
Set X-Frame-Options to SAMEORIGIN and add description to application.…

…rb generator. Closes #6311
1 parent 97ac309 commit 352d089af4147a8cd12ad29f24c506f93ff18b17 @homakov homakov committed May 28, 2012
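--- a/actionpack/lib/action_dispatch/http/response.rb
+++ b/actionpack/lib/action_dispatch/http/response.rb
@@ -59,6 +59,7 @@ class Response
 LOCATION = "Location".freeze
 cattr_accessor(:default_charset) { "utf-8" }
+cattr_accessor(:default_x_frame_options)
 include Rack::Response::Helpers
 include ActionDispatch::Http::Cache::Response
@@ -160,6 +161,10 @@ def to_a
 @header[SET_COOKIE] = @header[SET_COOKIE].join("\n") if @header[SET_COOKIE].respond_to?(:join)
+if !self.class.default_x_frame_options.nil?
+@header['X-Frame-Options'] ||= self.class.default_x_frame_options
+end
+
 if [204, 304].include?(@status)
 @header.delete CONTENT_TYPE
 [@status, @header, []]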
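Review bot: The new header name is an inline string literal in `to_a` (`@header['X-Frame-Options'] ||= self.class.default_x_frame_options`) while the rest of the class names headers through frozen constants such as `LOCATION`, `SET_COOKIE` and `CONTENT_TYPE`; adding `X_FRAME_OPTIONS = "X-Frame-Options".freeze` next to `LOCATION` in the first hunk and using it here keeps the style consistent and avoids allocating the string on every response. The guard `if !self.class.default_x_frame_options.nil?` reads more idiomatically as `unless self.class.default_x_frame_options.nil?`. Because the default is only merged in when `to_a` runs, a response that never reaches this method (a Rack application or middleware that answers before the Rails response is finalized) presumably will not carry the header; a one-line comment above the guard stating that would help anyone auditing clickjacking coverage. `to_a` starts and ends outside the hunk.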
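--- a/railties/lib/rails/application/finisher.rb
+++ b/railties/lib/rails/application/finisher.rb
@@ -102,6 +102,12 @@ module Finisher
 at_exit { app.queue_consumer.shutdown }
 end
 end
+
+initializer :set_default_headers do
+if config.action_dispatch.x_frame_options
+ActionDispatch::Response.default_x_frame_options = config.action_dispatch.x_frame_options
+end
+end
 end
 end
 end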
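Review bot: `:set_default_headers` writes a process-wide class attribute on `ActionDispatch::Response` from one application's config, so if more than one `Rails::Application` is booted in the same process the last finisher to run presumably wins; a comment such as `# Global default shared by every ActionDispatch::Response in this process` above the initializer would make that visible. The initializer name suggests a general header mechanism while only X-Frame-Options is handled; naming it after the header or adding a comment saying so would avoid that impression. The new `config.action_dispatch.x_frame_options` option is not documented in the configuring guide by this commit. The enclosing `module Finisher` starts outside the hunk.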
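--- a/railties/lib/rails/generators/rails/app/templates/config/application.rb
+++ b/railties/lib/rails/generators/rails/app/templates/config/application.rb
@@ -44,6 +44,9 @@ class Application < Rails::Application
 # Configure sensitive parameters which will be filtered from the log file.
 config.filter_parameters += [:password]
+# Do not display in frames
+config.action_dispatch.x_frame_options = 'SAMEORIGIN'
+
 # Use SQL instead of Active Record's schema dumper when creating the database.
 # This is necessary if your schema can't be completely dumped by the schema dumper,
 # like if you have constraints or database-specific column types.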
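Review bot: The comment `# Do not display in frames` overstates what `'SAMEORIGIN'` does: the page may still be framed by pages from the same origin, and only framing by other origins is refused. Suggest `# Allow this app's pages to be framed only by pages from the same origin (clickjacking mitigation); use 'DENY' to forbid framing entirely.` so the author of a generated app knows what they are opting into. The enclosing `class Application` starts outside the hunk.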
