Merge pull request #202 from twitter/2.x-deprecation-warnings

2.x deprecation warnings

Author: oreoshake

.travis.yml

@@ -9,3 +9,4 @@ rvm:
 
 sudo: false
 cache: bundler
+before_install: gem update bundler

Gemfile

@@ -3,6 +3,7 @@ source 'https://rubygems.org'
 gemspec
 
 group :test do
+  gem "guard-rspec", platforms: [:ruby_19, :ruby_20, :ruby_21, :ruby_22]
   gem 'test-unit', '~> 3.0'
   gem 'rails', '3.2.22'
   gem 'sqlite3', :platforms => [:ruby, :mswin, :mingw]

Guardfile

@@ -0,0 +1,12 @@
+guard :rspec, cmd: "bundle exec rspec", all_on_start: true, all_after_pass: true do
+  require "guard/rspec/dsl"
+  dsl = Guard::RSpec::Dsl.new(self)
+
+  # RSpec files
+  rspec = dsl.rspec
+  watch(rspec.spec_helper) { rspec.spec_dir }
+  watch(rspec.spec_support) { rspec.spec_dir }
+  watch(rspec.spec_files)
+
+  watch(%r{^lib/(.+)\.rb$}) { |m| "spec/lib/#{m[1]}_spec.rb" }
+end

fixtures/rails_3_2_22_no_init/app/controllers/other_things_controller.rb

@@ -9,6 +9,7 @@ def other_action
   end
 
   def secure_header_options_for(header, options)
+    warn "[DEPRECATION] secure_header_options_for will not be supported in secure_headers 3.x."
     if params[:action] == "other_action"
       if header == :csp
         options.merge(:style_src => "'self'")

lib/secure_headers.rb

@@ -33,12 +33,18 @@ class << self
         :x_xss_protection, :csp, :x_download_options, :script_hashes,
         :x_permitted_cross_domain_policies, :hpkp
 
-      def configure &block
+      # For preparation for the secure_headers 3.x change.
+      def default &block
         instance_eval &block
         if File.exists?(SCRIPT_HASH_CONFIG_FILE)
           ::SecureHeaders::Configuration.script_hashes = YAML.load(File.open(SCRIPT_HASH_CONFIG_FILE))
         end
       end
+
+      def configure &block
+        warn "[DEPRECATION] `configure` is removed in secure_headers 3.x. Instead use `default`."
+        default &block
+      end
     end
   end
 

lib/secure_headers/headers/content_security_policy.rb

@@ -137,9 +137,18 @@ def initialize(config=nil, options={})
 
       # Config values can be string, array, or lamdba values
       @config = config.inject({}) do |hash, (key, value)|
-        config_val = value.respond_to?(:call) ? value.call(@controller) : value
+        config_val = if value.respond_to?(:call)
+          warn "[DEPRECATION] secure_headers 3.x will not support procs as config values."
+          value.call(@controller)
+        else
+          value
+        end
+
         if ALL_DIRECTIVES.include?(key.to_sym) # directives need to be normalized to arrays of strings
-          config_val = config_val.split if config_val.is_a? String
+          if config_val.is_a? String
+            warn "[DEPRECATION] A String was supplied for directive #{key}. secure_headers 3.x will require all directives to be arrays of strings."
+            config_val = config_val.split
+          end
           if config_val.is_a?(Array)
             config_val = config_val.map do |val|
               translate_dir_value(val)
@@ -258,10 +267,10 @@ def append_http_additions
 
     def translate_dir_value val
       if %w{inline eval}.include?(val)
-        warn "[DEPRECATION] using inline/eval may not be supported in the future. Instead use 'unsafe-inline'/'unsafe-eval' instead."
+        warn "[DEPRECATION] using inline/eval is not suppored in secure_headers 3.x. Instead use 'unsafe-inline'/'unsafe-eval' instead."
         val == 'inline' ? "'unsafe-inline'" : "'unsafe-eval'"
       elsif %{self none}.include?(val)
-        warn "[DEPRECATION] using self/none may not be supported in the future. Instead use 'self'/'none' instead."
+        warn "[DEPRECATION] using self/none is not suppored in secure_headers 3.x. Instead use 'self'/'none' instead."
         "'#{val}'"
       elsif val == 'nonce'
         if supports_nonces?

lib/secure_headers/headers/strict_transport_security.rb

@@ -41,6 +41,7 @@ def value
 
     def validate_config
       if @config.is_a? Hash
+        warn "[DEPRECATION] secure_headers 3.0 will only accept string values for StrictTransportSecurity config"
         if !@config[:max_age]
           raise STSBuildError.new("No max-age was supplied.")
         elsif @config[:max_age].to_s !~ /\A\d+\z/

lib/secure_headers/headers/x_content_type_options.rb

@@ -25,6 +25,7 @@ def value
       when String
         @config
       else
+        warn "[DEPRECATION] secure_headers 3.0 will only accept string values for XContentTypeOptions config"
         @config[:value]
       end
     end

lib/secure_headers/headers/x_download_options.rb

@@ -24,6 +24,7 @@ def value
       when String
         @config
       else
+        warn "[DEPRECATION] secure_headers 3.0 will only accept string values for XDownloadOptions config"
         @config[:value]
       end
     end

lib/secure_headers/headers/x_frame_options.rb

@@ -25,6 +25,7 @@ def value
       when String
         @config
       else
+        warn "[DEPRECATION] secure_headers 3.0 will only accept string values for XFrameOptions config"
         @config[:value]
       end
     end