimited strings or procs 2015-10-07 03:30:16 +03:00			`gem "rb-fsevent"`
lint 2018-02-12 23:30:35 +03:00			`gem "terminal-notifier-guard"`
Initial Commit Signed-off-by: Chris Aniszczyk <zx@twitter.com> 2013-01-23 03:09:22 +04:00			`end`