Bump secure_headers from 3.3.2 to 3.9.0

[dependabot]

Bumps secure_headers from 3.3.2 to 3.9.0.

Release notes

Sourced from secure_headers's releases.

Bug fix and strict dynamic support

• Fix bug that can occur when useragent library version is older, resulting in a nil version sometimes.
• Add constant for strict-dynamic

Add support for setting two headers

No release notes provided.

Handle frame-src/child-src gracefully

3.4.0 the frame-src/child-src transition for Firefox.

Handle the child-src/frame-src transition semi-intelligently across versions. I think the code best describes the behavior here:

if supported_directives.include?(:child_src)
  @config[:child_src] = @config[:child_src] || @config[:frame_src]
else
  @config[:frame_src] = @config[:frame_src] || @config[:child_src]
end

Changelog

Sourced from secure_headers's changelog.

3.9.0

Fixes newline injection issue

3.8.0

Fixes semicolon injection issue reported by @mvgijssel see twitter/secure_headers#418

3.7.4

Backport SameSite=None functionality into 3.x line

3.7.3

• Updates Expect-CT header to use a comma separator between directives, as specified in the most current spec.

3.7.2

• Adds support for worker-src CSP directive to 3.x line (twitter/secureheaders#364)

3.7.1

Fix support for the sandbox attribute of CSP. true and [] represent the maximally restricted policy (sandbox;) and validate other values.

3.7.0

Adds support for the Expect-CT header (@jacobbednarz: twitter/secureheaders#322)

3.6.7

Actually set manifest-src when configured. twitter/secureheaders#339 Thanks @carlosantoniodasilva!

3.6.6

wat?

3.6.5

Update clear-site-data header to use current format specified by the specification.

3.6.4

Fix case where mixing frame-src/child-src dynamically would behave in unexpected ways: twitter/secureheaders#325

3.6.3

Remove deprecation warning when setting frame-src. It is no longer deprecated.

3.6.2

Commits

• f06956d bump to 3.9.0
• 3240b58 Merge pull request from GHSA-w978-rmpf-qmwg
• 0c8f096 bump to 3.8
• 399a9ad Merge pull request #420 from twitter/escape-semi-colons-3x
• fd1303d Escape semi colons in directive source lists in 3.x releases
• 2d1037e version bump
• a9a8c0a Merge pull request #416 from ilikepi/add-same-site-none-support-to-3.x-cherry
• 9235f3e Fix spec to work under ruby 1.9
• 71f18e5 dry up more tests
• b1971e0 DRY up tests a little
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.