Merge pull request #235 from twitter/fix-opt-out-regression

Opting out of all protection would raise an exception because the idempotency check was wrong
github · Mar 28, 2016 · 6399816 · 6399816
2 parents 171ca58 + 0358c8e
commit 6399816
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 0 deletions.
diff --git a/lib/secure_headers/configuration.rb b/lib/secure_headers/configuration.rb
@@ -71,6 +71,7 @@ def add_noop_configuration
           ALL_HEADER_CLASSES.each do |klass|
             config.send("#{klass::CONFIG_KEY}=", OPT_OUT)
           end
+          config.dynamic_csp = OPT_OUT
         end
 
         add_configuration(NOOP_CONFIGURATION, noop_config)

diff --git a/lib/secure_headers/headers/policy_management.rb b/lib/secure_headers/headers/policy_management.rb
@@ -196,6 +196,7 @@ def validate_config!(config)
       # additions = { script_src: %w(google.com)} then idempotent_additions? would return
       # because google.com is already in the config.
       def idempotent_additions?(config, additions)
+        return true if config == OPT_OUT && additions == OPT_OUT
         return false if config == OPT_OUT
         config == combine_policies(config, additions)
       end

diff --git a/spec/lib/secure_headers_spec.rb b/spec/lib/secure_headers_spec.rb
@@ -38,6 +38,7 @@ module SecureHeaders
         ALL_HEADER_CLASSES.each do |klass|
           expect(hash[klass::CONFIG_KEY]).to be_nil
         end
+        expect(hash.count).to eq(0)
       end
 
       it "allows you to override X-Frame-Options settings" do