
Semantically parse and deduplicate source expressions

Open lgarron opened this issue 3 years ago • 2 comments

Recently, we've had a spate of fixes for parsing directives and source expressions, stemming from the fact that the code doesn't understand the format of valid expressions, and makes local assumptions about what they look like — in particular, assuming a resemblance to URLs during deduplication, when handling a lot of possible values that are not URLs.

https://github.com/github/secure_headers/pull/490
https://github.com/github/secure_headers/pull/478

This PR is an attempt to "bite the bullet" and parse source expressions so we can semantically deduplicate matching URLs. In the future, we could use this to add more validation.

All PRs:

  • [x] Has tests
  • [ ] ~Documentation updated~ (N/A)

Adding a new header

lgarron avatar Aug 17 '22 19:08 lgarron
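As an added example (not code from secure_headers or from this PR), here is one way to do what the description asks for: tokenize a CSP directive value, classify each source expression by its grammar (keyword, nonce, hash, scheme, host), and deduplicate on a per-kind identity key instead of treating every token as a URL. Keywords, schemes and hosts compare ASCII case-insensitively, while nonce and hash values are base64 data and compare byte-for-byte, which is exactly the distinction a URL-shaped comparison gets wrong. The module, method and struct names are assumptions made for this example; the regular expressions are a simplified reading of the CSP source-expression grammar and do not cover every corner of it.

```ruby
# Added example: semantic parsing and deduplication of CSP source expressions.
# Not part of the secure_headers gem; names below are assumptions for illustration.
module CspSourceExpressions
  # Keyword sources are matched ASCII case-insensitively in CSP, so we store them downcased.
  KEYWORDS = %w['self' 'none' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic'
                'unsafe-hashes' 'report-sample' 'wasm-unsafe-eval'].freeze

  Source = Struct.new(:kind, :value) do
    # Identity used for deduplication. Hosts and schemes are case-insensitive;
    # nonce and hash payloads are base64 and must be compared exactly.
    def key
      case kind
      when :host, :scheme, :keyword then [kind, value.downcase]
      else [kind, value]
      end
    end

    # Serialize back to the form used in a Content-Security-Policy header.
    def to_s
      case kind
      when :nonce then "'nonce-#{value}'"
      when :hash  then "'#{value}'"
      else value
      end
    end
  end

  # Parse one whitespace-delimited token into a typed Source.
  # Raises ArgumentError for tokens that are not valid source expressions.
  def self.parse(token)
    case token
    when /\A'nonce-([A-Za-z0-9+\/_-]+=*)'\z/i
      Source.new(:nonce, $1)
    when /\A'(sha(?:256|384|512))-([A-Za-z0-9+\/_-]+=*)'\z/i
      Source.new(:hash, "#{$1.downcase}-#{$2}")
    when /\A'[a-z-]+'\z/i
      raise ArgumentError, "unknown keyword source: #{token}" unless KEYWORDS.include?(token.downcase)
      Source.new(:keyword, token.downcase)
    when /\A[a-z][a-z0-9+.-]*:\z/i
      Source.new(:scheme, token)
    when /\A(?:[a-z][a-z0-9+.-]*:\/\/)?(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*(?::(?:\d+|\*))?(?:\/\S*)?\z/i, /\A\*\z/
      Source.new(:host, token)
    else
      raise ArgumentError, "invalid source expression: #{token.inspect}"
    end
  end

  # Deduplicate a list of tokens on semantic identity, keeping the first spelling seen.
  def self.dedupe(tokens)
    seen = {}
    tokens.map(&:strip).reject(&:empty?).each do |t|
      src = parse(t)
      seen[src.key] ||= src
    end
    seen.values
  end

  # Convenience: take a directive value string and return the deduplicated value string.
  def self.dedupe_directive(value)
    dedupe(value.split(/\s+/)).map(&:to_s).join(" ")
  end
end

if __FILE__ == $0
  # Constructed sample input: mixed-case duplicates of a host, a keyword and a scheme,
  # plus two nonces that differ only in case and therefore must both survive.
  puts CspSourceExpressions.dedupe_directive(
    "'self' https://Example.com 'nonce-abc123' https://example.com 'nonce-ABC123' 'SELF' https: HTTPS:"
  )
end
```

Rejecting unknown quoted keywords at parse time is deliberate: a typo such as `'unsafe-inlne'` is silently ignored by browsers, so catching it in the library is where the validation the description mentions would live.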

@machisuji if you have time, your review would also be appreciated here having worked in this area very recently 🙇

JackMc avatar Aug 18 '22 12:08 JackMc

Meta-concern: is this change a breaking one? I don’t think we have an easy way to differentiate between the quirks of this implementation and the other one. Those quirks weren’t documented, but they likely are now relied upon.

JackMc avatar Aug 18 '22 12:08 JackMc

Abandoned in favor of https://github.com/github/secure_headers/pull/499

lgarron avatar Oct 25 '22 03:10 lgarron