Diff of the two buildlogs: -- --- b1/build.log 2025-10-24 08:47:20.210766285 +0000 +++ b2/build.log 2025-10-24 08:48:02.598817421 +0000 @@ -1,6 +1,6 @@ I: pbuilder: network access will be disabled during build -I: Current time: Thu Nov 26 03:09:31 -12 2026 -I: pbuilder-time-stamp: 1795705771 +I: Current time: Fri Oct 24 22:47:22 +14 2025 +I: pbuilder-time-stamp: 1761295642 I: Building the build Environment I: extracting base tarball [/var/cache/pbuilder/unstable-reproducible-base.tgz] I: copying local configuration @@ -25,53 +25,85 @@ dpkg-source: info: applying 03-fix-library-path.patch I: Not using root during the build. I: Installing the build-deps -I: user script /srv/workspace/pbuilder/3088478/tmp/hooks/D02_print_environment starting +I: user script /srv/workspace/pbuilder/4187491/tmp/hooks/D01_modify_environment starting +debug: Running on codethink04-arm64. +I: Changing host+domainname to test build reproducibility +I: Adding a custom variable just for the fun of it... +I: Changing /bin/sh to bash +'/bin/sh' -> '/bin/bash' +lrwxrwxrwx 1 root root 9 Oct 24 08:47 /bin/sh -> /bin/bash +I: Setting pbuilder2's login shell to /bin/bash +I: Setting pbuilder2's GECOS to second user,second room,second work-phone,second home-phone,second other +I: user script /srv/workspace/pbuilder/4187491/tmp/hooks/D01_modify_environment finished +I: user script /srv/workspace/pbuilder/4187491/tmp/hooks/D02_print_environment starting I: set - BUILDDIR='/build/reproducible-path' - BUILDUSERGECOS='first user,first room,first work-phone,first home-phone,first other' - BUILDUSERNAME='pbuilder1' - BUILD_ARCH='arm64' - DEBIAN_FRONTEND='noninteractive' + BASH=/bin/sh + BASHOPTS=checkwinsize:cmdhist:complete_fullquote:extquote:force_fignore:globasciiranges:globskipdots:hostcomplete:interactive_comments:patsub_replacement:progcomp:promptvars:sourcepath + BASH_ALIASES=() + BASH_ARGC=() + BASH_ARGV=() + BASH_CMDS=() + BASH_LINENO=([0]="12" [1]="0") + BASH_LOADABLES_PATH=/usr/local/lib/bash:/usr/lib/bash:/opt/local/lib/bash:/usr/pkg/lib/bash:/opt/pkg/lib/bash:. + BASH_SOURCE=([0]="/tmp/hooks/D02_print_environment" [1]="/tmp/hooks/D02_print_environment") + BASH_VERSINFO=([0]="5" [1]="3" [2]="3" [3]="1" [4]="release" [5]="aarch64-unknown-linux-gnu") + BASH_VERSION='5.3.3(1)-release' + BUILDDIR=/build/reproducible-path + BUILDUSERGECOS='second user,second room,second work-phone,second home-phone,second other' + BUILDUSERNAME=pbuilder2 + BUILD_ARCH=arm64 + DEBIAN_FRONTEND=noninteractive DEB_BUILD_OPTIONS='buildinfo=+all reproducible=+all parallel=12 ' - DISTRIBUTION='unstable' - HOME='/root' - HOST_ARCH='arm64' + DIRSTACK=() + DISTRIBUTION=unstable + EUID=0 + FUNCNAME=([0]="Echo" [1]="main") + GROUPS=() + HOME=/root + HOSTNAME=i-capture-the-hostname + HOSTTYPE=aarch64 + HOST_ARCH=arm64 IFS=' ' - INVOCATION_ID='712c02bd531b4dd388b055227e43db9a' - LANG='C' - LANGUAGE='en_US:en' - LC_ALL='C' - MAIL='/var/mail/root' - OPTIND='1' - PATH='/usr/sbin:/usr/bin:/sbin:/bin:/usr/games' - PBCURRENTCOMMANDLINEOPERATION='build' - PBUILDER_OPERATION='build' - PBUILDER_PKGDATADIR='/usr/share/pbuilder' - PBUILDER_PKGLIBDIR='/usr/lib/pbuilder' - PBUILDER_SYSCONFDIR='/etc' - PPID='3088478' - PS1='# ' - PS2='> ' + INVOCATION_ID=834cc5c598c442b8abdc01354212de94 + LANG=C + LANGUAGE=nl_BE:nl + LC_ALL=C + MACHTYPE=aarch64-unknown-linux-gnu + MAIL=/var/mail/root + OPTERR=1 + OPTIND=1 + OSTYPE=linux-gnu + PATH=/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path + PBCURRENTCOMMANDLINEOPERATION=build + PBUILDER_OPERATION=build + PBUILDER_PKGDATADIR=/usr/share/pbuilder + PBUILDER_PKGLIBDIR=/usr/lib/pbuilder + PBUILDER_SYSCONFDIR=/etc + PIPESTATUS=([0]="0") + POSIXLY_CORRECT=y + PPID=4187491 PS4='+ ' - PWD='/' - SHELL='/bin/bash' - SHLVL='2' - SUDO_COMMAND='/usr/bin/timeout -k 18.1h 18h /usr/bin/ionice -c 3 /usr/bin/nice /usr/sbin/pbuilder --build --configfile /srv/reproducible-results/rbuild-debian/r-b-build.OWnADWjb/pbuilderrc_nxSx --distribution unstable --hookdir /etc/pbuilder/first-build-hooks --debbuildopts -b --basetgz /var/cache/pbuilder/unstable-reproducible-base.tgz --buildresult /srv/reproducible-results/rbuild-debian/r-b-build.OWnADWjb/b1 --logfile b1/build.log ruby-secure-headers_7.1.0-1.dsc' - SUDO_GID='109' - SUDO_HOME='/var/lib/jenkins' - SUDO_UID='104' - SUDO_USER='jenkins' - TERM='unknown' - TZ='/usr/share/zoneinfo/Etc/GMT+12' - USER='root' - _='/usr/bin/systemd-run' - http_proxy='http://192.168.101.4:3128' + PWD=/ + SHELL=/bin/bash + SHELLOPTS=braceexpand:errexit:hashall:interactive-comments:posix + SHLVL=3 + SUDO_COMMAND='/usr/bin/timeout -k 24.1h 24h /usr/bin/ionice -c 3 /usr/bin/nice -n 11 /usr/bin/unshare --uts -- /usr/sbin/pbuilder --build --configfile /srv/reproducible-results/rbuild-debian/r-b-build.OWnADWjb/pbuilderrc_addP --distribution unstable --hookdir /etc/pbuilder/rebuild-hooks --debbuildopts -b --basetgz /var/cache/pbuilder/unstable-reproducible-base.tgz --buildresult /srv/reproducible-results/rbuild-debian/r-b-build.OWnADWjb/b2 --logfile b2/build.log ruby-secure-headers_7.1.0-1.dsc' + SUDO_GID=109 + SUDO_HOME=/var/lib/jenkins + SUDO_UID=104 + SUDO_USER=jenkins + TERM=unknown + TZ=/usr/share/zoneinfo/Etc/GMT-14 + UID=0 + USER=root + _='I: set' + http_proxy=http://192.168.101.4:3128 I: uname -a - Linux codethink03-arm64 6.12.48+deb13-cloud-arm64 #1 SMP Debian 6.12.48-1 (2025-09-20) aarch64 GNU/Linux + Linux i-capture-the-hostname 6.12.48+deb13-cloud-arm64 #1 SMP Debian 6.12.48-1 (2025-09-20) aarch64 GNU/Linux I: ls -l /bin - lrwxrwxrwx 1 root root 7 Aug 10 2025 /bin -> usr/bin -I: user script /srv/workspace/pbuilder/3088478/tmp/hooks/D02_print_environment finished + lrwxrwxrwx 1 root root 7 Aug 10 12:30 /bin -> usr/bin +I: user script /srv/workspace/pbuilder/4187491/tmp/hooks/D02_print_environment finished -> Attempting to satisfy build-dependencies -> Creating pbuilder-satisfydepends-dummy package Package: pbuilder-satisfydepends-dummy @@ -271,7 +303,7 @@ Get: 150 http://deb.debian.org/debian unstable/main arm64 ruby-rspec-mocks all 3.13.0c0e0m0s1-2 [81.3 kB] Get: 151 http://deb.debian.org/debian unstable/main arm64 ruby-rspec all 3.13.0c0e0m0s1-2 [5184 B] Get: 152 http://deb.debian.org/debian unstable/main arm64 ruby-useragent all 0.16.8-2 [12.3 kB] -Fetched 36.5 MB in 0s (107 MB/s) +Fetched 36.5 MB in 0s (115 MB/s) Preconfiguring packages ... Selecting previously unselected package libexpat1:arm64. (Reading database ... (Reading database ... 5% (Reading database ... 10% (Reading database ... 15% (Reading database ... 20% (Reading database ... 25% (Reading database ... 30% (Reading database ... 35% (Reading database ... 40% (Reading database ... 45% (Reading database ... 50% (Reading database ... 55% (Reading database ... 60% (Reading database ... 65% (Reading database ... 70% (Reading database ... 75% (Reading database ... 80% (Reading database ... 85% (Reading database ... 90% (Reading database ... 95% (Reading database ... 100% (Reading database ... 19962 files and directories currently installed.) @@ -775,8 +807,8 @@ Setting up tzdata (2025b-5) ... Current default time zone: 'Etc/UTC' -Local time is now: Thu Nov 26 15:09:58 UTC 2026. -Universal Time is now: Thu Nov 26 15:09:58 UTC 2026. +Local time is now: Fri Oct 24 08:47:40 UTC 2025. +Universal Time is now: Fri Oct 24 08:47:40 UTC 2025. Run 'dpkg-reconfigure tzdata' if you wish to change it. Setting up ruby-minitest (5.25.4-3) ... @@ -914,7 +946,11 @@ Building tag database... -> Finished parsing the build-deps I: Building the package -I: Running cd /build/reproducible-path/ruby-secure-headers-7.1.0/ && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games" HOME="/nonexistent/first-build" dpkg-buildpackage -us -uc -b && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games" HOME="/nonexistent/first-build" dpkg-genchanges -S > ../ruby-secure-headers_7.1.0-1_source.changes +I: user script /srv/workspace/pbuilder/4187491/tmp/hooks/A99_set_merged_usr starting +Not re-configuring usrmerge for unstable +I: user script /srv/workspace/pbuilder/4187491/tmp/hooks/A99_set_merged_usr finished +hostname: Name or service not known +I: Running cd /build/reproducible-path/ruby-secure-headers-7.1.0/ && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path" HOME="/nonexistent/second-build" dpkg-buildpackage -us -uc -b && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path" HOME="/nonexistent/second-build" dpkg-genchanges -S > ../ruby-secure-headers_7.1.0-1_source.changes dpkg-buildpackage: info: source package ruby-secure-headers dpkg-buildpackage: info: source version 7.1.0-1 dpkg-buildpackage: info: source distribution unstable @@ -947,7 +983,7 @@ │ ruby-secure-headers: Installing files and building extensions for ruby3.3 │ └──────────────────────────────────────────────────────────────────────────────┘ -/usr/bin/ruby3.3 -S gem build --config-file /dev/null --verbose /tmp/d20261126-3103346-wlu1q9/gemspec +/usr/bin/ruby3.3 -S gem build --config-file /dev/null --verbose /tmp/d20251024-22622-zw6zi6/gemspec WARNING: open-ended dependency on rake (>= 0, development) is not recommended use a bounded requirement, such as "~> x.y" WARNING: make sure you specify the oldest ruby version constraint (like ">= 3.0") that you want your gem to support by setting the `required_ruby_version` gemspec attribute @@ -962,7 +998,7 @@ Name: secure_headers Version: 7.1.0 File: secure_headers-7.1.0.gem -/usr/bin/ruby3.3 -S gem install --config-file /dev/null --verbose --local --verbose --no-document --ignore-dependencies --install-dir debian/ruby-secure-headers/usr/share/rubygems-integration/all /tmp/d20261126-3103346-wlu1q9/secure_headers-7.1.0.gem +/usr/bin/ruby3.3 -S gem install --config-file /dev/null --verbose --local --verbose --no-document --ignore-dependencies --install-dir debian/ruby-secure-headers/usr/share/rubygems-integration/all /tmp/d20251024-22622-zw6zi6/secure_headers-7.1.0.gem /build/reproducible-path/ruby-secure-headers-7.1.0/debian/ruby-secure-headers/usr/share/rubygems-integration/all/gems/secure_headers-7.1.0/lib/secure_headers.rb /build/reproducible-path/ruby-secure-headers-7.1.0/debian/ruby-secure-headers/usr/share/rubygems-integration/all/gems/secure_headers-7.1.0/lib/secure_headers/configuration.rb /build/reproducible-path/ruby-secure-headers-7.1.0/debian/ruby-secure-headers/usr/share/rubygems-integration/all/gems/secure_headers-7.1.0/lib/secure_headers/hash_helper.rb @@ -1018,335 +1054,335 @@ [Coveralls] Set up the SimpleCov formatter. [Coveralls] Using SimpleCov's default settings. -Randomized with seed 20807 - -SecureHeaders::XFrameOptions - #value - is expected to eq ["x-frame-options", "sameorigin"] - is expected to eq ["x-frame-options", "DENY"] - with invalid configuration - allows SAMEORIGIN - does not allow garbage - allows DENY - allows ALLOW-FROM* - -SecureHeaders::XContentTypeOptions - #value - is expected to eq ["x-content-type-options", "nosniff"] - is expected to eq ["x-content-type-options", "nosniff"] - invalid configuration values - doesn't accept anything besides no-sniff - accepts nil - accepts nosniff +Randomized with seed 20001 SecureHeaders::Middleware - uses named overrides respects overrides sets the headers - cookies - sets the secure cookie flag correctly on interleaved http/https requests - disables secure cookies for non-https requests - flags cookies from configuration - flags cookies with a combination of SameSite configurations + uses named overrides cookies allows opting out of cookie protection with OPT_OUT alone - cookies should not be flagged - does not flags cookies as secure cookies should be flagged flags cookies as secure + cookies should not be flagged + does not flags cookies as secure + cookies + flags cookies with a combination of SameSite configurations + sets the secure cookie flag correctly on interleaved http/https requests + disables secure cookies for non-https requests + flags cookies from configuration -SecureHeaders::ViewHelpers - adds known hash values to the corresponding headers when the helper is used - raises an error when using hashed content with precomputed hashes, but none for the given file - raises an error when using previously unknown hashed content with precomputed hashes for a given file - avoids calling content_security_policy_nonce internally - raises an error when using hashed content without precomputed hashes - -with an invalid configuration - raises an exception when configured with false - raises an exception when both lax and strict only filters are provided to SameSite configurations - raises an exception when SameSite lax and none enforcement modes are configured with booleans - raises an exception when SameSite lax and strict enforcement modes are configured with booleans - raises an exception when both only and except filters are provided to SameSite configurations - raises an exception when SameSite none and lax enforcement modes are configured with booleans - raises an exception when SameSite strict and lax enforcement modes are configured with booleans - raises an exception when both lax and strict only filters are provided to SameSite configurations - raises an exception when both only and except filters are provided - raises an exception when SameSite lax and strict enforcement modes are configured with booleans - raises an exception when SameSite none and strict enforcement modes are configured with booleans - raises an exception when configured without a boolean(true or OPT_OUT)/Hash - raises an exception when SameSite is not configured with a Hash - raises an exception when SameSite strict and none enforcement modes are configured with booleans - raises an exception when not configured with a Hash - -SecureHeaders::ReferrerPolicy - is expected to eq ["referrer-policy", "origin-when-cross-origin"] - is expected to eq ["referrer-policy", "origin-when-cross-origin, strict-origin-when-cross-origin"] - is expected to eq ["referrer-policy", "no-referrer"] +SecureHeaders::XPermittedCrossDomainPolicies + is expected to eq ["x-permitted-cross-domain-policies", "none"] + is expected to eq ["x-permitted-cross-domain-policies", "master-only"] + invlaid configuration values + doesn't accept invalid values valid configuration values + accepts 'master-only' accepts nil - accepts 'same-origin' - accepts 'unsafe-url' - accepts 'origin' - accepts 'strict-origin-when-cross-origin' - accepts 'no-referrer' - accepts array of policy values - accepts 'origin-when-cross-origin' - accepts 'no-referrer-when-downgrade' - accepts 'strict-origin' - invalid configuration values - doesn't accept invalid values - doesn't accept invalid types + accepts 'all' + accepts 'by-content-type' + accepts 'by-ftp-filename' SecureHeaders::ClearSiteData + make_header_value + returns a string of quoted values that are comma separated validate_config! - succeeds for empty config - succeeds for `true` config - succeeds for opt-out config fails for other types of config - succeeds for Array of Strings config + succeeds for opt-out config + succeeds for `true` config succeeds for `nil` config + succeeds for Array of Strings config fails for Array of non-String config - make_header_value - returns a string of quoted values that are comma separated + succeeds for empty config make_header - returns nil with empty config - returns specified types + returns all types with `true` config returns nil with nil config returns nil with opt-out config - returns all types with `true` config + returns specified types + returns nil with empty config + +with an invalid configuration + raises an exception when SameSite none and strict enforcement modes are configured with booleans + raises an exception when both lax and strict only filters are provided to SameSite configurations + raises an exception when SameSite is not configured with a Hash + raises an exception when configured without a boolean(true or OPT_OUT)/Hash + raises an exception when SameSite lax and strict enforcement modes are configured with booleans + raises an exception when both lax and strict only filters are provided to SameSite configurations + raises an exception when configured with false + raises an exception when SameSite lax and none enforcement modes are configured with booleans + raises an exception when SameSite lax and strict enforcement modes are configured with booleans + raises an exception when SameSite strict and none enforcement modes are configured with booleans + raises an exception when both only and except filters are provided + raises an exception when both only and except filters are provided to SameSite configurations + raises an exception when SameSite none and lax enforcement modes are configured with booleans + raises an exception when SameSite strict and lax enforcement modes are configured with booleans + raises an exception when not configured with a Hash + +SecureHeaders::XXssProtection + is expected to eq ["x-xss-protection", "1; mode=block; report=https://www.secure.com/reports"] + is expected to eq ["x-xss-protection", "0"] + with invalid configuration + should raise an error when providing a string that is not valid + when using a hash value + should raise an error if no value key is supplied + should allow string values ('1' or '0' are the only valid strings) + should raise an error if an invalid key is supplied + should raise an error if mode != block SecureHeaders::XDownloadOptions is expected to eq ["x-download-options", "noopen"] is expected to eq ["x-download-options", "noopen"] invalid configuration values + accepts nil doesn't accept anything besides noopen accepts noopen - accepts nil - -SecureHeaders::ContentSecurityPolicy - #name - when in enforce mode - is expected to eq "content-security-policy" - when in report-only mode - is expected to eq "content-security-policy-report-only" - #value - deprecates and escapes semicolons in directive source lists - does not add a directive if the value is an empty array (or all nil) - creates maximally strict sandbox policy when passed no sandbox token values - uses a safe but non-breaking default value - discards source expressions (besides unsafe-* and non-host source values) when * is present - does not build directives with a value of OPT_OUT (and bypasses directive requirements) - allows duplicate policy names in trusted-types directive - allows script as a require-sri-src - supports style-src-attr directive - removes http/s schemes from hosts - supports strict-dynamic and opting out of the appended 'unsafe-inline' - handles wildcard subdomain with wildcard port - supports script-src-elem directive - does add a boolean directive if the value is true - does not minify source expressions based on overlapping wildcards - discards 'none' values if any other source expressions are present - deduplicates source expressions that match exactly (after scheme stripping) - includes prefetch-src - does not add a boolean directive if the value is false - does not emit a warning when using frame-src - does not add a directive if the value is nil - supports strict-dynamic - creates sandbox policy when passed valid sandbox token values - supports style-src-elem directive - supports trusted-types directive - supports script-src-attr directive - does not remove schemes from report-uri values - creates maximally strict sandbox policy when passed true - allows style as a require-sri-src - supports trusted-types directive with 'none' - allows style as a require-trusted-types-for source - includes navigate-to - deprecates and escapes semicolons in directive source lists - does not remove schemes when :preserve_schemes is true - removes nil from source lists - allows script and style as a require-sri-src - does not deduplicate non-matching schema source expressions -SecureHeaders::Cookie - applies httponly, secure, and samesite by default - preserves existing attributes - prevents duplicate flagging of attributes - does not tamper with cookies when using OPT_OUT is used - SameSite cookies - flags SameSite=Lax when configured with a boolean - does not flag cookies as SameSite=Strict when excluded - flags SameSite=Strict when configured with a boolean - flags SameSite=Strict when configured with a boolean - ignores configuration if the cookie is already flagged - does not flag cookies as SameSite=Lax when excluded - flags SameSite=None - flags SameSite=Lax - flags properly when both lax and strict are configured - samesite: true sets all cookies to samesite=lax - flags SameSite=Strict - does not flag cookies as SameSite=None when excluded - flags SameSite=None when configured with a boolean - Secure cookies - when configured with a boolean - flags cookies as Secure - when configured with a Hash - flags cookies as Secure when whitelisted - does not flag cookies as Secure when excluded - HttpOnly cookies - when configured with a Hash - flags cookies as HttpOnly when whitelisted - does not flag cookies as HttpOnly when excluded - when configured with a boolean - flags cookies as HttpOnly +SecureHeaders::Configuration + deprecates the secure_cookies configuration + has a default config + allows OPT_OUT + gives cookies a default config + dup results in a copy of the default config + allows me to be explicit too + stores an override + has an 'noop' override + #named_append + raises on configuring an existing append + raises when an override with the given name exists + #override + raises when a named append with the given name exists + raises on configuring an existing override SecureHeaders::StrictTransportSecurity #value - is expected to eq ["strict-transport-security", "max-age=1234; includeSubdomains; preload"] is expected to eq ["strict-transport-security", "max-age=631138519"] + is expected to eq ["strict-transport-security", "max-age=1234; includeSubdomains; preload"] with an invalid configuration with a string argument - raises an exception with an invalid max-age raises an exception if max-age is not supplied raises an exception with an invalid format + raises an exception with an invalid max-age + +SecureHeaders::ReferrerPolicy + is expected to eq ["referrer-policy", "no-referrer"] + is expected to eq ["referrer-policy", "origin-when-cross-origin"] + is expected to eq ["referrer-policy", "origin-when-cross-origin, strict-origin-when-cross-origin"] + invalid configuration values + doesn't accept invalid types + doesn't accept invalid values + valid configuration values + accepts 'same-origin' + accepts 'no-referrer-when-downgrade' + accepts 'strict-origin-when-cross-origin' + accepts 'no-referrer' + accepts 'strict-origin' + accepts nil + accepts 'unsafe-url' + accepts array of policy values + accepts 'origin' + accepts 'origin-when-cross-origin' + +SecureHeaders::PolicyManagement + #combine_policies + raises an error if appending to a OPT_OUT policy + overrides the report_only flag + overrides the :upgrade_insecure_requests flag + does not combine the default-src value for directives that don't fall back to default sources + combines directives where the original value is nil and the hash is frozen + combines the default-src value with the override if the directive was unconfigured + #validate_config! + rejects style for trusted types + allows report_only to be set in a report-only config + accepts anything of the form type/subtype as a plugin-type value + requires :upgrade_insecure_requests to be a boolean value + accepts anything of the form allow-* as a sandbox value + requires all source lists to be an array of strings + allows nil values + requires a :default_src value + accepts OPT_OUT as a script-src value + accepts true as a sandbox policy + requires a :script_src value + requires :preserve_schemes to be a truthy value + requires :report_only to be a truthy value + rejects unknown directives / config + rejects anything not of the form type/subtype as a plugin-type value + doesn't allow report_only to be set in a non-report-only config + accepts all keys + performs light validation on source lists + rejects anything not of the form allow-* as a sandbox value SecureHeaders::ExpectCertificateTransparency - is expected to eq "enforce, max-age=1234" is expected to eq "max-age=1234" - is expected to eq "enforce, max-age=1234, report-uri=\"https://report-uri.io/expect-ct\"" is expected to eq "max-age=1234, report-uri=\"https://report-uri.io/expect-ct\"" + is expected to eq "enforce, max-age=1234, report-uri=\"https://report-uri.io/expect-ct\"" + is expected to eq "enforce, max-age=1234" is expected to eq "max-age=1234" with an invalid configuration raises an exception when configuration isn't a hash raises an exception with an invalid max-age - raises an exception when max-age is not provided raises an exception with an invalid enforce value - -SecureHeaders::Configuration - stores an override - has a default config - deprecates the secure_cookies configuration - allows me to be explicit too - allows OPT_OUT - dup results in a copy of the default config - has an 'noop' override - gives cookies a default config - #named_append - raises on configuring an existing append - raises when an override with the given name exists - #override - raises when a named append with the given name exists - raises on configuring an existing override - -SecureHeaders::XPermittedCrossDomainPolicies - is expected to eq ["x-permitted-cross-domain-policies", "master-only"] - is expected to eq ["x-permitted-cross-domain-policies", "none"] - valid configuration values - accepts 'by-ftp-filename' - accepts nil - accepts 'master-only' - accepts 'all' - accepts 'by-content-type' - invlaid configuration values - doesn't accept invalid values + raises an exception when max-age is not provided SecureHeaders - has a HEADER_NAME with no capital letters - raises and ArgumentError when referencing an override that has not been set - raises a NotYetConfiguredError if trying to opt-out of unconfigured headers raises a AlreadyConfiguredError if trying to configure and default has already been set raises a NotYetConfiguredError if default has not been set + raises and ArgumentError when referencing an override that has not been set + has a HEADER_NAME with no capital letters + raises a NotYetConfiguredError if trying to opt-out of unconfigured headers validation - validates your cookies config upon configuration - validates your x_xss config upon configuration validates your hsts config upon configuration - validates your clear site data config upon configuration - raises errors for unknown directives - validates your xfo config upon configuration - validates your x_permitted_cross_domain_policies config upon configuration + validates your referrer_policy config upon configuration validates your xcto config upon configuration + validates your xfo config upon configuration validates your csp config upon configuration - validates your referrer_policy config upon configuration + raises errors for unknown directives + validates your cookies config upon configuration validates your xdo config upon configuration + validates your x_permitted_cross_domain_policies config upon configuration + validates your clear site data config upon configuration + validates your x_xss config upon configuration #header_hash_for does not set the HSTS header if request is over HTTP - allows you to override x-frame-options settings - allows you to override opting out - produces a hash of headers with default config Carries options over when using overrides allows you to opt out entirely - allows you to opt out of individual headers via API + allows you to override x-frame-options settings + produces a hash of headers with default config + allows you to override opting out Overrides the current default config if default config changes during request + allows you to opt out of individual headers via API content security policy + overrides non-existant directives Raises an error if csp_report_only is used with `report_only: false` + overrides individual directives appends a hash to a missing script-src value - appends a value to csp directive does not support the deprecated `report_only: true` format - overrides individual directives appends a nonce to the script-src when used - overrides non-existant directives - appends a nonce to a missing script-src value supports named appends + appends a value to csp directive + appends a nonce to a missing script-src value setting two headers - sets identical values when the configs are the same - allows you to opt-out of enforced CSP - allows overriding the report only policy allows appending to both policies - allows overriding the enforced policy + sets different headers when the configs are different allows overriding both policies + allows you to opt-out of enforced CSP allows appending to the report only policy - sets different headers when the configs are different + sets identical values when the configs are the same + allows overriding the enforced policy allows appending to the enforced policy + allows overriding the report only policy when inferring which config to modify + updates both headers if both are configured updates the report only header when configured updates the enforced header when configured - updates both headers if both are configured -SecureHeaders::XXssProtection - is expected to eq ["x-xss-protection", "0"] - is expected to eq ["x-xss-protection", "1; mode=block; report=https://www.secure.com/reports"] - with invalid configuration - should raise an error when providing a string that is not valid - when using a hash value - should allow string values ('1' or '0' are the only valid strings) - should raise an error if mode != block - should raise an error if an invalid key is supplied - should raise an error if no value key is supplied +SecureHeaders::XFrameOptions + #value + is expected to eq ["x-frame-options", "sameorigin"] + is expected to eq ["x-frame-options", "DENY"] + with invalid configuration + allows ALLOW-FROM* + allows DENY + does not allow garbage + allows SAMEORIGIN -SecureHeaders::PolicyManagement - #combine_policies - overrides the report_only flag - raises an error if appending to a OPT_OUT policy - does not combine the default-src value for directives that don't fall back to default sources - overrides the :upgrade_insecure_requests flag - combines the default-src value with the override if the directive was unconfigured - combines directives where the original value is nil and the hash is frozen - #validate_config! - performs light validation on source lists - rejects unknown directives / config - requires a :default_src value - allows report_only to be set in a report-only config - requires all source lists to be an array of strings - accepts OPT_OUT as a script-src value - requires :report_only to be a truthy value - requires :upgrade_insecure_requests to be a boolean value - requires :preserve_schemes to be a truthy value - rejects anything not of the form type/subtype as a plugin-type value - rejects style for trusted types - accepts anything of the form allow-* as a sandbox value - accepts all keys - accepts true as a sandbox policy - accepts anything of the form type/subtype as a plugin-type value - doesn't allow report_only to be set in a non-report-only config - requires a :script_src value - rejects anything not of the form allow-* as a sandbox value - allows nil values +SecureHeaders::XContentTypeOptions + #value + is expected to eq ["x-content-type-options", "nosniff"] + is expected to eq ["x-content-type-options", "nosniff"] + invalid configuration values + accepts nosniff + doesn't accept anything besides no-sniff + accepts nil + +SecureHeaders::ViewHelpers + raises an error when using hashed content with precomputed hashes, but none for the given file + adds known hash values to the corresponding headers when the helper is used + raises an error when using previously unknown hashed content with precomputed hashes for a given file + avoids calling content_security_policy_nonce internally + raises an error when using hashed content without precomputed hashes + +SecureHeaders::Cookie + preserves existing attributes + does not tamper with cookies when using OPT_OUT is used + applies httponly, secure, and samesite by default + prevents duplicate flagging of attributes + Secure cookies + when configured with a boolean + flags cookies as Secure + when configured with a Hash + does not flag cookies as Secure when excluded + flags cookies as Secure when whitelisted + HttpOnly cookies + when configured with a Hash + flags cookies as HttpOnly when whitelisted + does not flag cookies as HttpOnly when excluded + when configured with a boolean + flags cookies as HttpOnly + SameSite cookies + flags SameSite=Lax when configured with a boolean + flags SameSite=Lax + samesite: true sets all cookies to samesite=lax + does not flag cookies as SameSite=None when excluded + flags SameSite=None + ignores configuration if the cookie is already flagged + flags SameSite=None when configured with a boolean + flags SameSite=Strict + does not flag cookies as SameSite=Lax when excluded + flags SameSite=Strict when configured with a boolean + does not flag cookies as SameSite=Strict when excluded + flags SameSite=Strict when configured with a boolean + flags properly when both lax and strict are configured + +SecureHeaders::ContentSecurityPolicy + #name + when in report-only mode + is expected to eq "content-security-policy-report-only" + when in enforce mode + is expected to eq "content-security-policy" + #value + removes http/s schemes from hosts + does not remove schemes when :preserve_schemes is true + handles wildcard subdomain with wildcard port + supports trusted-types directive with 'none' + includes navigate-to + supports strict-dynamic and opting out of the appended 'unsafe-inline' + does not deduplicate non-matching schema source expressions + does not add a directive if the value is nil + allows duplicate policy names in trusted-types directive + allows style as a require-trusted-types-for source + discards 'none' values if any other source expressions are present + uses a safe but non-breaking default value + does not minify source expressions based on overlapping wildcards + does add a boolean directive if the value is true + supports script-src-attr directive + allows style as a require-sri-src + supports style-src-attr directive + supports trusted-types directive + allows script and style as a require-sri-src + creates maximally strict sandbox policy when passed no sandbox token values + supports strict-dynamic + creates sandbox policy when passed valid sandbox token values + does not remove schemes from report-uri values + deprecates and escapes semicolons in directive source lists + supports script-src-elem directive + does not add a boolean directive if the value is false + removes nil from source lists + does not emit a warning when using frame-src + deprecates and escapes semicolons in directive source lists + does not build directives with a value of OPT_OUT (and bypasses directive requirements) + allows script as a require-sri-src + supports style-src-elem directive + deduplicates source expressions that match exactly (after scheme stripping) + includes prefetch-src + does not add a directive if the value is an empty array (or all nil) + creates maximally strict sandbox policy when passed true + discards source expressions (besides unsafe-* and non-host source values) when * is present -Finished in 0.1747 seconds (files took 0.37767 seconds to load) +Finished in 0.14225 seconds (files took 0.38018 seconds to load) 247 examples, 0 failures -Randomized with seed 20807 +Randomized with seed 20001 [Coveralls] Outside the CI environment, not sending data. @@ -1377,12 +1413,14 @@ dpkg-buildpackage: info: binary-only upload (no source included) dpkg-genchanges: info: including full source code in upload I: copying local configuration +I: user script /srv/workspace/pbuilder/4187491/tmp/hooks/B01_cleanup starting +I: user script /srv/workspace/pbuilder/4187491/tmp/hooks/B01_cleanup finished I: unmounting dev/ptmx filesystem I: unmounting dev/pts filesystem I: unmounting dev/shm filesystem I: unmounting proc filesystem I: unmounting sys filesystem I: cleaning the build env -I: removing directory /srv/workspace/pbuilder/3088478 and its subdirectories -I: Current time: Thu Nov 26 03:10:20 -12 2026 -I: pbuilder-time-stamp: 1795705820 +I: removing directory /srv/workspace/pbuilder/4187491 and its subdirectories +I: Current time: Fri Oct 24 22:48:01 +14 2025 +I: pbuilder-time-stamp: 1761295681