Update Referrer-Policy to support multiple token values

CHANGELOG.md

@@ -1,3 +1,7 @@
+## 5.0.2
+
+- Updates `Referrer-Policy` header to support multiple policy values
+
 ## 5.0.1
 
 - Updates `Expect-CT` header to use a comma separator between directives, as specified in the most current spec.

README.md

@@ -71,7 +71,7 @@ SecureHeaders::Configuration.default do |config|
   config.x_xss_protection = "1; mode=block"
   config.x_download_options = "noopen"
   config.x_permitted_cross_domain_policies = "none"
-  config.referrer_policy = "origin-when-cross-origin"
+  config.referrer_policy = %w(origin-when-cross-origin strict-origin-when-cross-origin)
   config.csp = {
     # "meta" values. these will shape the header, but the values are not included in the header.
     preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.

lib/secure_headers/headers/referrer_policy.rb

@@ -22,14 +22,21 @@ class << self
       # Returns a default header if no configuration is provided, or a
       # header name and value based on the config.
       def make_header(config = nil)
-        [HEADER_NAME, config || DEFAULT_VALUE]
+        config ||= DEFAULT_VALUE
+        [HEADER_NAME, Array(config).join(", ")]
       end
 
       def validate_config!(config)
-        return if config.nil? || config == OPT_OUT
-        raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
-        unless VALID_POLICIES.include?(config.downcase)
-          raise ReferrerPolicyConfigError.new("Value can only be one of #{VALID_POLICIES.join(', ')}")
+        case config
+        when nil, OPT_OUT
+          # valid
+        when String, Array
+          config = Array(config)
+          unless config.all? { |t| t.is_a?(String) && VALID_POLICIES.include?(t.downcase) }
+            raise ReferrerPolicyConfigError.new("Value can only be one or more of #{VALID_POLICIES.join(", ")}")
+          end
+        else
+          raise TypeError.new("Must be a string or array of strings. Found #{config.class}: #{config}")
         end
       end
     end

spec/lib/secure_headers/headers/referrer_policy_spec.rb

@@ -5,6 +5,7 @@ module SecureHeaders
   describe ReferrerPolicy do
     specify { expect(ReferrerPolicy.make_header).to eq([ReferrerPolicy::HEADER_NAME, "origin-when-cross-origin"]) }
     specify { expect(ReferrerPolicy.make_header("no-referrer")).to eq([ReferrerPolicy::HEADER_NAME, "no-referrer"]) }
+    specify { expect(ReferrerPolicy.make_header(%w(origin-when-cross-origin strict-origin-when-cross-origin))).to eq([ReferrerPolicy::HEADER_NAME, "origin-when-cross-origin, strict-origin-when-cross-origin"]) }
 
     context "valid configuration values" do
       it "accepts 'no-referrer'" do
@@ -60,14 +61,31 @@ module SecureHeaders
           ReferrerPolicy.validate_config!(nil)
         end.not_to raise_error
       end
+
+      it "accepts array of policy values" do
+        expect do
+          ReferrerPolicy.validate_config!(
+            %w(
+              origin-when-cross-origin
+              strict-origin-when-cross-origin
+            )
+          )
+        end.not_to raise_error
+      end
     end
 
-    context "invlaid configuration values" do
+    context "invalid configuration values" do
       it "doesn't accept invalid values" do
         expect do
           ReferrerPolicy.validate_config!("open")
         end.to raise_error(ReferrerPolicyConfigError)
       end
+
+      it "doesn't accept invalid types" do
+        expect do
+          ReferrerPolicy.validate_config!({})
+        end.to raise_error(TypeError)
+      end
     end
   end
 end