From 0358c8e3e445509095b7daf510162dd2c663d4c4 Mon Sep 17 00:00:00 2001
From: Neil Matatall
Date: Mon, 28 Mar 2016 12:57:14 -1000
Subject: [PATCH] Opting out of all protection would raise an exception because the idempotency check was wrong
---
 lib/secure_headers/configuration.rb | 1 +
 lib/secure_headers/headers/policy_management.rb | 1 +
 spec/lib/secure_headers_spec.rb | 1 +
 3 files changed, 3 insertions(+)
diff --git a/lib/secure_headers/configuration.rb b/lib/secure_headers/configuration.rb
index f7a3ff16..f4154dc4 100644
--- a/lib/secure_headers/configuration.rb
+++ b/lib/secure_headers/configuration.rb
@@ -71,6 +71,7 @@ def add_noop_configuration
 ALL_HEADER_CLASSES.each do |klass|
 config.send("#{klass::CONFIG_KEY}=", OPT_OUT)
 end
+ config.dynamic_csp = OPT_OUT
 end
 add_configuration(NOOP_CONFIGURATION, noop_config)
diff --git a/lib/secure_headers/headers/policy_management.rb b/lib/secure_headers/headers/policy_management.rb
index 7ff03564..f78f5ffb 100644
--- a/lib/secure_headers/headers/policy_management.rb
+++ b/lib/secure_headers/headers/policy_management.rb
@@ -196,6 +196,7 @@ def validate_config!(config)
 # additions = { script_src: %w(google.com)} then idempotent_additions? would return
 # because google.com is already in the config.
 def idempotent_additions?(config, additions)
+ return true if config == OPT_OUT && additions == OPT_OUT
 return false if config == OPT_OUT
 config == combine_policies(config, additions)
 end
diff --git a/spec/lib/secure_headers_spec.rb b/spec/lib/secure_headers_spec.rb
index ffe73f22..770ea39d 100644
--- a/spec/lib/secure_headers_spec.rb
+++ b/spec/lib/secure_headers_spec.rb
@@ -38,6 +38,7 @@ module SecureHeaders
 ALL_HEADER_CLASSES.each do |klass|
 expect(hash[klass::CONFIG_KEY]).to be_nil
 end
+ expect(hash.count).to eq(0)
 end
 it "allows you to override X-Frame-Options settings" do
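Review bot: In `add_noop_configuration` (lib/secure_headers/configuration.rb) the new `config.dynamic_csp = OPT_OUT` line carries no comment explaining why it sits outside the `ALL_HEADER_CLASSES` loop, so a later cleanup could remove it and bring back the exception named in the commit subject. Presumably no header class uses `dynamic_csp` as its `CONFIG_KEY`, which is why the loop never resets it; if that is right, I would add `# dynamic_csp is not reset by the CONFIG_KEY loop above; opt it out explicitly` above the line. The method starts before this hunk and ends after it, so whether other settings outside the header classes need the same explicit opt-out cannot be checked from here.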
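Review bot: In `idempotent_additions?` (lib/secure_headers/headers/policy_management.rb) the new guard handles only the case where both arguments are `OPT_OUT`; when `additions == OPT_OUT` and `config` is a real policy, the call still reaches `combine_policies(config, additions)`, whose handling of an `OPT_OUT` argument is not visible in this hunk. If callers can produce that combination, it deserves an explicit branch and a spec rather than relying on whatever `combine_policies` happens to do. The two guards can also be folded into one line, `return additions == OPT_OUT if config == OPT_OUT`, which makes the opted-out case read as a single decision. The comment above the method is missing the value after "would return" (presumably `true`).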
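Review bot: In spec/lib/secure_headers_spec.rb, `expect(hash.count).to eq(0)` reports only a number when it fails; `expect(hash).to be_empty` would print which headers leaked through the opt-out, which is what someone debugging this spec needs to see. The example's `it` line is above the hunk, so I cannot tell whether it exercises the call path that used to raise. If it does not, a spec asserting that opting out of all protection does not raise would pin the regression described in the commit subject.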