
Commit 5d7b70f

committed
Add secure X-Download-Options and X-Permitted-Cross-Domain-Policies to default headers set.
1 parent 55d4cf2 commit 5d7b70f


4 files changed

+15
-4
lines changed


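--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,8 @@
+* Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to
+default headers set.
+
+*Guillermo Iguaran*
+
 * Add headless firefox support to System Tests.
 
 *bogdanvlviv*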

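--- a/actionpack/lib/action_dispatch/railtie.rb
+++ b/actionpack/lib/action_dispatch/railtie.rb
@@ -26,7 +26,9 @@ class Railtie < Rails::Railtie # :nodoc:
 config.action_dispatch.default_headers = {
 "X-Frame-Options" => "SAMEORIGIN",
 "X-XSS-Protection" => "1; mode=block",
-"X-Content-Type-Options" => "nosniff"
+"X-Content-Type-Options" => "nosniff",
+"X-Download-Options" => "noopen",
+"X-Permitted-Cross-Domain-Policies" => "none"
 }
 
 config.action_dispatch.cookies_rotations = ActiveSupport::Messages::RotationConfiguration.new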
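Review bot: The new `"X-Permitted-Cross-Domain-Policies" => "none"` entry instructs Flash and Acrobat clients to ignore any `crossdomain.xml` the application serves, so an app that deliberately publishes such a policy file loses that cross-domain access on upgrade with no hint of why; a why-comment on that line would make the override path discoverable, e.g. `# "none" disables Flash/Acrobat cross-domain policy files; apps that serve crossdomain.xml must override this key.` The companion `"X-Download-Options" => "noopen"` is, to my knowledge, honoured only by Internet Explorer and is inert elsewhere, which is worth stating next to it so nobody expects it to protect other browsers. Neither caveat is mentioned in the CHANGELOG entry in this commit. The `Railtie` class holding this hash starts and ends outside the hunk.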

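--- a/actionpack/test/controller/metal_test.rb
+++ b/actionpack/test/controller/metal_test.rb
@@ -9,7 +9,7 @@ def hello
 end
 end
 
-def test_response_has_default_headers
+def test_response_does_not_have_default_headers
 original_default_headers = ActionDispatch::Response.default_headers
 
 ActionDispatch::Response.default_headers = {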

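--- a/actionpack/test/dispatch/response_test.rb
+++ b/actionpack/test/dispatch/response_test.rb
@@ -311,13 +311,15 @@ def test_only_set_charset_still_defaults_to_text_html
 end
 end
 
-test "read x_frame_options, x_content_type_options and x_xss_protection" do
+test "read x_frame_options, x_content_type_options, x_xss_protection, x_download_options and x_permitted_cross_domain_policies" do
 original_default_headers = ActionDispatch::Response.default_headers
 begin
 ActionDispatch::Response.default_headers = {
 "X-Frame-Options" => "DENY",
 "X-Content-Type-Options" => "nosniff",
-"X-XSS-Protection" => "1;"
+"X-XSS-Protection" => "1;",
+"X-Download-Options" => "noopen",
+"X-Permitted-Cross-Domain-Policies" => "none"
 }
 resp = ActionDispatch::Response.create.tap { |response|
 response.body = "Hello"
@@ -327,6 +329,8 @@ def test_only_set_charset_still_defaults_to_text_html
 assert_equal("DENY", resp.headers["X-Frame-Options"])
 assert_equal("nosniff", resp.headers["X-Content-Type-Options"])
 assert_equal("1;", resp.headers["X-XSS-Protection"])
+assert_equal("noopen", resp.headers["X-Download-Options"])
+assert_equal("none", resp.headers["X-Permitted-Cross-Domain-Policies"])
 ensure
 ActionDispatch::Response.default_headers = original_default_headers
 end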
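Review bot: The two new assertions (new lines 332 and 333) only confirm that values placed into `ActionDispatch::Response.default_headers` are copied onto the response; the test first overwrites the defaults itself, so nothing here fails if the values in `railtie.rb` are changed or dropped. Unless a railties test not shown here already pins them, an assertion against the configured defaults would cover the actual change, e.g. `assert_equal "none", app.config.action_dispatch.default_headers["X-Permitted-Cross-Domain-Policies"]` in the railties configuration suite. The `test` block spans both hunks (it opens at new line 314 and closes at new line 336), while the enclosing test class lies outside them.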
