Diff of the two buildlogs: -- --- b1/build.log 2024-10-29 09:15:04.807486713 +0000 +++ b2/build.log 2024-10-29 09:15:58.329588551 +0000 @@ -1,6 +1,6 @@ I: pbuilder: network access will be disabled during build -I: Current time: Mon Oct 28 21:14:21 -12 2024 -I: pbuilder-time-stamp: 1730193261 +I: Current time: Tue Dec 2 05:38:06 +14 2025 +I: pbuilder-time-stamp: 1764603486 I: Building the build Environment I: extracting base tarball [/var/cache/pbuilder/unstable-reproducible-base.tgz] I: copying local configuration 
@@ -29,52 +29,84 @@ dpkg-source: info: applying 03-fix-library-path.patch I: Not using root during the build. I: Installing the build-deps -I: user script /srv/workspace/pbuilder/593002/tmp/hooks/D02_print_environment starting +I: user script /srv/workspace/pbuilder/2707511/tmp/hooks/D01_modify_environment starting +debug: Running on codethink03-arm64. +I: Changing host+domainname to test build reproducibility +I: Adding a custom variable just for the fun of it... +I: Changing /bin/sh to bash +'/bin/sh' -> '/bin/bash' +lrwxrwxrwx 1 root root 9 Dec 1 15:38 /bin/sh -> /bin/bash +I: Setting pbuilder2's login shell to /bin/bash +I: Setting pbuilder2's GECOS to second user,second room,second work-phone,second home-phone,second other +I: user script /srv/workspace/pbuilder/2707511/tmp/hooks/D01_modify_environment finished +I: user script /srv/workspace/pbuilder/2707511/tmp/hooks/D02_print_environment starting I: set - BUILDDIR='/build/reproducible-path' - BUILDUSERGECOS='first user,first room,first work-phone,first home-phone,first other' - BUILDUSERNAME='pbuilder1' - BUILD_ARCH='arm64' - DEBIAN_FRONTEND='noninteractive' + BASH=/bin/sh + BASHOPTS=checkwinsize:cmdhist:complete_fullquote:extquote:force_fignore:globasciiranges:globskipdots:hostcomplete:interactive_comments:patsub_replacement:progcomp:promptvars:sourcepath + BASH_ALIASES=() + BASH_ARGC=() + BASH_ARGV=() + BASH_CMDS=() + BASH_LINENO=([0]="12" [1]="0") + BASH_LOADABLES_PATH=/usr/local/lib/bash:/usr/lib/bash:/opt/local/lib/bash:/usr/pkg/lib/bash:/opt/pkg/lib/bash:. 
+ BASH_SOURCE=([0]="/tmp/hooks/D02_print_environment" [1]="/tmp/hooks/D02_print_environment") + BASH_VERSINFO=([0]="5" [1]="2" [2]="32" [3]="1" [4]="release" [5]="aarch64-unknown-linux-gnu") + BASH_VERSION='5.2.32(1)-release' + BUILDDIR=/build/reproducible-path + BUILDUSERGECOS='second user,second room,second work-phone,second home-phone,second other' + BUILDUSERNAME=pbuilder2 + BUILD_ARCH=arm64 + DEBIAN_FRONTEND=noninteractive DEB_BUILD_OPTIONS='buildinfo=+all reproducible=+all parallel=12 ' - DISTRIBUTION='unstable' - HOME='/root' - HOST_ARCH='arm64' + DIRSTACK=() + DISTRIBUTION=unstable + EUID=0 + FUNCNAME=([0]="Echo" [1]="main") + GROUPS=() + HOME=/root + HOSTNAME=i-capture-the-hostname + HOSTTYPE=aarch64 + HOST_ARCH=arm64 IFS=' ' - INVOCATION_ID='308f50847c1d4e51964c9a454e1500bc' - LANG='C' - LANGUAGE='en_US:en' - LC_ALL='C' - MAIL='/var/mail/root' - OPTIND='1' - PATH='/usr/sbin:/usr/bin:/sbin:/bin:/usr/games' - PBCURRENTCOMMANDLINEOPERATION='build' - PBUILDER_OPERATION='build' - PBUILDER_PKGDATADIR='/usr/share/pbuilder' - PBUILDER_PKGLIBDIR='/usr/lib/pbuilder' - PBUILDER_SYSCONFDIR='/etc' - PPID='593002' - PS1='# ' - PS2='> ' + INVOCATION_ID=e327b4738e1f439692a04cef957fc716 + LANG=C + LANGUAGE=nl_BE:nl + LC_ALL=C + MACHTYPE=aarch64-unknown-linux-gnu + MAIL=/var/mail/root + OPTERR=1 + OPTIND=1 + OSTYPE=linux-gnu + PATH=/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path + PBCURRENTCOMMANDLINEOPERATION=build + PBUILDER_OPERATION=build + PBUILDER_PKGDATADIR=/usr/share/pbuilder + PBUILDER_PKGLIBDIR=/usr/lib/pbuilder + PBUILDER_SYSCONFDIR=/etc + PIPESTATUS=([0]="0") + POSIXLY_CORRECT=y + PPID=2707511 PS4='+ ' - PWD='/' - SHELL='/bin/bash' - SHLVL='2' - SUDO_COMMAND='/usr/bin/timeout -k 18.1h 18h /usr/bin/ionice -c 3 /usr/bin/nice /usr/sbin/pbuilder --build --configfile /srv/reproducible-results/rbuild-debian/r-b-build.IUbff74S/pbuilderrc_aLLI --distribution unstable --hookdir /etc/pbuilder/first-build-hooks --debbuildopts -b --basetgz 
/var/cache/pbuilder/unstable-reproducible-base.tgz --buildresult /srv/reproducible-results/rbuild-debian/r-b-build.IUbff74S/b1 --logfile b1/build.log ruby-secure-headers_6.3.2-2.dsc' - SUDO_GID='109' - SUDO_UID='104' - SUDO_USER='jenkins' - TERM='unknown' - TZ='/usr/share/zoneinfo/Etc/GMT+12' - USER='root' - _='/usr/bin/systemd-run' - http_proxy='http://192.168.101.4:3128' + PWD=/ + SHELL=/bin/bash + SHELLOPTS=braceexpand:errexit:hashall:interactive-comments:posix + SHLVL=3 + SUDO_COMMAND='/usr/bin/timeout -k 24.1h 24h /usr/bin/ionice -c 3 /usr/bin/nice -n 11 /usr/bin/unshare --uts -- /usr/sbin/pbuilder --build --configfile /srv/reproducible-results/rbuild-debian/r-b-build.IUbff74S/pbuilderrc_lTQu --distribution unstable --hookdir /etc/pbuilder/rebuild-hooks --debbuildopts -b --basetgz /var/cache/pbuilder/unstable-reproducible-base.tgz --buildresult /srv/reproducible-results/rbuild-debian/r-b-build.IUbff74S/b2 --logfile b2/build.log ruby-secure-headers_6.3.2-2.dsc' + SUDO_GID=109 + SUDO_UID=104 + SUDO_USER=jenkins + TERM=unknown + TZ=/usr/share/zoneinfo/Etc/GMT-14 + UID=0 + USER=root + _='I: set' + http_proxy=http://192.168.101.4:3128 I: uname -a - Linux codethink02-arm64 6.1.0-26-cloud-arm64 #1 SMP Debian 6.1.112-1 (2024-09-30) aarch64 GNU/Linux + Linux i-capture-the-hostname 6.1.0-26-cloud-arm64 #1 SMP Debian 6.1.112-1 (2024-09-30) aarch64 GNU/Linux I: ls -l /bin - lrwxrwxrwx 1 root root 7 Aug 4 21:30 /bin -> usr/bin -I: user script /srv/workspace/pbuilder/593002/tmp/hooks/D02_print_environment finished + lrwxrwxrwx 1 root root 7 Aug 4 2024 /bin -> usr/bin +I: user script /srv/workspace/pbuilder/2707511/tmp/hooks/D02_print_environment finished -> Attempting to satisfy build-dependencies -> Creating pbuilder-satisfydepends-dummy package Package: pbuilder-satisfydepends-dummy 
@@ -282,7 +314,7 @@ Get: 158 http://deb.debian.org/debian unstable/main arm64 ruby-rspec-mocks all 3.13.0c0e0m0s1-2 [81.3 kB] Get: 159 http://deb.debian.org/debian unstable/main arm64 ruby-rspec all 3.13.0c0e0m0s1-2 [5184 B] Get: 160 http://deb.debian.org/debian unstable/main arm64 ruby-useragent all 0.16.8-1.1 [12.0 kB] -Fetched 44.7 MB in 0s (188 MB/s) +Fetched 44.7 MB in 0s (173 MB/s) debconf: delaying package configuration, since apt-utils is not installed Selecting previously unselected package libpython3.12-minimal:arm64. (Reading database ... (Reading database ... 5% (Reading database ... 10% (Reading database ... 15% (Reading database ... 20% (Reading database ... 25% (Reading database ... 30% (Reading database ... 35% (Reading database ... 40% (Reading database ... 45% (Reading database ... 50% (Reading database ... 55% (Reading database ... 60% (Reading database ... 65% (Reading database ... 70% (Reading database ... 75% (Reading database ... 80% (Reading database ... 85% (Reading database ... 90% (Reading database ... 95% (Reading database ... 100% (Reading database ... 20060 files and directories currently installed.) @@ -815,8 +847,8 @@ Setting up tzdata (2024b-3) ... Current default time zone: 'Etc/UTC' -Local time is now: Tue Oct 29 09:14:46 UTC 2024. -Universal Time is now: Tue Oct 29 09:14:46 UTC 2024. +Local time is now: Mon Dec 1 15:38:33 UTC 2025. +Universal Time is now: Mon Dec 1 15:38:33 UTC 2025. Run 'dpkg-reconfigure tzdata' if you wish to change it. Setting up autotools-dev (20220109.1) ... 
@@ -958,7 +990,11 @@ Building tag database... -> Finished parsing the build-deps I: Building the package -I: Running cd /build/reproducible-path/ruby-secure-headers-6.3.2/ && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games" HOME="/nonexistent/first-build" dpkg-buildpackage -us -uc -b && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games" HOME="/nonexistent/first-build" dpkg-genchanges -S > ../ruby-secure-headers_6.3.2-2_source.changes +I: user script /srv/workspace/pbuilder/2707511/tmp/hooks/A99_set_merged_usr starting +Not re-configuring usrmerge for unstable +I: user script /srv/workspace/pbuilder/2707511/tmp/hooks/A99_set_merged_usr finished +hostname: Name or service not known +I: Running cd /build/reproducible-path/ruby-secure-headers-6.3.2/ && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path" HOME="/nonexistent/second-build" dpkg-buildpackage -us -uc -b && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path" HOME="/nonexistent/second-build" dpkg-genchanges -S > ../ruby-secure-headers_6.3.2-2_source.changes dpkg-buildpackage: info: source package ruby-secure-headers dpkg-buildpackage: info: source version 6.3.2-2 dpkg-buildpackage: info: source distribution unstable @@ -986,7 +1022,7 @@ dh_prep -O--buildsystem=ruby dh_auto_install --destdir=debian/ruby-secure-headers/ -O--buildsystem=ruby dh_ruby --install /build/reproducible-path/ruby-secure-headers-6.3.2/debian/ruby-secure-headers -/usr/bin/ruby3.1 -S gem build --config-file /dev/null --verbose /tmp/d20241028-599801-uy340i/gemspec +/usr/bin/ruby3.1 -S gem build --config-file /dev/null --verbose /tmp/d20251202-2719508-toq0gu/gemspec Failed to load /dev/null because it doesn't contain valid YAML hash WARNING: license value 'Apache Public License 2.0' is invalid. Use a license identifier from http://spdx.org/licenses or 'Nonstandard' for a nonstandard license, 
@@ -999,7 +1035,7 @@ Name: secure_headers Version: 6.3.2 File: secure_headers-6.3.2.gem -/usr/bin/ruby3.1 -S gem install --config-file /dev/null --verbose --local --verbose --no-document --ignore-dependencies --install-dir debian/ruby-secure-headers/usr/share/rubygems-integration/all /tmp/d20241028-599801-uy340i/secure_headers-6.3.2.gem +/usr/bin/ruby3.1 -S gem install --config-file /dev/null --verbose --local --verbose --no-document --ignore-dependencies --install-dir debian/ruby-secure-headers/usr/share/rubygems-integration/all /tmp/d20251202-2719508-toq0gu/secure_headers-6.3.2.gem Failed to load /dev/null because it doesn't contain valid YAML hash /build/reproducible-path/ruby-secure-headers-6.3.2/debian/ruby-secure-headers/usr/share/rubygems-integration/all/gems/secure_headers-6.3.2/lib/secure_headers.rb /build/reproducible-path/ruby-secure-headers-6.3.2/debian/ruby-secure-headers/usr/share/rubygems-integration/all/gems/secure_headers-6.3.2/lib/secure_headers/configuration.rb 
@@ -1056,7 +1092,55 @@ [Coveralls] Set up the SimpleCov formatter. [Coveralls] Using SimpleCov's default settings. -Randomized with seed 14321 +Randomized with seed 19073 + +SecureHeaders::ReferrerPolicy + is expected to eq ["Referrer-Policy", "origin-when-cross-origin"] + is expected to eq ["Referrer-Policy", "origin-when-cross-origin, strict-origin-when-cross-origin"] + is expected to eq ["Referrer-Policy", "no-referrer"] + invalid configuration values + doesn't accept invalid values + doesn't accept invalid types + valid configuration values + accepts nil + accepts 'unsafe-url' + accepts 'strict-origin-when-cross-origin' + accepts 'origin-when-cross-origin' + accepts 'strict-origin' + accepts array of policy values + accepts 'origin' + accepts 'same-origin' + accepts 'no-referrer-when-downgrade' + accepts 'no-referrer' + +SecureHeaders::PolicyManagement + #combine_policies + overrides the :block_all_mixed_content flag + raises an error if appending to a OPT_OUT policy + combines the default-src value with the override if the directive was unconfigured + does not combine the default-src value for directives that don't fall back to default sources + combines directives where the original value is nil and the hash is frozen + overrides the report_only flag + #validate_config! 
+ accepts anything of the form type/subtype as a plugin-type value + rejects anything not of the form allow-* as a sandbox value + accepts all keys + requires :block_all_mixed_content to be a boolean value + requires a :script_src value + allows nil values + rejects unknown directives / config + doesn't allow report_only to be set in a non-report-only config + accepts anything of the form allow-* as a sandbox value + requires :report_only to be a truthy value + rejects anything not of the form type/subtype as a plugin-type value + allows report_only to be set in a report-only config + performs light validation on source lists + requires :preserve_schemes to be a truthy value + requires a :default_src value + requires :upgrade_insecure_requests to be a boolean value + requires all source lists to be an array of strings + accepts OPT_OUT as a script-src value + accepts true as a sandbox policy SecureHeaders::ContentSecurityPolicy #name 
@@ -1065,319 +1149,271 @@ when in report-only mode is expected to eq "Content-Security-Policy-Report-Only" #value - creates maximally strict sandbox policy when passed true - includes prefetch-src - does not build directives with a value of OPT_OUT (and bypasses directive requirements) - does not add a directive if the value is an empty array (or all nil) + does not emit a warning when using frame-src + discards source expressions (besides unsafe-* and non-host source values) when * is present supports script-src-attr directive - does not add a boolean directive if the value is false - supports strict-dynamic and opting out of the appended 'unsafe-inline' - does add a boolean directive if the value is true + supports style-src-attr directive + includes navigate-to + allows style as a require-sri-src + includes prefetch-src + deprecates and escapes semicolons in directive source lists + minifies source expressions based on overlapping wildcards + supports strict-dynamic allows script and style as a require-sri-src - creates sandbox policy when passed valid sandbox token values - does not add a directive if the value is nil - discards 'none' values if any other source expressions are present - does not remove schemes when :preserve_schemes is true deduplicates any source expressions + does not add a boolean directive if the value is false + allows script as a require-sri-src + supports style-src-elem directive creates maximally strict sandbox policy when passed no sandbox token values - supports strict-dynamic - does not emit a warning when using frame-src - supports style-src-attr directive + does not add a directive if the value is nil removes nil from source lists + does not remove schemes when :preserve_schemes is true deprecates and escapes semicolons in directive source lists removes http/s schemes from hosts - minifies source expressions based on overlapping wildcards - allows script as a require-sri-src - deprecates and escapes semicolons in directive source 
lists supports script-src-elem directive - allows style as a require-sri-src - uses a safe but non-breaking default value - includes navigate-to - discards source expressions (besides unsafe-* and non-host source values) when * is present - supports style-src-elem directive + creates maximally strict sandbox policy when passed true + creates sandbox policy when passed valid sandbox token values + supports strict-dynamic and opting out of the appended 'unsafe-inline' does not remove schemes from report-uri values + discards 'none' values if any other source expressions are present + does add a boolean directive if the value is true + does not build directives with a value of OPT_OUT (and bypasses directive requirements) + does not add a directive if the value is an empty array (or all nil) + uses a safe but non-breaking default value -SecureHeaders::XPermittedCrossDomainPolicies - is expected to eq ["X-Permitted-Cross-Domain-Policies", "master-only"] - is expected to eq ["X-Permitted-Cross-Domain-Policies", "none"] - valid configuration values - accepts 'all' - accepts 'master-only' - accepts 'by-ftp-filename' - accepts nil - accepts 'by-content-type' - invlaid configuration values - doesn't accept invalid values - -SecureHeaders::StrictTransportSecurity - #value - is expected to eq ["Strict-Transport-Security", "max-age=1234; includeSubdomains; preload"] - is expected to eq ["Strict-Transport-Security", "max-age=631138519"] - with an invalid configuration - with a string argument - raises an exception with an invalid max-age - raises an exception if max-age is not supplied - raises an exception with an invalid format - -SecureHeaders::ClearSiteData - validate_config! 
- fails for Array of non-String config - succeeds for `nil` config - succeeds for empty config - succeeds for opt-out config - succeeds for Array of Strings config - succeeds for `true` config - fails for other types of config - make_header - returns nil with nil config - returns specified types - returns nil with opt-out config - returns all types with `true` config - returns nil with empty config - make_header_value - returns a string of quoted values that are comma separated - -SecureHeaders::PolicyManagement - #validate_config! - rejects anything not of the form type/subtype as a plugin-type value - requires all source lists to be an array of strings - requires :preserve_schemes to be a truthy value - rejects unknown directives / config - accepts all keys - allows nil values - accepts true as a sandbox policy - requires :report_only to be a truthy value - performs light validation on source lists - doesn't allow report_only to be set in a non-report-only config - requires a :script_src value - requires a :default_src value - accepts OPT_OUT as a script-src value - requires :block_all_mixed_content to be a boolean value - accepts anything of the form allow-* as a sandbox value - accepts anything of the form type/subtype as a plugin-type value - allows report_only to be set in a report-only config - rejects anything not of the form allow-* as a sandbox value - requires :upgrade_insecure_requests to be a boolean value - #combine_policies - overrides the :block_all_mixed_content flag - does not combine the default-src value for directives that don't fall back to default sources - raises an error if appending to a OPT_OUT policy - overrides the report_only flag - combines directives where the original value is nil and the hash is frozen - combines the default-src value with the override if the directive was unconfigured - -SecureHeaders::XFrameOptions - #value - is expected to eq ["X-Frame-Options", "DENY"] - is expected to eq ["X-Frame-Options", "sameorigin"] - 
with invalid configuration - allows SAMEORIGIN - does not allow garbage - allows DENY - allows ALLOW-FROM* - -SecureHeaders::ReferrerPolicy - is expected to eq ["Referrer-Policy", "origin-when-cross-origin, strict-origin-when-cross-origin"] - is expected to eq ["Referrer-Policy", "origin-when-cross-origin"] - is expected to eq ["Referrer-Policy", "no-referrer"] - valid configuration values - accepts 'unsafe-url' - accepts 'strict-origin-when-cross-origin' - accepts array of policy values - accepts 'origin' - accepts 'origin-when-cross-origin' - accepts 'no-referrer' - accepts 'strict-origin' - accepts 'no-referrer-when-downgrade' - accepts nil - accepts 'same-origin' - invalid configuration values - doesn't accept invalid values - doesn't accept invalid types - -SecureHeaders::XDownloadOptions - is expected to eq ["X-Download-Options", "noopen"] - is expected to eq ["X-Download-Options", "noopen"] - invalid configuration values - accepts nil - accepts noopen - doesn't accept anything besides noopen - -SecureHeaders::Cookie - preserves existing attributes - does not tamper with cookies when using OPT_OUT is used - applies httponly, secure, and samesite by default - prevents duplicate flagging of attributes - HttpOnly cookies - when configured with a boolean - flags cookies as HttpOnly - when configured with a Hash - flags cookies as HttpOnly when whitelisted - does not flag cookies as HttpOnly when excluded - Secure cookies - when configured with a Hash - flags cookies as Secure when whitelisted - does not flag cookies as Secure when excluded - when configured with a boolean - flags cookies as Secure - SameSite cookies - flags SameSite=Strict - flags SameSite=Lax - flags SameSite=Lax when configured with a boolean - flags SameSite=Strict when configured with a boolean - does not flag cookies as SameSite=None when excluded - does not flag cookies as SameSite=Lax when excluded - ignores configuration if the cookie is already flagged - flags SameSite=None when 
configured with a boolean - does not flag cookies as SameSite=Strict when excluded - samesite: true sets all cookies to samesite=lax - flags SameSite=Strict when configured with a boolean - flags properly when both lax and strict are configured - flags SameSite=None - -SecureHeaders::ViewHelpers - raises an error when using hashed content without precomputed hashes - avoids calling content_security_policy_nonce internally - adds known hash values to the corresponding headers when the helper is used - raises an error when using previously unknown hashed content with precomputed hashes for a given file - raises an error when using hashed content with precomputed hashes, but none for the given file - -SecureHeaders::XXssProtection - is expected to eq ["X-XSS-Protection", "1; mode=block; report=https://www.secure.com/reports"] - is expected to eq ["X-XSS-Protection", "1; mode=block"] - with invalid configuration - should raise an error when providing a string that is not valid - when using a hash value - should allow string values ('1' or '0' are the only valid strings) - should raise an error if mode != block - should raise an error if an invalid key is supplied - should raise an error if no value key is supplied +SecureHeaders::ExpectCertificateTransparency + is expected to eq "enforce, max-age=1234" + is expected to eq "max-age=1234" + is expected to eq "max-age=1234, report-uri=\"https://report-uri.io/expect-ct\"" + is expected to eq "max-age=1234" + is expected to eq "enforce, max-age=1234, report-uri=\"https://report-uri.io/expect-ct\"" + with an invalid configuration + raises an exception when max-age is not provided + raises an exception with an invalid enforce value + raises an exception with an invalid max-age + raises an exception when configuration isn't a hash SecureHeaders::Configuration - gives cookies a default config + deprecates the secure_cookies configuration + has an 'noop' override allows me to be explicit too + has a default config + gives 
cookies a default config allows OPT_OUT - has an 'noop' override stores an override - deprecates the secure_cookies configuration - has a default config dup results in a copy of the default config #override - raises when a named append with the given name exists raises on configuring an existing override + raises when a named append with the given name exists #named_append raises when an override with the given name exists raises on configuring an existing append -SecureHeaders::ExpectCertificateTransparency - is expected to eq "enforce, max-age=1234" - is expected to eq "max-age=1234" - is expected to eq "enforce, max-age=1234, report-uri=\"https://report-uri.io/expect-ct\"" - is expected to eq "max-age=1234, report-uri=\"https://report-uri.io/expect-ct\"" - is expected to eq "max-age=1234" - with an invalid configuration - raises an exception with an invalid max-age - raises an exception when configuration isn't a hash - raises an exception when max-age is not provided - raises an exception with an invalid enforce value +SecureHeaders::StrictTransportSecurity + #value + is expected to eq ["Strict-Transport-Security", "max-age=1234; includeSubdomains; preload"] + is expected to eq ["Strict-Transport-Security", "max-age=631138519"] + with an invalid configuration + with a string argument + raises an exception with an invalid format + raises an exception with an invalid max-age + raises an exception if max-age is not supplied -with an invalid configuration - raises an exception when SameSite is not configured with a Hash - raises an exception when SameSite lax and none enforcement modes are configured with booleans - raises an exception when both lax and strict only filters are provided to SameSite configurations - raises an exception when SameSite strict and lax enforcement modes are configured with booleans - raises an exception when SameSite lax and strict enforcement modes are configured with booleans - raises an exception when SameSite none and lax enforcement 
modes are configured with booleans - raises an exception when SameSite lax and strict enforcement modes are configured with booleans - raises an exception when configured with false - raises an exception when not configured with a Hash - raises an exception when configured without a boolean(true or OPT_OUT)/Hash - raises an exception when both lax and strict only filters are provided to SameSite configurations - raises an exception when both only and except filters are provided to SameSite configurations - raises an exception when SameSite strict and none enforcement modes are configured with booleans - raises an exception when both only and except filters are provided - raises an exception when SameSite none and strict enforcement modes are configured with booleans +SecureHeaders::XContentTypeOptions + #value + is expected to eq ["X-Content-Type-Options", "nosniff"] + is expected to eq ["X-Content-Type-Options", "nosniff"] + invalid configuration values + doesn't accept anything besides no-sniff + accepts nosniff + accepts nil SecureHeaders raises a NotYetConfiguredError if trying to opt-out of unconfigured headers - raises a NotYetConfiguredError if default has not been set raises a AlreadyConfiguredError if trying to configure and default has already been set + raises a NotYetConfiguredError if default has not been set raises and ArgumentError when referencing an override that has not been set - validation - validates your xcto config upon configuration - validates your cookies config upon configuration - raises errors for unknown directives - validates your xfo config upon configuration - validates your referrer_policy config upon configuration - validates your x_permitted_cross_domain_policies config upon configuration - validates your x_xss config upon configuration - validates your xdo config upon configuration - validates your csp config upon configuration - validates your clear site data config upon configuration - validates your hsts config upon 
configuration #header_hash_for - does not set the HSTS header if request is over HTTP + allows you to override opting out produces a hash of headers with default config allows you to opt out of individual headers via API + Overrides the current default config if default config changes during request + does not set the HSTS header if request is over HTTP Carries options over when using overrides - allows you to override X-Frame-Options settings allows you to opt out entirely - allows you to override opting out - Overrides the current default config if default config changes during request + allows you to override X-Frame-Options settings content security policy + Raises an error if csp_report_only is used with `report_only: false` overrides non-existant directives - does not support the deprecated `report_only: true` format supports named appends - appends a hash to a missing script-src value - Raises an error if csp_report_only is used with `report_only: false` - appends a nonce to a missing script-src value appends a nonce to the script-src when used + does not support the deprecated `report_only: true` format appends a value to csp directive + appends a nonce to a missing script-src value + appends a hash to a missing script-src value overrides individual directives setting two headers - allows you to opt-out of enforced CSP allows appending to the report only policy - allows overriding both policies allows overriding the report only policy allows overriding the enforced policy sets identical values when the configs are the same + allows you to opt-out of enforced CSP allows appending to both policies - sets different headers when the configs are different allows appending to the enforced policy + allows overriding both policies + sets different headers when the configs are different when inferring which config to modify updates the report only header when configured updates the enforced header when configured updates both headers if both are configured - 
-SecureHeaders::XContentTypeOptions - #value - is expected to eq ["X-Content-Type-Options", "nosniff"] - is expected to eq ["X-Content-Type-Options", "nosniff"] - invalid configuration values - accepts nosniff - accepts nil - doesn't accept anything besides no-sniff + validation + validates your xfo config upon configuration + raises errors for unknown directives + validates your csp config upon configuration + validates your x_xss config upon configuration + validates your cookies config upon configuration + validates your xcto config upon configuration + validates your x_permitted_cross_domain_policies config upon configuration + validates your xdo config upon configuration + validates your clear site data config upon configuration + validates your hsts config upon configuration + validates your referrer_policy config upon configuration SecureHeaders::Middleware respects overrides sets the headers uses named overrides cookies - flags cookies from configuration + flags cookies with a combination of SameSite configurations sets the secure cookie flag correctly on interleaved http/https requests disables secure cookies for non-https requests - flags cookies with a combination of SameSite configurations + flags cookies from configuration cookies allows opting out of cookie protection with OPT_OUT alone - cookies should be flagged - flags cookies as secure cookies should not be flagged does not flags cookies as secure + cookies should be flagged + flags cookies as secure + +SecureHeaders::XXssProtection + is expected to eq ["X-XSS-Protection", "1; mode=block"] + is expected to eq ["X-XSS-Protection", "1; mode=block; report=https://www.secure.com/reports"] + with invalid configuration + should raise an error when providing a string that is not valid + when using a hash value + should raise an error if no value key is supplied + should raise an error if an invalid key is supplied + should allow string values ('1' or '0' are the only valid strings) + should raise an 
error if mode != block + +SecureHeaders::ViewHelpers + raises an error when using hashed content without precomputed hashes + avoids calling content_security_policy_nonce internally + raises an error when using hashed content with precomputed hashes, but none for the given file + adds known hash values to the corresponding headers when the helper is used + raises an error when using previously unknown hashed content with precomputed hashes for a given file + +with an invalid configuration + raises an exception when configured without a boolean(true or OPT_OUT)/Hash + raises an exception when SameSite lax and strict enforcement modes are configured with booleans + raises an exception when SameSite is not configured with a Hash + raises an exception when SameSite none and strict enforcement modes are configured with booleans + raises an exception when configured with false + raises an exception when not configured with a Hash + raises an exception when both only and except filters are provided + raises an exception when SameSite strict and lax enforcement modes are configured with booleans + raises an exception when both lax and strict only filters are provided to SameSite configurations + raises an exception when SameSite lax and none enforcement modes are configured with booleans + raises an exception when both only and except filters are provided to SameSite configurations + raises an exception when SameSite strict and none enforcement modes are configured with booleans + raises an exception when SameSite none and lax enforcement modes are configured with booleans + raises an exception when both lax and strict only filters are provided to SameSite configurations + raises an exception when SameSite lax and strict enforcement modes are configured with booleans + +SecureHeaders::XFrameOptions + #value + is expected to eq ["X-Frame-Options", "sameorigin"] + is expected to eq ["X-Frame-Options", "DENY"] + with invalid configuration + allows DENY + allows ALLOW-FROM* + 
does not allow garbage + allows SAMEORIGIN + +SecureHeaders::XPermittedCrossDomainPolicies + is expected to eq ["X-Permitted-Cross-Domain-Policies", "none"] + is expected to eq ["X-Permitted-Cross-Domain-Policies", "master-only"] + invlaid configuration values + doesn't accept invalid values + valid configuration values + accepts 'by-ftp-filename' + accepts 'all' + accepts 'master-only' + accepts nil + accepts 'by-content-type' + +SecureHeaders::Cookie + applies httponly, secure, and samesite by default + does not tamper with cookies when using OPT_OUT is used + prevents duplicate flagging of attributes + preserves existing attributes + HttpOnly cookies + when configured with a Hash + does not flag cookies as HttpOnly when excluded + flags cookies as HttpOnly when whitelisted + when configured with a boolean + flags cookies as HttpOnly + SameSite cookies + flags SameSite=Lax when configured with a boolean + ignores configuration if the cookie is already flagged + flags SameSite=None when configured with a boolean + flags SameSite=Strict + flags properly when both lax and strict are configured + flags SameSite=Strict when configured with a boolean + flags SameSite=None + does not flag cookies as SameSite=None when excluded + flags SameSite=Strict when configured with a boolean + does not flag cookies as SameSite=Strict when excluded + samesite: true sets all cookies to samesite=lax + flags SameSite=Lax + does not flag cookies as SameSite=Lax when excluded + Secure cookies + when configured with a Hash + flags cookies as Secure when whitelisted + does not flag cookies as Secure when excluded + when configured with a boolean + flags cookies as Secure + +SecureHeaders::XDownloadOptions + is expected to eq ["X-Download-Options", "noopen"] + is expected to eq ["X-Download-Options", "noopen"] + invalid configuration values + accepts nil + doesn't accept anything besides noopen + accepts noopen + +SecureHeaders::ClearSiteData + validate_config! 
+ succeeds for empty config + succeeds for `nil` config + succeeds for opt-out config + succeeds for `true` config + succeeds for Array of Strings config + fails for other types of config + fails for Array of non-String config + make_header + returns specified types + returns nil with opt-out config + returns nil with nil config + returns nil with empty config + returns all types with `true` config + make_header_value + returns a string of quoted values that are comma separated -Finished in 0.11746 seconds (files took 0.3466 seconds to load) +Finished in 0.12212 seconds (files took 0.34727 seconds to load) 240 examples, 0 failures -Randomized with seed 14321 +Randomized with seed 19073 [Coveralls] Outside the CI environment, not sending data. @@ -1408,12 +1444,14 @@ dpkg-buildpackage: info: binary-only upload (no source included) dpkg-genchanges: info: not including original source code in upload I: copying local configuration +I: user script /srv/workspace/pbuilder/2707511/tmp/hooks/B01_cleanup starting +I: user script /srv/workspace/pbuilder/2707511/tmp/hooks/B01_cleanup finished I: unmounting dev/ptmx filesystem I: unmounting dev/pts filesystem I: unmounting dev/shm filesystem I: unmounting proc filesystem I: unmounting sys filesystem I: cleaning the build env -I: removing directory /srv/workspace/pbuilder/593002 and its subdirectories -I: Current time: Mon Oct 28 21:15:03 -12 2024 -I: pbuilder-time-stamp: 1730193303 +I: removing directory /srv/workspace/pbuilder/2707511 and its subdirectories +I: Current time: Tue Dec 2 05:38:55 +14 2025 +I: pbuilder-time-stamp: 1764603535
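Review bot: the large test-output hunks (@@ -1056,7 +1092,55 @@ and @@ -1065,319 +1149,271 @@) differ only in ordering, not in content: the first build reports "Randomized with seed 14321" and the second "Randomized with seed 19073", and both end with "240 examples, 0 failures". That block is therefore random-ordering noise rather than a reproducibility defect in the package, since the spec output is not part of the built artefact. If the goal is a build log that diffs cleanly as well, pin the ordering with rspec's `--seed` option in the package's test invocation so both runs list the examples in the same order.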
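Review bot: in the hunk @@ -958,7 +990,11 @@ the second build emits "hostname: Name or service not known" immediately before the dpkg-buildpackage invocation, where the first build emitted nothing. This is most plausibly a side effect of the D01_modify_environment hook in the earlier hunk ("Changing host+domainname to test build reproducibility"; uname -a then reports "i-capture-the-hostname"), so it is an expected artefact of the deliberate variation rather than a packaging problem; the build continues normally and both runs reach "240 examples, 0 failures". Worth confirming that nothing in the build reads the hostname into the produced package, since that is exactly the class of difference this variation is meant to expose.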