
Add 'Referrer-Policy' header to default headers set

guilleiguaran committed Jan 9, 2018
1 parent f17137b commit 428939be9f954d39b0c41bc53d85d0d106b9d1a1
@@ -1,3 +1,7 @@
* Add `Referrer-Policy` header to default headers set.
*Guillermo Iguaran*
* Changed the system tests to set Puma as default server only when the
user haven't specified manually another server.
@@ -28,7 +28,8 @@ class Railtie < Rails::Railtie # :nodoc:
"X-XSS-Protection" => "1; mode=block",
"X-Content-Type-Options" => "nosniff",
"X-Download-Options" => "noopen",
"X-Permitted-Cross-Domain-Policies" => "none"
"X-Permitted-Cross-Domain-Policies" => "none",
"Referrer-Policy" => "strict-origin-when-cross-origin"
}
config.action_dispatch.cookies_rotations = ActiveSupport::Messages::RotationConfiguration.new
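Review bot: The new `"Referrer-Policy" => "strict-origin-when-cross-origin"` entry gives no hint of why this value was chosen, and the surrounding header set is equally undocumented, so the next maintainer asked to loosen it has nothing to weigh against. I would add a why-comment above the line: `# strict-origin-when-cross-origin: full URL to same-origin requests, origin only cross-origin, nothing on an HTTPS->HTTP downgrade.` This default only reaches applications that keep the framework's `config.action_dispatch.default_headers`; an app that assigns its own hash keeps its existing set, which is presumably worth stating in the CHANGELOG entry. The enclosing `class Railtie` body starts and ends outside the hunk.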
@@ -311,15 +311,16 @@ def test_only_set_charset_still_defaults_to_text_html
end
end
test "read x_frame_options, x_content_type_options, x_xss_protection, x_download_options and x_permitted_cross_domain_policies" do
test "read x_frame_options, x_content_type_options, x_xss_protection, x_download_options and x_permitted_cross_domain_policies, referrer_policy" do
original_default_headers = ActionDispatch::Response.default_headers
begin
ActionDispatch::Response.default_headers = {
"X-Frame-Options" => "DENY",
"X-Content-Type-Options" => "nosniff",
"X-XSS-Protection" => "1;",
"X-Download-Options" => "noopen",
"X-Permitted-Cross-Domain-Policies" => "none"
"X-Permitted-Cross-Domain-Policies" => "none",
"Referrer-Policy" => "strict-origin-when-cross-origin"
}
resp = ActionDispatch::Response.create.tap { |response|
response.body = "Hello"
@@ -331,6 +332,7 @@ def test_only_set_charset_still_defaults_to_text_html
assert_equal("1;", resp.headers["X-XSS-Protection"])
assert_equal("noopen", resp.headers["X-Download-Options"])
assert_equal("none", resp.headers["X-Permitted-Cross-Domain-Policies"])
assert_equal("strict-origin-when-cross-origin", resp.headers["Referrer-Policy"])
ensure
ActionDispatch::Response.default_headers = original_default_headers
end
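Review bot: The changed test name `test "read x_frame_options, x_content_type_options, x_xss_protection, x_download_options and x_permitted_cross_domain_policies, referrer_policy"` appends `, referrer_policy` after a list already closed with `and`, which reads as a typo and will keep growing with every header added; a name such as `test "read all default security headers from Response.default_headers"` stays accurate as the set changes. The added assertion on `resp.headers["Referrer-Policy"]` mirrors the hash entry one to one, so this is a naming point only. The `resp = ActionDispatch::Response.create.tap { |response|` block runs past the first hunk, and the test's own closing `end` appears to follow the second.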

