Merge pull request rails#18423 from jone/remove-default-header

Default headers, removed in controller actions, will not be reapplied to the test response

actionpack/CHANGELOG.md

@@ -1,3 +1,8 @@
+*   Default headers, removed in controller actions, are no longer reapplied on
+    the test response.
+
+    *Jonas Baumann*
+
 *   Deprecate all *_filter callbacks in favor of *_action callbacks.
 
     *Rafael Mendonça França*

actionpack/lib/action_dispatch/testing/test_response.rb

@@ -25,5 +25,12 @@ def self.from_response(response)
 
     # Was there a server-side error?
     alias_method :error?, :server_error?
+
+    def merge_default_headers(original, *args)
+      # Default headers are already applied, no need to merge them a second time.
+      # This makes sure that default headers, removed in controller actions, will
+      # not be reapplied to the test response.
+      original
+    end
   end
 end

actionpack/test/controller/integration_test.rb

@@ -279,6 +279,11 @@ def get_cookie
     def redirect
       redirect_to action_url('get')
     end
+
+    def remove_default_header
+      response.headers.except! 'X-Frame-Options'
+      head :ok
+    end
   end
 
   def test_get
@@ -506,6 +511,24 @@ def test_https_and_port_via_process
     end
   end
 
+  def test_removed_default_headers_on_test_response_are_not_reapplied
+    with_test_route_set do
+      begin
+        header_to_remove = 'X-Frame-Options'
+        original_default_headers = ActionDispatch::Response.default_headers
+        ActionDispatch::Response.default_headers = {
+          'X-Content-Type-Options' => 'nosniff',
+          header_to_remove => 'SAMEORIGIN',
+        }
+        get '/remove_default_header'
+        assert_includes headers, 'X-Content-Type-Options'
+        assert_not_includes headers, header_to_remove, "Should not contain removed default header"
+      ensure
+        ActionDispatch::Response.default_headers = original_default_headers
+      end
+    end
+  end
+
   private
     def with_test_route_set
       with_routing do |set|