From 7854e14e075da7f77ae97bfb8e7f1c4368b0bc65 Mon Sep 17 00:00:00 2001
From: Benjamin Neff
Date: Sun, 8 Apr 2018 00:47:19 +0200
Subject: [PATCH] Bump secure_headers

---
 Gemfile                               | 2 +-
 Gemfile.lock                          | 8 ++++----
 config/initializers/secure_headers.rb | 6 +++---
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/Gemfile b/Gemfile
index cdadff30f..ab4793f50 100644
--- a/Gemfile
+++ b/Gemfile
@@ -152,7 +152,7 @@ gem "string-direction", "1.2.1"
 # Security Headers
-gem "secure_headers", "3.7.1"
+gem "secure_headers", "5.0.5"
 # Services
diff --git a/Gemfile.lock b/Gemfile.lock
index 3c221ca6f..34a27b2fb 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -639,8 +639,8 @@ GEM
     scss_lint (0.54.0)
       rake (>= 0.9, < 13)
       sass (~> 3.4.20)
-    secure_headers (3.7.1)
-      useragent
+    secure_headers (5.0.5)
+      useragent (>= 0.15.0)
     securecompare (1.0.0)
     shellany (0.0.1)
     shoulda-matchers (3.1.2)
@@ -730,7 +730,7 @@ GEM
       get_process_mem (~> 0)
       unicorn (>= 4, < 6)
     url_safe_base64 (0.2.2)
-    useragent (0.16.8)
+    useragent (0.16.10)
     uuid (2.3.8)
       macaddr (~> 1.0)
     valid (1.2.0)
@@ -883,7 +883,7 @@ DEPENDENCIES
   ruby-oembed (= 0.12.0)
   rubyzip (= 1.2.1)
   sass-rails (= 5.0.7)
-  secure_headers (= 3.7.1)
+  secure_headers (= 5.0.5)
   shoulda-matchers (= 3.1.2)
   sidekiq (= 5.1.3)
   sidekiq-cron (= 0.6.3)
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
index cf3edbb70..6f4e64318 100644
--- a/config/initializers/secure_headers.rb
+++ b/config/initializers/secure_headers.rb
@@ -5,13 +5,13 @@ SecureHeaders::Configuration.default do |config|
   csp = {
     default_src: %w('none'),
-    child_src: %w('self' www.youtube.com w.soundcloud.com twitter.com platform.twitter.com syndication.twitter.com
-               player.vimeo.com www.mixcloud.com www.dailymotion.com media.ccc.de bandcamp.com
-               www.instagram.com),
     connect_src: %w('self' embedr.flickr.com geo.query.yahoo.com nominatim.openstreetmap.org api.github.com),
     font_src: %w('self'),
     form_action: %w('self' platform.twitter.com syndication.twitter.com),
     frame_ancestors: %w('self'),
+    frame_src: %w('self' www.youtube.com w.soundcloud.com twitter.com platform.twitter.com syndication.twitter.com
+               player.vimeo.com www.mixcloud.com www.dailymotion.com media.ccc.de bandcamp.com
+               www.instagram.com),
     img_src: %w('self' data: *),
     media_src: %w(https:),
     script_src: %w('self' 'unsafe-eval' platform.twitter.com cdn.syndication.twimg.com widgets.flickr.com