Merge pull request #14 from reedloden/master

Add support for the X-XSS-Protection and X-Content-Type-Options headers
mozilla · Sep 10, 2012 · 60ce951 · 60ce951
2 parents e2e02ad + babf821
commit 60ce951
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 0 deletions.
diff --git a/commonware/middleware.py b/commonware/middleware.py
@@ -4,4 +4,6 @@
 from commonware.request.middleware import SetRemoteAddrFromForwardedFor
 from commonware.response.middleware import FrameOptionsHeader
 from commonware.response.middleware import StrictTransportMiddleware
+from commonware.response.middleware import XSSProtectionHeader
+from commonware.response.middleware import ContentTypeOptionsHeader
 from commonware.session.middleware import NoVarySessionMiddleware
diff --git a/commonware/response/middleware.py b/commonware/response/middleware.py
@@ -52,3 +52,29 @@ def process_response(self, request, response):
                 val += '; includeSubDomains'
             response['Strict-Transport-Security'] = val
         return response
+
+
+class XSSProtectionHeader(object):
+    """
+    Set the X-XSS-Protection header on responses. Defaults to
+    '1; mode=block'. Set response['X-XSS-Protection'] = '0' (disable)
+    or '1' (rewrite mode) to override.
+    """
+
+    def process_response(self, request, response):
+        if not 'X-XSS-Protection' in response:
+            response['X-XSS-Protection'] = '1; mode=block'
+        return response
+
+
+class ContentTypeOptionsHeader(object):
+    """
+    Set the X-Content-Type-Options header on responses. Defaults
+    to 'nosniff'. Set response['X-Content-Type-Options'] = ''
+    to override.
+    """
+
+    def process_response(self, request, response):
+        if not 'X-Content-Type-Options' in response:
+            response['X-Content-Type-Options'] = 'nosniff'
+        return response
diff --git a/commonware/response/tests.py b/commonware/response/tests.py
@@ -52,3 +52,31 @@ def test_xframe_middleware_disable():
     resp.no_frame_options = True
     resp = mw.process_response({}, resp)
     assert not 'x-frame-options' in resp
+
+
+def test_xssprotection_middleware():
+    resp = _make_resp(middleware.XSSProtectionHeader)
+    assert 'X-XSS-Protection' in resp
+    eq_('1; mode=block', resp['X-XSS-Protection'])
+
+
+def test_xssprotection_middleware_no_overwrite():
+    mw = middleware.XSSProtectionHeader()
+    resp = HttpResponse()
+    resp['X-XSS-Protection'] = '1'
+    resp = mw.process_response({}, resp)
+    eq_('1', resp['X-XSS-Protection'])
+
+
+def test_contenttypeoptions_middleware():
+    resp = _make_resp(middleware.ContentTypeOptionsHeader)
+    assert 'X-Content-Type-Options' in resp
+    eq_('nosniff', resp['X-Content-Type-Options'])
+
+
+def test_contenttypeoptions_middleware_no_overwrite():
+    mw = middleware.ContentTypeOptionsHeader()
+    resp = HttpResponse()
+    resp['X-Content-Type-Options'] = ''
+    resp = mw.process_response({}, resp)
+    eq_('', resp['X-Content-Type-Options'])