Update prebuilt files

Ran and committed the changes from

    bundle exec rake pull build

Looks like we have been accepting changes here that should have gone
into the sinatra/sinatra repo. Oh well.

Author: dentarg

_includes/README.html

@@ -6,7 +6,7 @@
 <p>all</p>
 </dd><dt>More infos
 <dd>
-<p><a href="https://en.wikipedia.org/wiki/Cross-site_request_forgery">en.wikipedia.org/wiki/Cross-site_request_forgery</a></p>
+<p><a href="http://en.wikipedia.org/wiki/Cross-site_request_forgery">en.wikipedia.org/wiki/Cross-site_request_forgery</a></p>
 </dd></dl>
 
 <p>This middleware only accepts requests other than <code>GET</code>, <code>HEAD</code>, <code>OPTIONS</code>, <code>TRACE</code> if their given access token matches the token included in the session.</p>
@@ -48,6 +48,7 @@ <h2 id="label-Example-3A+Forms+application">Example: Forms application<span><a h
 <p>Here is <code>server.rb</code>:</p>
 
 <pre class="ruby"><span class="ruby-identifier">require</span> <span class="ruby-string">&#39;rack/protection&#39;</span>
+<span class="ruby-identifier">require</span> <span class="ruby-string">&#39;rack/session&#39;</span>
 
 <span class="ruby-identifier">app</span> = <span class="ruby-constant">Rack</span><span class="ruby-operator">::</span><span class="ruby-constant">Builder</span>.<span class="ruby-identifier">app</span> <span class="ruby-keyword">do</span>
   <span class="ruby-identifier">use</span> <span class="ruby-constant">Rack</span><span class="ruby-operator">::</span><span class="ruby-constant">Session</span><span class="ruby-operator">::</span><span class="ruby-constant">Cookie</span>, <span class="ruby-value">secret:</span> <span class="ruby-string">&#39;secret&#39;</span>

_includes/rack-protection-authenticity-token.html

@@ -9,10 +9,10 @@
 <p>Content Security Policy, a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). Content Security Policy is a declarative policy that lets the authors (or server administrators) of a web application inform the client about the sources from which the application expects to load resources.</p>
 </dd><dt>More info
 <dd>
-<p>W3C CSP Level 1 : <a href="https://www.w3.org/TR/CSP1">www.w3.org/TR/CSP1</a>/ (deprecated) W3C CSP Level 2 : <a href="https://www.w3.org/TR/CSP2">www.w3.org/TR/CSP2</a>/ (current) W3C CSP Level 3 : <a href="https://www.w3.org/TR/CSP3">www.w3.org/TR/CSP3</a>/ (draft) <a href="https://developer.mozilla.org/en-US/docs/Web/Security/CSP">developer.mozilla.org/en-US/docs/Web/Security/CSP</a> <a href="https://caniuse.com/#search=ContentSecurityPolicy">caniuse.com/#search=ContentSecurityPolicy</a> <a href="https://content-security-policy.com">content-security-policy.com</a>/ <a href="https://securityheaders.io">securityheaders.io</a> <a href="https://scotthelme.co.uk/csp-cheat-sheet">scotthelme.co.uk/csp-cheat-sheet</a>/ <a href="https://www.html5rocks.com/en/tutorials/security/content-security-policy">www.html5rocks.com/en/tutorials/security/content-security-policy</a>/</p>
+<p>W3C CSP Level 1 : <a href="https://www.w3.org/TR/CSP1">www.w3.org/TR/CSP1</a>/ (deprecated) W3C CSP Level 2 : <a href="https://www.w3.org/TR/CSP2">www.w3.org/TR/CSP2</a>/ (current) W3C CSP Level 3 : <a href="https://www.w3.org/TR/CSP3">www.w3.org/TR/CSP3</a>/ (draft) <a href="https://developer.mozilla.org/en-US/docs/Web/Security/CSP">developer.mozilla.org/en-US/docs/Web/Security/CSP</a> <a href="http://caniuse.com/#search=ContentSecurityPolicy">caniuse.com/#search=ContentSecurityPolicy</a> <a href="http://content-security-policy.com">content-security-policy.com</a>/ <a href="https://securityheaders.io">securityheaders.io</a> <a href="https://scotthelme.co.uk/csp-cheat-sheet">scotthelme.co.uk/csp-cheat-sheet</a>/ <a href="http://www.html5rocks.com/en/tutorials/security/content-security-policy">www.html5rocks.com/en/tutorials/security/content-security-policy</a>/</p>
 </dd></dl>
 
-<p>Sets the ‘<a href="-Report-Only">Content-Security-Policy</a>’ header.</p>
+<p>Sets the ‘<a href="-report-only">content-security-policy</a>’ header.</p>
 
 <p>Options: ContentSecurityPolicy configuration is a complex topic with</p>
 

_includes/rack-protection-content-security-policy.html

@@ -6,7 +6,7 @@
 <p>all</p>
 </dd><dt>More infos
 <dd>
-<p><a href="https://en.wikipedia.org/wiki/Cross-site_scripting">en.wikipedia.org/wiki/Cross-site_scripting</a></p>
+<p><a href="http://en.wikipedia.org/wiki/Cross-site_scripting">en.wikipedia.org/wiki/Cross-site_scripting</a></p>
 </dd></dl>
 
 <p>Automatically escapes Rack::Request#params so they can be embedded in HTML or JavaScript without any further issues.</p>

_includes/rack-protection-escaped-params.html

@@ -6,7 +6,7 @@
 <p>all</p>
 </dd><dt>More infos
 <dd>
-<p><a href="https://en.wikipedia.org/wiki/Cross-site_request_forgery">en.wikipedia.org/wiki/Cross-site_request_forgery</a></p>
+<p><a href="http://en.wikipedia.org/wiki/Cross-site_request_forgery">en.wikipedia.org/wiki/Cross-site_request_forgery</a></p>
 </dd></dl>
 
 <p>Only accepts submitted forms if a given access token matches the token included in the session. Does not expect such a token from Ajax request.</p>

_includes/rack-protection-form-token.html

@@ -6,14 +6,14 @@
 <p>Google Chrome 2, Safari 4 and later</p>
 </dd><dt>More infos
 <dd>
-<p><a href="https://en.wikipedia.org/wiki/Cross-site_request_forgery">en.wikipedia.org/wiki/Cross-site_request_forgery</a> <a href="https://tools.ietf.org/html/draft-abarth-origin">tools.ietf.org/html/draft-abarth-origin</a></p>
+<p><a href="http://en.wikipedia.org/wiki/Cross-site_request_forgery">en.wikipedia.org/wiki/Cross-site_request_forgery</a> <a href="http://tools.ietf.org/html/draft-abarth-origin">tools.ietf.org/html/draft-abarth-origin</a></p>
 </dd></dl>
 
 <p>Does not accept unsafe HTTP requests when value of Origin HTTP request header does not match default or permitted URIs.</p>
 
 <p>If you want to permit a specific domain, you can pass in as the ‘:permitted_origins` option:</p>
 
-<pre class="ruby"><span class="ruby-identifier">use</span> <span class="ruby-constant">Rack</span><span class="ruby-operator">::</span><span class="ruby-constant">Protection</span>, <span class="ruby-value">permitted_origins:</span> [<span class="ruby-string">&quot;http://localhost:3000&quot;</span>, <span class="ruby-string">&quot;https://127.0.01:3000&quot;</span>]
+<pre class="ruby"><span class="ruby-identifier">use</span> <span class="ruby-constant">Rack</span><span class="ruby-operator">::</span><span class="ruby-constant">Protection</span>, <span class="ruby-value">permitted_origins:</span> [<span class="ruby-string">&quot;http://localhost:3000&quot;</span>, <span class="ruby-string">&quot;http://127.0.01:3000&quot;</span>]
 </pre>
 
 <p>The ‘:allow_if` option can also be set to a proc to use custom allow/deny logic.</p>

_includes/rack-protection-http-origin.html

@@ -6,7 +6,7 @@
 <p>all</p>
 </dd><dt>More infos
 <dd>
-<p><a href="https://blog.c22.cc/2011/04/22/surveymonkey-ip-spoofing">blog.c22.cc/2011/04/22/surveymonkey-ip-spoofing</a>/</p>
+<p><a href="http://blog.c22.cc/2011/04/22/surveymonkey-ip-spoofing">blog.c22.cc/2011/04/22/surveymonkey-ip-spoofing</a>/</p>
 </dd></dl>
 
 <p>Detect (some) IP spoofing attacks.</p>

_includes/rack-protection-ip-spoofing.html

@@ -6,7 +6,7 @@
 <p>all</p>
 </dd><dt>More infos
 <dd>
-<p><a href="https://flask.pocoo.org/docs/0.10/security/#json-security">flask.pocoo.org/docs/0.10/security/#json-security</a> <a href="https://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx">haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx</a></p>
+<p><a href="http://flask.pocoo.org/docs/0.10/security/#json-security">flask.pocoo.org/docs/0.10/security/#json-security</a> <a href="http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx">haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx</a></p>
 </dd></dl>
 
 <p>JSON GET APIs are vulnerable to being embedded as JavaScript when the Array prototype has been patched to track data. Checks the referrer even on GET requests if the content type is JSON.</p>

_includes/rack-protection-json-csrf.html

@@ -6,7 +6,7 @@
 <p>all</p>
 </dd><dt>More infos
 <dd>
-<p><a href="https://en.wikipedia.org/wiki/Directory_traversal">en.wikipedia.org/wiki/Directory_traversal</a></p>
+<p><a href="http://en.wikipedia.org/wiki/Directory_traversal">en.wikipedia.org/wiki/Directory_traversal</a></p>
 </dd></dl>
 
 <p>Unescapes ‘/’ and ‘.’, expands <code>path_info</code>. Thus <code>GET /foo/%2e%2e%2fbar</code> becomes <code>GET /bar</code>.</p>

_includes/rack-protection-path-traversal.html

@@ -36,14 +36,14 @@ <h2 id="cross-site-request-forgery">Cross Site Request Forgery</h2>
 
 <ul>
   <li>
-<a href="https://www.sinatrarb.com/protection/authenticity_token"><code>Rack::Protection::AuthenticityToken</code></a> (not included by <code>use Rack::Protection</code>)</li>
+<a href="http://www.sinatrarb.com/protection/authenticity_token"><code>Rack::Protection::AuthenticityToken</code></a> (not included by <code>use Rack::Protection</code>)</li>
   <li>
-<a href="https://www.sinatrarb.com/protection/form_token"><code>Rack::Protection::FormToken</code></a> (not included by <code>use Rack::Protection</code>)</li>
-  <li><a href="https://www.sinatrarb.com/protection/json_csrf"><code>Rack::Protection::JsonCsrf</code></a></li>
+<a href="http://www.sinatrarb.com/protection/form_token"><code>Rack::Protection::FormToken</code></a> (not included by <code>use Rack::Protection</code>)</li>
+  <li><a href="http://www.sinatrarb.com/protection/json_csrf"><code>Rack::Protection::JsonCsrf</code></a></li>
   <li>
-<a href="https://www.sinatrarb.com/protection/remote_referrer"><code>Rack::Protection::RemoteReferrer</code></a> (not included by <code>use Rack::Protection</code>)</li>
-  <li><a href="https://www.sinatrarb.com/protection/remote_token"><code>Rack::Protection::RemoteToken</code></a></li>
-  <li><a href="https://www.sinatrarb.com/protection/http_origin"><code>Rack::Protection::HttpOrigin</code></a></li>
+<a href="http://www.sinatrarb.com/protection/remote_referrer"><code>Rack::Protection::RemoteReferrer</code></a> (not included by <code>use Rack::Protection</code>)</li>
+  <li><a href="http://www.sinatrarb.com/protection/remote_token"><code>Rack::Protection::RemoteToken</code></a></li>
+  <li><a href="http://www.sinatrarb.com/protection/http_origin"><code>Rack::Protection::HttpOrigin</code></a></li>
 </ul>
 
 <h2 id="cross-site-scripting">Cross Site Scripting</h2>
@@ -52,50 +52,52 @@ <h2 id="cross-site-scripting">Cross Site Scripting</h2>
 
 <ul>
   <li>
-<a href="https://www.sinatrarb.com/protection/escaped_params"><code>Rack::Protection::EscapedParams</code></a> (not included by <code>use Rack::Protection</code>)</li>
+<a href="http://www.sinatrarb.com/protection/escaped_params"><code>Rack::Protection::EscapedParams</code></a> (not included by <code>use Rack::Protection</code>)</li>
   <li>
-<a href="https://www.sinatrarb.com/protection/xss_header"><code>Rack::Protection::XSSHeader</code></a> (Internet Explorer and Chrome only)</li>
-  <li><a href="https://www.sinatrarb.com/protection/content_security_policy"><code>Rack::Protection::ContentSecurityPolicy</code></a></li>
+<a href="http://www.sinatrarb.com/protection/xss_header"><code>Rack::Protection::XSSHeader</code></a> (Internet Explorer and Chrome only)</li>
+  <li><a href="http://www.sinatrarb.com/protection/content_security_policy"><code>Rack::Protection::ContentSecurityPolicy</code></a></li>
 </ul>
 
 <h2 id="clickjacking">Clickjacking</h2>
 
 <p>Prevented by:</p>
 
 <ul>
-  <li><a href="https://www.sinatrarb.com/protection/frame_options"><code>Rack::Protection::FrameOptions</code></a></li>
+  <li><a href="http://www.sinatrarb.com/protection/frame_options"><code>Rack::Protection::FrameOptions</code></a></li>
 </ul>
 
 <h2 id="directory-traversal">Directory Traversal</h2>
 
 <p>Prevented by:</p>
 
 <ul>
-  <li><a href="https://www.sinatrarb.com/protection/path_traversal"><code>Rack::Protection::PathTraversal</code></a></li>
+  <li><a href="http://www.sinatrarb.com/protection/path_traversal"><code>Rack::Protection::PathTraversal</code></a></li>
 </ul>
 
 <h2 id="session-hijacking">Session Hijacking</h2>
 
 <p>Prevented by:</p>
 
 <ul>
-  <li><a href="https://www.sinatrarb.com/protection/session_hijacking"><code>Rack::Protection::SessionHijacking</code></a></li>
+  <li>
+<a href="http://www.sinatrarb.com/protection/session_hijacking"><code>Rack::Protection::SessionHijacking</code></a> (not included by <code>use Rack::Protection</code>)</li>
 </ul>
 
 <h2 id="cookie-tossing">Cookie Tossing</h2>
 
 <p>Prevented by:</p>
 
 <ul>
-  <li><a href="https://www.sinatrarb.com/protection/cookie_tossing"><code>Rack::Protection::CookieTossing</code></a> (not included by <code>use Rack::Protection</code>)</li>
+  <li>
+<a href="http://www.sinatrarb.com/protection/cookie_tossing"><code>Rack::Protection::CookieTossing</code></a> (not included by <code>use Rack::Protection</code>)</li>
 </ul>
 
 <h2 id="ip-spoofing">IP Spoofing</h2>
 
 <p>Prevented by:</p>
 
 <ul>
-  <li><a href="https://www.sinatrarb.com/protection/ip_spoofing"><code>Rack::Protection::IPSpoofing</code></a></li>
+  <li><a href="http://www.sinatrarb.com/protection/ip_spoofing"><code>Rack::Protection::IPSpoofing</code></a></li>
 </ul>
 
 <h2 id="helps-to-protect-against-protocol-downgrade-attacks-and-cookie-hijacking">Helps to protect against protocol downgrade attacks and cookie hijacking</h2>
@@ -104,7 +106,7 @@ <h2 id="helps-to-protect-against-protocol-downgrade-attacks-and-cookie-hijacking
 
 <ul>
   <li>
-<a href="https://www.sinatrarb.com/protection/strict_transport"><code>Rack::Protection::StrictTransport</code></a> (not included by <code>use Rack::Protection</code>)</li>
+<a href="http://www.sinatrarb.com/protection/strict_transport"><code>Rack::Protection::StrictTransport</code></a> (not included by <code>use Rack::Protection</code>)</li>
 </ul>
 
 <h1 id="installation">Installation</h1>
@@ -114,9 +116,9 @@ <h1 id="installation">Installation</h1>
 
 <h1 id="instrumentation">Instrumentation</h1>
 
-<p>Instrumentation is enabled by passing in an instrumenter as an option.
+<p>Instrumentation is enabled by passing in an instrumenter as an option.</p>
 
-<pre><code> use Rack::Protection, instrumenter: ActiveSupport::Notifications
+<pre><code>use Rack::Protection, instrumenter: ActiveSupport::Notifications
 </code></pre>
 
 <p>The instrumenter is passed a namespace (String) and environment (Hash). The namespace is ‘rack.protection’ and the attack type can be obtained from the environment key ‘rack.protection.attack’.</p>